DATA PRIVACY AND SECURITY PLAN
Southampton Public Schools
PARENTS' BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY
The Southampton UFSD is committed to protecting the privacy and security of student, teacher, and principal data. In accordance with New York Education Law § 2-d, parents, legal guardians and persons in parental relation to a student are entitled to certain rights with regard to their child’s personally identifiable information. The School District wishes to inform the school community of the following rights:
- A student's personally identifiable information cannot be sold or released for any commercial purposes.
- Parents have the right to inspect and review the complete contents of their child's education record maintained by Southampton UFSD.
- State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred.
- A complete list of all student data elements collected by the State is available for public review at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx, or by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, New York 12234.
Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to:
Southampton Union Free School District
Chief Privacy Officer
70 Leland Lane
Southampton, NY 11968
631-591-4500
Supplemental Information Regarding Third-Party Contractors:
In the course of complying with its obligations under the law and providing educational services, Southampton UFSD has entered into agreements with certain third-party contractors. Pursuant to such agreements, third-party contractors may have access to “student data” and/or “teacher or principal data.” Each contract the Agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data will include information addressing the following:
- The exclusive purposes for which the student data or teacher or principal data will be used;
- How the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
- When the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
- If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
- Where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
Third Party Contractors are required to:
- Provide training on federal and state law governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data;
- Limit internal access to education records to those individuals who have a legitimate educational interest in such records;
- Not use educational records for any other purpose than those explicitly authorized in the contract;
- Not disclose personally identifiable information to any other party (i) without the prior written consent of the parent or eligible student; or (ii) unless required by statute or court order and the third-party contractor provides a notice of the disclosure to the New York State Education Department, board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;
- Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in its custody;
- Use encryption technology to protect data while in motion or in its custody from unauthorized disclosure as specified in Education Law §2-d;
- Notify Southampton UFSD of any breach of security resulting in an unauthorized release of student data or teacher or principal data, in the most expedient way possible and without unreasonable delay;
- Provide a data security and privacy plan outlining how all state, federal and local data security and privacy contract requirements will be implemented over the life of the contract;
- Provide a signed copy of this Bill of Rights to Southampton UFSD thereby acknowledging that they are aware of and agree to abide by this Bill of Rights.
This Bill of Rights is subject to change based on regulations of the Commissioner of Education and the New York State Education Department’s Chief Privacy Officer, as well as emerging guidance documents.
Southampton Public Schools
Parents’ Bill of Rights Regarding Data Privacy and Security
Parents and guardians of students attending school in the Southampton Union Free School District are advised that they have the following rights with regard to student data:
- Student data will not be released or sold by the District for commercial purposes.
- A parent or guardian has the right to inspect and review the complete contents of his or her child’s education record.
- State and Federal law protect the confidentiality of personally identifiable information. The District utilizes the following safeguards to protect personally identifiable information: encryption, password protection, confidential information is destroyed in accordance with approved records schedules, etc.
- A list of all student data elements collected by New York State is available for public review at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx or by writing to Office of Information & Reporting Services, New York State Education Department, Room 86E EBA, 89 Washington Avenue, Albany, New York 12234.
- Parents and guardians have the right to have complaints about possible breaches of student data addressed. Complaints should be addressed to Dr. Nicholas Dyno at 70 Leland Lane, telephone at 631-591-4510.
This Bill of Rights will be included with every contract entered into by the District with an outside contractor if the contractor will receive student data or teacher or principal data. This Bill of Rights will be supplemented to include information about each contract that the District enters into with an outside contractor receiving confidential student data or teacher or principal data, including the exclusive purpose(s) for which the data will be used, how the contractor will ensure confidentiality and data protection and security requirements, the date of expiration of the contract and what happens to the data upon the expiration of the contract, if and how the accuracy of the data collected can be challenged, where the data will be stored and the security protections that will be taken.
By: ______________________________________ Dated: ______________________________ Name, Title
EDUCATION LAW 2-d RIDER
New York State Education Law 2-d was enacted in 2014 to address concerns relative to securing certain personally identifiable information. In order to comply with the requirements of Education Law 2-d, educational agencies and certain third-party contractors who contract with educational agencies must take certain additional steps to secure such data. These steps include enacting and complying with a Parents’ “Bill of Rights” relative to protected data, ensuring that each third-party contractor has a detailed data privacy plan in place to ensure the security of such data, and that each third-party contractor sign a copy of the educational agency’s Parents’ Bill of Rights, thereby signifying that the third-party contractor will comply with such Parents’ Bill of Rights. This Agreement is subject to the requirements of Education Law 2-d and is a covered third-party contractor.
In order to comply with the mandates of Education Law 2-d, and notwithstanding any provision of the Agreement between Southampton Union Free School District (“DISTRICT”) and ___________________(“____”) to the contrary, ____ agrees as follows:
____ will treat “Protected Data” (as defined below) as confidential and shall protect the nature of the Protected Data by using the same degree of care, but not less than a reasonable degree of care, as _______ uses to protect its own confidential data, so as to prevent the unauthorized dissemination or publication of Protected Data to third parties. _______ shall not disclose Protected Data other than to those of its employees or agents who have a need to know such Protected Data under this Agreement. _______ shall not use Protected Data for any other purposes than those explicitly provided for in this Agreement. All Protected Data shall remain the property of the disclosing party. As more fully discussed below, _______ shall have in place sufficient internal controls to ensure that the DISTRICT’s and/or Participants’ Protected Data is safeguarded in accordance with all applicable laws and regulations, including, but not limited to, the Children’s Internet Protection Act, Family Educational Rights and Privacy Act (“FERPA”) and Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), if applicable.
“Protected Data” includes any information rendered confidential by State or federal law, including, but not limited to student data, student demographics, scheduling, attendance, grades, health and discipline tracking, and all other data reasonably considered to be sensitive or confidential data by the DISTRICT and/or a Participant. Protected Data also includes any information protected under Education Law 2-d including, but not limited to:
“Personally identifiable information” from student records of the DISTRICT and/or its Participants as that term is defined in §99.3 of FERPA,
-AND-
Personally identifiable information from the records of the DISTRICT and/or its Participants relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law 3012-c.
_______ and/or any subcontractor, affiliate, or entity that may receive, collect, store, record or display any Protected Data shall comply with New York State Education Law § 2-d. As applicable, _______ agrees to comply with the DISTRICT policy(ies) on data security and privacy. _______ shall promptly reimburse DISTRICT and/or its Participants for the full cost of notifying a parent, eligible student, teacher, or principal of an unauthorized release of Protected Data by _______, its subcontractors, and/or assignees. In the event this Agreement expires, is not renewed or is terminated, _______ shall return all of DISTRICT and/or its Participants’ data, including any and all Protected Data, in its possession by secure transmission.
Data Security and Privacy Plan
_______ and/or any subcontractor, affiliate, or entity that may receive, collect, store, record or display any of DISTRICT and/or its Participant’s Protected Data, shall maintain a Data Security and Privacy Plan that includes the following elements:
- A provision incorporating the requirements of DISTRICT Parents’ Bill of Rights for data security and privacy, to the extent that any of the provisions in the Bill of Rights applies to _______’s possession and use of Protected Data pursuant to this Agreement.
- An outline of how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the _______’s policy on data security and privacy.
- An outline of the measures taken by _______ to secure Protected Data and to limit access to such data to authorized staff.
- An outline of how _______ will use “best practices” and industry standards with respect to data storage, privacy and protection, including, but not limited to encryption, firewalls, passwords, protection of off-site records, and limitations of access to stored data to authorized staff.
- An outline of how _______ will ensure that any subcontractors, persons or entities with which _______ will share Protected Data, if any, will abide by the requirements of _______’s policy on data security and privacy, and the contractual obligations with respect to Protected Data set forth herein.
DATA PRIVACY AND SECURITY PLAN
- Attached hereto as Exhibit “B” is a copy of _______’s Data and Privacy Plan.
- Attached hereto as Exhibit “C” is a copy of the District’s Bill of Rights signed by _______.
NIST Framework
As required by Education Law 2-d, Southampton Public Schools' Data Security and Privacy Plan aligns with the state’s data security and privacy standard. SPS has adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as the standard for educational agencies.