Student data privacy and security: parental rights and district duties


On Board Online • October 13, 2014

By Courtney Sanik
Policy Consultant

Information is a hot commodity. As more districts move to local electronic or cloud information storage, there is widespread – and valid – concern that students’ information be protected. Districts have a legal duty to protect “personally identifiable information” (PII). This includes the student’s name and information that a reasonable person could use to link a given record to a student’s name with reasonable certainty.

The recently enacted Common Core Implementation Act (Chapter 56 of the Laws of 2014) included, among other items, provisions regarding student privacy policy requirements. Much of the new law focuses on third-party contractors that receive student PII. The law also created notification requirements and established that districts must offer a “Parent’s Bill of Rights for Data Privacy and Security.”

In light of these changes, NYSSBA’s Policy Department has updated policy 5500, Student Records. The update, which is consistent with the Federal Education Rights Privacy Act, covers new state requirements. Perhaps the biggest change to this policy is that a Parental Bill of Rights for Student Data and Privacy must be sent to parents notifying them of their rights when it comes to their child’s data and privacy. It is to include the following information:

  • That students’ PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
  • That a student’s personally identifiable information cannot be sold or released for any commercial purposes by a third party contractor. Additionally, the district has the duty not to sell student personally identifiable information or release it for commercial purposes. The exception is directory information released by the district in accordance with district policy.
  • That parents have the right to inspect and review the complete contents of their child’s education record.
  • That state and federal laws protect the confidentiality of PII and that third party contractors implement safeguards associated with industry standards and best practices.
  • That parents can view a complete list of all student data elements collected by the State Education Department at www.p12.nysed.gov/irs/sirs/.
  • That, as parents, they have the right to have complaints about possible breaches of student data addressed and where complaints should be directed at the district level. The notice should also state that complaints can also be directed to the State Education Department by writing to the Chief Privacy Officer, NYSED, 89 Washington Avenue, Albany, NY 12234 or by email to CPO@mail.nysed.gov.
  • That in the event a district engages a third party provider to deliver student educational services, the contractor or subcontractors will be obligated to adhere to state and federal laws to safeguard student PII.

In addition to that notification, districts must prepare a supplemental statement for each third-party contractor that receives student PII. Some districts may adopt a generic statement, but districts are encouraged to consult with their school attorneys to determine what is best for the district.

This statement must name the third party contractor and explain what they will be doing with the information. Parents must be informed of the right to challenge the accuracy of the data and told how to do so. The statement should indicate that, at the end of the contract, the data will be destroyed by a specific date. It also must explain that anyone involved with the data, including subcontractors, will abide by applicable laws, data protections and security requirements – and how they will do so.



