Instructional Technology (IT) Data Protection Protocols and Practices
Message for Parents
The following acts and policies describe protections available for students and parents and parents’ rights regarding student records. This information has been compiled here under the guidance of the transparency best practices found at Transparency Best Practices for Schools and Districts, July 2014 (ed.gov). Below you will find information regarding how student privacy and confidentiality are maintained through limited disclosure and security measures when personally identifiable information is shared with applications (apps), programs, websites, etc. To quickly access the information you seek, please click on the outline below to jump to that section of the page. In addition, the printed school calendar offers an annual notification regarding Family Educational Rights and Privacy Act of 1974 (FERPA), Protection of Pupil Rights Amendment (PPRA), directory information, acceptable use of technology and the network, etc. If you have any questions/comments/suggestions about district data sharing and student privacy policies, please call the Assistant Superintendent for Curriculum, Instruction and Assessment Office at 516-887-0255.
BOE Policies regarding Student Data
a. 5500 STUDENT RECORDS
The Board of Education recognizes its legal responsibility to maintain the confidentiality of student records. As part of this responsibility, the Board will ensure that eligible students and parents/guardians have the right to inspect and review education records, the right to seek to amend education records and the right to have some control over the disclosure of information from the education record. The procedures for ensuring these rights will be consistent with state and federal law, including the Family Educational Rights and Privacy Act of 1974 (FERPA) and its implementing regulations.
The Board also recognizes its responsibility to ensure the orderly retention and disposition of the district’s student records in accordance with Schedule ED-1 as adopted by the Board in policy 1120.
The District will use reasonable methods to provide access to student educational records only to those authorized under the law and to authenticate the identity of the requestor. The district will document requests for and release of records, and retain the documentation in accordance with law. Furthermore, pursuant to Chapter 56 of the Laws of 2014, the district will execute agreements with third-party contractors who collect, process, store, organize, manage or analyze student personally identifiable information (PII) to ensure that the contractors comply with the law in using appropriate means to safeguard the data.
The Superintendent of Schools is responsible for ensuring that all requirements under law and the Commissioner’s regulations are carried out by the district.
Authorized Representative: an authorized representative is any individual or entity designated by a State or local educational authority or a Federal agency headed by the Secretary, the Comptroller General or the Attorney General to carry out audits, evaluations, or enforcement or compliance activities relating to educational programs.
Education Record: means those records, in any format, directly related to the student and maintained by the district or by a party acting on behalf of the district, except:
(a) records in the sole possession of the individual who made them and not accessible or revealed to any other person except a substitute (e.g., memory joggers such as recorded videos of live sessions);
(b) records of the district’s law enforcement unit;
(c) grades on peer-graded papers before they are collected and recorded by a teacher.
Eligible student: a student who has reached the age of 18 or is attending postsecondary school.
Legitimate educational interest: a school official has a legitimate educational interest if they need to review a student’s record in order to fulfill their professional responsibilities.
Personally identifiable information (PII): as it pertains to students, is information that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Such data might include social security number, student identification number, parents’ name and/or address, a biometric record, etc. This term is fully defined in federal regulations at 34 CFR 99.3.
School official: a person who has a legitimate educational interest in a student record who is employed by the district as an administrator, supervisor, instructor or support staff member (including health or medical staff and law enforcement unit personnel); a member of the Board of Education; a person or company with whom the district has contracted to perform a special task (such as attorney, auditor, medical consultant or therapist); or a parent or student serving on an official committee, such as disciplinary or grievance committee, or assisting another school official performing their tasks.
Third party contractor: is any person or entity, other than an educational agency (which includes schools, school districts, BOCES, or the State Education Department), that receives student data or teacher or principal (PII) data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. This includes educational partnership organizations that receive student or teacher/principal PII from a school district to carry out responsibilities under Education Law 211-e (for persistently lowest-achieving schools or schools under registration review) and is not an educational agency. This also includes not-for-profit corporations or other nonprofit organizations, other than an educational agency.
At the beginning of each school year, the district will publish a notification that informs parents, guardians and students currently in attendance of their rights under FERPA and New York State Law and the procedures for exercising those rights. A ‘Parents’ Bill of Rights for Data Privacy and Security’ will be posted on the district website and included in any agreements with third-party contractors (see 5500-E.4). The notice and ‘Bill of Rights’ may be published in a newspaper, handbook or other school bulletin or publication. The notice and ‘Bill of Rights’ will also be provided to parents, guardians, and students who enroll during the school year.
The notice and Parents’ Bill of Rights will include a statement that the parent/guardian or eligible student has a right to:
- Inspect and review the student’s education records;
- Request that records be amended to ensure that they are not inaccurate, misleading, or otherwise in violation of the student’s privacy rights;
- Consent to disclosure of personally identifiable information contained in the student’s education records, except to the extent that FERPA authorizes disclosure without consent; and
- File a complaint with the United States Department of Education alleging failure of the district to comply with FERPA and its regulations; and/or
- File a complaint regarding a possible data breach by a third party contractor with the district and/or the New York State Education Department’s Chief Privacy Officer for failure to comply with state law.
The annual notice and Parents’ Bill of Rights will inform parents/guardians and students:
- That it is the district’s policy to disclose personally identifiable information from student records, without consent, to other school officials within the district whom the district has determined to have legitimate educational interests. The notice will define ‘school official’ and ‘legitimate educational interest.’
- That, upon request, the district will disclose education records without consent to officials of another school district in which a student seeks to or intends to enroll or is actually enrolled.
- That personally identifiable information will be released to third party authorized representatives for the purposes of educational program audit, evaluation, enforcement or compliance purposes.
- That the district, at its discretion, releases directory information (see definition below) without prior consent, unless the parent/guardian or eligible student has exercised their right to prohibit release of the information without prior written consent. The district will not sell directory information.
- That, upon request, the district will disclose a high school student’s name, address and telephone number to military recruiters and institutions of higher learning unless the parent or secondary school student exercises their right to prohibit release of the information without prior written consent.
- Of the procedure for exercising the right to inspect, review and request amendment of student records.
- That the district will provide information as a supplement to the ‘Parents’ Bill of Rights’ about third parties with which the district contracts that use, or have access to, personally identifiable student data.
The district may also release student education records, or the personally identifiable information contained within, without consent, where permitted under federal law and regulation. For a complete list of exceptions to FERPA’s prior consent requirements see accompanying regulation 5500-R, Section 5.
The district will effectively notify parents, guardians and students who have a primary or home language other than English.
In the absence of the parent or secondary school student exercising their right to opt out of the release of information to the military, the district is required to, under federal law, release the information indicated in number five (5) above.
The district has the option under FERPA of designating certain categories of student information as “directory information.” The Board directs that “directory information” include a student’s:
- ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems (only if the ID cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity)
- Address (except information about a homeless student’s living situation, as described below)
- Telephone number
- Date and place of birth
- Major course of study
- Participation in school activities or sports
- Weight and height if a member of an athletic team
- Dates of attendance
- Degrees and awards received
- Most recent school attended
- Grade level
- E-mail address
- Enrollment status
- Class Schedule
- Class Roster
Information about a homeless student’s living situation will be treated as a student educational record, and will not be deemed directory information. A parent/guardian or eligible student may elect, but cannot be compelled, to consent to release of a student’s address information in the same way they would for other student education records. The district’s McKinney-Vento liaison will take reasonable measures to provide homeless students with information on educational, employment, or other postsecondary opportunities and other beneficial activities.
Social security numbers or other personally identifiable information will not be considered directory information.
Students who opt out of having directory information shared are still required to display their student ID cards.
Once the proper FERPA notification is given by the district, a parent/guardian or student will have 14 days to notify the district of any objections they have to any of the “directory information” designations. If no objection is received, the district may release this information without prior approval of the parent/guardian or student for the release. Once the student or parent/guardian provides the “opt-out,” it will remain in effect after the student is no longer enrolled in the school district.
The district may elect to provide a single notice regarding both directory information and information disclosed to military recruiters and institutions of higher education.
Adoption date: February 12, 1997
Revised: September 13, 2000
Second revision date: July 5, 2017
Third revision date: May 6, 2020
Fourth revision date: July 7, 2020
Lynbrook Union Free School District
b. 5500-R STUDENT RECORDS REGULATION
It is recognized that the confidentiality of pupil records must be maintained. The following necessary procedures have been adopted to guarantee the protection of pupil records.
Section 1. Pursuant to the Family Educational Rights and Privacy Act of 1974 it shall be the policy of this school district with respect to parents or guardians of a student under 18 years of age and with respect to students 18 years of age or older (an eligible student) to permit such persons to inspect and review any and all official records, files and data directly related to that student, including all materials that are incorporated into each student's cumulative record folder, and intended for school use or to be available to parties outside the school or school system, and specifically including, but not necessarily limited to, identifying data, academic work completed, level of achievement (grades, standardized achievement test scores), attendance data, scores on standardized intelligence, aptitude, and psychological tests, interest inventory results, health data, family background information, teacher or counselor ratings and observations, and verified reports of serious or recurrent behavior patterns.
Section 2. Parents or guardians of a student under 18 years of age or an eligible student shall have an opportunity for a hearing to challenge the content of that student's school records, to ensure that the records are not inaccurate, misleading, or otherwise in violation of the privacy or other rights of students, and to provide an opportunity for the correction or deletion of any such inaccurate, misleading, or otherwise inappropriate data contained therein.
Section 3. In order to implement the rights provided for in Sections 1 and 2 hereof, the following procedures are adopted:
- A parent or guardian of a student under 18 years of age or an eligible student shall make a request for access to that student's school records, in writing, to the Superintendent of Schools. Upon receipt of such request, arrangements shall be made to provide access to such records within thirty (30) days after the request has been received.
- A parent or guardian of a student under 18 years of age or an eligible student, who wishes to challenge the contents of that student's school records, shall submit a request, in writing, identifying the record or records which they believe to be inaccurate, misleading or otherwise in violation of the privacy or other rights of the student together with a statement with the reasons for their challenge to the record to the Superintendent.
- Upon receipt of a written challenge, the Superintendent shall provide a written response indicating either that he/she finds the challenged record inaccurate, misleading or otherwise in violation and it will be corrected or deleted, or that he/she finds no basis for correcting or deleting the record in question, but that the parent/guardian or eligible student will be given an opportunity for a hearing. Such written response by the Superintendent shall be provided the parent/guardian or eligible student within fourteen (14) days after receipt of the written challenge. Said response shall also outline the procedures to be followed with respect to a hearing, if desired by the parent/guardian or eligible student.
- Within fourteen (14) days of receipt of the response from the Superintendent a parent/guardian or eligible student may request, in writing, that a hearing be held to review the determination of the Superintendent.
Section 4. Student records, and any material contained therein which is personally identifiable, are confidential and may not be released or made available to persons other than parents/guardians or students without the written consent of parents/guardians of students 18 years of age or younger. Such records and material may be made available without the written consent of parents/guardians or eligible students in the following cases:
- to other school officials, including teachers within the district who have legitimate educational interests;
- to officials of another school in which the student intends to enroll, if the parents/guardians or student are notified of the transfer of records, are given a copy if they desire one, and have an opportunity for a hearing to challenge the content of the records;
- to authorized representatives of certain designated federal and state agencies, including state educational authorities, for the purpose of the audit and in connection with the enforcement of federal legal requirements;
- in connection with a student's application for or receipt of financial aid; and
- pursuant to court order or subpoena, after notification to the parent/guardian or eligible student.
Section 5. Whenever a student record or any material contained therein is to be made available to third persons, other than those covered by the exceptions indicated in Section 4 hereof, the parent or guardian of a student under 18 years of age or an eligible student must file a written consent to such action and any third party to whom such records have been made available must sign a written statement that he will not further release such records without the consent of the parent/guardian or eligible student.
Section 6. All persons requesting access to such records except for those persons provided for in subdivision 1 of Section 4 hereof, state agencies provided for in subdivision 3 of Section 4 hereof and those persons provided for in subdivision 5 of Section 4 hereof shall be required to sign a written form which indicates a legitimate educational or other interest that such person has in inspecting the records. Such form shall be kept with the student's file. See Exhibit 5500-E.3.
Section 7. Whenever the district is requested to forward a student's school records, including health records, to a neighboring public school district, the following procedures shall be followed:
- A student's school records, including health records, shall be forwarded to the neighboring public school district from which such a request is made upon the receipt of a request by the appropriate administrator of the requesting district.
- The prior written consent of the student's parents/guardians or eligible student shall not be necessary. However, upon the forwarding of the student's records, the parent(s) or guardian(s) of the student or eligible student shall be notified in writing that the records have been transferred.
Section 8. All instructional material, including teachers' manuals, which are used in connection with a research or experimental program must be available for inspection by the parents or guardians of the children engaged in such program.
"Research or experimentation program or project" is defined as a program or project "designed to explore or develop new or unproven teaching methods or techniques."
Retention and Disposition of Student Records
The Board adheres to state and federal law and regulations governing the retention and disposition of student records, including the Records Retention and Disposition Schedule ED-1 setting forth the minimum length of time school district records must be retained. Student records that have been kept in excess of the minimum retention periods outlined in the schedule will be disposed of, except in the following cases:
- Records being used in legal actions must be kept for one year after the legal action ends, or until the scheduled retention period has passed, whichever is longer.
- The school district will not destroy any education records while there is an outstanding request to inspect and review them.
- Records being kept beyond the established retention period at the request of state or federal agencies will be kept until the district/BOCES receives the audit report, or the need is satisfied.
- Personally-identifiable special education records which may be useful to a child when applying for social security or other benefits and which have been requested by a parent/guardian or eligible child may be kept beyond the minimum period of time.
- Any school records predating 1910 require express written permission from the State Archives and Records Administration.
- No record may be disposed of unless it is listed on this schedule or its disposition is covered by other laws. In cases where the school district is uncertain as to the length of time a record must be kept, the district will contact the State Education Department.
For purposes of this regulation, the disposition of student records means the physical destruction, removal of personal identifiers from information so that it is no longer personally-identifiable, sale, gift, or other authorized means of disposal.
Some of the student records and their minimum retention dates are as follows:
General Student Records: A student's cumulative achievement record including information on school entry, withdrawal and graduation, subjects taken and grades received from examinations will be kept permanently. Other records will be kept for the minimum period of time listed in the schedule (see ED-1).
Health Records: A student's cumulative health record shall be kept until the student attains age 27. A student's psychological or social assessment record file including a report regarding student's ability, personality, family, and environmental influences will be kept 6 years after the report has been written. Other health records will be kept for the minimum period of time listed in the schedule (see ED-1).
Special Education Records: The basic records in a student's special education file including a student's most recent Individual Education Program (IEP), student information sheet and summary record will be kept 6 years after the student receives diploma or 6 years after student attains age 21, whichever is shorter. Other special education records in that file will be kept for the minimum period of time outlined in the schedule (see ED-1).
In accordance with federal regulations, the school shall inform parents/guardians when personally-identifiable information that has been collected is no longer needed to provide educational services to the student. In informing parents/guardians about their rights, the school will remind them that these records may be needed by the child in connection with applications for social security or other benefits. If the parents/guardians then request that the information be destroyed and the school determines that the information is no longer needed to provide educational services to the student, the personally-identifiable information must be destroyed. However, a permanent record of a student's name, address, phone number, his/her grades, attendance record, classes attended, grade level completed and year completed will be kept without time limitation.
Personally-identifiable information on a child with a disability may be retained permanently unless the parents/guardians or eligible child request that it be destroyed.
Pursuant to the Family Educational Rights and Privacy Act and taking into consideration the age of the student and the type or severity of disability, the district may transfer the rights of parents/guardians regarding Special Education records to the student when the student reaches 18 years of age.
Adoption date: February 12, 1997
Lynbrook Union Free School District
c. 8625 PROTECTING PERSONAL, PRIVATE AND SENSITIVE INFORMATION WHEN DISPOSING OF OR REUSING ELECTRONIC EQUIPMENT (PPSI)
The Board of Education recognizes that the District maintains electronic data essential to the operation of the schools. All members of the School District have a responsibility to protect the school district’s data from unauthorized generation, access, modification, disclosure, transmission or destruction. In addition, the Board of Education recognizes the need to keep Personal, Private and Sensitive Information (PPSI) data secure. Prior to reusing or disposing of electronic equipment containing PPSI data, all PPSI data will be removed by the IT Department.
PPSI includes, but is not limited to, any information to which unauthorized access, disclosure, modification, destruction, or disruption of access or use could severely impact critical functions, employees, customers or third parties, or citizens of New York, in general. Private information includes, but is not limited to, one of the following: Social Security number; driver’s license number or non-driver ID; account number, credit card or debit card number and security code; or access code/password that permits access to an individual’s financial account. PPSI containing personally identifiable information might exist on hard drives, tapes, compact discs (CDs), digital video disks (DVDs), floppy disks, thumb drives, cell phones, multiple function copiers, personal digital assistants (PDAs), or other storage devices, at times without the user’s knowledge.
This policy governs the privacy, security, and integrity of school district data, especially confidential data, and the responsibilities of institutional units and individuals for such data. It also provides the various definitions of data classifications. The corresponding regulation addresses the implementation of controls and other related operations for the disposal of electronic equipment that may contain personal, private and sensitive information data. The policy and regulation provided herein apply to all faculty, staff, students, visitors and contractors.
Data Classifications: Data owned, used, created, or maintained by the school district is classified into the following four general categories:
- Confidential Data
Confidential data are considered the most sensitive and require the highest level of protection. Confidential data includes data that the school district must keep private under federal, local, and state laws, contractual arrangements, or based on its proprietary worth. Confidential data may be disclosed to individuals only as required or permitted by applicable law. Personal, Private, or Sensitive Information (PPSI) is to be considered confidential.
- Protected Staff Data
Protected Staff Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Protected Staff Data is information that is restricted to staff and faculty members of the School District who have a legitimate purpose for accessing such data. Students are not permitted to access this data.
- Protected Student Data
- Public Data
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to school district disclosure rules, is available to the general public.
Data are generally stored in collections (i.e., databases, files, tables, etc.). Often these collections do not segregate the more sensitive data elements of a collection from the less sensitive data. Therefore, in determining the classification category, the most sensitive data element in the collection will be used to classify the entire collection.
Data Classification Roles and Responsibilities: A data owner is the individual(s) assigned by the Superintendent or designee to oversee the proper handling of administrative, academic, or research data. The owner is responsible for ensuring that appropriate steps are taken to protect data and to implement policies, guidelines, and memorandums of understanding that define the appropriate use of the data. Typically, the owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by administrators of different departments.
Data Owner: The data owner is responsible for and authorized to:
- Approve who may access data resources and formally assign custody of an information resources asset (e.g., what permissions or types of data a user may access).
- Specify appropriate controls (e.g., access, security, proper handling) based on data classification, to protect the information resources from unauthorized modification, deletion, or disclosure. The owner will convey those requirements as necessary for implementation of controls and will educate those who may have access to the data.
- Confirm that the applicable controls specified are in place to ensure appropriate levels of confidentiality, integrity and availability of the data.
- Ensure that users, data systems, and related operations comply with applicable controls.
- Assign custody of information resources assets (e.g., computerized systems, electronic files) and provide appropriate authority to those who implement security controls and procedures.
- Ensure access rights to the data are re-evaluated or modified when a user’s access requirements change (e.g., job assignment change, departure)
Data Security Administrator (DSA): The Office of Information Technology and District Data Coordinator are charged with implementing the controls specified by the owner. They are responsible for the processing, storage and recovery of information. They will:
- Implement the controls specified by the owner(s)
- Provide physical and procedural safeguards for the information resources
- Assist owners in evaluating the overall effectiveness of controls and monitoring
- Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents
Data User: The user is any person who has been authorized by the owner of the information to read, enter, or update that information. The user has the responsibility to (1) use the resource only for the purpose specified by the owner, (2) comply with controls established by the owner, and (3) prevent disclosure of confidential or sensitive information. The user is the single most effective control for providing adequate security.
Adoption date: February 11, 2015
Lynbrook Union Free School District
d. 8635 INFORMATION SECURITY BREACH AND NOTIFICATION
The Board of Education acknowledges the heightened concern regarding the rise in identity theft and the need for secure networks and prompt notification when security breaches occur. The Board adopts the National Institute for Standards and Technology Cybersecurity Framework Version 1.1 (NIST CSF) for data security and protection. The Data Privacy Officer is responsible for ensuring the district’s systems follow NIST CSF and adopt technologies, safeguards and practices which align with it. This will include an assessment of the district’s current cybersecurity state, its target future cybersecurity state, opportunities for improvement, progress toward the target state, and communication about cybersecurity risk.
The Board of Education will designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law §2-d and its accompanying regulations, and to serve as the point of contact for data security and privacy.
The Board directs the Superintendent of Schools, in accordance with appropriate business and technology personnel, and the Data Protection Officer to establish regulations which address:
I. Student and Teacher/Principal “Personally Identifiable Information” under Education Law §2-d
General Provisions: PII as applied to student data is as defined in Family Educational Rights and Privacy Act (Policy 5500), which includes certain types of information that could identify a student, and is listed in the accompanying regulation 8635-R. PII as applied to teacher and principal data, means results of Annual Professional Performance Reviews that identify the individual teachers and principals, which are confidential under Education Law §§3012-c and 3012-d, except where required to be disclosed under state law and regulations.
The Data Protection Officer will see that every use and disclosure of personally identifiable information (PII) by the district benefits students and the district (e.g., improve academic achievement, empower parents and students with information, and/or advance efficient and effective school operations). However, PII will not be included in public reports or other documents.
The district will protect the confidentiality of student and teacher/principal PII while stored or transferred using industry standard safeguards and best practices, such as encryption, firewalls, and passwords. The district will monitor its data systems, develop incident response plans, limit access to PII to district employees and third-party contractors who need such access to fulfill their professional responsibilities or contractual obligations, and destroy PII when it is no longer needed.
Certain federal laws and regulations provide additional rights regarding confidentiality of and access to student records, as well as permitted disclosures without consent, which are addressed in policy and regulation 5500, Student Records.
Under no circumstances will the district sell PII. It will not disclose PII for any marketing or commercial purpose, facilitate its use or disclosure by any other party for any marketing or commercial purpose, or permit another party to do so. Further, the district will take steps to minimize the collection, processing, and transmission of PII.
Except as required by law or in the case of enrollment data, the district will not report the following student data to the State Education Department:
- juvenile delinquency records;
- criminal records;
- medical and health records; and
- student biometric information.
The district has created and adopted a Parent’s Bill of Rights for Data Privacy and Security (see Exhibit 8635-E). It has been published on the district’s website at www.lynbrookschools.org and can be requested from the district clerk.
Each third-party contractor that will receive student data or teacher or principal data must:
- adopt technologies, safeguards and practices that align with the NIST CSF;
- limit internal access to PII to only those employees or sub-contractors that need access to provide the contracted services;
- not use the PII for any purpose not explicitly authorized in its contract;
- not disclose any PII to any other party without the prior written consent of the parent or eligible student (i.e., students who are eighteen years old or older):
  - except for authorized representatives of the third-party contractor to the extent they are carrying out the contract; or
  - unless required by statute or court order and the third-party contractor provides notice of disclosure to the district, unless expressly prohibited;
- maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody;
- use encryption to protect PII in its custody; and
- not sell, use, or disclose PII for any marketing or commercial purpose, facilitate its use or disclosure by others for marketing or commercial purpose, or permit another party to do so. Third party contractors may release PII to subcontractors engaged to perform the contractor’s obligations, but such subcontractors must abide by data protection obligations of state and federal law, and the contract with the district.
If the third-party contractor has a breach or unauthorized release of PII, it will promptly notify the district in the most expedient way possible without unreasonable delay but no more than seven calendar days after the breach’s discovery.
Third-Party Contractors’ Data Security and Privacy Plan: The district will ensure that contracts with all third-party contractors include the third-party contractor’s data security and privacy plan. This plan must be accepted by the district.
At a minimum, each plan will:
- outline how all state, federal, and local data security and privacy contract requirements over the life of the contract will be met, consistent with this policy;
- specify the safeguards and practices it has in place to protect PII;
- demonstrate that it complies with the requirements of Section 121.3(c) of this Part;
- specify how those who have access to student and/or teacher or principal data receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
- specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to ensure personally identifiable information is protected;
- specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the district;
- describe if, how and when data will be returned to the district, transitioned to a successor contractor, at the district’s direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.
Training: The district will provide annual training on data privacy and security awareness to all employees who have access to student and teacher/principal PII.
Reporting: Any breach of the district’s information storage or computerized data which compromises the security, confidentiality, or integrity of student or teacher/principal PII maintained by the district will be promptly reported to the Data Protection Officer, the Superintendent and the Board of Education.
The Data Privacy Officer will report every discovery or report of a breach or unauthorized release of student, teacher or principal PII to the State’s Chief Privacy Officer without unreasonable delay, but no more than 10 calendar days after such discovery.
The district will notify affected parents, eligible students, teachers and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach or unauthorized release or third-party contractor notification.
However, if notification would interfere with an ongoing law enforcement investigation, or cause further disclosure of PII by disclosing an unfixed security vulnerability, the district will notify parents, eligible students, teachers and/or principals within seven calendar days after the security vulnerability has been remedied, or the risk of interference with the law enforcement investigation ends.
The Superintendent, in consultation with the Data Protection Officer, will establish procedures to provide notification of a breach or unauthorized release of student, teacher or principal PII, and establish and communicate to parents, eligible students, and district staff a process for filing complaints about breaches or unauthorized releases of student and teacher/principal PII.
II. “Private Information” under State Technology Law §208
“Private information” is defined in State Technology Law §208, and includes certain types of information, outlined in the accompanying regulation, which would put an individual at risk for identity theft or permit access to private accounts. “Private information” does not include information that can lawfully be made available to the general public pursuant to federal or state law or regulation.
Any breach of the district’s information storage or computerized data which compromises the security, confidentiality, or integrity of “private information” maintained by the district must be promptly reported to the Superintendent and the Board of Education.
The Board directs the Superintendent of Schools, in accordance with appropriate business and technology personnel, to establish regulations which:
- Identify and/or define the types of private information that is to be kept secure. For purposes of this policy, “private information” does not include information that can lawfully be made available to the general public pursuant to federal or state law or regulation;
- Include procedures to identify any breaches of security that result in the release of private information; and
- Include procedures to notify persons affected by the security breach as required by law.
III. Employee “Personal Identifying Information” under Labor Law §203-d
Pursuant to Labor Law §203-d, the district will not communicate employee “personal identifying information” to the general public. This includes, but is not limited to:
- social security number
- home address or telephone number
- personal email address
- Internet identification name or password
- parent’s surname prior to marriage
- driver’s license number.
In addition, the district will protect employee social security numbers in that such numbers will not be:
- Publicly posted or displayed
- Visibly printed on any ID badge, card or timecard
- Placed in files with unrestricted access or
- Used for occupational licensing purposes.
Employees with access to such information shall be notified of these prohibitions and their obligations.
1120, District Records
5500, Student Records
State Technology Law §§201-208
Labor Law §203-d
Education Law §2-d
NYCRR Part 121
Adoption date: February 11, 2015
First revision date: May 6, 2020
Lynbrook Union Free School District
e. 8635-R INFORMATION SECURITY BREACH AND NOTIFICATION REGULATION
“Private information” shall mean personal information (i.e., information such as name, number, symbol, mark or other identifier which can be used to identify a person) in combination with any one or more of the following data elements:
- Social security number;
- Driver’s license number or non-driver identification card number; or
- Account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual’s financial account.
“Breach of the security of the system” shall mean unauthorized acquisition of physical or computerized data.
Procedure for Identifying Security Breaches
In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the district shall consider:
- indications that the information is in the physical possession and control of an unauthorized person, such as removal of hard copies, lost or stolen computer, or other device containing information;
- indications that the information has been downloaded, removed or copied;
- indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and/or
- any other factors which the district shall deem appropriate and relevant to such determination.
Security Breaches – Procedures and Methods for Notification
Once it has been determined that a security breach has occurred, the following steps shall be taken:
- If the breach involved hard copy or computerized data owned or licensed by the district, the district shall notify those New York State residents whose private information was, or is reasonably believed to have been acquired by a person without valid authorization. The disclosure to affected individuals shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.
The district shall consult with the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) to determine the scope of the breach and restoration measures.
- If the breach involved hard copy or computer data maintained by the district, the district shall notify the owner or licensee of the information of the breach immediately following discovery, if the private information was or is reasonably believed to have been acquired by a person without valid authorization.
The required notice shall include (a) district contact information, (b) a description of the categories of information that were or are reasonably believed to have been acquired without authorization, (c) which specific elements of personal or private information were or are reasonably believed to have been acquired and (d) what the district is doing about it. This notice shall be directly provided to the affected individuals by either:
- Written notice
- Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form; and that the district keeps a log of each such electronic notification. In no case, however, shall the district require a person to consent to accepting such notice in electronic form as a condition of establishing a business relationship or engaging in any transaction.
- Telephone notification, provided that the district keeps a log of each such telephone notification.
However, if the district can demonstrate to the State Attorney General that (a) the cost of providing notice would exceed $250,000; or (b) that the number of persons to be notified exceeds 500,000; or (c) that the district does not have sufficient contact information, substitute notice may be provided. Substitute notice would consist of all of the following steps:
- E-mail notice when the district has such address for the affected individual;
- Conspicuous posting on the district’s website, if it maintains one; and
- Notification to major media.
Notification of State and Other Agencies
Once notice has been made to affected New York State residents, the district shall notify the State Attorney General, the Department of State Division of Consumer Protection, and the State Office of Information Technology Services as to the timing, content, and distribution of the notices and approximate number of affected persons.
If more than 5,000 New York State residents are to be notified at one time, the district shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and the approximate number of affected individuals. A list of consumer reporting agencies will be furnished, upon request, by the Office of the State Attorney General.
Adoption date: February 11, 2015
Lynbrook Union Free School District
f. 8635-E PARENTS’ BILL OF RIGHTS FOR STUDENT DATA PRIVACY AND SECURITY
The Lynbrook Union Free School District, in recognition of the risk of identity theft and unwarranted invasion of privacy, affirms its commitment to safeguarding student personally identifiable information (PII) in educational records from unauthorized access or disclosure in accordance with State and Federal law. The Lynbrook Union Free School District establishes the following parental bill of rights:
- Student PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with State and Federal Law.
- The district and its schools, and third-party contractors and subcontractors, will not sell student PII or use or disclose it for any marketing or commercial purposes or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so;
- Parents have the right to inspect and review the complete contents of their child's education record (for more information about how to exercise this right, see 5500-R);
- State and federal laws, such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, protect the confidentiality of students’ personally identifiable information. Safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred;
- A complete list of all student data elements collected by the State Education Department is available for public review at https://nysed.gov or by writing to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234
- Parents have the right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Complaints should be directed to the Data Privacy Officer, who can be reached by phone at 516-887-0255 or in writing to Lynbrook Schools, Data Privacy Officer, 111 Atlantic Avenue, Lynbrook, New York, NY 11563. Complaints can also be directed to the New York State Education Department online at https://nysed.gov, by mail to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234 or by email to firstname.lastname@example.org or by telephone at 518-474-0937.
- Parents have the right to be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.
- All district and school employees and officers with access to PII will receive annual training on applicable federal and state laws, regulations, district and school policies and safeguards which will be in alignment with industry standards and best practices to protect PII.
- In the event that the District engages a third-party provider to deliver student educational services, the contractor or subcontractors will be obligated to adhere to State and Federal Laws to safeguard student PII. Parents can request information about third party contractors by contacting the district’s Data Privacy Officer, who can be reached by phone at 516-887-0255 or in writing to Lynbrook Schools, Data Privacy Officer, 111 Atlantic Avenue, Lynbrook, New York, NY 11563.
Adoption date: October 13, 2021
Lynbrook Union Free School District
III. Procedures regarding Student Personally Identifiable Information (PII)
The Lynbrook UFSD (“The District”) is required by law to collect and store educator and student information. The District takes seriously its obligations to protect the privacy of data collected, used, shared, and stored by the District. Educational data is essential to the District’s mission to ensure that all students are prepared for success in society, work, and life.
The District has adopted the policy below to protect educator and student data that is collected, used, shared, and stored by the District.
- Confidentiality of PII
Student Personally Identifiable Information (PII) includes, but is not limited to, information that is collected, maintained, generated, or inferred and that, alone or in combination, personally identifies an individual student or the student's parent(s) or family.
PII, as defined by federal law, also includes other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
Student education records are official and confidential documents protected by the Family Educational Rights and Privacy Act (FERPA) and other state and federal laws. With the increasing use of technology in education, it is imperative that information that identifies individual students and their families is protected from misappropriation and misuse.
Some examples of PII collected by the District may include, but are not limited to, the following list:
- A student's name
- A personal identifier such as a student ID number
- Student's date of birth
- A student’s socioeconomic information
- Photos, videos, and voice recordings
- State-administered assessment results, including participation information, courses taken and completed, credits earned, course grades, and other transcript information
- Grade level and anticipated graduation year
- Degree, diploma credential attainment or other school exit information
- Attendance information
- Special education data and special education discipline reports
- Program participation information required by state or federal law
- Confidentiality of Educator PII
Educator PII includes, but is not limited to: the educator’s name, any unique identifier, including social security number, and other information that, alone or in combination, is linked or linkable to a specific educator. The District may collect information concerning an individual educator's performance evaluation ratings and student assessments results linked to the educator in order to fulfill its duties as required by law. Each educator has the right to inspect and to have copies made (at the educator’s expense) of all information pertaining to the educator that is held by the District. Educators may challenge any such record by formal letter or other evidence, which shall be added to the District’s records.
- Disclosure of De-Identified or Aggregate Data
The District may disclose information that does not allow any individual to be personally identified. Data requested via this process will not include small counts in order to reduce the likelihood that this information is personally identifiable for small populations.
- External Disclosures of and Access to PII
The District will only release PII to outside entities or individuals that have a legitimate educational purpose to receive this information. The District is authorized to share PII for research purposes, so long as the sharing is permitted by state and federal law.
Students and/or their parents or legal guardians are allowed access to the student’s PII and educators are allowed to access their own PII in accordance with state and federal law.
In compliance with state and federal laws, the District limits access to educator and student PII to the following:
- The authorized staff of the District and New York State Department of Education (NYSED) that require access to perform assigned duties
- The District’s and NYSED’s contractors that require access to perform assigned or contractual duties as stated in their contracts
- The District administrators, teachers, and school personnel who require access to perform assigned duties
- The authorized staff of other state agencies, including public institutions of higher education, as required by law and defined by interagency agreements
- Entities conducting research on behalf of the District to develop, validate, or administer tests, as permitted by law and defined by research data sharing agreements
- Vendors, third parties, and other service providers that provide or service databases, assessments, or instructional supports as permitted by law and defined by contractual agreements
- Authorized representatives of the District in connection with an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs
Disclosures of PII for Research Purposes: The District has developed a process to consider and review all outside requests for PII or individual-level data by individuals who seek to conduct research. Potential users such as doctoral and master's degree candidates, university faculty, independent researchers, and private and public agencies must submit proposals before receiving PII or individual-level data to conduct and publish their research.
The requestor must meet all of the District’s criteria prior to submitting the proposal for any individual-level de-identified data or PII. This includes gaining Institutional Review Board (IRB) approval.
The District will conduct an extensive internal review of the research proposal. Approval to use the PII or individual-level data for one study, audit, or evaluation does not confer approval to use it for another.
The District has the right to review any data prior to publication and to verify that proper disclosure avoidance techniques have been used. The District also has the right to approve reports prior to publication to ensure they reflect the original intent of the agreement.
Requirements for Agreements and Contracts to Disclose PII: Prior to sharing PII, the District must enter into a written agreement or contract that meets the following requirements:
- Designates the individual or entity that will serve as the authorized representative or primary individual responsible for protecting and managing PII;
- Specifies the purpose and scope of the contract or agreement;
- The duration of the contract or agreement;
- The types of PII that are collected, used, or maintained under the contract or agreement;
- The uses of PII under the contract or agreement; and
- The length of time that PII can be held.
In addition to all of the precautions addressed above, any agreement or contract shall also address the following assurances to protect PII from further disclosure and unauthorized use:
- Requires the third party to use PII only to meet the purpose stated in the written agreement and not for further disclosure, unless authorized.
- The District shall maintain the right to conduct audits or other monitoring activities of the entity or individual’s policies, procedures, and systems.
- The District shall verify that the entity has a comprehensive information security program to protect all PII. This includes requirements stating how to respond to any breach in security, including the requirement that any breach in security must be reported immediately to the District.
PII Retention and Disposition: The PII that the District collects is maintained according to the retention and disposition schedules outlined by New York State Archives in partnership with state and local governments. For information defined as “Student Permanent Record” (i.e., demographics, enrollment and academic performance data), the District archives this information and protects it with appropriate technical, physical, and administrative safeguards in accordance with state and federal law.
The following links to the vendors that work with Lynbrook UFSD and to those vendors’ public privacy policies.
DPSS - Inventory Tool (riconedpss.org)
The following is a link to the official Board of Education (BOE) form to access records.
Under the law, school districts and BOCES are required to conduct an Annual Professional Performance Review (APPR) for each teacher and principal, resulting in a rating of “highly effective,” “effective,” “developing,” or “ineffective.” Parents and legal guardians of students may request the final quality rating and composite effectiveness score for each of the teachers and for the principal of the school building to which their children are assigned for the current school year.
From time to time, the school district takes photos and videos of students at work or play for use in local newspapers, television broadcasts, school publications and websites and other media outlets. If you do not wish photos or videos of your child to be released, please notify the school principal in writing by the date in the printed calendar.
The district shall maintain directory information regarding its students. Directory information consists of personal information about individual students and includes the student’s name, address, telephone listing, date and place of birth, major field of study, dates of attendance, degrees and awards received, and previous educational institutions attended. Directory information shall be disclosed for limited purposes. Any objection to such disclosure of directory information, and any request to be excluded from the list of directory information to be disclosed, shall be submitted in writing to the superintendent of schools as per the timeline in the printed calendar.
The following is a link to the District Technology Home Page which can be used to access both the Network Use Agreement and Student Acceptable Use Form.
District Technology Home Page
The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that school districts, with certain exceptions, obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records. However, school districts may disclose appropriately designated “directory information” without written consent, unless you have advised the school district to the contrary in accordance with school district procedures. The primary purpose of directory information is to allow the school district to include information from your child’s education records in certain school publications.
Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks. In addition, two federal laws require local educational agencies (LEAs) receiving assistance under the Elementary and Secondary Education Act of 1965, as amended (ESEA) to provide military recruiters, upon request, with the following information – names, addresses and telephone listings – unless parents have advised the LEA that they do not want their student’s information disclosed without their prior written consent. [Note: These laws are Section 9528 of the ESEA (20 U.S.C. § 7908) and 10 U.S.C. § 503(c).]
If you do not want the school district to disclose any or all of the types of information designated in Board of Education (BOE) policy and regulation 5500, Student Records, as directory information from your child’s education records without your prior written consent, you must notify the principal in writing by the date in the printed calendar.
The Protection of Pupil Rights Amendment (PPRA) defines the rules states and school districts must follow when administering tools like surveys, analysis, and evaluations funded by the US Department of Education to students. It requires parental approval to administer many such tools and ensures that school districts have policies in place regarding how the data collected through these tools can be used. For additional information regarding PPRA, visit https://studentprivacy.ed.gov/topic/protection-pupil-rights-amendment-ppra
The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are 18 years of age or older ("eligible students") certain rights with respect to the student's education records. These rights are:
- The right to inspect and review the student's education records within 45 days after the day the school receives a request for access.
Parents or eligible students who wish to inspect their child’s or their own education records should submit to the school principal a written request that identifies the records they wish to inspect. The principal will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected.
- The right to request the amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.
Parents or eligible students who wish to ask the school to amend their child’s or their education record should write the school principal, clearly identify the part of the record they want changed and specify why it should be changed. If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.
- The right to provide written consent before the school discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.
One exception, which permits disclosure without consent, is disclosure to school officials with legitimate educational interests. The criteria for determining who constitutes a school official and what constitutes a legitimate educational interest must be set forth in the school’s or school district’s annual notification for FERPA rights. A school official typically includes a person employed by the school or school district as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board. A school official also may include a volunteer, contractor, or consultant who, while not employed by the school, performs an institutional service or function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of PII from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks. A school official typically has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.
Upon request, the school discloses education records without consent to officials of another school or school district in which a student seeks or intends to enroll or is already enrolled if the disclosure is for purposes of the student’s enrollment or transfer.
- The right to file a complaint with the U.S. Department of Education concerning alleged failures by the school to comply with the requirements of FERPA.
The name and address of the Office that administers FERPA are:
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202
FERPA permits the disclosure of PII from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations. Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student, § 99.32 of the FERPA regulations requires the school to record the disclosure. Parents and eligible students have a right to inspect and review the record of disclosures. A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student as per Board of Education (BOE) policy and regulation 5500, Student Records.
Protection of Pupil Rights Amendment (PPRA) defines the rules states and school districts must follow when administering tools like surveys, analysis, and evaluations funded by the US Department of Education to students. It requires parental approval to administer many such tools and ensures that school districts have policies in place regarding how the data collected through these tools can be used. The full text is below.
United States Code, 2010 Edition
Title 20 - EDUCATION
CHAPTER 31 - GENERAL PROVISIONS CONCERNING EDUCATION
SUBCHAPTER III - GENERAL REQUIREMENTS AND CONDITIONS CONCERNING OPERATION AND ADMINISTRATION OF EDUCATION PROGRAMS: GENERAL AUTHORITY OF SECRETARY
Part 4 - Records; Privacy; Limitation on Withholding Federal Funds
Sec. 1232h - Protection of pupil rights
From the U.S. Government Publishing Office, www.gpo.gov
§1232h. Protection of pupil rights
- Inspection of instructional materials by parents or guardians
All instructional materials, including teacher's manuals, films, tapes, or other supplementary material which will be used in connection with any survey, analysis, or evaluation as part of any applicable program shall be available for inspection by the parents or guardians of the children.
- Limits on survey, analysis, or evaluations
No student shall be required, as part of any applicable program, to submit to a survey, analysis, or evaluation that reveals information concerning—
- political affiliations or beliefs of the student or the student's parent;
- mental or psychological problems of the student or the student's family;
- sex behavior or attitudes;
- illegal, anti-social, self-incriminating, or demeaning behavior;
- critical appraisals of other individuals with whom respondents have close family relationships;
- legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
- religious practices, affiliations, or beliefs of the student or student's parent; or
- income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program),
without the prior consent of the student (if the student is an adult or emancipated minor), or in the case of an unemancipated minor, without the prior written consent of the parent.
- Development of local policies concerning student privacy, parental access to information, and administration of certain physical examinations to minors
- Development and adoption of local policies
Except as provided in subsections (a) and (b) of this section, a local educational agency that receives funds under any applicable program shall develop and adopt policies, in consultation with parents, regarding the following:
- The right of a parent of a student to inspect, upon the request of the parent, a survey created by a third party before the survey is administered or distributed by a school to a student; and
- any applicable procedures for granting a request by a parent for reasonable access to such survey within a reasonable period of time after the request is received.
- Arrangements to protect student privacy that are provided by the agency in the event of the administration or distribution of a survey to a student containing one or more of the following items (including the right of a parent of a student to inspect, upon the request of the parent, any survey containing one or more of such items):
- Political affiliations or beliefs of the student or the student's parent.
- Mental or psychological problems of the student or the student's family.
- Sex behavior or attitudes.
- Illegal, anti-social, self-incriminating, or demeaning behavior.
- Critical appraisals of other individuals with whom respondents have close family relationships.
- Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers.
- Religious practices, affiliations, or beliefs of the student or the student's parent.
- Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).
- The right of a parent of a student to inspect, upon the request of the parent, any instructional material used as part of the educational curriculum for the student; and
- any applicable procedures for granting a request by a parent for reasonable access to instructional material within a reasonable period of time after the request is received.
- The administration of physical examinations or screenings that the school or agency may administer to a student.
- The collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for that purpose), including arrangements to protect student privacy that are provided by the agency in the event of such collection, disclosure, or use.
- (i) The right of a parent of a student to inspect, upon the request of the parent, any instrument used in the collection of personal information under subparagraph (E) before the instrument is administered or distributed to a student; and
(ii) any applicable procedures for granting a request by a parent for reasonable access to such instrument within a reasonable period of time after the request is received.
- Parental notification
- Notification of policies
The policies developed by a local educational agency under paragraph (1) shall provide for reasonable notice of the adoption or continued use of such policies directly to the parents of students enrolled in schools served by that agency. At a minimum, the agency shall—
(i) provide such notice at least annually, at the beginning of the school year, and within a reasonable period of time after any substantive change in such policies; and
(ii) offer an opportunity for the parent (and for purposes of an activity described in subparagraph (C)(i), in the case of a student of an appropriate age, the student) to opt the student out of participation in an activity described in subparagraph (C).
- Notification of specific events
The local educational agency shall directly notify the parent of a student, at least annually at the beginning of the school year, of the specific or approximate dates during the school year when activities described in subparagraph (C) are scheduled, or expected to be scheduled.
- Activities requiring notification
The following activities require notification under this paragraph:
(i) Activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for that purpose).
(ii) The administration of any survey containing one or more items described in clauses (i) through (viii) of paragraph (1)(B).
(iii) Any nonemergency, invasive physical examination or screening that is—
(I) required as a condition of attendance;
(II) administered by the school and scheduled by the school in advance; and
(III) not necessary to protect the immediate health and safety of the student, or of other students.
- Existing policies
A local educational agency need not develop and adopt new policies if the State educational agency or local educational agency has in place, on January 8, 2002, policies covering the requirements of paragraph (1). The agency shall provide reasonable notice of such existing policies to parents and guardians of students, in accordance with paragraph (2).
(A) Educational products or services
Paragraph (1)(E) does not apply to the collection, disclosure, or use of personal information collected from students for the exclusive purpose of developing, evaluating, or providing educational products or services for, or to, students or educational institutions, such as the following:
(i) College or other postsecondary education recruitment, or military recruitment.
(ii) Book clubs, magazines, and programs providing access to low-cost literary products.
(iii) Curriculum and instructional materials used by elementary schools and secondary schools.
(iv) Tests and assessments used by elementary schools and secondary schools to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information about students (or to generate other statistically useful data for the purpose of securing such tests and assessments) and the subsequent analysis and public release of the aggregate data from such tests and assessments.
(v) The sale by students of products or services to raise funds for school-related or education-related activities.
(vi) Student recognition programs.
(B) State law exception
The provisions of this subsection—
(i) shall not be construed to preempt applicable provisions of State law that require parental notification; and
(ii) do not apply to any physical examination or screening that is permitted or required by an applicable State law, including physical examinations or screenings that are permitted without parental notification.
- General provisions
- Rules of construction
(i) This section does not supersede section 1232g of this title.
(ii) Paragraph (1)(D) does not apply to a survey administered to a student in accordance with the Individuals with Disabilities Education Act (20 U.S.C. 1400 et seq.).
- Student rights
The rights provided to parents under this section transfer to the student when the student turns 18 years old, or is an emancipated minor (under an applicable State law) at any age.
- Information activities
The Secretary shall annually inform each State educational agency and each local educational agency of the educational agency's obligations under this section and section 1232g of this title.
A State educational agency or local educational agency may use funds provided under part A of title V of the Elementary and Secondary Education Act of 1965 [20 U.S.C. 7201 et seq.] to enhance parental involvement in areas affecting the in-school privacy of students.
As used in this subsection:
- Instructional material
The term “instructional material” means instructional content that is provided to a student, regardless of its format, including printed or representational materials, audio-visual materials, and materials in electronic or digital formats (such as materials accessible through the Internet). The term does not include academic tests or academic assessments.
- Invasive physical examination
The term “invasive physical examination” means any medical examination that involves the exposure of private body parts, or any act during such examination that includes incision, insertion, or injection into the body, but does not include a hearing, vision, or scoliosis screening.
- Local educational agency
The term “local educational agency” means an elementary school, secondary school, school district, or local board of education that is the recipient of funds under an applicable program, but does not include a postsecondary institution.
The term “parent” includes a legal guardian or other person standing in loco parentis (such as a grandparent or stepparent with whom the child lives, or a person who is legally responsible for the welfare of the child).
- Personal information
The term “personal information” means individually identifiable information including—
(i) a student or parent's first and last name;
(ii) a home or other physical address (including street name and the name of the city or town);
(iii) a telephone number; or
(iv) a Social Security identification number.
The term “student” means any elementary school or secondary school student.
The term “survey” includes an evaluation.
Educational agencies and institutions shall give parents and students effective notice of their rights under this section.
The Secretary shall take such action as the Secretary determines appropriate to enforce this section, except that action to terminate assistance provided under an applicable program shall be taken only if the Secretary determines that—
(1) there has been a failure to comply with such section; and
(2) compliance with such section cannot be secured by voluntary means.
- Office and review board
The Secretary shall establish or designate an office and review board within the Department of Education to investigate, process, review, and adjudicate violations of the rights established under this section.
(Pub. L. 90–247, title IV, §445, formerly §439, as added Pub. L. 93–380, title V, §514(a), Aug. 21, 1974, 88 Stat. 574; amended Pub. L. 95–561, title XII, §1250, Nov. 1, 1978, 92 Stat. 2355; Pub. L. 103–227, title X, §1017, Mar. 31, 1994, 108 Stat. 268; renumbered §445, Pub. L. 103–382, title II, §212(b)(1), Oct. 20, 1994, 108 Stat. 3913; amended Pub. L. 107–110, title X, §1061, Jan. 8, 2002, 115 Stat. 2083.)
REFERENCES IN TEXT
The Individuals with Disabilities Education Act, referred to in subsec. (c)(5)(A)(ii), is title VI of Pub. L. 91–230, Apr. 13, 1970, 84 Stat. 175, as amended, which is classified generally to chapter 33 (§1400 et seq.) of this title. For complete classification of this Act to the Code, see section 1400 of this title and Tables.
The Elementary and Secondary Education Act of 1965, referred to in subsec. (c)(5)(D), is Pub. L. 89–10, Apr. 11, 1965, 79 Stat. 27, as amended. Part A of title V of the Act is classified generally to part A (§7201 et seq.) of subchapter V of chapter 70 of this title. For complete classification of this Act to the Code, see Short Title note set out under section 6301 of this title and Tables.
A prior section 445 of Pub. L. 90–247 was classified to section 1233d of this title prior to repeal by Pub. L. 103–382.
2002—Subsec. (b)(1) to (8). Pub. L. 107–110, §1061(1), added pars. (1) to (8) and struck out former pars. (1) to (7) which read as follows:
“(1) political affiliations;
“(2) mental and psychological problems potentially embarrassing to the student or his family;
“(3) sex behavior and attitudes;
“(4) illegal, anti-social, self-incriminating and demeaning behavior;
“(5) critical appraisals of other individuals with whom respondents have close family relationships;
“(6) legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; or
“(7) income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program),”.
Subsec. (c) to (f). Pub. L. 107–110, §1061(2), (3), added subsec. (c) and redesignated former subsecs. (c) to (e) as (d) to (f), respectively.
1994—Pub. L. 103–227 amended section generally, substituting in subsec. (a), provisions relating to inspection of instructional materials by parents or guardians for similar provisions, in subsec. (b), provisions relating to limits on survey, analysis, or evaluations for provisions relating to psychiatric or psychological examinations, testing, or treatment, and adding subsecs. (c) to (e).
1978—Pub. L. 95–561 designated existing provisions as subsec. (a) and added subsec. (b).
EFFECTIVE DATE OF 2002 AMENDMENT
Amendment by Pub. L. 107–110 effective Jan. 8, 2002, except with respect to certain noncompetitive programs and competitive programs, see section 5 of Pub. L. 107–110, set out as an Effective Date note under section 6301 of this title.
EFFECTIVE DATE OF 1978 AMENDMENT
Amendment by Pub. L. 95–561 effective Oct. 1, 1978, see section 1530(a) of Pub. L. 95–561, set out as a note under section 1221e–3 of this title.
Section 514(b) of Pub. L. 93–380 provided that: “The amendment made by subsection (a) [enacting this section] shall be effective upon enactment of this Act [Aug. 21, 1974].”
The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. The following is a link to the official Federal Trade Commission (FTC) website regarding COPPA.
Children's Privacy | Federal Trade Commission (ftc.gov)
If you have any questions/comments/suggestions about district data sharing and student privacy policies, please call the Assistant Superintendent for Curriculum, Instruction and Assessment Office at 516-887-0255.
The following is a link to the official New York State Education Department (NYSED) website to file a complaint with the Chief Privacy Officer alleging that Personally Identifiable Information (PII) has been disclosed to or accessed by an unauthorized person.
Report an Improper Disclosure | New York State Education Department (nysed.gov)
The following is a link to the official National Institute of Standards and Technology (NIST) website. NIST is part of the U.S. Department of Commerce, and its cybersecurity measurements program aims to better equip organizations to purposefully and effectively manage their cybersecurity risks.
National Institute of Standards and Technology | NIST
Education Law Section 2-d, known amongst NY schools as EdLaw 2-d, provides “guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data.” The following are links to the official New York State Education Department (NYSED) and New York State Senate websites regarding Education Law 2-d.