Requires notification of parents when student directory personally identifiable information is released to third parties; provides an opportunity to opt out.
Ayes (62): Adams, Addabbo, Alesi, Avella, Ball, Bonacic, Breslin, Carlucci, DeFrancisco, Diaz, Dilan, Duane, Espaillat, Farley, Flanagan, Fuschillo, Gallivan, Gianaris, Golden, Griffo, Grisanti, Hannon, Hassell-Thomps, Huntley, Johnson, Kennedy, Klein, Krueger, Kruger, Lanza, Larkin, LaValle, Libous, Little, Marcellino, Martins, Maziarz, McDonald, Montgomery, Nozzolio, O'Mara, Oppenheimer, Parker, Peralta, Perkins, Ranzenhofer, Ritchie, Rivera, Robach, Saland, Sampson, Savino, Serrano, Seward, Skelos, Smith, Squadron, Stavisky, Stewart-Cousin, Valesky, Young, Zeldin
TITLE OF BILL: An act to amend the education law, in relation to the release of personally identifiable student information by school districts
PURPOSE: To enhance privacy protections to students' personally identifiable student information contained in student education records maintained by schools and school districts and place additional restrictions on the release of personally identifiable student information.
SUMMARY OF PROVISIONS: The Education Law is amended by adding a new section 3212-b to describe the lawful and unlawful dissemination of disclosable directory information and personally identifiable student information. This new section defines, under this act, student; school; disc10sable directory information (DDI); and personally identifiable student information (PISI).
Subsection 2 stipulates the legal dissemination of disclosable directory information and the provisions for the parents or student in attendance from opting-out of the dissemination of such information, and the prohibition of the dissemination of personally identifiable student information, unless the school receives the affirmative consent to do so from the parent or student in attendance.
Disclosable Directory Information (DDI). The dissemination of a student's educational record within the school district is not restricted, and will comport with existing laws and regulations within said school district. A school district may disseminate students' directory information to the parent or student in attendance, and any educational agency, organization, or institution; and a school district may disseminate students' directory information to a school club, newspaper, yearbook, honor roll, and the like, unless the parent or student in attendance prohibits the school district from doing so.
Personally Identifiable Student Information (PISI). A school district may only distribute this information with the affirmative consent of the parent or student in attendance. If a parent or student grants the affirmative consent, the school may disseminate PISI to: another parent or student in attendance at the school; to non-profit that seeks the information for a specific purpose deemed to be beneficial for the student, and that has not violated the disclosure procedures stipulated in this section. If the third party violates the wishes of the custodial parent or student over the age of 18, it is prohibited from receiving this information for a period of five years.
Furthermore, even with the affirmative consent of the parent or student in attendance, the school is prohibited from disseminating students' PISI to a third party for profit-making purposes, such as for marketing products or services, and selling the information for commercial purposes.
Subsection 3 outlines the procedures for school districts notification of parents or students of their rights under this bill. To achieve active parental consent, within the first week of each new school year, the school district must issue a public notice, include in the student handbook, and send home with the student, information stipulating the disclosure procedures for the DDI and PISI. The disclosure information shall consist of the definition of disclosable directory information and personally identifiable student information as defined in this act; the procedures for obtaining affirmative consent for prohibiting the school district from disseminating the student's DDI to a third party for non-profit purposes; the procedures for obtaining affirmative consent for authorizing the school district to disseminate the student's PISI to a third party for non-profit purposes.
If the school district does not receive a response from the parent or student 30 days of the dissemination of the disclosure information notice, the school district will operate under the premise that: (i) The parent or student did not opt-out, thus allowing the school district to disseminate the DDI to a third party for non-profit purposes; and (ii) the parent or student did not opt-in, thus prohibiting the school district from disseminating the PISI to a third party for nonprofit purposes
Subsection 4 states that the new law shall not limit an employee of the board of education, state, court, of federal government from public school records purely for administrative purposes. Subsection 5 provides for exemptions with regard to military recruitment, in order to comply with federal law.
Section 2 of the bill sets the effective date.
EXISTING LAW: Currently, under the federal Family Education Rights Privacy Act, known as FERPA, schools are required to notify parents at the beginning of the school year of their right to "opt out" of school disclosure of a student's personally identifiable information. This information, which is maintained by the school, is defined under FERPA as "information ... that would not generally be considered harmful or an invasion of privacy if disclosed." Students' personally identifiable information may be requested by and disclosed to for-profit organizations related to school activities, such as school ring companies or athletic team apparel and equipment. However, under FERPA, there are no restrictions on who may request or receive this information from a school. The U.S. military and institutions of higher learning have access to student directory information without parental or student consent. A school also can release a student's personally identifiable information to another school, the New York State Education Department, or law enforcement agencies as necessary without alerting parents and/or students.
A school must annually notify students of their rights under FERPA. The annual notification must include information regarding a student's right to inspect and review his or her education records, the right to seek to amend the records, and the right to consent to disclosure of personally identifiable information from the records. However, FERPA does not require the school to notify students of
these rights on an individual basis, so the school may meet FERPA requirements by posting this information on its website, school calendar, or student handbook, for example. Also, under FERPA, non-consensual disclosure of Directory Information may be released to school-related organizations and businesses. There are no provisions governing the re-selling of this information in secondary markets, including to marketers or other nonacademic-related companies, for example. Nor are there civil penalties to parties that misuse personal and identifiable information about students. Therefore, once a student's personally identifiable information is disclosed, it is difficult to control how and where it is disseminated. This may result in student's personally identifiable information being used in direct marketing campaigns and targeted advertising. The information, once released, also has the potential to compromise student safety and security if used by the wrong parties.
JUSTIFICATION: New York has the opportunity to enhance and strengthen privacy protections for its students, which is especially critical as personally identifiable information will be digitized and shared electronically to audit and evaluate state and local education programs and to support the Statewide Longitudinal Data Systems. This makes data security and student safety of paramount concern and the State has an interest to ensure the disclosure of students' personally identifiable information meets the standards of the Fair Information Practice Principles, as outlined by the Federal Trade Commission: notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress.
While FERPA protects student information privacy it does not go far enough, nor does it adequately address the privacy issues of the electronic age and the capacity of marketers and other commercial enterprises to capture, use, and re-sell student information. Even with privacy controls in place, it is also far too easy for individuals to get a hold of student information and use it for illegal purposes', including identity theft, child abduction in custody battles, and domestic violence.
Therefore, this proposed legislation will enhance the protection to New York students and their families by stipulating that a student's personally identifiable information will only be disclosed to a third party for non-profit purposes with the consent from the parent or student, if the student is over age 18. Further, directory information, which can be disclosed under current law, may be restricted at the request of a parent or student over the age of 18. Lastly, this bill further enhances privacy by completely prohibiting the disclosure of directory information or personally identifiable information to a third party for profit-making purposes.
This legislation will give parents and students greater control over disclosure of personally identifiable information to third parties. It will protect students from their personal information being used by marketers who re-sell their information in secondary markets. The sophisticated electronic systems used to identify and breach the privacy of individuals should not have access to the personally identifiable information of vulnerable students. This added
protection to New York students would protect them from opportunistic marketers and from identity theft.
Schools have been found to have varying degrees of conformance with the basic FERPA privacy requirements. Schools must become more proactive in providing parents with adequate notice of their rights to keep students' information private and handling the information as sensitive data. New York has the opportunity to become a national leader in helping schools to protect students from violations of their privacy by affording them added protections and the option not to disclose locator information.
Recent proposed amendments to FERPA underscore this need, as students' personally identifiable information and data will be mined for the Statewide Longitudinal Data Systems, audit and evaluation of education programs, and research projects. Student data will be shared across government agency systems and with researchers, increasing the risk of data breaches and privacy violations. The proposed New York legislation would further restrict the release of personally identifiable information so that there will be fewer opportunities for data security to be compromised and do harm to an individual or group of students.
This legislation would create additional and needed privacy protections for students while not imposing any mandates or requiring additional spending by New York schools. The legislation will remind schools of their very serious obligation to protect student privacy, the risks of disclosing student information to commercial enterprises, and the challenges of collecting and disseminating personal data in the digital age. Schools are stewards of students' personally identifiable information and as such must adhere to the highest standards of practice in protecting privacy and confidentiality. This legislation will provide those standards and serve as a model for other states seeking to protect the privacy, safety, and security of its students.
LEGISLATIVE HISTORY: S.7414-A/A.10795-A of 2009-2010
FISCAL IMPLICATIONS: None.
EFFECTIVE DATE: Shall take effect on July 1, 2011 and shall apply to school years beginning with the 2011-12 school year.
STATE OF NEW YORK ________________________________________________________________________ 2357--B 2011-2012 Regular Sessions IN SENATE January 19, 2011 ___________Introduced by Sen. OPPENHEIMER -- read twice and ordered printed, and when printed to be committed to the Committee on Education -- commit- tee discharged, bill amended, ordered reprinted as amended and recom- mitted to said committee -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the education law, in relation to the release of personally identifiable student information by school districts THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS: Section 1. The education law is amended by adding a new section 3212-b to read as follows: S 3212-B. RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION BY SCHOOL DISTRICTS. 1. FOR THE PURPOSES OF THIS SECTION THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS: (A) "STUDENT" SHALL MEAN AND INCLUDE ANY PERSON WITH RESPECT TO WHOM AN EDUCATIONAL AGENCY OR INSTITUTION MAINTAINS EDUCATION RECORDS OR PERSONALLY IDENTIFIABLE INFORMATION, BUT DOES NOT INCLUDE A PERSON WHO HAS NOT BEEN IN ATTENDANCE AT SUCH AGENCY OR INSTITUTION. (B) THE TERM "SCHOOL" MEANS ANY PUBLIC SCHOOL; IN ANY CITY, UNION FREE, COMMON OR CENTRAL SCHOOL DISTRICT, ANY NON-PUBLIC SCHOOL OF SECONDARY EDUCATION; AND ANY SCHOOL OF HIGHER EDUCATION. (C) DISCLOSABLE DIRECTORY INFORMATION (DDI) HEREAFTER REFERRED TO IN THIS SECTION AS "DIRECTORY INFORMATION", MEANS WITH RESPECT TO A STUDENT, THE STUDENT'S NAME; PHOTOGRAPH; AGE; MAJOR FIELD OF STUDY; GRADE LEVEL; ENROLLMENT STATUS (E.G., UNDERGRADUATE OR GRADUATE, FULL-TIME OR PART-TIME); DATES OF ATTENDANCE; PARTICIPATION IN OFFICIAL- LY RECOGNIZED ACTIVITIES AND SPORTS; WEIGHT AND HEIGHT OF MEMBERS OF ATHLETIC TEAMS; DEGREES, HONORS AND AWARDS RECEIVED; AND THE MOST RECENT EDUCATIONAL AGENCY OR INSTITUTION ATTENDED.EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD07381-08-1 S. 2357--B 2
(D) "PERSONALLY IDENTIFIABLE STUDENT INFORMATION (PISI)" SHALL INCLUDE DISCLOSABLE DIRECTORY INFORMATION, AND A STUDENT'S OR PARENT'S ADDRESS, TELEPHONE NUMBER, AND E-MAIL ADDRESS. 2. (A) A SCHOOL MAY DISCLOSE DIRECTORY INFORMATION ABOUT A STUDENT ONLY: (I) IF THE DISCLOSURE DOES NOT INCLUDE ANY INFORMATION OTHER THAN DISCLOSABLE DIRECTORY INFORMATION AS DEFINED IN THIS SECTION; (II) AFTER GIVING THE PARENT OF THE STUDENT IN ATTENDANCE OR THE ELIGIBLE STUDENT IN ATTENDANCE AT THE SCHOOL NOTICE AND AN OPPORTUNITY TO OPT-OUT OF THE DISCLOSURE IN ACCORDANCE WITH SUBDIVISION THREE OF THIS SECTION; AND (III) IF THE DISCLOSURE IS TO A SCHOOL NEWSPAPER, LOCAL NEWSPAPER, SCHOOL CLUB OR ORGANIZATION, SCHOOL YEARBOOK, HONOR ROLL OR OTHER RECOG- NITION LIST, GRADUATION PROGRAM, SPORTS RELATED PUBLICATION WHICH PROVIDES SPECIFIC INFORMATION ABOUT PARTICULAR STUDENTS FOR THE PURPOSES OF A SPECIFIC SPORTS ACTIVITY OR FUNCTION, OR PARENT AND TEACHER ORGAN- IZATION. (B) A SCHOOL MAY DISCLOSE PERSONALLY IDENTIFIABLE STUDENT INFORMATION ONLY WITH THE AFFIRMATIVE CONSENT OF THE PARENT OF THE STUDENT IN ATTENDANCE OR THE ELIGIBLE STUDENT IN ATTENDANCE IN ACCORDANCE WITH THE PROCEDURE PROVIDED IN SUBDIVISION THREE OF THIS SECTION IF: (I) THE DISCLOSURE IS TO THE PARENT OF ANY STUDENT IN ATTENDANCE OR ANY ELIGIBLE STUDENT IN ATTENDANCE AT THE SCHOOL; OR (II) THE DISCLOSURE IS TO A NON-PROFIT ORGANIZATION THAT: (A) SEEKS THE INFORMATION FOR A SPECIFIC PURPOSE DETERMINED BY THE SCHOOL TO BE BENEFICIAL TO THE STUDENT; (B) STATES IN WRITING THAT IT HAS NOT USED OR DISCLOSED PERSONALLY IDENTIFIABLE STUDENT INFORMATION FROM ANY SCHOOL IN A MANNER INCONSISTENT WITH THE TERMS OF DISCLOSURE WITHIN THE PAST FIVE YEARS; AND (C) AGREES IN WRITING TO USE THE INFORMATION ONLY FOR THAT PURPOSE AND TO RETURN OR DESTROY THE INFORMATION WHEN THE PURPOSE HAS BEEN FULFILLED OR WITHIN ONE YEAR AFTER RECEIPT, WHICHEVER COMES FIRST; AND (III) THE SCHOOL HAS NO REASON TO BELIEVE THAT THE RECIPIENT HAS USED OR DISCLOSED PERSONALLY IDENTIFIABLE STUDENT INFORMATION FROM ANY SCHOOL IN A MANNER INCONSISTENT WITH THE TERMS OF THE DISCLOSURE WITHIN THE PAST FIVE YEARS. (C) UNLESS OTHERWISE ALLOWED BY LAW, A SCHOOL MAY NOT, EVEN WITH THE AFFIRMATIVE CONSENT OF THE PARENT OF THE STUDENT IN ATTENDANCE OR THE ELIGIBLE STUDENT IN ATTENDANCE, DISCLOSE PERSONALLY IDENTIFIABLE STUDENT INFORMATION FOR A COMMERCIAL, FOR-PROFIT ACTIVITY INCLUDING BUT NOT LIMITED TO USE FOR: (I) MARKETING PRODUCTS OR SERVICES; (II) SELLING PERSONALLY IDENTIFIABLE STUDENT INFORMATION FOR USE IN MARKETING PRODUCTS OR SERVICES; (III) CREATING OR CORRECTING AN INDIVIDUAL OR HOUSEHOLD PROFILE; (IV) COMPILATION OF A STUDENT LIST; (V) SALE OF THE INFORMATION FOR ANY COMMERCIAL PURPOSE; OR (VI) ANY OTHER PURPOSE CONSIDERED BY THE SCHOOL AS LIKELY TO BE A COMMERCIAL, FOR-PROFIT ACTIVITY. (D) IN MAKING AN ALLOWABLE DISCLOSURE UNDER THIS SUBDIVISION, A SCHOOL MAY ONLY DISCLOSE THE MINIMUM AMOUNT OF INFORMATION NECESSARY TO ACCOM- PLISH THE PURPOSE OF THE DISCLOSURE. 3. WITHIN THE FIRST WEEK OF EACH SCHOOL YEAR, EACH SCHOOL DISTRICT SHALL ISSUE A PUBLIC NOTICE, INCLUDE IN THE STUDENT HANDBOOK, AND SEND HOME WITH EVERY STUDENT, INFORMATION STIPULATING THE DISCLOSURE PROCE-S. 2357--B 3
DURES FOR DISCLOSABLE DIRECTORY INFORMATION AND PERSONALLY IDENTIFIABLE STUDENT INFORMATION. (A) THE DISCLOSURE INFORMATION SHALL CONSIST OF THE DEFINITION OF DISCLOSABLE DIRECTORY INFORMATION AND PERSONALLY IDENTIFIABLE STUDENT INFORMATION AS SET FORTH IN THIS SECTION; AND SHALL ALSO INCLUDE: (I) THE PROCEDURE FOR PROHIBITING THE SCHOOL FROM DISSEMINATING DISC- LOSABLE DIRECTORY INFORMATION UNDER PARAGRAPH (A) OF SUBDIVISION TWO OF THIS SECTION AND A DESCRIPTION OF ANY DIRECTORY INFORMATION THAT THE SCHOOL PROPOSES TO DISCLOSE DURING THE SCHOOL YEAR; AND (II) THE PROCEDURE FOR AUTHORIZING THE SCHOOL TO DISCLOSE PERSONALLY IDENTIFIABLE STUDENT INFORMATION UNDER PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION AND A DESCRIPTION OF ANY PERSONALLY IDENTIFIABLE STUDENT INFORMATION THAT THE SCHOOL PROPOSES TO DISCLOSE DURING THE SCHOOL YEAR. (B) (I) IF THE SCHOOL DOES NOT RECEIVE NOTICE FROM THE PARENT OF A STUDENT IN ATTENDANCE OR THE ELIGIBLE STUDENT IN ATTENDANCE AT THE SCHOOL PROHIBITING THE DISCLOSURE OF DIRECTORY INFORMATION WITHIN THIRTY DAYS OF THE DISSEMINATION OF THE INFORMATION REQUIRED TO BE PROVIDED IN PARAGRAPH (A) OF THIS SUBDIVISION, THE SCHOOL MAY DISSEMINATE DISCLOSA- BLE DIRECTORY INFORMATION RELATING TO THE STUDENT PURSUANT TO PARAGRAPH (A) OF SUBDIVISION TWO OF THIS SECTION. (II) IF THE SCHOOL DOES RECEIVE CONSENT FROM THE PARENT OF A STUDENT IN ATTENDANCE OR THE ELIGIBLE STUDENT IN ATTENDANCE AT THE SCHOOL TO DISCLOSE PERSONALLY IDENTIFIABLE STUDENT INFORMATION UNDER PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION, THE SCHOOL MAY DISSEMINATE PERSONALLY IDENTIFIABLE STUDENT INFORMATION AS SET FORTH IN THIS SECTION. 4. NOTHING IN THIS SECTION SHALL LIMIT THE ADMINISTRATIVE USE OF PUBLIC SCHOOL RECORDS BY A PERSON ACTING EXCLUSIVELY IN THE PERSON'S CAPACITY AS AN EMPLOYEE OF A BOARD OF EDUCATION OR OF THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT, OR THE FEDERAL GOVERNMENT. 5. THE PROVISIONS OF THIS SECTION SHALL NOT APPLY TO THE RELEASE OF PERSONALLY IDENTIFIABLE STUDENT INFORMATION TO THE DEPARTMENT, THE UNITED STATES MILITARY, OR ANY INSTITUTION OF HIGHER EDUCATION, ANY POLITICAL SUBDIVISION OR FEDERAL AGENCY THAT DEMONSTRATES AN APPROPRIATE NEED FOR THE INFORMATION OR A SCHOOL DISTRICT OR SCHOOL THAT DEMON- STRATES AN APPROPRIATE NEED FOR THE INFORMATION. S 2. This act shall take effect July 1, 2011 and shall apply to school years beginning with the 2011-2012 academic year.