This bill has been amended

Bill S6007-2013

Establishes penalties for the unauthorized release of personally identifiable information from student records and certain records of classroom teachers and building principals


Details

Actions

  • Jan 14, 2014: 1ST REPORT CAL.28
  • Jan 9, 2014: COMMITTEE DISCHARGED AND COMMITTED TO EDUCATION
  • Jan 8, 2014: REFERRED TO RULES
  • Dec 11, 2013: REFERRED TO RULES

Votes

VOTE: COMMITTEE VOTE: - Education - Jan 14, 2014
Ayes (18): Flanagan, Farley, Lanza, Little, Marcellino, Maziarz, Ranzenhofer, Robach, Seward, Valesky, Martins, Latimer, Addabbo, Avella, Breslin, Montgomery, Stavisky, Tkaczyk
Ayes W/R (1): LaValle

Memo

BILL NUMBER: S6007

TITLE OF BILL: An act to amend the education law and the penal law, in relation to establishing penalties for the unauthorized release of personally identifiable information from student records and certain records of classroom teachers and building principals

PURPOSE:

This bill enhances protections and creates stricter penalties in the case of a breach of data as it relates to the protections of personally identifiable information of students and certain records of teachers and building principals as they relate to annual professional performance reviews.

SUMMARY OF PROVISIONS:

Section 1: Section 1 amends section 305 of the education law by adding a new subdivision 43. The bill first lays out the definitions as used within the act. Notable definitions include: "student data" which refers to the personally identifiable information ("PII") of a student; "teacher or principal data" which refers to the PII of teachers and principals in regards to their annual professional performance reviews; and "third party contractor" which refers to persons or entities who are allowed to access such PII of students, teachers, or principals.

The bill thereafter creates the position of Chief Privacy Officer ("CPO") within the State Education Department ("SED"). The CPO shall be selected by the commissioner and shall be responsible for formulating the policies and procedures as they relate to student data or teacher or principal data. The CPO shall be required by January 1, 2014, and each January first thereafter, to submit an annual report to the executive and legislative branches that will address issues and updates on student data and privacy in the State.

The bill requires the CPO to work with members of the New York State Educational Conference Board and parents to establish a Parents Bill of Rights for Data Privacy and Security ("Parents Bill of Rights"). The Parents Bill of Rights shall be required to be signed and adhered to by any third party contractor that enters into an agreement with an educational agency, i.e., a district or BOCES, or the SED, where that third party contractor receives any PII of students, teachers, or principals. The Parents Bill of Rights is to be completed within 120 days of this bill being enacted.

The bill would also permit districts to opt out of having the data they are required to submit to SED due to federal and state requirements from being uploaded to SED's statewide education data portal ("EDP").

The bill requires that the CPO publish on SED's website a complete list of all data elements that are collected, why such data elements are collected, and the legal and/or regulatory authority the department has to collect such data elements.

The bill additionally requires that any time there is a breach of student data or teacher or principal data that the third party contractor notify the district, parent, teacher, and/or principal, as applicable, in the most expedient way possible and without unreasonable delay. If a third party contractor fails to notify in the most expedient way possible and without unreasonable delay, the third party contractor may be subject to a class E felony as well as a civil penalty up to $150,000.

SED is authorized to impose administrative penalties that are greater than the penalties that the federal Family Educational Rights and Privacy Act ("FERPA") provides. SED may prohibit a third party contractor from accessing student data or teacher or principal data from the district that is harmed or from any district within the state for a fixed period of up to five years. SED may also determine that the third party contractor is not deemed a "responsible bidder" for purposes of submitting requests for proposals or that the third party contractor must provide additional training to its employees in the areas of data privacy and security. If it is determined that any release of data was no fault of the third party contractor, the department may make a finding that no administrative penalties should be imposed.

The bill would also require the commissioner to establish regulations whereby individuals may submit complaints of a possible breach of data to the CPO.

The bill would also require SED to promulgate regulations outlining best practices for districts to follow in regards to privacy and security. Each district would have 90 days from enactment of this legislation to ensure it has adopted the best practices guidelines.

Moreover, each third party contractor would be required to establish that it has privacy protections in place when it contracts to acquire student data or teacher or principal data in its official capacities. The third party contractor would also have to agree in writing to abide by the terms of the Parents Bill of Rights each time it receives student data or teacher or principal data.

Finally, the bill outlines civil penalties that may be imposed upon a third party contractor if they are in violation of this act.

Section 2: Section 2 creates new definitions in the penal law by amending subdivision 7 and creating new subdivisions 10, 11, and 12 to section 156.00 of the penal law.

Section 3: Section 3 creates a new class E felony in section 156.30 of the penal law when a person is guilty of unlawful duplication of computer material in the first degree with the intent to disseminate such material.

Section 4: Section 4 adds a new subdivision 8 to section 165.45 of the penal law.

Section 5: Section 5 sets forth an effective date that this act shall take effect 90 days after it shall become law, provided however, the commissioner shall have 120 days from enactment to establish a Parents Bill of Rights.

JUSTIFICATION:

For many years it has been the prerogative of school districts and the State Education Department ("SED") to collect data on our students to better enhance the students' educational experience and to allow for the efficient operation of school districts. By collecting data on our students, teachers and administrators can better formulate lesson plans and better provide services that our students desperately need. The data that has been collected has also been very beneficial to parents who, in many instances, have the opportunity to quickly access their child's grades and attendance records.

Presently, every district in the state contracts with third party vendors to provide many of the services that benefit our children. This is not a new phenomenon. In fact, using outside vendors to provide services to districts has been an established practice and protocol for many years. These services include transportation, food and lunch programs, and special education services, among many others. These types of services would be very costly and time consuming if individual districts had the burden of administering them exclusively. Vendors, therefore, are a necessary component of a child's education because most districts do not have the time, resources, or expertise to provide the services being provided under the contract. Simply put, if a district did not contract out for these services, our students would not be receiving the high quality education that we should expect for all of our students.

Consent, in certain instances, is not needed by parents or eligible students by third party contractors that collect personally identifiable information ("PII") because of exceptions in the federal Family Educational Rights and Privacy Act ("FERPA") and its implementing regulations. These excepted circumstances are institutional services that are necessary for the functioning of a school district. As indicated above, without these institutional services provided by third party contractors, school districts would severely struggle to exist and children would be denied necessary services.

While FERPA contains many protections to prevent PII from being disclosed to inappropriate parties or being re-disclosed if given to a third party contractor, FERPA should be viewed as a floor. The only penalty available under FERPA is a five-year prohibition from accessing data from the respective school district that the third party contractor received the data from.

This bill would accomplish beneficial goals to enhance the protections of our students' PII. It would create greater transparency of what data is being collected, who has access to it, and what happens to the data when the contracted for services are completed. It would create a Chief Privacy Officer ("CPO") to oversee student data and privacy at the department. In addition, it creates very strict civil and criminal penalties to act as deterrents from abuse. Importantly, this bill would not only protect the PII of our students, but it would also protect the PII of our teachers and principals in their annual professional performance reviews ("APPR").

Another critical aspect of this bill is to allow districts to opt out of having the student, teacher, and principal data they already send to the department based on state and federally required directives, from being uploaded to the as-yet-complete education data portal ("EDP"). Since 2010, the Regents Reform Agenda has ambitiously changed the educational landscape in New York through a transition to the common core standards, common core aligned assessments, and a teacher and principal evaluation system. While these are all important and noteworthy steps in ensuring every student in the state receives a high quality education, there has been considerable consternation on the part of parents, administrators, teachers, and students at the pace at which the Reform Agenda has been rolled out. Changes are continually being advanced to ensure those initiatives are implemented correctly, and notably, districts and their unions are right now going back to the table to fine tune their APPR plans. Therefore, districts, parents, teachers, and students simply cannot afford another onerous obligation on top of the significant changes they are currently undertaking.

There is no doubt that some districts would reap immediate benefits from the EDP; however, it should at the very least be optional for districts to take part in this mandated initiative while they continue to deal with the already complex and time consuming implemented aspects of the Reform Agenda. While participation in the EDP under this legislation would be optional, it is important to note that districts would still, as has been current practice, be obligated to send the data they are currently required to collect to the Department.

It is fundamental that we protect our students', teachers', and principals' PII from being used inappropriately. It is also important that we allow districts to continue to use data responsibly in order to provide necessary services for our students by continuing to allow third parties to provide the services they have been providing for many years. This bill would strike an appropriate balance between protecting our students, teachers and principals, and allowing districts to provide necessary services efficiently.

LEGISLATIVE HISTORY:

New bill

FISCAL IMPLICATIONS:

To be determined.

EFFECTIVE DATE:

This act shall take effect on the ninetieth day after it shall become law, provided however, the commissioner shall have 120 days from enactment to develop a parents bill of rights for student data and privacy.


Text

STATE OF NEW YORK

6007

2013-2014 Regular Sessions

IN SENATE

December 11, 2013

Introduced by Sen. FLANAGAN -- read twice and ordered printed, and when printed to be committed to the Committee on Rules

AN ACT to amend the education law and the penal law, in relation to establishing penalties for the unauthorized release of personally identifiable information from student records and certain records of classroom teachers and building principals

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1. Section 305 of the education law is amended by adding a new subdivision 43 to read as follows:

43. UNAUTHORIZED RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION.

A. AS USED IN THIS SUBDIVISION THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:

(1) "BUILDING PRINCIPAL" MEANS A BUILDING PRINCIPAL SUBJECT TO ANNUAL PERFORMANCE EVALUATION REVIEW UNDER THE PROVISIONS OF SECTION THREE THOUSAND TWELVE-C OF THIS CHAPTER.

(2) "CLASSROOM TEACHER" MEANS A TEACHER SUBJECT TO ANNUAL PERFORMANCE EVALUATION REVIEW UNDER THE PROVISIONS OF SECTION THREE THOUSAND TWELVE-C OF THIS CHAPTER.

(3) "EDUCATIONAL AGENCY" MEANS A SCHOOL DISTRICT, BOARD OF COOPERATIVE EDUCATIONAL SERVICES, SCHOOL, INSTITUTION OF HIGHER EDUCATION OR THE EDUCATION DEPARTMENT.

(4) "INSTITUTION OF HIGHER EDUCATION" MEANS AN ENTITY WITH A CAMPUS IN NEW YORK THAT PROVIDES HIGHER EDUCATION, AS DEFINED IN SUBDIVISION EIGHT OF SECTION TWO OF THIS TITLE, THAT IS SUBJECT TO THE REQUIREMENTS OF THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIRTY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE.

(5) "PERSONALLY IDENTIFIABLE INFORMATION", AS APPLIED TO STUDENT DATA, MEANS PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN SECTION 99.3 OF TITLE THIRTY-FOUR OF THE CODE OF FEDERAL REGULATIONS IMPLEMENTING THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIRTY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, AND, AS APPLIED TO TEACHER OR PRINCIPAL DATA, MEANS "PERSONALLY IDENTIFYING INFORMATION" AS SUCH TERM IS USED IN SUBDIVISION TEN OF SECTION THREE THOUSAND TWELVE-C OF THIS CHAPTER.

(6) "SCHOOL" MEANS ANY PUBLIC ELEMENTARY OR SECONDARY SCHOOL, CHARTER SCHOOL, UNIVERSAL PRE-KINDERGARTEN PROGRAM AUTHORIZED PURSUANT TO SECTION THIRTY-SIX HUNDRED TWO-E OF THIS CHAPTER, AN APPROVED PROVIDER OF PRESCHOOL SPECIAL EDUCATION, ANY OTHER PUBLICLY FUNDED PRE-KINDERGARTEN PROGRAM, AN APPROVED PRIVATE SCHOOL FOR THE EDUCATION OF STUDENTS WITH DISABILITIES, A STATE-SUPPORTED SCHOOL SUBJECT TO THE PROVISIONS OF ARTICLE EIGHTY-FIVE OF THIS CHAPTER, A STATE-OPERATED SCHOOL SUBJECT TO THE PROVISIONS OF ARTICLE EIGHTY-SEVEN OR EIGHTY-EIGHT OF THIS CHAPTER.

(7) "STUDENT" MEANS ANY PERSON ATTENDING OR SEEKING TO ENROLL IN AN EDUCATIONAL AGENCY.

(8) "ELIGIBLE STUDENT" MEANS A STUDENT EIGHTEEN YEARS OR OLDER OR AN EMANCIPATED MINOR. AN EMANCIPATED MINOR AS USED IN THIS SECTION REFERS TO A STUDENT AT LEAST SIXTEEN YEARS OR OLDER WHO IS NO LONGER A DEPENDENT OF OR IN THE CUSTODY OF A PARENT AS DEFINED IN THIS SECTION.

(9) "PARENT" MEANS A PARENT, LEGAL GUARDIAN, OR PERSON IN PARENTAL RELATION TO A STUDENT.

(10) "STUDENT DATA" MEANS PERSONALLY IDENTIFIABLE INFORMATION FROM STUDENT RECORDS OF AN EDUCATIONAL AGENCY.

(11) "TEACHER OR PRINCIPAL DATA" MEANS PERSONALLY IDENTIFIABLE INFORMATION FROM THE RECORDS OF AN EDUCATIONAL AGENCY RELATING TO THE ANNUAL PROFESSIONAL PERFORMANCE REVIEWS OF CLASSROOM TEACHERS OR PRINCIPALS THAT IS CONFIDENTIAL AND NOT SUBJECT TO RELEASE UNDER THE PROVISIONS OF SECTION THREE THOUSAND TWELVE-C OF THIS CHAPTER.

(12) "THIRD PARTY CONTRACTOR" SHALL MEAN ANY PERSON OR ENTITY, OTHER THAN AN EDUCATIONAL AGENCY, THAT RECEIVES STUDENT DATA OR TEACHER OR PRINCIPAL DATA FROM AN EDUCATIONAL AGENCY PURSUANT TO A CONTRACT OR OTHER WRITTEN AGREEMENT FOR PURPOSES OF PROVIDING SERVICES TO SUCH EDUCATIONAL AGENCY, INCLUDING BUT NOT LIMITED TO DATA MANAGEMENT OR STORAGE SERVICES, CONDUCTING STUDIES FOR OR ON BEHALF OF SUCH EDUCATIONAL AGENCY, OR AUDIT OR EVALUATION OF PUBLICLY FUNDED PROGRAMS. SUCH TERM SHALL INCLUDE AN EDUCATIONAL PARTNERSHIP ORGANIZATION THAT RECEIVES STUDENT AND/OR PRINCIPAL DATA FROM A SCHOOL DISTRICT TO CARRY OUT ITS RESPONSIBILITIES PURSUANT TO SECTION TWO HUNDRED ELEVEN-E OF THIS CHAPTER AND IS NOT AN EDUCATIONAL AGENCY AS DEFINED IN SUBPARAGRAPH THREE OF PARAGRAPH A OF THIS SUBDIVISION, AND A NOT-FOR-PROFIT CORPORATION OR OTHER NON-PROFIT ORGANIZATION, OTHER THAN AN EDUCATIONAL AGENCY, OR A FOR-PROFIT CORPORATION OR BUSINESS ENTITY THAT IS AFFILIATED WITH A CHARTER SCHOOL AND PROVIDES MANAGEMENT AND/OR OTHER SERVICES TO SUPPORT THE CHARTER SCHOOL IN ACCORDANCE WITH A CHARTER ISSUED PURSUANT TO ARTICLE FIFTY-SIX OF THIS CHAPTER.

B. (1) THE COMMISSIONER SHALL APPOINT A CHIEF PRIVACY OFFICER WITHIN THE DEPARTMENT. THE CHIEF PRIVACY OFFICER SHALL BE QUALIFIED BY TRAINING OR EXPERIENCE IN STATE AND FEDERAL EDUCATION PRIVACY LAWS AND REGULATIONS, CIVIL LIBERTIES, ANNUAL PROFESSIONAL PERFORMANCE REVIEWS, INFORMATION TECHNOLOGY, AND INFORMATION SECURITY. THE CHIEF PRIVACY OFFICER SHALL REPORT TO THE COMMISSIONER ON MATTERS AFFECTING PRIVACY AND THE SECURITY OF STUDENT, TEACHER, AND PRINCIPAL DATA.

(2) THE FUNCTIONS OF THE CHIEF PRIVACY OFFICER SHALL INCLUDE, BUT NOT BE LIMITED TO:

(I) PROMOTING THE IMPLEMENTATION OF FAIR INFORMATION PRACTICES FOR PRIVACY AND SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;

(II) ASSISTING THE COMMISSIONER IN HANDLING INSTANCES OF DATA BREACHES AS WELL AS ASSISTING THE COMMISSIONER IN DUE PROCESS PROCEEDINGS REGARDING ANY ALLEGED BREACHES OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;

(III) PROVIDING ASSISTANCE TO EDUCATIONAL AGENCIES WITHIN THE STATE ON MINIMUM STANDARDS AND BEST PRACTICES ASSOCIATED WITH PRIVACY AND THE SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;

(IV) FORMULATING A PROCEDURE WITHIN THE DEPARTMENT WHEREBY PARENTS, STUDENTS, TEACHERS, SUPERINTENDENTS, SCHOOL BOARD MEMBERS, PRINCIPALS, AND OTHER PERSONS OR ENTITIES THE CHIEF PRIVACY OFFICER DETERMINES IS APPROPRIATE, MAY REQUEST INFORMATION PERTAINING TO STUDENT DATA OR TEACHER OR PRINCIPAL DATA IN A TIMELY AND EFFICIENT MANNER;

(V) ASSISTING THE COMMISSIONER IN ESTABLISHING A PROTOCOL FOR THE SUBMISSION OF COMPLAINTS OF POSSIBLE BREACHES OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;

(VI) MAKING RECOMMENDATIONS AS NEEDED REGARDING PRIVACY AND THE SECURITY OF STUDENT DATA ON BEHALF OF THE DEPARTMENT TO THE GOVERNOR, THE SPEAKER OF THE ASSEMBLY, THE TEMPORARY PRESIDENT OF THE SENATE, AND THE CHAIRS OF THE SENATE AND ASSEMBLY EDUCATION COMMITTEES;

(VII) DEVELOPING, WITH INPUT FROM THE NEW YORK STATE EDUCATIONAL CONFERENCE BOARD AND PARENTS, THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY; AND

(VIII) ANY OTHER FUNCTIONS THAT THE COMMISSIONER SHALL DEEM APPROPRIATE.

(3) THE CHIEF PRIVACY OFFICER SHALL HAVE THE POWER TO:

(I) ACCESS ALL RECORDS, REPORTS, AUDITS, REVIEWS, DOCUMENTS, PAPERS, RECOMMENDATIONS, AND OTHER MATERIALS MAINTAINED BY AN EDUCATIONAL AGENCY THAT RELATE TO STUDENT DATA OR TEACHER OR PRINCIPAL DATA;

(II) TO REVIEW AND COMMENT UPON ANY DEPARTMENT PROGRAM, PROPOSAL, GRANT, OR CONTRACT THAT INVOLVES THE PROCESSING OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA BEFORE THE COMMISSIONER BEGINS OR AWARDS THE PROGRAM, PROPOSAL, GRANT, OR CONTRACT; AND

(III) ANY OTHER POWERS THAT THE COMMISSIONER SHALL DEEM APPROPRIATE.

(4) THE CHIEF PRIVACY OFFICER SHALL SUBMIT BY JANUARY FIRST, TWO THOUSAND FIFTEEN, AND EACH JANUARY FIRST THEREAFTER, A REPORT OUTLINING A SUMMARY OF ACTIVITIES, RECOMMENDATIONS, COMPLAINTS, AND STATUTORY, REGULATORY OR DEPARTMENTAL CHANGES PERTAINING TO THE PROTECTION OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA. THE REPORT SHALL BE SUBMITTED ON BEHALF OF THE DEPARTMENT TO THE GOVERNOR, THE SPEAKER OF THE ASSEMBLY, THE TEMPORARY PRESIDENT OF THE SENATE, AND THE CHAIRS OF THE SENATE AND ASSEMBLY EDUCATION COMMITTEES. THE REPORT SHALL ALSO BE MADE PUBLICLY AVAILABLE ON THE DEPARTMENT'S WEBSITE.

(5) THE CHIEF PRIVACY OFFICER MAY HOLD MORE THAN ONE POSITION WITHIN THE DEPARTMENT; PROVIDED HOWEVER, THAT NO ADDITIONAL POSITION WILL INTERFERE WITH THE DUTIES OF THE CHIEF PRIVACY OFFICER OUTLINED IN THIS PARAGRAPH.

C. (1) THE CHIEF PRIVACY OFFICER SHALL DEVELOP, WITH INPUT FROM THE NEW YORK STATE EDUCATIONAL CONFERENCE BOARD AND PARENTS, A PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY. THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY SHALL BE INCLUDED WITH EVERY CONTRACT THE DEPARTMENT OR EDUCATIONAL AGENCY ENTERS INTO WITH A THIRD PARTY CONTRACTOR WHERE THE THIRD PARTY CONTRACTOR RECEIVES STUDENT DATA OR TEACHER OR PRINCIPAL DATA. EVERY THIRD PARTY CONTRACTOR THAT ENTERS INTO A CONTRACT WITH THE DEPARTMENT OR AN EDUCATIONAL AGENCY WHERE THE THIRD PARTY CONTRACTOR RECEIVES STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL BE REQUIRED TO AGREE IN WRITING TO ABIDE BY THE PROVISIONS SET FORTH IN THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY. AT A MINIMUM, THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY SHALL INCLUDE:

(I) WHO THE EXCLUSIVE PERSONS OR ENTITIES ARE THAT THE THIRD PARTY CONTRACTOR WILL SHARE THE STUDENT DATA OR TEACHER OR PRINCIPAL DATA WITH, IF ANY;

(II) WHEN THE AGREEMENT EXPIRES AND WHAT HAPPENS TO THE STUDENT DATA OR TEACHER OR PRINCIPAL DATA UPON EXPIRATION OF THE AGREEMENT;

(III) IF AND HOW A PARENT, STUDENT, ELIGIBLE STUDENT, TEACHER OR PRINCIPAL MAY CHALLENGE THE ACCURACY OF THE STUDENT DATA OR TEACHER OR PRINCIPAL DATA THAT IS COLLECTED;

(IV) WHERE THE STUDENT DATA OR TEACHER OR PRINCIPAL DATA WILL BE STORED, AND THE SECURITY PROTECTIONS TAKEN TO ENSURE SUCH DATA WILL BE PROTECTED, INCLUDING WHETHER SUCH DATA WILL BE ENCRYPTED; AND

(V) THE EXCLUSIVE PURPOSES FOR WHICH THE STUDENT DATA OR TEACHER OR PRINCIPAL DATA WILL BE USED.

(2) THE COMMISSIONER SHALL PROMULGATE REGULATIONS FOR A COMMENT PERIOD WHEREBY PARENTS MAY SUBMIT COMMENTS AND SUGGESTIONS TO THE CHIEF PRIVACY OFFICER TO BE CONSIDERED FOR INCLUSION IN THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY AND SECURITY.

(3) THE DEPARTMENT SHALL POST THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY AND SECURITY ON THE DEPARTMENT'S WEBSITE. EACH EDUCATIONAL AGENCY THAT HAS AN INTERNET WEBSITE SHALL ALSO POST THE PARENTS BILL OF RIGHTS FOR STUDENT DATA AND SECURITY ON ITS WEBSITE.

(4) THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY AND SECURITY SHALL BE COMPLETED WITHIN ONE HUNDRED TWENTY DAYS AFTER THE EFFECTIVE DATE OF THIS SUBDIVISION.

D. (1) EACH EDUCATIONAL AGENCY SHALL BE ABLE TO OPT-OUT OF HAVING THE STUDENT DATA OR TEACHER OR PRINCIPAL DATA THAT THEY ARE REQUIRED TO REPORT TO THE DEPARTMENT THROUGH STATE OR FEDERAL LAW OR REGULATION FROM BEING UPLOADED BY THE DEPARTMENT TO THE DEPARTMENT'S EDUCATIONAL DATA PORTAL.

(2) NOTHING IN THIS PARAGRAPH SHALL ALLOW AN EDUCATIONAL AGENCY TO FAIL TO COMPLY WITH ANY STUDENT DATA OR TEACHER OR PRINCIPAL DATA REPORTING REQUIREMENTS TO THE DEPARTMENT AS REQUIRED BY STATE OR FEDERAL LAW OR REGULATION.

E. THE CHIEF PRIVACY OFFICER SHALL MAKE PUBLICLY AVAILABLE ON THE DEPARTMENT'S WEBSITE A COMPLETE LIST OF ALL STUDENT OR TEACHER OR PRINCIPAL DATA ELEMENTS COLLECTED WITH AN EXPLANATION AND/OR LEGAL OR REGULATORY AUTHORITY OUTLINING THE REASONS SUCH DATA ELEMENTS ARE COLLECTED.

F. (1) EACH THIRD PARTY CONTRACTOR THAT RECEIVES STUDENT DATA OR TEACHER OR PRINCIPAL DATA PURSUANT TO A CONTRACT OR OTHER WRITTEN AGREEMENT WITH AN EDUCATIONAL AGENCY SHALL BE REQUIRED TO NOTIFY SUCH EDUCATIONAL AGENCY OF ANY BREACH OF SECURITY RESULTING IN AN UNAUTHORIZED RELEASE OF SUCH DATA IN VIOLATION OF APPLICABLE STATE OR FEDERAL LAW, THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY AND SECURITY, THE DATA PRIVACY AND SECURITY POLICIES OF THE EDUCATIONAL AGENCY AND/OR BINDING CONTRACTUAL OBLIGATIONS RELATING TO DATA PRIVACY AND SECURITY, IN THE MOST EXPEDIENT WAY POSSIBLE AND WITHOUT REASONABLE DELAY. THE EDUCATIONAL AGENCY SHALL, UPON NOTIFICATION BY THE THIRD PARTY CONTRACTOR, BE REQUIRED TO REPORT TO THE CHIEF PRIVACY OFFICER ANY SUCH BREACH OF SECURITY AND UNAUTHORIZED RELEASE OF SUCH DATA AND TO REPORT SUCH BREACH AND UNAUTHORIZED RELEASE TO LAW ENFORCEMENT IN THE MOST EXPEDIENT WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.

(2) IN THE CASE OF AN UNAUTHORIZED RELEASE OF STUDENT DATA, THE EDUCATIONAL AGENCY, OR THE THIRD PARTY CONTRACTOR INVOLVED, SHALL NOTIFY THE PARENT OR ELIGIBLE STUDENT OF THE UNAUTHORIZED RELEASE OF STUDENT DATA THAT INCLUDES PERSONALLY IDENTIFIABLE INFORMATION FROM THE STUDENT RECORDS OF SUCH STUDENT IN THE MOST EXPEDIENT WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY. IN THE CASE OF AN UNAUTHORIZED RELEASE OF TEACHER OR PRINCIPAL DATA, THE EDUCATIONAL AGENCY, OR THE THIRD PARTY CONTRACTOR INVOLVED, SHALL NOTIFY EACH AFFECTED TEACHER OR PRINCIPAL OF THE UNAUTHORIZED RELEASE OF DATA THAT INCLUDES PERSONALLY IDENTIFIABLE INFORMATION FROM THE TEACHER OR PRINCIPAL'S ANNUAL PROFESSIONAL PERFORMANCE REVIEW IN THE MOST EXPEDIENT WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.

(3) FAILURE TO NOTIFY AGAINST PUBLIC POLICY. (I) A THIRD PARTY CONTRACTOR SHALL NOT FAIL TO NOTIFY THE EDUCATIONAL AGENCY OR PARENT, ELIGIBLE STUDENT, TEACHER OR PRINCIPAL, AS APPLICABLE, IN THE MOST EXPEDIENT WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.

(II) EACH VIOLATION OF CLAUSE (I) OF THIS SUBPARAGRAPH SHALL CONSTITUTE A CLASS E FELONY, AND SHALL BE PUNISHABLE BY A CIVIL PENALTY OF THE GREATER OF FIVE THOUSAND DOLLARS OR UP TO TEN DOLLARS PER INSTANCE OF FAILED NOTIFICATION, PROVIDED THAT THE LATTER AMOUNT SHALL NOT EXCEED ONE HUNDRED FIFTY THOUSAND DOLLARS.

G. IF THE CHIEF PRIVACY OFFICER DETERMINES THAT A THIRD PARTY CONTRACTOR, IN VIOLATION OF APPLICABLE STATE OR FEDERAL LAW, THE DATA PRIVACY AND SECURITY POLICIES OF THE EDUCATIONAL AGENCY AND/OR BINDING CONTRACTUAL OBLIGATIONS RELATING TO DATA PRIVACY AND SECURITY, HAS RE-RELEASED ANY STUDENT DATA OR TEACHER OR PRINCIPAL DATA RECEIVED FROM AN EDUCATIONAL AGENCY TO ANY PERSON OR ENTITY NOT AUTHORIZED BY LAW TO RECEIVE SUCH DATA PURSUANT TO A LAWFUL SUBPOENA OR OTHERWISE, THE CHIEF PRIVACY OFFICER, AFTER AFFORDING THE THIRD PARTY CONTRACTOR WITH NOTICE AND AN OPPORTUNITY TO BE HEARD, SHALL BE AUTHORIZED TO:

(1) ORDER THAT THE THIRD PARTY CONTRACTOR BE PRECLUDED FROM ACCESSING STUDENT DATA OR TEACHER OR PRINCIPAL DATA, AS APPLICABLE, FROM THE EDUCATIONAL AGENCY FROM WHICH THE CONTRACTOR OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED FOR A FIXED PERIOD OF UP TO FIVE YEARS; AND/OR

(2) ORDER THAT A THIRD PARTY CONTRACTOR WHO KNOWINGLY AND RECKLESSLY ALLOWS FOR THE UNAUTHORIZED RELEASE OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA BE PRECLUDED FROM ACCESSING STUDENT DATA OR TEACHER OR PRINCIPAL DATA FROM ANY EDUCATIONAL AGENCY IN THE STATE FOR A FIXED PERIOD OF UP TO FIVE YEARS; AND/OR

(3) ORDER, IN THE CASE OF AN EDUCATIONAL AGENCY THAT IS A PUBLIC AGENCY SUBJECT TO COMPETITIVE BIDDING REQUIREMENTS, THAT A THIRD PARTY CONTRACTOR WHO KNOWINGLY AND RECKLESSLY ALLOWS FOR THE UNAUTHORIZED RELEASE OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA, THAT THE THIRD PARTY CONTRACTOR SHALL NOT BE DEEMED A RESPONSIBLE BIDDER OR OFFERER ON ANY CONTRACT WITH THE EDUCATIONAL AGENCY FROM WHICH THE CONTRACTOR OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED THAT INVOLVES THE SHARING OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA, AS APPLICABLE FOR PURPOSES OF THE PROVISIONS OF SECTION ONE HUNDRED THREE OF THE GENERAL MUNICIPAL LAW OR PARAGRAPH C OF SUBDIVISION TEN OF SECTION ONE HUNDRED SIXTY-THREE OF THE STATE FINANCE LAW, AS APPLICABLE, FOR A FIXED PERIOD OF UP TO FIVE YEARS; AND/OR

(4) REQUIRE THE THIRD PARTY CONTRACTOR TO PROVIDE TRAINING AT THE CONTRACTOR'S EXPENSE ON THE FEDERAL AND STATE LAW GOVERNING CONFIDENTIALITY OF STUDENT DATA AND/OR TEACHER OR PRINCIPAL DATA AND THE PROVISIONS OF THIS SUBDIVISION TO ALL ITS OFFICERS AND EMPLOYEES WITH ACCESS TO SUCH DATA, PRIOR TO BEING PERMITTED TO RECEIVE SUBSEQUENT ACCESS TO SUCH DATA FROM THE EDUCATIONAL AGENCY FROM WHICH THE CONTRACTOR OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED OR FROM ANY EDUCATIONAL AGENCY; AND/OR

(5) IF IT IS DETERMINED THAT THE UNAUTHORIZED RELEASE OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA ON THE PART OF THE THIRD PARTY CONTRACTOR WAS INADVERTENT AND DONE WITHOUT INTENT OR GROSS NEGLIGENCE, THE COMMISSIONER MAY DETERMINE THAT NO PENALTY BE ISSUED UPON THE THIRD PARTY CONTRACTOR.

H. THE COMMISSIONER, IN CONSULTATION WITH THE CHIEF PRIVACY OFFICER, SHALL PROMULGATE REGULATIONS ESTABLISHING PROCEDURES TO IMPLEMENT THE PROVISIONS OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO PROCEDURES FOR THE SUBMISSION OF COMPLAINTS FROM PARENTS AND/OR PERSONS IN PARENTAL RELATION TO STUDENTS, CLASSROOM TEACHERS OR BUILDING PRINCIPALS, OR OTHER STAFF OF AN EDUCATIONAL AGENCY, MAKING ALLEGATIONS OF IMPROPER DISCLOSURE OF STUDENT DATA AND/OR TEACHER OR PRINCIPAL DATA BY A THIRD PARTY CONTRACTOR OR ITS OFFICERS OR EMPLOYEES THAT MAY BE SUBJECT TO THE SANCTIONS SET FORTH IN PARAGRAPH G OF THIS SUBDIVISION. UPON RECEIPT OF A COMPLAINT OR OTHER INFORMATION INDICATING THAT SUCH AN IMPROPER DISCLOSURE BY A THIRD PARTY CONTRACTOR MAY HAVE OCCURRED, THE CHIEF PRIVACY OFFICER SHALL BE AUTHORIZED TO INVESTIGATE, VISIT, EXAMINE AND INSPECT THE THIRD PARTY CONTRACTOR'S FACILITIES AND RECORDS AND ISSUE ANY SUBPOENAS DEEMED NECESSARY TO OBTAIN DOCUMENTATION FROM, OR REQUIRE THE TESTIMONY OF, ANY PARTY RELATING TO THE ALLEGED IMPROPER DISCLOSURE OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA.

I. THE COMMISSIONER, IN CONSULTATION WITH THE CHIEF PRIVACY OFFICER, SHALL PROMULGATE REGULATIONS ESTABLISHING MINIMUM STANDARDS FOR EDUCATIONAL AGENCY DATA SECURITY AND PRIVACY POLICIES AND SHALL DEVELOP ONE OR MORE MODEL POLICIES FOR USE BY EDUCATIONAL AGENCIES. EACH EDUCATIONAL AGENCY, BY NO LATER THAN NINETY DAYS AFTER THE EFFECTIVE DATE OF THIS SUBDIVISION, SHALL ENSURE THAT IT HAS A POLICY ON DATA SECURITY AND PRIVACY IN PLACE THAT IS CONSISTENT WITH APPLICABLE STATE AND FEDERAL LAWS AND APPLIES TO STUDENT DATA AND, WHERE APPLICABLE, TO TEACHER OR PRINCIPAL DATA. SUCH POLICY SHALL BE PUBLISHED ON THE WEBSITE OF THE EDUCATIONAL AGENCY, IF SUCH EDUCATIONAL AGENCY HAS AN INTERNET WEBSITE, AND NOTICE OF SUCH POLICY SHALL BE PROVIDED TO ALL OFFICERS AND EMPLOYEES OF THE EDUCATIONAL AGENCY. AS APPLIED TO STUDENT DATA, SUCH POLICY SHALL PROVIDE ALL PROTECTIONS AFFORDED TO PARENTS AND PERSONS IN PARENTAL RELATIONSHIPS, OR STUDENTS WHERE APPLICABLE, REQUIRED UNDER THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIRTY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, WHERE APPLICABLE THE INDIVIDUALS WITH DISABILITIES EDUCATION ACT, SECTIONS FOURTEEN HUNDRED, ET. SEQ. OF TITLE TWENTY OF THE UNITED STATES CODE, AND THE FEDERAL REGULATIONS IMPLEMENTING SUCH STATUTES. EACH EDUCATIONAL AGENCY SHALL ENSURE THAT IT HAS IN PLACE PROVISIONS IN ITS CONTRACTS WITH THIRD PARTY CONTRACTORS OR IN SEPARATE DATA SHARING AND CONFIDENTIALITY AGREEMENTS THAT REQUIRE THAT CONFIDENTIALITY OF THE SHARED STUDENT DATA OR TEACHER OR PRINCIPAL DATA BE MAINTAINED IN ACCORDANCE WITH FEDERAL AND STATE LAW AND THE EDUCATIONAL AGENCY'S POLICY ON DATA SECURITY AND PRIVACY.

J. EACH EDUCATIONAL AGENCY THAT ENTERS INTO A CONTRACT OR OTHER WRITTEN AGREEMENT WITH A THIRD PARTY CONTRACTOR UNDER WHICH THE THIRD PARTY CONTRACTOR WILL RECEIVE STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL ENSURE THAT SUCH CONTRACT OR AGREEMENT INCLUDE A DATA SECURITY AND PRIVACY PLAN THAT OUTLINES HOW ALL STATE, FEDERAL, AND LOCAL DATA SECURITY AND PRIVACY CONTRACT REQUIREMENTS WILL BE IMPLEMENTED OVER THE LIFE OF THE CONTRACT, CONSISTENT WITH THE EDUCATIONAL AGENCY'S POLICY ON DATA SECURITY AND PRIVACY. SUCH PLAN SHALL INCLUDE, BUT SHALL NOT BE LIMITED TO, A SIGNED COPY OF THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY, AND A REQUIREMENT THAT ANY OFFICERS OR EMPLOYEES OF THE THIRD PARTY CONTRACTOR WHO HAVE ACCESS TO STUDENT DATA OR TEACHER OR PRINCIPAL DATA HAVE RECEIVED OR WILL RECEIVE TRAINING ON THE FEDERAL AND STATE LAW GOVERNING CONFIDENTIALITY OF SUCH DATA PRIOR TO RECEIVING ACCESS.

K. (1)(I) EACH VIOLATION OF ANY PROVISION OF THIS SECTION BY A THIRD PARTY CONTRACTOR SHALL BE PUNISHABLE BY A CIVIL PENALTY OF UP TO ONE THOUSAND DOLLARS; A SECOND VIOLATION BY THE SAME THIRD PARTY CONTRACTOR INVOLVING THE SAME STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL BE PUNISHABLE BY A CIVIL PENALTY OF UP TO FIVE THOUSAND DOLLARS; ANY SUBSEQUENT VIOLATION BY THE SAME THIRD PARTY CONTRACTOR INVOLVING THE SAME STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL BE PUNISHABLE BY A CIVIL PENALTY OF UP TO TEN THOUSAND DOLLARS.

(II) EACH VIOLATION OF THIS SUBDIVISION SHALL BE CONSIDERED A SEPARATE VIOLATION FOR PURPOSES OF CIVIL PENALTIES.

(2) THE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO ENFORCE COMPLIANCE WITH THIS SECTION BY INVESTIGATION AND SUBSEQUENT COMMENCEMENT OF A CIVIL ACTION TO SEEK CIVIL PENALTIES FOR VIOLATIONS OF THIS SECTION, AND TO SEEK APPROPRIATE INJUNCTIVE RELIEF. IN CARRYING OUT SUCH INVESTIGATION AND IN MAINTAINING SUCH CIVIL ACTION LOCAL LAW ENFORCEMENT ARE AUTHORIZED TO SUBPOENA WITNESSES, COMPEL THEIR ATTENDANCE, EXAMINE THEM UNDER OATH AND REQUIRE THAT ANY BOOKS, RECORDS, DOCUMENTS, PAPERS, OR ELECTRONIC RECORDS RELEVANT OR MATERIAL TO THE INQUIRY BE TURNED OVER FOR INSPECTION, EXAMINATION OR AUDIT, PURSUANT TO THE CIVIL PRACTICE LAW AND RULES.

(3) NOTHING CONTAINED IN THIS SUBDIVISION SHALL BE CONSTRUED AS CREATING A PRIVATE RIGHT OF ACTION AGAINST THE DEPARTMENT OR AN EDUCATIONAL AGENCY.

L. NOTHING IN THIS SECTION SHALL LIMIT THE ADMINISTRATIVE USE OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA BY A PERSON ACTING EXCLUSIVELY IN THE PERSON'S CAPACITY AS AN EMPLOYEE OF AN EDUCATIONAL AGENCY OR OF THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT OR THE FEDERAL GOVERNMENT THAT IS OTHERWISE REQUIRED BY LAW.

S 2. Subdivision 7 of section 156.00 of the penal law, as added by chapter 558 of the laws of 2006, is amended and three new subdivisions 10, 11 and 12 are added to read as follows:

7. "Access" means to instruct, communicate with, store data in, retrieve from, or otherwise make use of any resources of a computer, physically, directly or by electronic means; INCLUDING DISSEMINATION OF DATA.

10. "EDUCATIONAL AGENCY" MEANS AN EDUCATIONAL AGENCY AS SUCH TERM IS DEFINED IN SUBDIVISION FORTY-THREE OF SECTION THREE HUNDRED FIVE OF THE EDUCATION LAW. AN EDUCATIONAL AGENCY AS SO DEFINED SHALL BE DEEMED A GOVERNMENTAL INSTRUMENTALITY FOR PURPOSES OF THIS ARTICLE.

11. "THIRD PARTY CONTRACTOR" MEANS A THIRD PARTY CONTRACTOR AS DEFINED IN SUBDIVISION FORTY-THREE OF SECTION THREE HUNDRED FIVE OF THE EDUCATION LAW.

12. "EDUCATIONAL COMPUTER MATERIAL" MEANS PERSONALLY IDENTIFIABLE INFORMATION FROM STUDENT RECORDS OR CONFIDENTIAL ANNUAL PROFESSIONAL PERFORMANCE REVIEWS OF CLASSROOM TEACHERS OR PRINCIPALS, OF A SCHOOL DISTRICT, BOARD OF COOPERATIVE EDUCATIONAL SERVICES, SCHOOL, INSTITUTION OF HIGHER EDUCATION, OR THE STATE EDUCATION DEPARTMENT.

S 3. Section 156.30 of the penal law, as amended by chapter 590 of the laws of 2008, is amended to read as follows:

S 156.30 Unlawful duplication of computer related material in the first degree.

A person is guilty of unlawful duplication of computer related MATERIAL in the first degree [material] when having no right to do so, he or she copies, reproduces or duplicates in any manner:
1. any computer data or computer program and thereby intentionally and wrongfully deprives or appropriates from an owner thereof an economic value or benefit in excess of two thousand five hundred dollars;[or] 2. any computer data or computer program with an intent to commit or attempt to commit or further the commission of any felony[.]; OR 3. EDUCATIONAL COMPUTER MATERIAL WITH THE INTENT TO DISSEMINATE IN VIOLATION OF SECTION THREE HUNDRED FIVE OF THE EDUCATION LAW. Unlawful duplication of computer related material in the first degree is a class E felony. S 4. Section 165.45 of the penal law is amended by adding a new subdi- vision 8 to read as follows: 8. THE PROPERTY CONSISTS OF EDUCATIONAL COMPUTER MATERIAL AS DEFINED IN ARTICLE ONE HUNDRED FIFTY-SIX OF THIS CHAPTER. S 5. This act shall take effect on the ninetieth day after it shall have become a law, provided, however, the commissioner of education shall within one hundred twenty days after it shall have become law, develop a parents bill of rights for student data privacy and security.
