We want to help businesses better understand what the New York State Education Department (NYSED) Law § 2-d is and what they can do to comply with it. We’ll be discussing the importance of NYSED Law § 2-d, covering Personally Identifiable Information (PII), who the law applies to, the requirements of NYSED Law § 2-d as well as what the repercussions of violations are and how to avoid them.
What is NYSED Law § 2-d?
NYSED Law § 2-d is a comprehensive legal framework designed to protect the privacy and security of personally identifiable information (PII) of students and certain other individuals associated with educational institutions in New York State. Enacted in response to growing concerns over data privacy in the educational sector, this law sets strict guidelines for how educational agencies and their third-party service providers can collect, store, and use student data. Here are the key components and objectives of § 2-d:
Protect Student, Teacher, and Principal Privacy: The law aims to safeguard the privacy of students by regulating how their personal information is handled by schools and third-party vendors.
Secure Data Handling: Establishes security standards and practices for managing and protecting student data against unauthorized access, disclosure, and misuse.
Parental Rights: Enhances the rights of parents and eligible students (those who are at least 18 years old) to access and control their personal information held by educational institutions, including the right to review, correct, and consent to the use of their data.
These objectives underscore the growing concern about the storage and management of student electronic data. The key components of NYSED Law § 2-d are:
Parents’ Bill of Rights: Schools are required to publish a “Parents’ Bill of Rights for Data Privacy and Security,” which informs parents about their rights regarding their children’s personal information and the measures taken by educational agencies to protect that information.
Data Security and Privacy Standards: Educational agencies must adopt the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to ensure the confidentiality, integrity, and availability of protected student data.
Contracts with Third-Party Vendors: Contracts with vendors that have access to student, teacher, and principal data must include specific provisions that ensure the confidentiality and security of the data, along with protocols for data breach notification.
Appointment of Data Protection Officer (DPO): Each educational agency is required to appoint a Data Protection Officer responsible for ensuring compliance with § 2-d and overseeing the security of student data.
Data Breach Notification: The law mandates prompt notification procedures in the event of a data breach that compromises the security of student data, including specific timelines and information to be provided to affected individuals.
What kinds of data need to be protected?
NYSED has published an extensive list of the data elements it collects, which can be found on its website. In summary, though:
Personally Identifiable Information: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
Student Data: Personally identifiable information from student records of an educational agency.
Teacher or principal data: Personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of section three thousand twelve-c of this chapter.
Who does NY Education Law § 2-d apply to?
Public Schools: All public elementary and secondary schools within the state must comply with the law. This includes schools operating under the jurisdiction of local school districts, providing education from kindergarten through 12th grade.
Charter Schools: Charter schools in New York, which are publicly funded but operate independently of the traditional public school system, are also subject to the provisions of § 2-d. Like public schools, charter schools handle significant amounts of student personally identifiable information (PII) and must ensure its protection.
Boards of Cooperative Educational Services (BOCES): BOCES provide educational services, including special education, vocational training, and adult education, to member school districts. They are required to adhere to the data privacy and security standards set forth in § 2-d.
School Districts: Entire school districts, which may encompass multiple individual schools, are covered by the law. District-level administration must ensure that all schools within their jurisdiction comply with the requirements for protecting student data.
The requirements also extend to third-party contractors of these entities that have access to student data, or teacher or principal data.
What does an organization need to do to comply with NY Education Law § 2-d?
Appoint a Data Protection Officer (DPO): This will be the individual who will be responsible for the overall compliance of the organization.
Adopt the NIST Cybersecurity Framework: The DPO will need to make sure that the organization has policies and controls that are aligned to the NIST CSF. You can learn more about the NIST CSF 2.0 in our previous blog post.
Train your users: Employees should be trained on cybersecurity principles as well as laws such as FERPA and NY Education Law § 2-d.
Publish a Data Privacy and Security Policy: The school needs to publish on its website a Data Privacy and Security Policy that covers the following:
What the school does to protect student data and teacher and principal data.
What the school does to ensure that third-party contractors protect student data and teacher and principal data.
How the school trains its employees.
What the school will do to notify individuals of breaches.
Publish a Parents’ Bill of Rights: The school needs to publish on their website a Parents’ Bill of Rights which details the rights that parents have under Law § 2-d.
Publish Procedures for Complaints of Breach: The school needs to publish on its website instructions for how people can contact the school if they suspect a breach, as well as what the school will do when it receives a complaint.
Publish a list of third-party contractors and the reviews of those contractors: The school needs to publish on its website a list of third-party contractors that have access to student data or teacher and principal data, along with a documented review of each contractor.
What happens if I don’t comply with NYSED Law § 2-d?
As with any regulated industry where a security program is lacking, noncompliance can have financial, reputational, operational, and legal ramifications:
Legal Penalties: Schools that fail to comply with Education Law § 2-d may face legal consequences, including fines and penalties that vary with the severity of the violation and pose financial risk to the school.
Loss of Trust and Reputation: Reputational risks due to noncompliance could lead to loss of trust from students, parents, and the larger community. This can affect the school’s ability to attract students and maintain positive relationships with stakeholders.
Data Breaches and Security Risks: The risk of data breaches and unauthorized access to student data is increased, posing potential harm to students and legal liabilities for the school.
Loss of Funding or Grants: Schools that fail to comply may face repercussions when it comes to funding or grant opportunities. Funding agencies and organizations often prioritize institutions that demonstrate a commitment to data privacy and compliance.
What's Next?
In wrapping up our exploration of New York Education Law § 2-d, it’s evident that this legislation is not just another bureaucratic hurdle but a crucial framework designed to uphold the privacy and security of personal information within the educational realm. For businesses, understanding and implementing the provisions of § 2-d is more than legal compliance — it’s a commitment to safeguarding the trust placed in them by students, parents, and educational institutions.
Navigating the complexities of § 2-d may seem daunting, but by leveraging a tool like Blacksmith, which provides you with the policies, notices, security roadmap, and risk register, you can be guided through the necessary steps to take a strategic approach focused on becoming compliant in an easy and methodical manner. By fostering an organizational culture attuned to privacy and security, you can make compliance an integral part of your operational philosophy.
Moreover, the consequences of non-compliance — ranging from legal penalties to a tarnished reputation — underscore the importance of taking proactive steps to align with the law. By embracing these challenges as opportunities for improvement, businesses can not only avoid the pitfalls of non-compliance but also strengthen their relationships with educational partners.
As we move forward, data privacy in education will continue to evolve, and with it, the responsibilities of all stakeholders. Staying informed, vigilant, and committed to best practices in data privacy and security will ensure that businesses not only comply with NYSED Law § 2-d but also contribute to a safer, more secure educational environment for all.