As New York public schools increase the use of technology in day-to-day operations and in the classroom, they increasingly face data management and data security threats similar to those faced by businesses and non-profit institutions.
On August 24, 2016, the New York State Education Department appointed Temitope Akinyemi as its first Chief Privacy Officer to help schools navigate this evolving landscape. The appointment was set in motion on March 31, 2014 when Governor Cuomo signed a budget bill adding two new sections to the New York State Education Law that relate to the release of student data. Specifically, Section 2-d(2) of the Education Law directs the Commissioner of Education to appoint a Chief Privacy Officer whose functions include, among many other things, implementing sound practices to protect the privacy and security of student, teacher and principal data.
After a two-year search, the position was finally filled last month. Ms. Akinyemi comes from the New York State Office of Information Technology Services, where she served as a privacy officer and an attorney for more than five years.
According to the press release, Ms. Akinyemi’s duties as Chief Privacy Officer will include: leading investigations of security breaches and privacy-related emergencies and recommending required actions to NYSED executive management; providing technical assistance to State educational agencies on minimum standards and best practices associated with privacy and the security of student, teacher and principal data; establishing a protocol for submitting complaints of possible breaches of student, teacher or principal data; and consulting with the Commissioner to develop regulations establishing standards for educational agency data security and privacy. With input from parents, education and expert stakeholders and the public, Ms. Akinyemi will also be tasked with reviewing and enhancing the Department’s existing Parents Bill of Rights for data privacy and security.
Part of the impetus for this new position was growing concern for the security of student data as schools increasingly use educational technology and other cloud-based services. A 1974 federal law, the Family Educational Rights and Privacy Act (FERPA), gives parents certain rights concerning their children’s education records and protects against unauthorized disclosures without parental consent. These rights transfer to the student when he or she reaches age eighteen or attends school beyond high school. However, there are a number of exceptions to FERPA’s written consent requirement – and some concerns arise because much of the data collected from online educational learning tools is outside the scope of FERPA. In particular, subsets of educational services offered through computer software, mobile applications, and web-based tools provided by third parties (and accessed via the internet by students and/or parents) may be outside FERPA’s scope.
Ms. Akinyemi will begin her new post on September 22, 2016 – right after the start of the new school year. She will report to the Department of Education’s general counsel. What lies ahead for data security innovations and collaboration between the public and private sector on school data aggregation remains to be seen.