As part of the recently enacted Common Core Implementation Reform Act, New York State now requires every “educational agency” operating in the state to develop a Parents’ Bill of Rights for Data Privacy and Security. Included in this new request are:
- Public school districts;
- Boards of Cooperative Educational Services; and
- Public elementary and secondary schools;
- Universal pre-Kindergarten programs;
- Approved providers of preschool special education services;
- All other publicly funded pre-kindergarten programs;
- Charter schools;
- Special Act school districts; and
- Schools for the education of students with disabilities (853 schools and 4201 programs).
The Parents’ Bill of Rights was enacted in response to concerns surrounding the New York State Education Department’s intent to share student data with “private concerns” in furtherance of New York’s obligations under its federal Race to the Top funding agreement. The New York State Legislature addressed these concerns around the collection, retention and sharing of certain student data and information, especially around testing, by directing the appointment of a New York State Education Department (NYSED) Chief Privacy Officer to develop data-security standards and privacy policies. The NYSED has yet to make such appointment.
The Reform Act also called for the immediate development of the Parents’ Bill of Rights, which must be published on each “educational agency’s” website and be incorporated into each contract such agency enters into with any “third party contractor” defined as any person or entity that receives student data or teacher or principal data from the educational agency pursuant to a contract or other written agreement. These contracts or agreements must now include a data security and privacy plan that outlines how all state, federal and local data security and privacy contract requirements will be implemented. However, the standards for an educational agency’s policy on data security and privacy must be prescribed in regulations that have not yet been promulgated.
In the absence of more detailed guidance, NYSED has made available a Model Notification of Rights under the Family Educational Rights and Privacy Act (FERPA) for Elementary and Secondary Schools, which includes notice of a parent’s right to inspect and review education records, to request amendment of such records, to provide written consent before the school discloses personally identifiable information (PII) from the student’s records, the right to refuse to let the school designate certain student specific information as directory information, and the right to file a complaint with the U.S. Department of Education concerning alleged failures by the school to comply with the requirements of FERPA. The notice also outlines those limited instances where a school may disclose PII without obtaining prior written consent of the parent, including disclosure to school officials within the educational agency, to officials of another school the student intends to enroll, to federal, state and local educational agencies, such as NYSED in connection with an audit or evaluation of a federal or state supported education program and to organizations conducting studies for, or on behalf of, the school in order to develop, validate or administer predictive tests or improve instruction, among other specific instances.
The confidentiality and privacy provisions added by the Parents’ Bill of Rights law extend only to PII and not to student data that is not personally identifiable. Additional rights extended by the new law prohibit the sale or release of a student’s PII for any commercial or marketing purposes, and severely restricts a school’s authority to collect and release PII.
The new law does not create a private right of action against NYSED or any educational agency.
All educational agencies, including non-public schools and charter schools, should be aware of these new mandates, even as the field awaits the regulations which, it is anticipated, will provide further detail and direction.