What is Ed Law 2-d
On January 13, 2020, the Board of Regents adopted Part 121 of the Regulations of the Commissioner of Education. The adoption of this new law focuses on the protection and handling of Personal Identifiable Information (PII) for students and personnel.
Important Links
NYS Education Department Data Privacy Page:
What is Wellsville doing in preparation for Ed Law 2-d
Wellsville CSD has appointed a DPO (Data Protection Officer), Mrs. Caitlin Bowen. We are working directly with BOCES and vendors to get “Data Sharing and Confidentiality Agreements” for all iPad Apps, Software Packages, Web Apps, and Websites accessed/used by students and staff. We have developed a Parents Bill of Rights (posted below). Finally, we are reviewing and updating current and new policies in line with Data Security, Privacy Policy, and Security Standards. If you have any questions or concerns, please contact Caitlin Bowen at dpo@wlsv.org.
Parent Information
Parents have the right to make formal complaints about possible breaches of student data addressed. Complaints can be made in person by going to the Wellsville Central School District Office at 126 West State Street, Wellsville, NY 14895. Any questions, please contact Caitlin Bowen at dpo@wlsv.org.
Wellsville Data Privacy & Security Terms & Conditions
As a Parent What Do I need to Know
Education Law Section 2-D Definitions
“Educational agency” means a school district, board of cooperative educational services, school, or the education department.
“Personally identifiable information,” as applied to student data, means personally identifiable information as defined in section 99.3 of title thirty-four of the code of federal regulations implementing the family educational rights and privacy act, section twelve hundred thirty-two-g of title twenty of the United States code, and, as applied to teacher or principal data, means “personally identifying information” as such term is used in subdivision ten of section three thousand twelve-c of this chapter.
“School” means any public elementary or secondary school, universal pre-kindergarten program authorized pursuant to section thirty-six hundred two-e of this chapter, an approved provider of preschool special education, any other publicly funded pre-kindergarten program, a school serving children in a special act school district as defined in section four thousand one of this chapter, an approved private school for the education of students with disabilities, a state-supported school subject to the provisions of article eighty-five of this chapter, or a state-operated school subject to the provisions of article eighty-seven or eight-eight 1 of this chapter.
“Student” means any person attending or seeking to enroll in an educational agency.
“Eligible student” means a student eighteen years or older.
“Parent” means a parent, legal guardian, or person in parental relation to a student.
“Student data” means personally identifiable information from student records of an educational agency.
“Teacher or principal data” means personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of section three thousand twelve-c of this chapter.
“Third-party contractor” shall mean any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. Such term shall include an educational partnership organization that receives student and/or teacher or principal data from a school district to carry out its responsibilities pursuant to section two hundred eleven-e of this title and is not an educational agency as defined in paragraph c of this subdivision, and a not-for-profit corporation or other non-profit organization, other than an educational agency.
Parent FAQ
Frequently Asked Questions About Data Privacy and Security
1. Can companies that provide services to my school under contract (third party contractors) buy my information or use it for their marketing purposes?
No. Your personally identifiable information (PII) cannot be sold by a contractor or used for marketing purposes.
2. Must I be notified if there is an unauthorized disclosure of my personally identifiable information?
Yes. The school must notify the parent or eligible student of the unauthorized release of student data in the most expedient way possible and without unreasonable delay. This applies to cases of an unauthorized release of teacher or principal personally identifiable information data as well. Each affected teacher or principal must be notified.
3. What other laws protect my student’s data?
In addition to New York’s Education Law Section 2-d, there are federal laws that are designed to protect student data and prohibit any misuse. The Family Educational Rights and Privacy Act (FERPA) is the foundational federal law on the privacy of students’ educational records. It was enacted in 1974 and applies to schools that receive federal funding, which are mostly public schools and some, but not all, private schools. FERPA safeguards student privacy by limiting who may access student records, specifying for what purpose they may access those records, and detailing what rules they have to follow when accessing the data. FERPA also includes provisions that guarantee a parent’s right to access, review, and request the correction of their child’s educational record. For additional information about FERPA and other federal laws, please visit our page, Federal Laws that Protect Student Data. Other applicable laws are the Protection of Pupil Rights Amendment (PPRA) which defines the rules states and school districts must follow when administering tools like surveys, analysis, and evaluations funded by the US Department of Education to students, and the Children’s Online Privacy Protection Rule (COPPA) which imposes certain requirements on operators of websites, games, mobile apps or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
4. How will contracted service providers be held accountable for maintaining the confidentiality of the student data they receive?
Educational agencies that contract with third parties who will receive student PII must enter into contracts with such third parties which include certain conditions outlined in the law such as the inclusion of data security and privacy plan, the parent's bill of rights, and minimum technical security standards to protect student PII. The Chief Privacy Officer is also authorized by the law to impose civil penalties.
5. What are the essential parents’ rights under the Family Educational Rights and Privacy Act (FERPA) relating to personally identifiable information in their child’s student records?
The rights of parents under FERPA are summarized in the Model Notification of Rights prepared by the United States Department of Education for use by schools in providing annual notification of rights to parents.
Parents’ rights under FERPA include:
6. What “educational agencies” are included in the requirements of Education Law §2-d?
7. What kind of student data is subject to the confidentiality and security requirements of Education Law §2-d?
The law applies to personally identifiable information contained in student records of an educational agency listed above. The term “student” refers to any person attending or seeking to enroll in an educational agency, and the term “personally identifiable information” (“PII”) uses the definition provided in FERPA. Under FERPA, personally identifiable information or PII includes, but is not limited to:
8.What kind of student data is not subject to the confidentiality and security requirements of Education Law §2-d?
The confidentiality and privacy provisions of Education Law §2-d and FERPA extend only to PII, and not to student data that is not personally identifiable. Therefore, de-identified data (e.g., data regarding students that uses random identifiers), aggregated data (e.g., data reported at the school district level) or anonymized data that could not be used to identify a particular student is not considered to be PII and is not within the purview of Education Law §2-d.
9. What protections are required to be in place if an educational agency contracts with a third-party contractor to provide services and the contract requires the disclosure of PII to the third party contractor?
Education Law §2-d provides very specific protections for contracts with “third party contractors”, defined as any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency. The term “third party contractor” also includes an educational partnership organization that receives student and/or teacher or principal APPR data from a school district to carry out its responsibilities pursuant to Education Law §211-e, and a not-for-profit corporation or other non-profit organization, which are not themselves covered by the definition of an “educational agency.”
Services of a third-party contractor covered under Education Law §2-d include, but not limited to, data management or storage services, conducting studies for or on behalf of the educational agency, or audit or evaluation of publicly funded programs.
When an educational agency enters into a contract with a third-party contractor, under which the third-party contractor will receive student data, the contract or agreement must include a data security and privacy plan that outlines how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the educational agency’s policy on data security and privacy. However, the standards for an educational agency’s policy on data security and privacy must be prescribed in Regulations of the Commissioner that have not yet been promulgated. A signed copy of the Parents’ Bill of Rights must be included, as well as a requirement that any officers or employees of the third-party contractor and its assignees who have access to student data or teacher or principal data have received or will receive training on the federal and state law governing the confidentiality of such data prior to receiving access.
Each third party contractor that enters into a contract or other written agreement with an educational agency under which the third party contractor will receive student data or teacher or principal data must also comply with additional requirements outlined in Education Law §2-d such as limiting internal access to education records to those individuals that are determined to have legitimate educational interests, not using the education records for any other purposes than those explicitly authorized in its contract; not disclosing any PII to any other party that is not an authorized representative of the third party contractor to the extent they are carrying out the contract (i) without the prior written consent of the parent or eligible student; or (ii) unless required by statute or court order and the party provides a notice of the disclosure to NYSED, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order; maintaining reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody; and using encryption technology to protect data while in motion or in its custody from unauthorized disclosure.
10. What steps can and must be taken in the event of a breach of confidentiality or security?
NYSED’s Chief Privacy Officer is authorized to investigate, visit, examine and inspect the third-party contractor’s facilities and records and obtain documentation from, or require the testimony of, any party relating to the alleged improper disclosure of student data or teacher or principal APPR data. Where there is a breach and unauthorized release of PII by a third-party contractor or its assignees, the third-party contractor must notify NYSED of the breach in the most expedient way possible and without unreasonable delay. NYSED must then notify the parents in the most expedient way possible and without unreasonable delay. The law also authorizes the Chief Privacy Officer to impose certain penalties such as a monetary fine; mandatory training regarding federal and state law governing the confidentiality of student data, or teacher or principal APPR data; and preclusion from accessing any student data, or teacher or principal APPR data, from an educational agency for a fixed period up to five years.
Vendor Agreements
2020-2021
2021-2022
Click Here to View Wellsville's Vendor Privacy Policies
2022-2023