Background
In early 2020, the New York State Department of Education adopted a new law focused on the privacy and security of student and staff personally identifiable information (PII). The Educational Law Section 2-d, known among NY schools as "Ed Law 2-d", provides “guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data.”
See the full law: NYS Senate.gov
New York State Education Law 2-d:
- Protects the unauthorized release of personally identifiable information (PII):
- The student's name
- The names of the student’s parents or other family members
- The address of the student or student’s family
- A personal identifier, such as the student’s social security number, student number, or biometric record
- Other indirect identifiers, such as the student's date of birth, place of birth, or mother's maiden name
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty;
- Information requested by a person who the educational agency or institution reasonable believes knows the identity of the student to whom the education record relates.
- Supplements the "Parent's Bill of Rights" for Data Privacy and Security
- Provides very specific protections for contracts with "third party" contractors
- Establishes information security and privacy standards
- Authorizes NYSED's Chief Privacy Officer (CPO) to impose certain penalties (such as a monetary fine, mandatory training, and preclusion from accessing data from an education agency for a fixed period of time up to 5 years)