PARENTS’ BILL OF RIGHTS
FOR DATA PRIVACY AND SECURITY
To satisfy their responsibilities regarding the provision of education to students in pre- kindergarten through grade twelve, “educational agencies” (as defined below) in the State of New York collect and maintain certain personally identifiable information from the education records of their students. As part of the Common Core Implementation Reform Act, Education Law §2-d requires that each educational agency in the State of New York must develop a Parents’ Bill of Rights for Data Privacy and Security (Parents’ Bill of Rights). The Parents’ Bill of Rights must be published on the website of each educational agency, and must be included with every contract the educational agency enters into with a “third party contractor” (as defined below) where the third party contractor receives student data, or certain protected teacher/principal data related to Annual Professional Performance Reviews that is designated as confidential pursuant to Education Law §3012-c (“APPR data”).
The purpose of the Parents’ Bill of Rights is to inform parents (which also include legal guardians or persons in parental relation to a student, but generally not the parents of a student who is age eighteen or over) of the legal requirements regarding privacy, security and use of student data. In addition to the federal Family Educational Rights and Privacy Act (FERPA), Education Law §2-d provides important new protections for student data, and new remedies for breaches of the responsibility to maintain the security and confidentiality of such data.
A. What are the essential parents’ rights under the Family Educational Rights and Privacy Act (FERPA) relating to personally identifiable information in their child’s student records?
The rights of parents under FERPA are summarized in the Model Notification of Rights prepared by the United States Department of Education for use by schools in providing annual notification of rights to parents. It can be accessed at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html, and a copy is attached to this Parents’ Bill of Rights. Complete student records are maintained by schools and school districts, and not at the New York State Education Department (NYSED). Further, NYSED would need to establish and implement a means to verify a parent’s identity and right of access to records before processing a request for records to the school or school district. Therefore, requests to access student records will be most efficiently managed at the school or school district level.
Parents’ rights under FERPA include:
1. The right to inspect and review the student's education records within 45 days after the day the school or school district receives a request for access.
2. The right to request amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA. Complete student records are maintained by schools and school districts and not at NYSED, which is the secondary repository of data, and NYSED make amendments to school or school district records. Schools and school districts are in the best position to make corrections to students’ education records.
3. The right to provide written consent before the school discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent (including but not limited to disclosure under specified conditions to: (i) school officials within the school or school district with legitimate educational interests; (ii) officials of another school for purposes of enrollment or transfer; (iii) third party contractors providing services to, or performing functions for an educational agency; (iv) authorized representatives of the U. S. Comptroller General, the U. S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as NYSED; (iv) (v) organizations conducting studies for or on behalf of educational agencies) and (vi) the public where the school or school district has designated certain student data as “directory information” (described below). The attached FERPA Model Notification of Rights more fully describes the exceptions to the consent requirement under FERPA).
4. Where a school or school district has a policy of releasing “directory information” from student records, the parent has a right to refuse to let the school or school district designate any all of such information as directory information. Directory information, as defined in federal regulations, includes: the student’s name, address, telephone number, email address, photograph, date and place of birth, major field of study, grade level, enrollment status, dates of attendance, participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors and awards received and the most recent educational agency or institution attended. Where disclosure without consent is otherwise authorized under FERPA, however, a parent’s refusal to permit disclosure of directory information does not prevent disclosure pursuant to such separate authorization.
5. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the School to comply with the requirements of FERPA.
B. What are parents’ rights under the Personal Privacy Protection Law (PPPL), Article 6- A of the Public Officers Law relating to records held by State agencies?
The PPPL (Public Officers Law §§91-99) applies to all records of State agencies and is not specific to student records or to parents. It does not apply to school districts or other local educational agencies. It imposes duties on State agencies to have procedures in place to protect from disclosure of “personal information,” defined as information which because of a name, number, symbol, mark or other identifier, can be used to identify a “data subject” (in this case the student or the student’s parent). Like FERPA, the PPPL confers a right on the data subject (student or the student’s parent) to access to State agency records relating to them and requires State agencies to have procedures for correction or amendment of records.