MINISINK VALLEY CENTRAL SCHOOL DISTRICT PARENTS’ BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY
The Minisink Valley Central School District is committed to protecting the privacy and security of student data and classroom teacher and building principal data. In accordance with New York State Education Law § 2-d and its implementing regulations, the District hereby informs the school community of the following:
1. A student’s personally identifiable (“PII”) information, as defined by Education Law § 2-d and the Family Educational Rights and Privacy Act (“FERPA”) cannot be sold or released for any commercial or marketing purpose. See 34 CFR § 99.3 for a complete definition of what constitutes PII under Education Law Section 2-d.
2. Parents (including legal guardians or personal in parental relationships) have the right to inspect and review the complete contents of their child’s education record. Further, Eligible Students (students who have reached 18 years of age or older) have the right to review the complete contents of their education records stored or maintained by the educational agency.
3. State and federal laws and their implementing regulations (such as Education Law § 2-d, with regulations at 8 NYCRR Part 121, FERPA at 12 U.S.C. 1232g with regulations at 33 CFR Part 99 and the Individuals with Disabilities Education Act [“IDEA”] at 20 U.S.C. 1400 et seq., with regulations at 34 CFR Part 300) protect the confidentiality of personally identifiable information.
4. Safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when PII is stored or transferred.
5. A complete list of all student data elements collected by the New York State Education Department is available at the following website: www.nysed.gov/data-privacy-security, or by writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234.
6. Complaints by parents, eligible students, classroom teachers, building principals or other staff of the educational agency about possible breaches or improper disclosures of PII shall be addressed through the submission of written complaints. Complaints should be directed in writing to: Christian Ranaudo, Data Protection Officer, by mail at: PO BOX 217, 2320 Route 6, Slate Hill, NY 10973; by phone at:(845)355-5100; or via email to: firstname.lastname@example.org.
In addition, complaints may be directed to the Chief Privacy Officer of the New York State Education Department, by mail at 89 Washington Avenue, Albany, New York 12234; via email to email@example.com; or by telephone at 518-474-0937. Complaints may also be submitted using the form available on SED’s website.
7. Parents, eligible students, classroom teachers and building principals have the right to be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs.
8. School District employees and officers who have access to PII shall annually receive data privacy and security awareness training. Such training shall include training on state and federal laws that protect PII and how to comply with such laws, as well as applicable policies, and safeguards associated with industry standards and best practices.
9. School District contracts with third-party contractors that receive PII will address statutory and regulatory data privacy and security requirements.
Supplemental to Parents’ Bill of Rights for Data Privacy and Security for Agreements between Minisink Valley Central School District School District and Third Party Contractors
In the course of complying with its obligations under the law and providing educational services to District residents, the Minisink Valley Central School District (“District”) has entered into agreements with certain third-party contractors. Pursuant to these agreements, third-party contractors may have access to “student data” and/or “classroom teacher” or “building principal data,” as those terms are defined by applicable laws and regulations.
For each contract or other written agreement that the District enters into with a third-party contractor where the third-party contractor receives student data or classroom teacher or building principal data from the District, the following supplemental information will be included with this Bill of Rights:
1. The exclusive purposes for which the student data or classroom teacher or building principal data will be used by the third-party contractor, as defined in the Original Contract, is to provide services that benefit students and District, as expressly enumerated in said Contract between the District and the third-party contractor.
2. The third-party contractor will ensure that the subcontractors, or other authorized persons or entities to whom the third-party contractor will disclose the student data or teacher or principal data, if any, will abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable laws and regulations (e.g., FERPA; Education Law Section 2-d) and will not subcontract any services without the express prior approval of the District, and unless the subcontractor demonstrates its full compliance with state and federal privacy laws and regulations pertaining to the underlying Agreement.
3. The duration of the contract, including its expiration date. The contract shall expire on the stated expiration date, unless earlier terminated pursuant to a provision contained therein.
4. Upon termination of the Original Contract, third-party contractor shall return or destroy all confidential information obtained in connection with the services provided, including any and all student data. Destruction of the confidential information and/or student data shall be accomplished utilizing an approved method of confidential destruction, including shredding, burning or certified/witnessed destruction of physical materials and verified erasure of magnetic media using approved methods of electronic file destruction. Said data shall be returned by the third-party contractor to the District, or securely transitioned to a subsequent contractor at the request of the District.
5. A parent or eligible student, may challenge the accuracy of student data that is collected by following the procedures set forth in District policy, consistent with FERPA. A classroom teacher or building principal may challenge the accuracy of classroom teacher or building principal data through the APPR appeals process, where applicable.
6. Student data or classroom teacher or building principal data will be stored in a safe and secure manner, consistent with industry standards and best practices, and security protections shall be taken to ensure the data will be protected and data privacy and security risks mitigated.
7. The above-referenced data will be protected using encryption while in motion and at rest using a technology or methodology specified by the secretary of the U.S. Department of Health and Human Services in guidance under § 13402(H)(2) of Public Law 111-5.