
DPO NEWSLETTER

NYSED Privacy Office

April 2025 · Volume 4 Issue 2

A Message from the Chief Privacy Officer


Goodbye, Adios, Adieu, Arrivederci, Au revoir, Sayonara, Auf Wiedersehen, Farvel


Farewell friends! By the time this newsletter is issued Robyn will be retired and I am ten weeks behind her. We want to use this opportunity to thank you for your assistance and professionalism over the past three and a half years. There is a true commitment to protect student data in New York’s schools and we thank you for that. It has been an honor to work with you all in my position as Chief Privacy Officer. Not to be overlooked are some of the many items we've accomplished together:

  • A report and subsequent determination regarding the use of facial recognition technology on New York’s students.
  • An ever-expanding DPSS annual conference on data privacy and security.
  • A resurrected Data Privacy Advisory Committee (DPAC).
  • A quarterly newsletter.
  • Monitoring of Educational Agencies for compliance with Part 121 requirements.
  • An increase in reported data incidents from 44 in 2020 to 384 in 2024.
  • Four Annual Reports.
  • Membership in A4L and TEC to standardize our educational agencies’ data privacy agreements.
  • The ROC.
  • The initiation of enforcement cases against third party contractors as authorized under Education Law Section 2-d.
  • Numerous guidance documents.
  • Privacy complaint investigations and determinations.
  • Dialogue!


Thank you all for your partnership in this important work.


Louise 

Looking Back at 2024


It’s here! The 2024 Annual Report has been published on the NYSED Data Privacy and Security website. The past year’s highlights include an increase in reported data incidents to 384, of which 152 were caused by third-party contractors. Reported phishing incidents decreased from 23 in 2023 to 10 in 2024. As in previous Annual Reports, details of the types of data incidents reported to the Privacy Office are shared. 2024 saw a significant increase in students obtaining unauthorized or improper access to school accounts. Additionally, there were several instances of improper social media postings and data incidents involving paper files. These examples could be shared with school staff (perhaps as part of their annual training) to demonstrate the types of breaches that commonly occur in schools today.


The Annual Report also provides a summary of the privacy complaint determinations rendered in 2024. The issue of student photographs has become a predominant concern for many parents who, because of AI, cyberbullying, social media abuses, or general privacy concerns, wish to opt out of having their children’s photos taken and shared, especially on social media. These important issues do not always fall within the bounds of FERPA and Education Law § 2-d; therefore, educational agencies should consider hearing from, and working with, parents to ensure that their schools have appropriate policies and guidance in place to address these concerns.



New Parents Bill of Rights (PBOR)


After several months of working with advocates and data protection officers, the Privacy Office published a revised Parents Bill of Rights (PBOR). The PBOR is a pillar of the Education Law § 2-d requirement that schools be transparent regarding student data security and privacy. The PBOR was therefore revised to make it easier for parents to understand and for vendors to comprehend and comply with the fundamental requirements of Education Law § 2-d. The new PBOR includes a link to privacy terms for parents and a link to guidance for educational agency leaders on PBOR implementation. The PBOR should not simply be attached to contracts, uploaded to websites, and then forgotten; it requires ongoing awareness and implementation.



Lessons Learned from Major Educational Technology Vendor Breaches


It appears that the beginning of a new year brings not only promise and optimism but, often, news of a data breach. For example, in December 2021, Illuminate Education was breached, affecting schools state-wide. In November/December 2023, New York faced the repercussions of a New York Therapy employee falling victim to a phishing incident, and of a Raptor Technologies vulnerability found by a researcher showing that Raptor had failed to secure two data storage repositories in the cloud, making student data and other records accessible.[1] In December 2024, threat actors exfiltrated data from PowerSchool’s student and teacher tables, affecting over 300 New York schools and thousands of schools in several countries.


PowerSchool has provided, and will continue to provide, educational agencies with “lessons learned” regarding mitigating the risk to our students’ data. Here, we discuss two often overlooked mitigation strategies: Data Destruction and Data Minimization.


1. Data Destruction. Both the PowerSchool and Illuminate breaches affected former customers. An educational agency’s contract and/or Data Privacy Agreement (DPA) with a vendor requires the vendor to securely delete/destroy the school’s data when the contract ends and is not renewed. Unfortunately, it is too easy for both the vendor and the educational agency to forget about this requirement. Educational agencies need to be proactive. Remember to ask for a certificate of secure deletion that is notarized and signed under penalty of perjury. Your school attorney might thank you after an incident such as PowerSchool.


2. Data Minimization. Additionally, educational agencies should only collect, store and share the student data that they need. When data is no longer needed, it must be securely deleted. Educational agencies are required to use the State’s LGS-1 as their guide for determining how long records are to be retained. For example, some educational agencies that were maintaining data long-term went into their SIS and eliminated student social security numbers; those that did not update their records had students’ social security numbers breached along with additional student data.


Finally, PowerSchool taught us the power of working together in a crisis. When the news of the PowerSchool breach broke, everyone wanted answers right away, and PowerSchool could not provide the specific information that educational agencies needed. As reported by TechCrunch, what started as a Reddit post by an affected customer in Dubai containing step-by-step instructions to determine whether schools were compromised ultimately grew into multiple users providing additional tools and insights to help other affected schools.[2] There are never enough resources when confronted with an issue such as an educational agency’s SIS being breached; however, one customer in Dubai created and published instructions, assisting schools all over the world, including New York. Likewise, many of New York’s educational agencies helped each other with information sharing so that the extent of the breach could be ascertained as quickly as possible. Aside from it being the law, people affected by the PowerSchool breach deserved to know as quickly as possible so that they could take precautions. Schools helping schools supports all affected New Yorkers.


[1] Education Week: A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know

[2] TechCrunch: How Victims of PowerSchool's Data Breach Helped Each Other Investigate 'Massive' Hack


School Boards and Student Data


We all want to celebrate student achievements and give credit where credit is due. Appearing before a school board for recognition is a time-honored tradition in many schools.


However, data protection officers and school board members must be aware that Education Law § 2-d and Part 121 of the Regulations of the Commissioner of Education prohibit the inclusion of student data in public records and reports [Education Law § 2-d (5)(b)(1) and 8 NYCRR § 121.5(c)(2)]. That prohibition does not mean that school boards cannot recognize student achievements. After several data incidents in 2024 involving PII being shared through school board information, the Privacy Office offers the following best practices for recognizing student achievements:


  • Hold recognition ceremonies in special session and do not include any student data in any notation regarding the event.
  • If the school board wants to broadcast the recognition ceremony, do not include any student data in the board meeting agenda, conduct the ceremony before or after the board meeting, and do not record the ceremony.
  • If the school board wants to recognize a group of students, such as the debate team or the football team, during a board meeting, the school board should refrain from identifying any of the individual students and refer only to the group.
  • If any presentations are made at the school board meeting, make sure that they do not contain any student data.

Questions?


You can contact us at privacy@nysed.gov.

NYSED Privacy Office

Louise DeCandia, Chief Privacy Officer

Robyn Cotrona, Senior Attorney