DPO NEWSLETTER

NYSED Privacy Office

July 2024 · Volume 3 Issue 3

Happy Summer everyone and welcome to the Privacy Office’s new Newsletter format. You may recognize it as a format used by several other New York State Education Department Program Offices. One of the benefits of this new format is that anyone who wants to receive a copy of the newsletter can sign onto the distribution list. For the purposes of our newsletter, the Privacy Office will no longer be relying solely upon the Data Protection Officer and Superintendent Listservs, although the contacts that we have from those listservs are being used as the starting point for our distribution list.  

We hope you find this format more accessible and that you will inform your colleagues who do not automatically get a copy that they can now be on our distribution list too. To join the subscription list, click the subscribe button at the bottom of this newsletter and sign up. You can also sign up via the Privacy website on the homepage.


Enjoy Your Summer and Stay Cool,

Louise

The National Data Protection Agreement

Access 4 Learning Community Student Data Privacy Consortium

As you know, schools are required to use approved education technology products. An approved product means that the product has a contract that includes a master service agreement (“MSA”) and a data protection agreement (“DPA”). 

 

Since taking on the position of Chief Privacy Officer, I have heard many complaints about the process of negotiating DPAs. Therefore, to make the DPA requirement easier to implement, the New York State Education Department (“NYSED”) recently developed a new centralized and standardized DPA structure. Specifically, NYSED purchased a State-wide membership in the national education consortium Access for Learning (“A4L”). This membership allows New York to use their National Data Protection Agreement (“NDPA”). The NDPA offers a standard DPA that all of New York’s 1000+ educational agencies can use. 


Additionally, to complement this membership, the BOCES Regional Information Centers (“RICs”) joined The Education Cooperative Student Data Privacy Alliance (“TEC SDPA”). The TEC SDPA is an alliance of ten states. Using the NDPA, the RICs and TEC SDPA manage a team that supports the negotiation and execution of DPAs that include standard New York State terms. This new DPA structure eliminates the need for school staff to directly negotiate DPAs with each third-party vendor with whom they share student data. While the new relationships may sound complex, the outcome of this arrangement will be a simplified and standardized DPA process.

 

Schools that are interested in participating will be working with their RICs to get onboarded onto the A4L DPA dashboard. Once onboarded, NYSED seeks assistance from school administrators to ensure that your school only uses third party vendors that have agreed to a DPA. Because schools are required to maintain control over student data, including after they have shared it with a third party vendor, using the New York approved NDPA is the easiest way to make sure your students’ data is safe.

 

For more information on this important initiative, and to learn more about the RIC One Vendor Management Risk Operations Center (RIC One ROC), which has been created to implement a standardized, cost-effective and sustainable process to manage vendor risk, visit RIC One or speak with your RIC director as to how you can get started.

  

Applicable Terms:

 

Access for Learning’s Student Data Privacy Consortium (“A4L’s SDPC”): Is a national consortium of schools, state agencies and providers addressing data privacy concerns. The Consortium provides a model National Data Privacy Agreement (NDPA) with terms agreed to by third-party contractors and educational agencies. See Access 4 Learning (A4L)

 

Resource Registry (also known as the A4L SDPC Resource Registry): Is the platform used to manage workflow and management needs related to Data Privacy Agreements. See A4L DPC Resource Registry

 

The Education Cooperative (“TEC”): Is a Massachusetts educational service agency and 501(C)(3) non-profit organization. The Massachusetts Education Cooperatives are similar to the BOCES. 

 

The Education Cooperative Student Data Privacy Alliance (“TEC SDPA”): Is a multi-state data privacy alliance. TEC SDPA supports K-12 agencies in New York, Maine, Massachusetts, New Hampshire, Rhode Island, Vermont, Ohio, Virginia, Tennessee and Missouri. Through the TEC SDPA and RIC One ROC partnership, NDPAs are negotiated that include NYS specific terms. See TEC SDPA

Protecting Laptops, Tablets and Other Mobile Devices

The NIST Cybersecurity Framework requires that data be encrypted when it is in motion and at rest. For New York’s educational agencies this means that all student data and all teacher or principal APPR data must be encrypted in motion and at rest. Below is a discussion of encryption requirements for student data and teacher or principal APPR data.


Please note: Any applications or software mentioned below are for illustrative purposes only and do not constitute an endorsement by NYSED. 

Data at rest means that the data is stored on an encrypted hard or flash drive, server or in the cloud. Traditional hardware such as desktop computers, laptops, and servers, should not pose a significant problem because the latest Operating Systems are automatically encrypting hard drives. Therefore, the challenge is making sure that users do not save files to the unencrypted boot volume and making sure that the users do not turn off the encryption.

 

For mobile devices such as Chromebooks, tablets and cell phones, device encryption began over a decade ago with iOS 3.0 and Android 4.0 (Ice Cream Sandwich). As mobile devices matured, the methods of encryption also matured and became a standard setting on these devices. Therefore, the challenge is making sure that the user does not turn off the encryption and educating users to not share mobile devices that contain their data.

 

For cloud services, educational agencies need to ensure that third party contractors are encrypting student data and teacher or principal APPR data that is being stored in the cloud. There are many ways and places that data such as documents, email, photographs, recordings, and other media is stored in the cloud, including:

  • Google Suite, including Gmail, Google Drive, Google Docs, Sheets, Slides, Chat, Calendar, and Meet;
  • Office 365, including Outlook, OneDrive, SharePoint, and Forms;
  • EduTech apps or software that use AWS (Amazon Web Services) or another cloud solution, including Blackboard, ClassHook, Coursera, Kahoot!, Lessonbee, Udacity, Udemy, Raptor Technologies and Wakelet;
  • Storage solutions including Barracuda, Cohesity, and Rubrik; and 
  • Websites and social media platforms, including Facebook, Instagram, X, and YouTube.

Therefore, the challenge in this circumstance is ensuring that the cloud storage is encrypted and locked using multi-factor authentication (MFA) for access, access to stored data is based on the principle of least privilege, and that the contract with the service provider includes a data protection agreement (DPA) requiring encryption. 


Data in transit means data that is moving from one location to another location using an Educational Agency’s network or the Internet. It is important to note that the encryption requirement is not limited to data moving over the Internet. If data is moving, it must be encrypted. Therefore, the challenge is selecting one or more products or services that provide encrypted communication and ensuring that the application is used when communicating confidential information. The various types of communication and examples of products are:

  • Communication with parents, including ClassDojo, ParentSquare, and Procare; 
  • Communication with teachers/staff and students, including Bloomz and Remind;
  • Communication with anyone other than parents or students and faculty, including third-party contractors that provide services to the educational agency, such as Gmail, Outlook, Virtru, and Zix Mail; and
  • Communication for Special Education, including Ed Plan, Embrace, and Frontline. 

Data that is stored or transmitted in clear text (unencrypted) is gold for threat actors because they do not have to do anything to mine the confidential information, including personally identifiable information in the data. Do not make it easy for threat actors to steal your data. Use encryption. It’s the law.

Best Practices to Consider

When reviewing incident reports, we see practices to emulate and practices to avoid.

Our Top 3 Practices to Emulate:


  1. When faced with a student device with malware that has probably been used at home, a school district notified the affected student’s family that any devices currently and recently connected to their network are at risk of being infected with malware. The school district suggested that the family scan each device for malware.
  2. After receiving a Saturday report that a link to a phishing attack using a Google Form had been sent to all users in the school district’s email system, parents were notified on Saturday of the attack and asked to have their child or children check their email account(s) for the email and delete it. Additionally, at the beginning of the next school day, announcements were made in each classroom instructing students not to click on the link or complete the form. The announcements also asked any students who had completed the form to immediately notify a teacher.
  3. As a lesson learned from the Raptor Technologies incident, instead of uploading documents that include student and parent confidential information, such as custody orders and/or orders of protection for storage in the application, consider uploading a document noting that a court order exists and who to contact for additional information.

Our Top 3 Practices Not To Emulate:


  1. Teachers or staff providing a student’s PII to the wrong parent during an in person meeting. On more than one occasion, a staff member disclosed student PII to a person other than the student’s parent.
  2. Failing to file an incident report and/or provide notification to the parents of affected students when student data was accessible to persons who have no educational need to know the information because your Educational Agency’s notification policy does not require these actions be taken. The Privacy Office has found that these policies are often based on General Business Law § 899-aa and State Technology Law § 280. However, Education Law § 2-d and Part 121 require reports and notification in instances where neither would be required under the General Business Law and the State Technology Law. Your Educational Agency’s notification policy for breaches of student data and/or teacher or principal APPR data is required to follow the requirements of Education Law § 2-d and Part 121.
  3. Failing to file an incident report after NYSED knows that your Educational Agency suffered a data incident and failing to respond to NYSED’s questions regarding a filed incident report. Filing these reports is required by law and regulation. Reporting helps the Privacy Office to ascertain trends and provide helpful tips as to what is happening in the field. Also, a review of data incidents is published annually in the Privacy Office’s Annual Report. Finally, if no other reason is sufficient, report because Robyn knows who you are and that you are failing to report. 

Resources from the Privacy Office:

Questions?


You can contact us at privacy@nysed.gov.

NYSED Privacy Office

Louise DeCandia, Chief Privacy Officer

Robyn Cotrona, Senior Attorney