
DPO NEWSLETTER

NYSED Privacy Office

January 2025 · Volume 4 Issue 1

JANUARY 27-31, 2025 IS DATA PRIVACY WEEK!!

Sample spreadsheet showing headings Vendor, Contract Term, Supplemental Information.

A Message from the Chief Privacy Officer


Education Law Section 2-d was passed as part of the 2014 budget bill, meaning there is no bill jacket to review to help interpret some of the language that might be confusing. However, even if some confusion remains, it is unmistakable that transparency is one of the law’s pillars. This is evidenced by the law’s authorization of parents and eligible students to file privacy complaints with their local educational agency or my office, as well as the requirement to adopt and publicly post a Parents Bill of Rights, which includes supplemental information about the third-party contractors an educational agency is sharing PII with.


This school year, the Privacy Office has received several questions regarding the requirement to publicly post supplemental information. This issue was also discussed at the DPSS Conference last spring. Education Law Section 2-d (3)(c) and Section 121.3 of the Commissioner’s regulations require educational agencies to publish the Parents Bill of Rights on their website. This includes supplemental information for each contract where a third-party contractor receives student data. As discussed, this mandate is one of several transparency requirements in Education Law Section 2-d. 


Section 121.3 [e] of the Commissioner’s regulations allows the supplemental information to be redacted to the extent necessary to safeguard the privacy and security of the educational agency’s data or technology infrastructure. It is the Privacy Office’s opinion that redaction is rarely necessary. There is no evidence supporting the theory that threat actors attack schools that publicly display the education technology tools they use. Additionally, many of the same educational agencies that complain about this requirement list the portals, student information and management systems, and other tools the school uses on their website to assist parents and students.


If schools place their supplemental information on a portal or other non-public facing web page, all parents must have ready access to the information without having to ask for it and a notice about where to locate the information must be on the school’s webpage. A hidden link or login or a notice that the information will be furnished upon request is not acceptable.


Finally, this requirement is not unique to New York. Several other states including Colorado, Illinois and Connecticut require their schools to publicly post all the third-party vendors the school district is sharing student data with.   

Data Privacy Week - January 27-31


The National Cybersecurity Alliance is presenting a series of conversations about how to keep your data private and safe. More information can be found at Talking Data 2025.

Talking Data (Data Privacy Week). Daily conversations about keeping your data private and safe!

  • "Dude, Where's My Data?" Monday, January 27
  • "Privacy and AI," Tuesday, January 28
  • "Take Control of Your Data: Privacy Settings in Your Favorite Apps," Wednesday, January 29
  • "Are We Making Progress? Understanding Privacy Laws," Thursday, January 30
  • "Safeguard Your Kids' Data," Friday, January 31
  • "Level Up Your Privacy Game!" Friday, January 31

The National Cybersecurity Alliance also produced a series of short videos named Kubikle. You can find out more at the Kubikle Website.

Winter FERPA Training


The Student Privacy Policy Office (SPPO), through its Privacy Technical Assistance Center (PTAC), will host a 3-day virtual webinar series on student privacy and data security in January 2025. This series will provide the education community with opportunities to learn more about FERPA, data security, data breach preparedness and response, transparency, and more.



ACCEPTABLE USE POLICIES


One of the best tools that DPOs have for orderly administration of their networks is the Acceptable Use Policy ("AUP"). All users are subject to the district’s AUPs.


Before we start discussing AUPs, ask yourself these three questions:

  • Does your district have an AUP?
  • Has your district’s AUP been reviewed within the last 5 years?
  • Have you read your district’s AUP within the last year?


If you answered yes to all three questions, congratulations! You are vigilant and ready for one part of NYSED CISO Marlowe Cochran’s Data Security Review! If you did not answer yes to more than one question, before you pull out your To Do List, please read a little more.


AUPs are part of the NIST CSF 1.1 and 2.0. They are also part of the CISA Cybersecurity Performance Goals (CPGs), which can be found in the Cross-Sector Cybersecurity Performance Goals report along with the CISA CPG Checklist. Additionally, the Center for Internet Security has some policy templates for 49 of the NIST CSF 1.1 subcategories (including AUPs) available at NIST Cybersecurity Framework Policy Template Guide.


AUPs are important to:

  • Protect the Confidentiality, Integrity, and Availability (CIA) of data at rest (CSF 2.0 PR.DS-01) and prohibit the connection of unauthorized devices (CPG 2.T)
  • Establish the cybersecurity roles and responsibilities for the workforce (CSF 2.0 GV.RR-02)
  • Ensure that users are trained so that they possess the knowledge to perform tasks with security risks in mind (PR.AT-01; CPG 2.I)
  • Provide users with information regarding the potential risks to the organization when they do not follow the AUP.


You can reinforce the AUP’s requirements in the annual privacy training that all employees are required to take (Section 121.7 of the Commissioner’s regulations). Employees with access to student data, especially teachers, should be keenly aware of their legal obligation to protect student data from unauthorized accessibility, access, or disclosure. 

NIST

Looking Forward to 2025


NIST SP 800-63B-4 Password Guidelines should be finalized in 2025. The last round of public comments ended on October 7, 2024.

Resources from the Privacy Office:

Questions?


You can contact us at privacy@nysed.gov.

NYSED Privacy Office

Louise DeCandia, Chief Privacy Officer

Robyn Cotrona, Senior Attorney