Protecting student privacy and data is a critical concern at ONC BOCES. As an educational facility, ONC BOCES receives, creates, stores and transfers information about students, teachers and principals that is protected by state and federal law. We take active steps to protect the confidentiality of protected information in compliance with all applicable state and federal laws. The BOCES expects all district officers, employees and partners to maintain the confidentiality of protected information in accordance with state and federal law and all applicable Board Policies.
It's important for students and their parents or guardians to familiarize themselves with our privacy policies and to ask questions if they have concerns about how their data is being handled. In an age where technology is increasingly integrated into education, protecting student privacy and data is a crucial aspect of maintaining trust and ensuring the well-being of students.
In early 2020, The New York State Department of Education adopted a new law focused on the privacy and security of student and staff personally identifiable information (PII). The Educational Law Section 2-d, known amongst NY schools as Ed Law 2-d, provides “guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data.”
Education Law §2-d applies to school districts, charter schools, universal pre-K providers and BOCES. It also applies to special education schools that have contracted with the NYS Education Department or local school districts.
Educational organizations must ensure that their technologies, safeguards and practices align with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST) and that their third-party vendor contracts comply with this multifaceted data privacy law.
Education Law §2-d applies to school districts, charter schools, universal pre-K providers and BOCES. It also applies to special education schools that have contracted with the NYS Education Department or local school districts.
Under Education Law §2-d, educational institutions must protect students’ personally identifiable information (PII) by ensuring that the use and disclosure of PII benefits students. It also prohibits the inclusion of PII in public reports or other public documents. Schools are also now required to use industry standard safeguards and best practices, such as encryption, firewalls and passwords to ensure data privacy and security.
In addition, schools must publish a Parents’ Bill of Rights for Data Privacy and Security (Bill of Rights) on their website and include it in all third-party contracts where the third-party contractor will receive student data or teacher or principal data. This Bill of Rights sets forth the rights a parent (or eligible student if over 18) has with regard to their child’s data. Included among these rights are that: data will only be disclosed as necessary to achieve educational purposes; data cannot be sold or released for commercial purposes; the parents have the right to inspect, review and correct their child’s education record; parents have the right to make complaints about possible breaches and unauthorized disclosures by filing complaints to the School or directly to the State Education Department; and parents have a right to be notified if a breach or unauthorized release occurs.
Education Law §2-d is also triggered when an educational institution contracts with a third-party contractor for a service where that third-party will receive student data or teacher or principal data. “Student data” is defined broadly as PII. This includes, but is not limited to: the student’s name, address, personal identifiers such as social security number or school ID number, date or place of birth, mother’s maiden name, special education status, etc. However, “teacher or principal data” is more narrowly defined as PII relating to their annual professional performance reviews (APPR). Supplemental information must be included in every third-party contract where data is exchanged that spells out: the purpose for the data disclosure, how the data will be handled after the contract’s termination, what training will be provided to employees regarding data privacy, how the data will be protected, etc.
Supplemental Information
Education Law 2-d requires each NYS educational agency to post supplemental information for each contract where a third-party contractor receives student data and/or teacher or principal data from ONC BOCES. A list of contracts to which this applies is available below
District Data Privacy Inventory Tool
New York State Education Law Section 2-d requires that all school districts introduce an inventory of programs used in the school environment on their websites and make such a document publicly available. Schools must also provide a clear description of the various data elements collected by the programs and applications including student, teacher and administrator Personally Identifiable Information (PII). To that end, we are pleased to introduce just such an inventory which is listed below. In addition to the required information, more resources such as legal or regulatory documentation may be added to this public resource further outlining the reasons particular data elements are collected as well as the intended uses. At the bottom of this page, you will find the inventory and a description of the programs currently in use in our schools with links to each company's privacy policies. This public portal will be continuously updated as new security information is received or as new technological applications are integrated into the school environment.
After reviewing this resource, if you have any questions, please feel free to contact our Data Protection Officer:
Name: Genevieve Ballard
Phone: 607-286-7715 ext. 2402
Mailing Address: 1914 County Route 35, Milford, NY 13807