Data Privacy Rider for All Contracts Involving Protected Data
Pursuant to New York State Education Law §2-C and §2-D
ONC BOCES and the Third-Party Contractor agree as follows:
1. Definitions:
a. Protected Information means personally identifiable information of students
from student education records as defined by FERPA, as well as teacher and
Principal data regarding annual professional performance reviews made
confidential under New York Education Law §3012-c and §3012-d;
b. Personally Identifiable Information (PII) means the same as defined by the
regulations implementing FERPA (20 USC §1232-g);
2. Confidentiality of all Protected Information shall be maintained in
accordance with State and Federal Law and the BOCES Data Security and Privacy
Policy;
3. The Parties agree that the BOCES Parents’ Bill of Rights for Data Security
and Privacy is incorporated as part of this agreement, and the Third-Party
Contractor shall comply with its terms;
4. The Third-Party Contractor agrees to comply with New York State Education
Law §2-d and its implementing regulations;
5. The Third-Party Contractor agrees that any officers or employees of the
Third-Party Contractor, and its assignees who have access to Protected
Information, have received or will receive training on Federal and State law
governing confidentiality of such information prior to receiving access;
6. The Third-Party Contractor shall:
a. limit internal access to education records to those individuals that are
determined to have legitimate educational interests;
b. not use the education records for any other purposes than those explicitly
authorized in its contract or written agreement. Unauthorized use specifically
includes, but is not limited to, selling or disclosing personally identifiable
information for marketing or commercial purposes or permitting, facilitating,
or disclosing such information to another Third-Party for marketing or
commercial purposes;
c. except for authorized representatives of the Third-Party Contractor to the
extent they are carrying out the contract or written agreement, not disclose
any personally identifiable information to any other party;
i. without the prior written consent of the parent or eligible student; or
ii. unless required by statute or court order and the party provides notice of
the disclosure to the New York State Education Department, Board of Education,
or institution that provided the information no later than the time the
information is disclosed, unless providing notice of the disclosure is
expressly prohibited by statute or court order;
d. maintain reasonable administrative, technical, and physical safeguards to
protect the security, confidentiality and integrity of personally identifiable
information in its custody;
e. use encryption technology to protect data while in motion or in its custody
from unauthorized disclosure using a technology or methodology specified by the
Secretary of the United States Department of Health and Human Services in
guidance issued under Section 13402(H)(2) of Public Law §111-5;
f. adopt technology, safeguards and practices that align with the NIST
Cybersecurity Framework;
g. impose all the terms of this rider in writing where the Third-Party
Contractor engages a subcontractor or other party to perform any of its
contractual obligations which provides access to Protected Information.
Agreement and Signature
By signing below, you agree to the Terms and Conditions in
this Rider:
Company Name ____________________________
Product Name _____________________________
Printed Name __________________________ Signature __________________________
Date ______