Data Privacy Rider for All Contracts

Data Privacy Rider for All Contracts Involving Protected Data Pursuant to New York State Education Law §2-C and §2-D


 ONC BOCES and the Third-Party Contractor agree as follows:

1.     Definitions:

a.     Protected Information means personally identifiable information of students from student education records as defined by FERPA, as well as teacher and Principal data regarding annual professional performance reviews made confidential under New York Education Law §3012-c and §3012-d;

b.     Personally Identifiable Information (PII) means the same as defined by the regulations implementing FERPA (20 USC §1232-g);

2.     Confidentiality of all Protected Information shall be maintained in accordance with State and Federal Law and the BOCES Data Security and Privacy Policy;

3.     The Parties agree that the BOCES Parents’ Bill of Rights for Data Security and Privacy are incorporated as part of this agreement, and the Third-Party Contractor shall comply with its terms;

4.           The Third-Party Contractor agrees to comply with New York State Education Law §2-d and its implementing regulations;

5.           The Third-Party Contractor agrees that any officers or employees of the Third-Party Contractor, and its assignees who have access to Protected Information, have received or will receive training on Federal and State law governing confidentiality of such information prior to receiving access;

6.           The Third-Party Contractor shall:

a.     limit internal access to education records to those individuals that are determined to have legitimate educational interests;

b.     not use the education records for any other purposes than those explicitly authorized in its contract or written agreement. Unauthorized use specifically includes, but is not limited to, selling or disclosing personally identifiable information for marketing or commercial purposes or permitting, facilitating, or disclosing such information to another Third-Party for marketing or commercial purposes;

c.     except for authorized representatives of the Third-Party Contractor to the extent they are carrying out the contract or written agreement, not disclose any personally identifiable information to any other party;

                                               i.        without the prior written consent of the parent or eligible student; or

                                              ii.        unless required by statute or court order and the party provides notice of the disclosure to the New York State Education Department, Board of Education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by statute or court order;

d.     maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality and integrity of personally identifiable information in its custody;

e.     use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the Secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law §111-5;

f.      adopt technology, safeguards and practices that align with the NIST Cybersecurity Framework;

g.     impose all the terms of this rider in writing where the Third-Party Contractor engages a subcontractor or other party to perform any of its contractual obligations which provides access to Protected Information.

Agreement and Signature

By signing below, you agree to the Terms and Conditions in this Rider:

Company Name ____________________________ 

Product Name _____________________________

Printed Name __________________________ Signature __________________________ 

Date ______

View text-based website