Phoenix Central School District

Student Data Privacy- Education Law 2-D

New York State Education Law 2-d and Part 121 of the Commissioner’s Regulations outline requirements for school districts and BOCES for protecting personally identifiable information (PII) of students and teacher and principal APPR evaluation information. Districts and BOCES must post a Parents’ Bill of Rights and provide Supplemental Information for all third-party contracts subject to NYS Education Law 2-d.

Please reference this Fact Sheet for Parents provided by NYSED.

Education Law § 2-d protects students' personally identifiable information (PII) from unauthorized disclosure. Education Law § 2-d also gives parents rights regarding their child's PII. The parent fact sheet explains these rights.

Questions related to student data privacy and security can be emailed to mfoley@phoenixcsd.org and will be forwarded to the Phoenix Central School District Data Protection Officer (DPO), Michael Foley, for review.


Parent Bill of Rights The district is required to post the Parents' Bill of Rights.	Supplemental Information An inventory/list of third parties who have access to student data.	Data Security & Privacy Policy The district's Data Security and Privacy Policy must be posted on the website. 4510.4 Student Use of Personal Technology Policy 4510.3 PCSD Acceptable Use Policy	Unauthorized Disclosure Complaint Procedures Details how stakeholders are notified of a potential data incident/breach.

FERPA Annual Notification This policy/notification informs parents and students about their rights to review education records. Click here to view our FERPA policy Click here for the Image Opt-Out Form	Directory Information Policy Clearly identifies the elements that comprise the district's directory information (such as names, birthdates, etc.).	PRPA Policy Notification of the Pupil Rights Protection Amendments and how it covers surveys, marketing, and physical exams.	Notification of Specific Events Details how districts notify parents of additional events not originally covered in an initial (annual) PRPA notification. See Below

New York State Data Privacy and Security

Ed Law 2D - Education Law § 2-d went into effect in April 2014. The focus of the statute was to foster privacy and security of personally identifiable information (PII) of students and certain PII related to classroom teachers and principals.

Part 121 Amendment to Ed Law 2D - Although the proposed regulations largely restate the requirements of Education Law § 2-d, there are new elements, including the adoption by the New York State Education Department of a data security and privacy standard, as was required by the statute. The Department will adopt the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (CSF or Framework)

Contact Us

If you have any questions or concerns regarding Data Privacy and Security, please contact Michael Foley, Director of Data and Technology and Data Protection Officer for the Phoenix Central School District 315-695-1549.

Notification of Specific Events

Notification

The District will notify the New York State Attorney General (AG), the New York State Department Consumer Protection Board (CPB) and the New York State Office of Cyber Security (OCS), as required by law. All affected individuals must be notified of the breach if their compromised data meets the classifications described in law. The District may delay notification of affected individuals if law enforcement determines that notification may impede a criminal investigation.

The required notice shall be directly provided to the affected persons by one of the following methods:

Written notice;
Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form; and a log of each such notification is kept by the District when notifying affected persons in electronic form. However, in no case shall the District require a person to consent to accepting such notice in electronic form as a condition of establishing any business relationship or engaging in any transaction;
Telephone notification, provided that a log of each such notification is kept by the District when notifying affected persons by phone; or
Substitute notice, if the District demonstrates to the State Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds $500,000, or that the District does not have sufficient contact information. Substitute notice shall consist of all of the following:
1. Email notice when the District has an email address for the subject persons;
2. Conspicuous posting of the notice on the District's website page, if the District maintains one; and
3. Notification to major statewide media.

Regardless of the method of which notice is provided, a notification must include:

Contact information for the District official handling the notification;
A description of the categories of information that were, or are reasonably believed to have been, acquired without authorization; and
Details on which elements of personal and private information were, or are reasonably believed to have been, so acquired.

The New York State Office of Cyber Security will be informed as to the timing, content and distribution of the notices and the approximate number of affected persons. The Attorney General and the Division of Consumer Protection should also be informed of these notices to affected persons. Refer to New York State Security Breach Reporting Form for contact information, addresses and notification guidelines.

Applicable Federal and State Laws that Impact Technology Use and Student Privacy

PCSD Policies and Guidelines for Student Data and Security

Additional Resources

Data Security and Privacy