Data Privacy/Security Policy for Schools and Offices

With Respect to Outside Entities Provided Access to Confidential Information by the New York City Department of Education

New York Education Law 2-d and its implementing regulations impose a number of requirements on outside entities (called a “third party contractor” or “TPC”) that receive student or certain pedagogue personally identifiable information (PII) from the NYC DOE pursuant to a written agreement. These requirements are listed below. Any outside entity that receives PII from the NYC DOE pursuant to a written agreement should be considered a TPC and must comply with these provisions.

Compliance with Law and Policy 

TPCs must: 

  • Comply with N.Y. Education Law 2-d and its implementing regulations, and the NYC DOE’s information privacy and security policies, including Chancellor’s Regulation A-820. 
  • Comply with the NYC DOE Parents’ Bill of Rights for Data Privacy and Security, and attach it to the written agreement 
  • Provide certain “supplemental information” attached to the Bill of Rights with respect to their data privacy and security practices 

Restrictions on PII Use

TPCs must:  

  • Not use the PII for any purpose not explicitly authorized in its agreement with the NYC DOE 
  • Not sell PII nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so 
  • Limit internal access to PII to only those employees or sub-contractors that need access to provide the contracted services
  • Not disclose any PII to any other party without the prior written consent of the parent or eligible student, except as required to carry out the contract, or as otherwise required or permitted by law 

Data Privacy and Security Practices

TPCs must: 

  • Adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework 
  • Use encryption to protect personally identifiable information in its custody while in motion or at rest
  • Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody
  • Agree to a data privacy and security plan, which must do the following: 
    • outline how the TPC will implement all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE policies;
    • specify the administrative, operational and technical safeguards and practices it has in place to protect PII that it will receive under the agreement;
    • specify how officers or employees of the TPC and its assignees who have access to PII receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
    • specify if the TPC will utilize sub-contractors and how it will manage those relationships and contracts to ensure PII is protected;
    • specify how the TPC manages data security and privacy incidents that implicate PII, including any plans to identify breaches and unauthorized disclosures and to promptly notify the NYC DOE; and 
    • describe whether, how and when data will be returned to the NYC DOE, transitioned to a successor contractor (at the NYC DOE’s option and direction), or deleted or destroyed by the TPC when the contract is terminated or expires. 

Data Breach Reporting Obligations 

TPCs must: 

  • Notify the NYC DOE of any breach or unauthorized release of PII in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of such breach 
  • Cooperate with the NYC DOE and law enforcement to protect the integrity of investigations into the breach or unauthorized release of PII 
  • Pay for or promptly reimburse the NYC DOE for the full cost of parental notifications, where a breach or unauthorized release is attributed to the TPC