Data Security Policy
STUDENT DATA SECURITY POLICY
1. Defining Student Data
- Identifiable information that is maintained in education records which can be used to identify the student with reasonable certainty, either directly or indirectly.
- Includes, but is not limited to:
- the student's name;
- the name of the student's parent or other family members;
- the address of the student or student's family;
- a personal identifier, such as the student's social security number, student number, or biometric record; or
- other indirect identifiers, such as the student's date of birth, place of birth, and the mother’s maiden name.
2. Education Law §2-d and 8 NYCRR Part 121
- Includes, but is not limited to:
- Imposes an obligation on the State Education Department to take action to provide guidance on strengthening data privacy and security
- Protects student data and teacher and principal data
- Applies to public school districts, charter schools, and special education schools that contract with SED or local school districts
- Regulations were adopted on January 13, 2020
- Data Privacy and Security Standards
- Schools must adopt technologies, safeguards, and practices that align with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (“NIST”)
- Schools must protect PII by:
- Ensuring that use and disclosure of PII benefits students
- Prohibiting the inclusion of PII in public reports or other public documents
- Using industry standard safeguards and best practices, such as encryption, firewalls, and passwords
- Data Security Practices
- No communication that involves student data should be sent via email or text message.