Resources » Data Security Policy

Data Security Policy



1. Defining Student Data
  • Identifiable information that is maintained in education records which can be used to identify the student with reasonable certainty, either directly or indirectly.
    • Includes, but is not limited to:
      • the student's name;
      • the name of the student's parent or other family members;
      • the address of the student or student's family;
      • a personal identifier, such as the student's social security number, student number, or biometric record; or
      • other indirect identifiers, such as the student's date of birth, place of birth, and the mother’s maiden nam2. Education Law §2-d and 8 NYCRR Part 121
  • Imposes an obligation on the State Education Department to take action to provide guidance on strengthening data privacy and security
  • Protects student data and teacher and principal data
  • Applies to public school districts, charter schools, and special education schools that contract with SED or local school districts
  • Regulations were adopted on January 13, 2020
  1. Data Privacy and Security Standards
  • Schools must adopt technologies, safeguards, and practices that that align with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (“NIST”)
  • Schools must protect PII by:
  • Ensuring that use and disclosure of PII benefits students
  • Prohibiting the inclusion of PII in public reports or other public documents
  • Using industry standard safeguards and best practices, such as encryption, firewalls, and passwords
  1. Data Security Practices
  • No communication that involves student data should be sent to via email ro text message.