New York Codes Rules Regulations (Last Updated: March 27, 2024)
TITLE 8. Education Department
Chapter II. Regulations of the Commissioner
Subchapter E. Elementary and Secondary Education
Part 121. Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information
Sec. 121.1. Definitions
As used in this Part, the following terms shall have the following meanings:

(a) Breach means the unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal data by or to a person not authorized to acquire, access, use, or receive the student data and/or teacher or principal data.

(b) Chief Privacy Officer means the Chief Privacy Officer appointed by the commissioner pursuant to Education Law section 2-d.

(c) Commercial or marketing purpose means the sale of student data; or its use or disclosure for purposes of receiving remuneration, whether directly or indirectly; the use of student data for advertising purposes, or to develop, improve or market products or services to students.

(d) Contract or other written agreement means a binding agreement between an educational agency and a third-party, which shall include but not be limited to an agreement created in electronic form and signed with an electronic or digital signature or a click wrap agreement that is used with software licenses, downloaded and/or online applications and transactions for educational technologies and other technologies in which a user must agree to terms and conditions prior to using the product or service.

(e) Disclose or disclosure mean to permit access to, or the release, transfer, or other communication of personally identifiable information by any means, including oral, written, or electronic, whether intended or unintended.

(f) Education records means an education record as defined in the Family Educational Rights and Privacy Act and its implementing regulations, 20 U.S.C. 1232g and 34 C.F.R. part 99, respectively.

(g) Educational agency means a school district, board of cooperative educational services (BOCES), school, or the department.

(h) Eligible student means a student who is 18 years or older.

(i) Encryption means methods of rendering personally identifiable information unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified or permitted by the Secretary of the United States Department of Health and Human Services in guidance issued under section 13402(H)(2) of Public Law 111-5.

(j) FERPA means the Family Educational Rights and Privacy Act and its implementing regulations, 20 U.S.C. 1232g and 34 C.F.R. part 99, respectively.

(k) NIST Cybersecurity Framework means the U.S. Department of Commerce National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity version 1.1 which is available at the Office of Counsel, State Education Department, State Education Building, Room 148, 89 Washington Avenue, Albany, NY 12234.

(l) Parent means a parent, legal guardian, or person in parental relation to a student.

(m) Personally identifiable information, as applied to student data, means personally identifiable information as defined in section 99.3 of title 34 of the Code of Federal Regulations implementing the Family Educational Rights and Privacy Act, 20 U.S.C 1232g, and as applied to teacher and principal data, means personally identifiable information as such term is defined in Education Law section 3012-c(10).

(n) Release shall have the same meaning as disclosure or disclose.

(o) School means any public elementary or secondary school including a charter school, universal pre-kindergarten program authorized pursuant to Education Law section 3602-e, an approved provider of preschool special education, any other publicly funded pre-kindergarten program, a school serving children in a special act school district as defined in Education Law section 4001, an approved private school for the education of students with disabilities, a State-supported school subject to the provisions of article 85 of the Education Law, or a State-operated school subject to the provisions of articles 87 or 88 of the Education Law.

(p) Student means any person attending or seeking to enroll in an educational agency.

(q) Student data means personally identifiable information from the student records of an educational agency.

(r) Teacher or principal data means personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law sections 3012-c and 3012-d.

(s) Third-party contractor means any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. Such term shall include an educational partnership organization that receives student and/or teacher or principal data from a school district to carry out its responsibilities pursuant to Education Law section 211-e and is not an educational agency, and a not-for-profit corporation or other nonprofit organization, other than an educational agency.

(t) Unauthorized disclosure or unauthorized release means any disclosure or release not permitted by Federal or State statute or regulation, any lawful contract or written agreement, or that does not respond to a lawful order of a court or tribunal or other lawful order.