New York Codes Rules Regulations (Last Updated: March 27, 2024) |
TITLE 8. Education Department |
Chapter II. Regulations of the Commissioner |
Subchapter E. Elementary and Secondary Education |
Part 121. Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information |
Sec. 121.5. Data security and privacy standard
- (a) As required by Education Law section 2-d(5), the department adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies.
- (b) Each educational agency shall adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF no later than October 1, 2020.
- (c) Each educational agency’s data security and privacy policy must also address the data privacy protections set forth in Education Law section 2-d(5)(b)(1) and (2) as follows:
  - (1) every use and disclosure of personally identifiable information by the educational agency shall benefit students and the educational agency (e.g., improve academic achievement, empower parents and students with information, and/or advance efficient and effective school operations).
  - (2) personally identifiable information shall not be included in public reports or other documents.
- (d) An educational agency’s data security and privacy policy shall include all the protections afforded to parents or eligible students, where applicable, under FERPA and the Individuals with Disabilities Education Act (20 U.S.C. 1400 et seq.), and the Federal regulations implementing such statutes.
- (e) Each educational agency must publish its data security and privacy policy on its website and provide notice of the policy to all its officers and employees.