Sec. 121.9. Third-party contractors  


(a) In addition to all other requirements for third-party contractors set forth in this Part, each third-party contractor that will receive student data or teacher or principal data shall:
    (1) adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework;
    (2) comply with the data security and privacy policy of the educational agency with whom it contracts; Education Law section 2-d; and this Part;
    (3) limit internal access to personally identifiable information to only those employees or sub-contractors that need access to provide the contracted services;
    (4) not use the personally identifiable information for any purpose not explicitly authorized in its contract;
    (5) not disclose any personally identifiable information to any other party without the prior written consent of the parent or eligible student:
        (i) except for authorized representatives of the third-party contractor such as a subcontractor or assignee to the extent they are carrying out the contract and in compliance with State and Federal law, regulations and its contract with the educational agency; or
        (ii) unless required by statute or court order and the third-party contractor provides a notice of disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of disclosure is expressly prohibited by the statute or court order;
    (6) maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable information in its custody;
    (7) use encryption to protect personally identifiable information in its custody while in motion or at rest; and
    (8) not sell personally identifiable information nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
(b) Where a third-party contractor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the third-party contractor by State and Federal law and contract shall apply to the subcontractor.