Resources
Below are resources developed by a partnership of the New York Regional Information Centers to support schools in the implementation of Education Law 2-d and Part 121 Regulations.
NYSED Documents and Information
New York State Education Department news and updates from the Office of Communications.
NYSED Ed Law 2-d
New York State Education Law Section 2-d and the Family Educational Rights and Privacy Act provide clear protections for student data, and NYSED is committed to complying with all applicable laws. The New York State Department of Education has committed to promoting the least intrusive data collection policies practicable that advance the goals of improving academic achievement, empowering parents with information and advancing efficient and effective school operations while minimizing the collection and transmission of personally identifiable information, and will work to ensure that this is reflected in the practices of every educational agency in New York State by developing policies and standards that will provide clear guidance to the field.
Part 121 Regulations
Regulatory changes to increase information security measures to safeguard the Personally Identifiable Information (PII) of students and certain school personnel. Part 121 regulations outline requirements for educational agencies and their third-party contractors to ensure the security and privacy of such protected information and were developed in consultation with stakeholders and the public.
NYSED Data Privacy and Security Laws, Regulations, & Guidance
Resources provided by NYSED Data Privacy and Security on laws, regulations, and guidance.
NYSED Annual Report on Data Privacy and Security
Pursuant to NYS Education Law §2-d, the Chief Privacy Officer is required to issue an annual report on (1) data privacy and security activities and progress, (2) the number and disposition of reported breaches, if any, and (3) a summary of any complaints of possible breaches of student data or teacher or principal annual professional performance review data (PII).
Master SED Data Privacy & Security Policy
SED's Data Privacy and Security Policy (Released June 14, 2021).
NYSED Model Data Privacy Agreement
The NYSED Model Data Privacy Agreement can be used as an addendum to a third-party vendor agreement. This model DPA includes a model Parents' Bill of Rights and a model third-party vendor supplemental information document.
NYSED Parents' Bill of Rights
The New York State Education Department collects and maintains certain personally identifiable information about students enrolled in public schools across the state. Education Law § 2-d requires each educational agency in the State of New York to develop a Parents’ Bill of Rights for Data Privacy and Security and publish it on its website.
Online Privacy and Safety Resources
The continuity of education for students during the COVID-19 pandemic is of utmost importance. Schools are utilizing digital online tools to deliver classes and communicate with staff and students. Parents, students and even educational agency staff may have questions related to the privacy and security of student data when these tools are used. NYSED's online privacy and safety page compiles resources from various departments around this topic.
Reporting a Data Privacy/Security Incident QA
Educational agencies must report unauthorized disclosures and/or access to data protected by state and federal laws to SED's Chief Privacy Officer. This QA page contains information on Data Privacy/Security/Cyber-incident Reporting.
Data Protection Officer FAQ
Frequently asked questions related to Education Law 2-d compliance. This page was designed to address common questions asked by Data Protection Officers.
Data Protection & Planning
The Regional Information Centers have developed the Data Protection & Planning resource document, which can help facilitate these requirements. The document includes updated information on Ed Law 2-d Part 121 requirements, a sample contract addendum, and data sharing agreement.
DATA PROTECTION & PLANNING
Data Security for Educators
This video and resource document were developed by the Regional Information Centers as free training tools to support all districts in improving their data security posture. The video begins with comments from data security experts in the education sector. Then, the video provides an overview of the five data protection reminders outlined on the handout. If you have specific questions about data privacy and security, please contact your local RIC.
Data Security for Educators
Protection of Personally Identifiable Information (PII)
Regulations 121.2 and 121.5
Protect the confidentiality of personally identifiable information of students (FERPA) and personally identifiable information of teachers and principals (APPR).
Bill of Rights for Data Privacy and Security
Regulation 121.3
Adopt and post on website a Parents' Bill of Rights for Data Privacy and Security, with supplemental information about each written agreement with a third-party contractor (vendor) that involves disclosure of PII.
Data Security and Privacy Policy
Regulation 121.5
Adopt and post a Data Security and Privacy Policy that includes adherence to the NIST Cybersecurity Framework to protect PII.
NIST Cybersecurity Framework
Regulation 121.5
Apply the planning, processes, and categories of information protection defined within the NIST Cybersecurity Framework to district practices and systems.
NIST Framework Core
NIST Framework Core Deck
Data Protection & Planning Guide
NIST Cybersecurity Framework (XLSX)
CISA Report Summary
Third-party Contracts
Regulations 121.2, 121.3, 121.6, 121.9, 121.10
Whenever the educational agency discloses PII to a third-party contractor, ensure that the written agreement for using the product or services includes the language required by Education Law.
Toolkit
Many BOCES and Regional Information Centers (RIC) belong to the Instructional Technology Contract Consortium or Distance Learning Contract Consortium. The vendors and products on the lists below are only compliant with Ed Law 2-d Part 121 Regulations when the products are purchased through a BOCES or RIC. If a district purchases a product directly from the vendor, the district is responsible for obtaining a district-specific data protection agreement. If interested in a product on these lists, contact your local BOCES or RIC.
Inventory of Instructional and Distance Learning Products available through BOCES/RIC Contracts
BOCES Instructional Technology Contracts
BOCES Distance Learning Contracts
Annual Employee Training
Regulations 121.5 and 121.7
Deliver annual privacy and security awareness training to all employees.
Unauthorized Disclosure Complaint Procedures
Regulation 121.4
Create and publish a parent complaint process.
Incident Reporting and Notification
Regulation 121.10
Follow reporting and notification procedures when unauthorized disclosure occurs.
Data Protection Officer
Regulation 121.8
Appoint a Data Protection Officer to oversee implementation of Education Law 2-d responsibilities.
Data Protection & Planning Guide
Updated 2023 Website Checklist