Resources

The recommended adoption of Part 121 Regulations for Ed Law 2-d was reviewed by the Board of Regents on October 7, 2019. A review of the comments submitted by the public during the past 45 day comment period has necessitated additional modifications of the regulations. These changes will require a third public comment period.

It is anticipated that the proposed amendment will be presented to the Board of Regents at the January 2020 meeting. If adopted the proposed rule will become effective on January 29, 2020. These changes do not substantially change the requirements of the districts. Districts are still required to have a local School Board approved Data Privacy and Security Policy in place by July 1, 2020.

Below are resources developed by a partnership of the New York Regional Information Centers
to support schools in the implementation of these regulations.

New York State Education Law Section 2-d and the Family Educational Rights and Privacy Act provide clear protections for student data, and NYSED is committed to complying with all applicable laws. The New York State Department of Education has committed to promoting the least intrusive data collection policies practicable that advance the goals of improving academic achievement, empowering parents with information and advancing efficient and effective school operations while minimizing the collection and transmission of personally identifiable information, and will work to ensure that this is reflected in the practices of every educational agency in New York State by developing policies and standards that will provide clear guidance to the field.


NYSED Ed Law 2-d

Regulatory changes to increase information security measures to safeguard the Personally Identifiable Information (PII) of students and certain school personnel. Part 121 regulations outline requirements for educational agencies and their third-party contractors to ensure the security and privacy of such protected information and were developed in consultation with stakeholders and the public.

Part 121 Regulations

The regulations are composed of nine requirements. Information on these requirements are available as a separate link for each requirement. The complete overview is also available as one document.

Complete Overview

A toolkit has also been developed to help districts comply with the regulations. A separate Toolkit is available for each requirement under each heading. The complete Toolkit is also available as one document.

Complete Toolkit

This video and resource document were developed by the Regional Information Centers as free training tools to support all districts in improving their data security posture. The video begins with comments from data security experts in the education sector. Then, the video provides an overview of the five data protection reminders outlined on the handout. If you have specific questions about data privacy and security, please contact your local RIC.

Companion Document
Data Security for Educators

Regulations 121.2 and 121.5
Protect the confidentiality of personally identifiable information of students (FERPA) and personally identifiable information of teachers and principals (APPR).

Overview
Toolkit

Regulation 121.3
Adopt and post on website a Parents' Bill of Rights for Data Privacy and Security, with supplemental information about each written agreement with a third-party contractor (vendor) that involves disclosure of PII.

Overview
Toolkit

Regulation 121.5
Adopt and post a Data Security and Privacy Policy that includes adherence to the NIST Cybersecurity Framework to protect PII.

Overview
Toolkit

Regulation 121.5
Apply the planning,processes,and categories of information protection defined within the NIST Cybersecurity Framework to district practices and systems.

Overview
Toolkit

Regulations 121.2, 121.3, 121.6, 121.9, 121.10
Whenever the educational agency discloses PII to a third-party contractor, ensure that the written agreement for using the product or services includes the language required by Education Law.

Overview
Toolkit

Regulations 121.5 and 121.7
Deliver annual privacy and security awareness training to all employees.

Overview
Toolkit

Regulation 121.4
Create and publish a parent complaint process.

Overview
Toolkit

Regulation 121.10
Follow reporting and notification procedures when unauthorized disclosure occurs.

Overview
Toolkit

Regulation 121.8
Appoint a Data Protection Officer to oversee implementation of Education Law 2-d responsibilities.

Overview
Toolkit