Student Data Privacy Officer
Tracy Falvo | (518) 399-9141, ext. 85050
Student Data Privacy
Managing student data safely is a complicated issue that our school district takes very seriously. However, we begin this case study with the caveat that we are NOT experts in this area. We are practitioners who are trying to manage a constantly evolving field. It is a challenge to stay informed and up to date on best practice in this ever changing landscape- but the threat of not addressing these issue is potentially severe. At BH-BL, we address the issue on multiple fronts. In order to better understand our approach, it is helpful to discuss the concept of student data privacy using this diagram.
Where is sensitive student data kept?
The lock in the middle represents the location of all of the important and sensitive information that we collect on our students in order to function effectively as a school district.
This includes information on demographics, academics, special education, discipline, health, food services, and transportation. This data is held securely in servers that are protected by state of the art firewalls and disaster recovery procedures. Most of this data is in highly secure servers at the North East Regional Information Center (NERIC). Some of the data is housed in secure servers inside the district. A small portion of this secure data is housed in contracted space with the particular vendor.
Is student data shared?
Yes. Student data that is collected and secured by the district is shared outside of this protected area in two ways:
Data is shared with New York State.
New York State requires that we share some of student and staff data with NYSED for a variety of reasons. Our Chief Information Officer (CIO) carefully maps the data that is requested to the corresponding fields in our secure databases and pushes that data to the NYS Data Warehouse. This process is overseen and “certified” by the Superintendent of Schools. The data pushed to the Data Warehouse is maintained securely (details of security protocol) The exact data fields requested by NYSED change periodically. These changes are monitored by our Student Privacy Officer, who makes an annual report to the Board of Education. Any substantive changes in reporting requirements are brought to the Board of Education on an as needed basis. NYS publishes a list of the fields being pushed to the NYS Data Warehouse. The most recent list can be accessed here.
Data is shared with approved third party vendors.
There are many software applications that require the input of limited student data in order function effectively. When we share student data with a third party vendor, the following three principles are followed:
- The vendor/application must be approved by the Data Privacy Officer as compliant with federal and state privacy laws. The process is as follows:
- Staff members submit the software for approval by the district.
- The Data Privacy Officer uses multiple sources of information (including the RIC ONE Data Privacy and Security Service; The Privacy Evaluation Initiative Consortium and DATAG) to make a judgement as to the level of compliance of the vendor.
- Software and Apps that are reviewed (or in process of being reviewed) are made available to staff in our BHBL App Catalog.
- Once a vendor is approved by the district, the district shares the minimal amount of data necessary for the software to function effectively.
- Any data transferred to a third party vendor must be transferred through secure networking protocol.
What do we see as areas of need for school districts?
This is our list of immediate needs. We think that this question warrants further discussion and the aggregate list could inform NYSED efforts in this area.
- Help us to evaluate/assess privacy policies of 3rd Party vendors at the NY state or BOCES level so that we can more efficiently approve them on the local level. Perhaps a global scale or rating system?
- Help us specifically with Google. It has become a major ecosystem in NYS K-12 education but it is difficult to ensure that it is compliant with the necessary federal and state privacy laws.
- Develop a network of Student Data Privacy Officers similar to the DATAG CIO Listserv.
Family Educational Rights & Privacy Act (FERPA)
The district complies with the Family Educational Rights and Privacy Act (FERPA). Parents and 18-year-old students may inspect official records relating to them including progress reports, grades, aptitude and achievement test scores, psychological tests, and teacher evaluations. A record may be challenged by parents or 18 year olds when they believe it to be inaccurate or misleading. The principal may remove designated material if in agreement with the challenge. Definitions of school official and additional procedures under FERPA can be found in the Board of Education Policy Manual.
Individual student records are confidential and are not released to colleges, employers, or elsewhere without written permission, subject to the following exceptions. District schools may forward educational records to other schools that have requested them and in which a BH-BL student seeks or intends to enroll. What the law refers to as directory information may be made public for school purposes unless a parent informs us in writing that they do not want this information made public. Directory information that we may make public includes: a student’s name, address, phone number, grade level, honor or award received, dates of attendance, photograph, age, membership in a school athletic team, activity or club, and (for athletes only) height and weight. Directory information is primarily made public so that students’ accomplishments can be included in various publications such as a concert program, yearbook, or honor roll.
As required by federal law, the high school provides a list of senior class member names, addresses and phone numbers to the military services—unless parents inform the high school principal in writing by September 15 that they do not want their child included in such lists.
Parents and 18-year-old students have the right to opt out of the disclosure of directory information by contacting their school principal. Parents should also inform the Superintendent if they do not wish their child’s likeness to be included on the district website, Facebook page or in occasional photos or videos taken by the media or district staff for school-related purposes.
Also, in accordance with the federal Protection of Pupil Rights amendment, the district hereby notifies parents that our schools may occasionally conduct student surveys that touch on topics such as political affiliation, income, or beliefs or religious practices of the student. In such cases, a letter will be sent home explaining parent rights to opt a child out from such a survey before it is conducted.
Questions about school policies in connection with family rights and privacy laws can be addressed to building principals or the Superintendent.
Parents Bill of Rights for Data Privacy & Security
The BH-BL School District is committed to ensuring student privacy in accordance with local, state and federal regulations and district policies. To this end and pursuant to U.S. Department of Education (DOE) regulations (Education Law §2-d), the district is providing the following Parents’ Bill of Rights for Data Privacy and Security:
- A student’s personally identifiable information cannot be sold or released for any commercial or marketing purposes.
- Parents have the right to inspect and review the complete contents of their child’s education record, including any student data maintained by the BH-BL School District. This right of inspection of records is consistent with the federal Family Educational Rights and Privacy Act (FERPA). Under the more recently adopted regulations (Education Law §2-d), the rights of inspection are extended to include data, meaning parents have the right to inspect or receive copies of any data in their child’s educational record. The New York State Education Department (SED) will develop further policies and procedures related to these rights in the future.
- State and federal laws protect the confidentiality of personally identifiable information and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls and password protection, must be in place when data is stored or transferred.
- A complete list of all student data elements collected by the state is available for public review online. Parents may also obtain a copy of this list by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, N.Y. 12234.
- Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to: Student Data Privacy Officer Tracy Falvo, BH-BL High School, 88 Lakehill Road, Burnt Hills, NY 12027. (518) 399-9141, ext. 85050 or firstname.lastname@example.org. Complaints to SED should be directed to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234; the e-mail address is email@example.com. SED’s complaint process is under development and will be established through regulations from the department’s chief privacy officer, who has yet to be appointed.
Additional student data privacy information
This bill of rights is subject to change based on regulations of the commissioner of education and the SED chief privacy officer, as well as emerging guidance documents from SED. For example, these changes/additions will include requirements for districts to share information about third-party contractors that have access to student data, including:
- How the student, teacher or principal data will be used;
- How the third-party contractors (and any subcontractors/ others with access to the data) will abide by data protection and security requirements;
- What will happen to data when agreements with third-party contractors expire;
- If and how parents, eligible students, teachers or principals may challenge the accuracy of data that is collected; and
- Where data will be stored to ensure security and the security precautions taken to ensure the data is protected, including whether the data will be encrypted.
More information is also available on the following websites:
- NYSED Data Privacy Resources
- New York State Education Department Parents Bill of Rights
- U.S. Department of Education press release: Guidance for Schools Issued on How to Keep Parents Better Informed on the Data They Collect on Students
- Privacy Technical Assistance Center (PTAC): newly established one-stop resource for education stakeholders to learn about data privacy.