Education Law 2-d and Part 121 of the Commissioner’s Regulations outline requirements for school districts and BOCES related to the protection of the personally identifiable information (PII) of students, as well as some teacher and principal information. The law and the regulations require schools to undertake a multi-pronged approach to information governance.

Vendor Supplemental Information

Educational agencies are required to post information about third-party contracts on the agency’s website with the Bill of Rights. Supplemental information may be redacted to the extent necessary to safeguard the data.

Privacy & Security for Student, Teacher, & Principal Data

Part 121 of the Commissioner’s Regulations requires agencies to adopt a policy on data security and privacy. Additionally, the law requires agencies to publish the policy on the district’s website.

Parents' Bill of Rights

A Parents’ Bill of Rights for Data Privacy and Security must be published on the website of each educational agency and must be included with every contract an educational agency enters into with a third-party contractor that receives personally identifiable information.