MASSENA — School districts have until July 1 to create policies and procedures to safeguard student data and other personnel information.
Massena Central School Superintendent Patrick Brady said the policies and procedures would have to address programs such as the SchoolTool student management system, the system students use to pay for meals, special education software, software used by teachers “and a variety of other ones.”
Under Education Law 2-D and the New York State Commissioners regulations, districts will be required to appoint a data protection officer who would be responsible for the implementation of the policies and procedures, and would also serve as the point of contact for data security and privacy for the educational agency.
“In most cases it’s the superintendent,” Mr. Brady said.
School board members will be asked to adopt a resolution naming him as the data protection officer during their January meeting.
Districts must also adopt and post on their website a Parents’ Bill of Rights for Data Privacy and Security. They must also post supplemental information about each written agreement with a third-party contractor that involves disclosure of personally identifiable information. Personally identifiable information includes a student name, parent names, student address, student number and linkable information.
He said they have already adopted and posted the bill of rights for data security on their website. It can be accessed at http://wdt.me/f3femz.
Mr. Brady said one of the major requirements is to ensure that, whenever they disclose personally identifiable information to a third party contractor, there must be a written agreement that the third party is using the information in compliance with the education law.
“Anything we receive from BOCES (the Board of Cooperative Educational Services) or NERIC (Northeastern Regional Information Center) will be 2-D compliant,” he said.
In addition, they must provide annual privacy and security awareness training to all employees, and create and publish an authorized disclosure complaint process.
Mr. Brady said they have much work ahead of them to meet the July 1 adoption and implementation deadline. The state Education Department is expected to adopt the regulations during its January meeting.