School districts must safeguard student data

J.W. Leary Junior School students are pictured during WEB (Where Everybody Belongs) training. School districts have until July 1 to create policies and procedures to safeguard student data and other personnel information. Bob Beckstead/Johnson Newspapers

MASSENA — School districts have until July 1 to create policies and procedures to safeguard student data and other personnel information.

Massena Central School Superintendent Patrick Brady said the policies and procedures would have to address programs such as the SchoolTool student management system, the system students use to pay for meals, special education software, software used by teachers “and a variety of other ones.”

Under Education Law 2-D and the New York State Commissioner's regulations, districts will be required to appoint a data protection officer who would be responsible for the implementation of the policies and procedures, and would also serve as the point of contact for data security and privacy for the educational agency.

“In most cases it’s the superintendent,” Mr. Brady said.

School board members will be asked to adopt a resolution naming him as the data protection officer during their January meeting.

Districts must also adopt and post on their website a Parents’ Bill of Rights for Data Privacy and Security. They must also post supplemental information about each written agreement with a third-party contractor that involves disclosure of personally identifiable information. Personally identifiable information includes a student name, parent names, student address, student number and linkable information.

He said they have already adopted and posted the bill of rights for data security on their website. It can be accessed at

Mr. Brady said one of the major requirements is to ensure that, whenever they disclose personally identifiable information to a third-party contractor, there must be a written agreement that the third party is using the information in compliance with the education law.

“Anything we receive from BOCES (the Board of Cooperative Educational Services) or NERIC (Northeastern Regional Information Center) will be 2-D compliant,” he said.

In addition, they must provide annual privacy and security awareness training to all employees, and create and publish an authorized disclosure complaint process.

Mr. Brady said they have much work ahead of them to meet the July 1 adoption and implementation deadline. The state Education Department is expected to adopt the regulations during its January meeting.
