7244 - Student Records
| Policy: Student Records | Policy Number: 7244 |
| Date of Original Policy: 12/09/2015 | Date Revision Adopted: 12/02/2020 |
| Reviewed by Policy Committee: 09/03/2020 | Date of Next Review: 12/09/2023 |
| Replacement of Policy Number: 7240, 7242, 7243 |
The Board of Education recognizes its legal responsibility to maintain the confidentiality of student records. As part of this responsibility, the Board will ensure that eligible students and parents/guardians have the right to inspect and review education records, the right to seek to amend education records and the right to have some control over the disclosure of information from the education record. The procedures for ensuring these rights shall be consistent with state and federal law, including the Family Educational Rights and Privacy Act of 1974 (FERPA) and its implementing regulations.
The Board also recognizes its responsibility to ensure the orderly retention and disposition of the District’s student records in accordance with LGS-1.
The District will use reasonable methods to provide access to student educational records only to those authorized under the law and to authenticate the identity of the requestor. The District will document requests for and release of records, and retain the documentation in accordance with law.
The Superintendent of Schools shall be responsible for ensuring that all requirements under law and the Commissioner’s regulations are carried out by the District.
Authorized Representative: an authorized representative is any individual or entity designated by a State or local educational authority or a Federal agency headed by the Secretary, the Comptroller General or the Attorney General to carry out audits, evaluations, or enforcement or compliance activities relating to educational programs.
Education Record: means those records, in any format, directly related to the student and maintained by the District or by a party acting on behalf of the District, except:
(a) records in the sole possession of the individual who made it and not accessible or revealed to any other person except a substitute (e.g. memory joggers);
(b) records of the District’s law enforcement unit;
(c) grades on peer-graded papers before they are collected and recorded by a teacher.
Eligible student: a student who has reached the age of 18 or is attending postsecondary school.
Legitimate educational interest: a school official has a legitimate educational interest if they need to review a student’s record in order to fulfill their professional responsibilities.
Personally identifiable information: is information that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Such data might include social security number, student identification number, parents’ name and/or address, a biometric record, etc.
School official: a person who has a legitimate education interest in a student record who is employed by the District as an administrator, supervisor, instructor or support staff member (including health or medical staff and law enforcement unit personnel); a member of the Board of Education; a person or company with whom the District has contracted to perform a special task (such as attorney, auditor, medical consultant or therapist); or a parent or student serving on an official committee, such as disciplinary or grievance committee, or assisting another school official performing his or her tasks. Volunteers may be considered school officials for purposes of access to personally identifiable information if they are under the direct control of the district, are trained in the requirements of law under this policy, have a legitimate educational interest, and the district uses reasonable methods to limit access to only the information necessary to fulfill their volunteer duties. Volunteers may only access the information necessary for the assignment, and must not disclose student information to anyone other than a school official with a legitimate education interest. The Building Principal will provide adequate training on confidentiality of student records.
Third party contractor: is a person or entity, other than an educational agency (which includes schools, school districts, BOCES, or the State Education Department), that receives student or teacher/principal PII from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies of or on behalf of such educational agency, or audit or evaluation of publicly funded programs. This includes educational partnership organizations that receive student or teacher/principal PII from a school district to carry out responsibilities under Education Law §211-e (persistently lowest achieving schools or schools under registration review) and is not an educational agency. This also includes not-for-profit corporations or other nonprofit organizations, other than an educational agency.
At the beginning of each school year, the District will publish a notification that informs parents, guardians and students currently in attendance of their rights under FERPA and the procedures for exercising those rights. This notice may be published in a newspaper, handbook or other school bulletin or publication. This notice will also be provided to parents, guardians, and students who enroll during the school year.
The notice will include a statement that the parent/guardian or eligible student has a right to:
1. inspect and review the student’s education records;
2. request that records be amended to ensure that they are not inaccurate, misleading, or otherwise in violation of the student’s privacy rights;
3. consent to disclosure of personally identifiable information contained in the student’s education records, except to the extent that FERPA authorizes disclosure without consent; and
4. file a complaint with the United States Department of Education alleging failure of the District to comply with FERPA and its regulations.
The annual notice will inform parents/guardians and students:
1. that it is the District’s policy to disclose personally identifiable information from student records, without consent, to other school officials within the District whom the District has determined to have legitimate educational interests. The notice will define ‘school official’ and ‘legitimate educational interest.’
2. that, upon request, the District will disclose education records without consent to officials of another school district in which a student seeks to or intends to enroll or is actually enrolled.
3. that personally identifiable information will be released to third party authorized representatives for the purposes of educational program audit, evaluation, enforcement or compliance purposes.
4. that the District, at its discretion, releases directory information (see definition below) without prior consent, unless the parent/guardian or eligible student has exercised their right to prohibit release of the information without prior written consent.
5. that, upon request, the District will disclose a high school student’s name, address and telephone number to military recruiters and institutions of higher learning unless the parent or secondary school student exercises their right to prohibit release of the information without prior written consent.
6. of the procedure for exercising the right to inspect, review and request amendment of student records.
For a complete list of exceptions to FERPA’s prior consent requirements see accompanying regulation 7240-R, Section 5.
The District shall effectively notify parents, guardians and students who have a primary or home language other than English.
In the absence of the parent or secondary school student exercising their right to opt out of the release of information to the military, the District is required to, under federal law, release the information indicated in number five (5) above.
The District has the option under FERPA of designating certain categories of student information as “directory information.” The Board directs that “directory information” include a student’s:
• ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems (only if the ID cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity)
• Telephone number
• Date of birth
• Dates of attendance
• Most recent school attended
• Grade level
• Photograph (if available)
• Enrollment status
Information about a homeless student’s living situation will be treated as a student educational record, and will not be deemed directory information. A parent/guardian or eligible student may elect, but cannot be compelled, to consent to release of a student’s address information in the same way they would for other student education records. The district’s McKinney-Vento liaison will take reasonable measures to provide homeless students with information on educational, employment, or other postsecondary opportunities and other beneficial activities. The district permits the parent/guardian to select the school’s address as the student’s address for purposes of directory information.
Social security numbers or other personally identifiable information will not be considered directory information.
Once the proper FERPA notification is given by the District, a parent/guardian or student will have 14 days to notify the district of any objections they have to any of the “directory information” designations. If no objection is received, the District may release this information without prior approval of the parent/guardian or student for the release. Once the student or parent/guardian provides the “opt-out,” it will remain in effect after the student is no longer enrolled in the school district.
The District may elect to provide a single notice regarding both directory information and information disclosed to military recruiters and institutions of higher education.
Parent’s Bill of Rights
Parents bill of rights for data privacy and security. a. A parents bill of rights for data privacy and security shall be published on the website of each educational agency and shall be included with every contract an educational agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data.
b. The parents bill of rights for data privacy and security shall state in clear and plain English terms that:
(1) A student's personally identifiable information cannot be sold or released for any commercial purposes;
(2) Parents have the right to inspect and review the complete contents of their child's education record;
(3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred;
(4) A complete list of all student data elements collected by the State is available for public review at (insert website address here) or by writing to (insert mailing address here); and
(5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to (insert phone number, email and mailing address here).
c. The parents bill of rights for data privacy and security shall include supplemental information for each contract an educational agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data. Such supplemental information shall be developed by the educational agency and shall include:
(1) the exclusive purposes for which the student data or teacher or principal data will be used;
(2) how the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
(3) when the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
(5) where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
d. The chief privacy officer, with input from parents and other education and expert stakeholders, shall develop additional elements of the parents bill of rights for data privacy and security. The commissioner shall promulgate regulations for a comment period whereby parents and other members of the public may submit comments and suggestions to the chief privacy officer to be considered for inclusion. The parents bill of rights for data privacy and security shall be completed within one hundred twenty days after the effective date of this section.
4. Data collection transparency and restrictions. a. The department shall promote the least intrusive data collection policies practicable that advance the goals of improving academic achievement, empowering parents with information and advancing efficient and effective school operations while minimizing the collection and transmission of personally identifiable information.
b. The chief privacy officer shall develop, regularly update and make publicly available on the department's website and through such additional methods as may facilitate accessibility an inventory and understandable description of the student, teacher and principal data elements collected with an explanation and/or legal or regulatory authority outlining the reasons such data elements are collected and the intended uses and disclosure of the data.
c. Except as otherwise specifically authorized by law, the department shall only collect personally identifiable information relating to an educational purpose.
d. The department may only require districts to submit personally identifiable information, including data on disability status and student suspensions, where such release is required by law or otherwise authorized under the family educational rights and privacy act, 20 U.S.C. section 1232g, and the personal privacy protection law.
e. Except as required by law or in the case of educational enrollment data, school districts shall not report to the department the following student data elements:
(1) juvenile delinquency records;
(2) criminal records;
(3) medical and health records; and
(4) student biometric information.
f. Personally identifiable information maintained by educational agencies, including data provided to third-party contractors and their assignees, shall not be sold or used for marketing purposes.
g. Parents shall have the right to inspect and review their child's educational record including any student data stored or maintained by an educational agency. The department shall develop policies for school districts that:
(1) provide for annual notification to parents of their right to request student data;
(2) ensure security when providing student data to parents, including that only authorized individuals receive such data; and
(3) specify a reasonable amount of time in which school districts should respond to such requests.
5. Data security and privacy standards. a. The commissioner, in consultation with the chief privacy officer, shall promulgate regulations establishing standards for educational agency data security and privacy policies and shall develop one or more model policies for use by educational agencies. The commissioner shall seek the input of experts, including those from security, cyber-security and fields in addition to education that have experience with personal data protection, in developing such standards and policies.
b. The standards for data security and privacy policies shall include, but not be limited to:
(1) data privacy protections, including criteria for determining whether a proposed use of personally identifiable information would benefit students and educational agencies, and processes to ensure that personally identifiable information is not included in public reports or other public documents;
(2) data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to personally identifiable information, safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of personally identifiable information when no longer needed; and
(3) application of all such restrictions, requirements and safeguards to third-party contractors.
c. Following promulgation of regulations by the commissioner pursuant to paragraph a of this subdivision each educational agency shall ensure that it has a policy on data security and privacy in place that is consistent with applicable state and federal laws and applied to student data and, where applicable, to teacher or principal data. Such policy shall be published on the educational agency's website, if it exists, and notice of such policy shall be provided to all officers and employees of the educational agency.
d. As applied to student data, such policy shall provide all protections afforded to parents and persons in parental relationships, or students where applicable, required under the family educational rights and privacy act, 20 U.S.C. section 1232g, where applicable the individuals with disabilities education act, sections fourteen hundred, et seq. of title twenty of the United States code, and the federal regulations implementing such statutes. Each educational agency shall ensure that it has in place provisions in its contracts with third party contractors or in separate data sharing and confidentiality agreements that require that confidentiality of the shared student data or teacher or principal data be maintained in accordance with federal and state law and the educational agency's policy on data security and privacy.
e. Each educational agency that enters into a contract or other written agreement with a third party contractor under which the third party contractor will receive student data or teacher or principal data shall ensure that such contract or agreement includes a data security and privacy plan that outlines how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the educational agency's policy on data security and privacy. Such plan shall include, but shall not be limited to, a signed copy of the parents bill of rights for data privacy and security, and a requirement that any officers or employees of the third party contractor and its assignees who have access to student data or teacher or principal data have received or will receive training on the federal and state law governing confidentiality of such data prior to receiving access.
f. Each third party contractor that enters into a contract or other written agreement with an educational agency under which the third party contractor will receive student data or teacher or principal data shall:
(1) limit internal access to education records to those individuals that are determined to have legitimate educational interests;
(2) not use the education records for any other purposes than those explicitly authorized in its contract;
(3) except for authorized representatives of the third party contractor to the extent they are carrying out the contract, not disclose any personally identifiable information to any other party:
(i) without the prior written consent of the parent or eligible student; or
(ii) unless required by statute or court order and the party provides a notice of the disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;
(4) maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in its custody;
(5) uses encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.
6. Breach and unauthorized release of personally identifiable information. a. Each third party contractor that receives student data or teacher or principal data pursuant to a contract or other written agreement with an educational agency shall be required to notify such educational agency of any breach of security resulting in an unauthorized release of such data by the third party contractor or its assignees in violation of applicable state or federal law, the parents bill of rights for student data privacy and security, the data privacy and security policies of the educational agency and/or binding contractual obligations relating to data privacy and security, in the most expedient way possible and without unreasonable delay. The educational agency shall, upon notification by the third party contractor, be required to report to the chief privacy officer any such breach of security and unauthorized release of such data. The chief privacy officer shall, upon belief that such breach and unauthorized release constitutes criminal conduct, report such breach and unauthorized release to law enforcement in the most expedient way possible and without unreasonable delay.
b. In the case of an unauthorized release of student data, the educational agency shall notify the parent or eligible student of the unauthorized release of student data that includes personally identifiable information from the student records of such student in the most expedient way possible and without unreasonable delay. In the case of an unauthorized release of teacher or principal data, the educational agency shall notify each affected teacher or principal of the unauthorized release of data that includes personally identifiable information from the teacher or principal's annual professional performance review in the most expedient way possible and without unreasonable delay.
c. In the case of notification to a parent, eligible student, teacher or principal under paragraph b of this subdivision due to the unauthorized release of student data by a third-party contractor or its assignee, the third-party contractor shall promptly reimburse the educational agency for the full cost of such notification.
d. Each violation of a third party contractor pursuant to paragraph a of this subdivision shall be punishable by a civil penalty of the greater of five thousand dollars or up to ten dollars per student, teacher, and principal whose data was released, provided that the latter amount shall not exceed the maximum penalty under paragraph (a) of subdivision six of section eight hundred ninety-nine-aa of the general business law.
e. If the chief privacy officer determines that a third party contractor or its assignee, in violation of applicable state or federal law, the data privacy and security policies of the educational agency provided by such educational agency to the third party contractor and/or binding contractual obligations relating to data privacy and security, has released any student data or teacher or principal data received from an educational agency to any person or entity not authorized by law to receive such data pursuant to a lawful subpoena or otherwise, the chief privacy officer, after affording the third party contractor with notice and an opportunity to be heard, shall be authorized to:
(1) order that the third party contractor be precluded from accessing student data or teacher or principal data, as applicable, from the educational agency from which the contractor obtained the data that was improperly disclosed for a fixed period of up to five years; and/or
(2) order that a third party contractor or assignee who knowingly or recklessly allowed for the unauthorized release of student data or teacher or principal data be precluded from accessing student data or teacher or principal data from any educational agency in the state for a fixed period of up to five years; and/or
(3) order that a third party contractor or assignee who knowingly or recklessly allowed for the unauthorized release of student data or teacher or principal data shall not be deemed a responsible bidder or offerer on any contract with an educational agency that involves the sharing of student data or teacher or principal data, as applicable for purposes of the provisions of section one hundred three of the general municipal law or paragraph c of subdivision ten of section one hundred sixty-three of the state finance law, as applicable, for a fixed period of up to five years; and/or
(4) require the third party contractor to provide training at the contractor's expense on the federal and state law governing confidentiality of student data and/or teacher or principal data and the provisions of this section to all its officers and employees with access to such data, prior to being permitted to receive subsequent access to such data from the educational agency from which the contractor obtained the data that was improperly disclosed or from any educational agency; and/or
(5) if it is determined that the unauthorized release of student data or teacher or principal data on the part of the third party contractor or assignee was inadvertent and done without intent, knowledge, recklessness or gross negligence, the commissioner may determine that no penalty be issued upon the third party contractor.
7. Implementation and enforcement. a. The commissioner, in consultation with the chief privacy officer, shall promulgate regulations establishing procedures to implement the provisions of this section, including but not limited to procedures for the submission of complaints from parents and/or persons in parental relation to students, classroom teachers or building principals, or other staff of an educational agency, making allegations of improper disclosure of student data and/or teacher or principal data by a third party contractor or its officers, employees or assignees that may be subject to the sanctions set forth in subdivision six of this section. Upon receipt of a complaint or other information indicating that such an improper disclosure by a third party contractor may have occurred, the chief privacy officer shall be authorized to investigate, visit, examine and inspect the third party contractor's facilities and records and obtain documentation from, or require the testimony of, any party relating to the alleged improper disclosure of student data or teacher or principal data.
b. Except as provided under paragraph d of subdivision six of this section, each violation of any provision of this section by a third party contractor or its assignee shall be punishable by a civil penalty of up to one thousand dollars; a second violation by the same third party contractor involving the same student data or teacher or principal data shall be punishable by a civil penalty of up to five thousand dollars; any subsequent violation by the same third party contractor involving the same student data or teacher or principal data shall be punishable by a civil penalty of up to ten thousand dollars. Each violation of this subdivision shall be considered a separate violation for purposes of civil penalties and the total penalty shall not exceed the maximum penalty under paragraph (a) of subdivision six of section eight hundred ninety-nine-aa of the general business law.
c. Nothing contained in this section shall be construed as creating a private right of action against the department or an educational agency.
d. Nothing in this section shall limit the administrative use of student data or teacher or principal data by a person acting exclusively in the person's capacity as an employee of an educational agency or of the state or any of its political subdivisions, any court or the federal government that is otherwise required by law.
Family Educational Rights and Privacy Act, 20 USC 1232g; 34 CFR Part 99
No Child Left Behind Act, 20 USC §7908 (Military Recruiter Access)
10 USC §503 as amended by §544 of the National Defense Reauthorization Act for FY 2002
Education Law § 225
Public Officers Law §87(2)(a)
Arts and Cultural Affairs Law, Article 57-A (Local Government Records Law)
8 NYCRR 185.12 (Appendix I) Records Retention and Disposition, Schedule ED-1 for Use by School Districts and BOCES
“Guidance for Reasonable Methods and Written Agreements,” http://www2.ed.gov/policy/gen/guid/fpco/pdf/reasonablemtd_agreement.pdf
Family Policy Compliance Office website: http://www2.ed.gov/policy/gen/guid/fpco/index.html