Education Law 2-D Compliance
What is Education Law 2-D?
In January 2019, the New York State Education Department (NYSED) proposed regulatory changes to increase information security and privacy measures to safeguard the personally identifiable information (PII) of students and school personnel. Education Law 2-D protects any information that can be used to identify an individual either directly (e.g. student’s name or names of parents or family members) or indirectly when linked with other information (e.g. date of birth and mother’s maiden name) in New York’s educational agencies, including public and charter schools, school districts, and Boards of Cooperative Educational Services (BOCES).
Data Collection Transparency and Restrictions
Educational agencies must minimize the disclosure of PII for any purpose by managing contractual relationships to ensure compliance with regulations.
Parent’s Bill of Rights for Data Privacy and Security
Each educational agency must publish a parent’s bill of rights on its website and include it in every contract with a third-party contractor that receives PII.
Data Privacy and Security Standards
NYSED adopted the NIST Cybersecurity Framework as the standard for data privacy and security. All educational agencies must meet this national standard to ensure they are adequately protecting student data.
Complaints of Breach/Unauthorized Release of PII
Parents, eligible students (students who are at least 18 years of age), principals, teachers, and employees of an educational agency may file a complaint about a possible data security incident or improper disclosure of student data and/or protected teacher or principal data.
Educational agencies must establish procedures to address complaints and are required to report the findings of an investigation within 60 calendar days of the initial report.
To report a possible breach or unauthorized release of student data, please use our reporting form or mail a complaint to the district's Data Protection Officer at 11631 Salter-Colvin Road, Wolcott, NY 14590.
Reports and Notifications of Breach and Unauthorized Release
Educational agencies must report breaches to NYSED’s Chief Privacy Officer and notify affected parents and/or eligible students.
Data Protection Officer
Educational agencies must appoint a Data Protection Officer with appropriate knowledge, training, and experience to oversee data security and privacy.
Contact the NRWCSD’s Data Protection Officer, Lisa Brower, at lbrower@nrwcs.org.
Data Security and Privacy Policy
Educational agencies must adopt a Data Security and Privacy Policy and publish it on their website.
Training for Educational Agency Employees
Employees of educational agencies that handle PII must complete annual training on the laws and requirements necessary to protect sensitive data.
Third-Party Contractors
Third-party contractors must submit a Data Security and Privacy Plan for each contract to demonstrate how they will protect PII. NYSED’s Chief Privacy Officer may impose penalties on contractors for breaches.
Access to Records
Parents and eligible students have a right to inspect and review student education records as provided in federal law.