Personally Identifiable Information (PII)
Education Law Section 2-d and Part 121 of the Commissioner’s Regulations outline requirements for educational agencies and their third-party contractors to strengthen data privacy and security in order to protect student and annual teacher/principal professional performance review personally identifiable information or PII. Please look below to find resources that can assist you with understanding personally identifiable information or PII.
District Website Requirements
It is very important that district staff, students, and other stakeholders understand the law and how to protect data. Education Law Section 2-d and Part 121 of the Commissioner’s Regulations require certain items to be posted publicly on an educational agency's website. Please look below to find resources that can assist you with knowing what needs to be on your district data security and privacy webpage.
Parents' Bill of Rights
A Parents’ Bill of Rights for Data Privacy and Security must be published on the website of each educational agency and must be included with every contract an educational agency enters into with a third-party contractor that receives personally identifiable information. Please look below to find resources that can assist you with understanding a Bill of Rights.
Data Security and Privacy Policy
Part 121 of the Commissioner’s Regulations requires agencies to adopt a policy on data security and privacy by October 1, 2020. Additionally, the law requires agencies to publish the policy on the district’s website. To learn more about this requirement, please take a look at the resources below.
Unauthorized Disclosure Complaint Procedure
Educational agencies must establish procedures for filing complaints about breaches or unauthorized releases of student data and/or protected teacher or principal data, and must communicate those procedures to parents, eligible students, principals, teachers, and other staff of the educational agency. To learn more about this requirement, please take a look at the resources below.
Incident Response and Notification
Educational agencies will need to report every discovery or report of a breach or unauthorized release of student, teacher, or principal data to the Chief Privacy Officer and notify impacted stakeholders. To learn more about this requirement, please take a look at the resources below.
Third-Party Vendor Contracts/Data Privacy Agreements (DPAs)
A third-party contractor or vendor is any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other agreement for the purpose of providing services.
An agreement that covers the requirements defined by Ed Law 2-d must exist either directly between the school district and the third-party vendor, or, if the product is part of a service obtained through a BOCES CoSer, an agreement between that BOCES and the product vendor. A vendor cannot achieve compliance unilaterally.
Please see below for resources to help you understand third-party contracts/agreements.
BOCES Compliance with Third-Party Contractors
Districts that participate in the appropriate base service(s) have access to increased buying power as a result of the statewide and regional contracts that are negotiated. The information below provides a list of the software/applications that are offered by Broome-Tioga (BT) BOCES, Delaware Chenango Madison Otsego (DCMO) BOCES, Otsego Northern Catskills (ONC) BOCES, and the status of Education Law 2-d vendor documentation.
Any software/application that has a link under the Supporting Documentation column has the signed Education Law 2-d vendor documentation; if it does not have a link under the Supporting Documentation column, the signed vendor documentation has not been received.
For more information about BT BOCES Procurement, please go here.