Data Privacy and Security

Data Privacy Officer

Mr. Scott Storms, Superintendent of Schools


Mr. Nicholas Damiani, Instructional Technology Coordinator

Email: ndamiani@perucsd.org Phone: 518-643-6025


Personally Identifiable Information

Education Law Section 2-d and Part 121 of the Commissioner’s Regulations outline requirements for educational agencies and their third-party contractors to strengthen data privacy and security in order to protect student and annual professional performance review personally identifiable information.

PROTECTED STUDENT DATA

The term “student” refers to any person attending or seeking to enroll in an educational agency, and the term “personally identifiable information” (“PII”) uses the definition provided in FERPA. The term PII includes, but is not limited to:
  • Student Name

  • Date of Birth

  • Parent Names

  • Photos

  • Video of Students

  • Student Email Address

  • Student Address

  • Student ID Number

  • Social Security Number

  • Student Medical Information

  • Special Education Information

  • Other Indirect Identifiers

  • Information that alone or in combination would allow a reasonable person to identify the student.

TEACHER AND PRINCIPAL DATA

Personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law §3012-c and §3012-d is subject to Education Law 2-d.

Data Privacy and Security Overview & Policy

Part 121 of the Commissioner’s Regulations requires agencies to adopt a policy on data security and privacy by October 1, 2020. Additionally, the law requires agencies to publish the policy on the district’s website. To learn more about this requirement, review Part 121.5 of the Regulations.
PeruCSD Data Privacy Policy

Parent's Bill of Rights

A Parents’ Bill of Rights for Data Privacy and Security must be published on the website of each educational agency and must be included with every contract an educational agency enters into with a third-party contractor that receives personally identifiable information. The list below highlights required elements that must be included in the Parents’ Bill of Rights. To learn more about this requirement, agencies can review Part 121.3 of the Regulations and Section 3 of Education Law 2-d.
PeruCSD Parent's Bill of Rights

Third-Party Contract Agreement and Approved Vendor List

A third-party contractor is any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other agreement for purposes of providing services to such agency, including but not limited to data management, conducting studies, or evaluation of publicly funded programs. To learn more about this requirement, agencies can review Part 121.2, 121.3, 121.6, 121.9, and 121.10 of the Regulations.
  • Example of PeruCSD Third Party Contract

  • Approved Vendor and Software List

  • NERIC Approved Vendor and Software List

Unauthorized Disclosure Complaint Procedures


Parents, eligible students (students who are at least 18 years of age), principals, teachers, and employees of an educational agency may file a complaint about a possible breach or improper disclosure of student data and/or protected teacher or principal data.
  1. To submit a complaint, please download and complete the PeruCSD Unauthorized Data Disclosure/Data Breach Form. Paper forms are also available in the main office of each school and the District Office.

     • Completed forms may be submitted via email to the Data Protection Officer, Mr. Nicholas Damiani, at ndamiani@perucsd.org, or forms may be given directly to a building principal who will submit the form appropriately.

  2. The District-assigned Data Privacy Officer will contact the complainant by phone, email, or through Parent Square to review the complaint and initiate an investigation.

  3. Investigations will be completed and finalized as quickly as possible. All investigations should be completed within 60 calendar days from the receipt of the complaint. If an investigation will be extending beyond the 60-day window, the complainant will be contacted about the delay and provided with an updated timeline for completion.

  4. The Peru Central School District will keep an updated record of all complaints of data breaches or unauthorized releases of student/staff data & their disposition in accordance with applicable data retention policies, and report complaint reports & investigations as directed by NYS Ed Law 2d / Part 121 Regulations to the NYSED Chief Privacy Officer.


Additional Information and Resources

Check out the FTC’s free online security tips and resources, and share them with your friends, family, coworkers, and community.

If you’re responsible for teaching kids or adults to be safe and secure online, we encourage you to use and share our resources.

Whether you need a game for a classroom activity, videos to share on social media with parents in your community, or an article to use in your workplace newsletter, you can find it here.


The best way to protect your kids online? Talk to them. While kids value the opinions of their peers, most tend to rely on their parents for help on the issues that matter most.

Here are some resources to help you get started. We hope you’ll share these with other parents in your community.