Strengthening Student Data Privacy

Here’s what parents need to know.

Ed Law 2-D Regulations (Part 121) Protecting Personally Identifiable Information in New York’s Educational Agencies*

In January 2019, the New York State Education Department (NYSED) proposed regulatory changes to increase information security and privacy measures to safeguard the Personally Identifiable Information (PII)** of students and school personnel. 

Data Collection Transparency and Restrictions                                                  

Educational agencies must minimize the disclosure of PII for any purpose by managing contractual relationships to ensure compliance with regulations.

Data Protection Officer

Educational agencies must appoint a Data Protection Officer with appropriate knowledge, training, and experience to oversee data security and privacy.

Parent’s Bill of Rights for Data Privacy and Security

Each educational agency must publish a parent’s bill of rights on its website and include it in every contract with a third-party contractor that receives PII.

Data Security and Privacy Policy

Educational agencies must adopt a Data Security and Privacy Policy by December 31, 2019 and publish it on their website.

Data Privacy and Security Standards                                      

NYSED adopted the NIST Cybersecurity Framework as the standard for data privacy and security. All educational agencies must meet this national standard to ensure they are adequately protecting student data.

Training for Educational Agency Employees

Employees of educational agencies that handle PII must complete annual training on the laws and requirements necessary to protect sensitive data.

Complaints of Breach /Unauthorized Release of PII

Parents and eligible students have a right to file complaints about possible breaches or unauthorized releases of student data. Educational agencies must establish procedures to address complaints.

Third Party Contractors

Third party contractors must submit a Data Security and Privacy Plan for each contract to demonstrate how they will protect PII. NYSED’s Chief Privacy Officer may impose penalties on contractors for breaches.

Reports and Notifications of Breach and Unauthorized Release                                                                         

Educational agencies must report breaches to NYSED’s Chief Privacy Officer, and notify affected parents and/or eligible students.

Access to Records

Parents and eligible students have a right to inspect and review student education records as provided in federal law.


Contact NYSED’s Chief Privacy Officer at

* Educational agencies include public schools (including charter schools), school districts, and BOCES.

** Personally Identifiable Information (PII) is information that can be used to identify an individual whether directly (e.g. student’s name; names of parents or family members; address of the student or student’s family; personal identifiers like social security numbers) or indirectly when linked with other information (e.g., date of birth and mother’s maiden name).

Visit for more information.