S04284 Summary:

BILL NOS04284
 
SAME ASNo same as
 
SPONSORGRISANTI
 
COSPNSRADDABBO, AVELLA, BOYLE, ESPAILLAT, GALLIVAN, GIPSON, GOLDEN, GRIFFO, HOYLMAN, KENNEDY, KRUEGER, LANZA, LATIMER, LITTLE, MARTINS, MAZIARZ, MONTGOMERY, O'MARA, PARKER, RITCHIE, SAVINO, SQUADRON, TKACZYK, VALESKY, ZELDIN
 
MLTSPNSR
 
Add S3212-b, Ed L
 
Prohibits the release of personally identifiable student information where parental consent is not provided.
Go to top    

S04284 Actions:

BILL NOS04284
 
03/19/2013REFERRED TO EDUCATION
01/08/2014REFERRED TO EDUCATION
Go to top

S04284 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          4284
 
                               2013-2014 Regular Sessions
 
                    IN SENATE
 
                                     March 19, 2013
                                       ___________
 
        Introduced  by Sen. GRISANTI -- read twice and ordered printed, and when
          printed to be committed to the Committee on Education
 
        AN ACT to amend the  education  law,  in  relation  to  the  release  of
          personally identifiable student information
 
          The  People of the State of New York, represented in Senate and Assem-

        bly, do enact as follows:
 
     1    Section 1. The education law is amended by adding a new section 3212-b
     2  to read as follows:
     3    § 3212-b. Release of personally identifiable student  information.  1.
     4  Definitions. As used in this section:
     5    (a)  "Directory  information"  shall  mean, but not be limited to, the
     6  student's name; address; telephone  listing;  electronic  mail  address;
     7  photograph;  date and place of birth; major field of study; grade level;
     8  enrollment status (undergraduate or graduate, full-time  or  part-time);
     9  dates  of  attendance; participation in officially recognized activities
    10  and sports; weight and height of members  of  athletic  teams;  degrees,
    11  honors,  and  awards  received;  the  most  recent educational agency or

    12  institution attended; student  ID  number,  user  ID,  or  other  unique
    13  personal  identifier  used  by  a  student  for purposes of accessing or
    14  communicating in electronic systems, but only if the  identifier  cannot
    15  be used to gain access to education records except when used in conjunc-
    16  tion  with  one  or  more factors that authenticate the user's identity,
    17  such as a personal identification number (PIN), password or other factor
    18  known or possessed only by the authorized user; and a student ID  number
    19  or  other  unique  personal identifier that is displayed on a student ID
    20  badge, but only if the identifier cannot  be  used  to  gain  access  to
    21  education  records  except  when  used  in  conjunction with one or more

    22  factors that authenticate the user's identity, such as a PIN,  password,
    23  or other factor known or possessed only by the authorized user.
    24    (b)  "Personally identifiable student information" shall mean, but not
    25  limited to, the student's name; the name  of  the  student's  parent  or
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD09672-03-3

        S. 4284                             2
 
     1  other  family members; the address of the student or student's family; a
     2  personal identifier, such  as  the  student's  social  security  number,
     3  student number, or biometric record; other indirect identifiers, such as

     4  the  student's  date of birth, place of birth, and mother's maiden name;
     5  other information that, alone or in combination, is linked or likable to
     6  a specific student that would allow a reasonable person  in  the  school
     7  community,  who does not have personal knowledge of the relevant circum-
     8  stances, to identify the student with reasonable certainty; or  informa-
     9  tion  requested  by  a  person who the educational agency or institution
    10  reasonably believes knows the identity of the student to whom the educa-
    11  tion record relates.
    12    (c) "Biometric record", as used in the definition of "personally iden-
    13  tifiably student information", shall mean a record of one or more  meas-
    14  urable  biological  or  behavioral  characteristics that can be used for

    15  automated recognition of an individual, including  fingerprints,  retina
    16  and  iris  patterns,  voiceprints, DNA sequence, facial characteristics,
    17  and handwriting.
    18    (d) "Student" shall mean any person with respect  to  whom  an  educa-
    19  tional  agency  or institution maintains education records or personally
    20  identifiable information, but does not include a person who has not been
    21  in attendance at such agency or institution.
    22    (e) "School" shall mean any public or private elementary or  secondary
    23  school or college as defined in section two of this chapter.
    24    2.  Neither  the department, district boards of education, nor schools
    25  shall disclose any personally identifiable student  information  to  any

    26  third  party  without parental consent, or in the case of students eigh-
    27  teen years of age or older the consent of the student, except where:
    28    (a) disclosure is required by law; or
    29    (b) disclosure is pursuant to a court order or subpoena; or
    30    (c) disclosure is to a third party pursuant to a contract whereby  the
    31  entity  is  performing  administrative, technical or transactional func-
    32  tions that would either be performed by employees of the  state  depart-
    33  ment  of education, district board of education or school, provided that
    34  said contractor:
    35    (1) agrees not to disclose or use the personally identifiable  student
    36  information for any other purposes;
    37    (2)  maintains reasonable administrative, technical and physical safe-

    38  guards to protect the security, confidentiality  and  integrity  of  the
    39  personally identifiable student information; and
    40    (3)  indemnifies the department, district board of education or school
    41  for any damages due to a violation of this section; or
    42    (d) disclosure is to a third party for the purpose of a research study
    43  carried out by or on the behalf of the  department,  district  board  of
    44  education or school; or
    45    (e) disclosure is for the purpose of a state or federal audit or eval-
    46  uation by entities authorized under state or federal law; or
    47    (f) disclosure is necessary due to a health or safety emergency.
    48    3.  Detailed  records  of  all  non-consensual disclosures pursuant to

    49  subdivision two of this section shall be included in  the  corresponding
    50  student's educational records.
    51    4. Where the department, district board of education or school makes a
    52  disclosure  pursuant to paragraph (d) of subdivision two of this section
    53  and pursuant to paragraph (e) of subdivision two of this  section  where
    54  practicable,  it  shall post on its website, send home via mail and make
    55  otherwise publicly available:

        S. 4284                             3
 
     1    (a) the particular type or types of  personally  identifiable  student
     2  information are to be disclosed;
     3    (b) the entity to which the disclosure is to be made;
     4    (c)  the purpose of the study, audit or evaluation and why the disclo-

     5  sure is necessary for its completion;
     6    (d) the specific time frame during which the  personally  identifiable
     7  student information will be utilized and then securely destroyed;
     8    (e)  the entity's assurance of compliance with administrative, techni-
     9  cal and physical safeguards, including all the federal  and  state  data
    10  privacy  and  data  safeguarding rules the department, district board of
    11  education and schools are subject to, to protect the security, confiden-
    12  tiality and integrity of the personally  identifiable  student  informa-
    13  tion; and
    14    (f)  the entity's indemnification of the department, district board of
    15  education or school for any violation of this section.
    16    5. Notification and consent forms shall include:

    17    (a) the scope, purpose and allowable uses of the personally  identifi-
    18  able student information;
    19    (b) the risk of data breaches and the reasonable administrative, tech-
    20  nical  and  physical  safeguards used to protect the security, confiden-
    21  tiality and integrity of the personally  identifiable  student  informa-
    22  tion; and
    23    (c)  information  regarding who is legally and financially responsible
    24  should there be a violation of this section.
    25    6. The state comptroller shall carry  out  regular  audits  to  ensure
    26  proper  procedures  have  been  used; relevant notifications and consent
    27  forms are completed; and security and privacy protections measures  used

    28  in  the  storage,  transmission  and  usage  of  personally identifiable
    29  student information  are  effective  and  accurately  described  in  the
    30  notification documents.
    31    7.  Any  organization  or  company  found  in  violation of any of the
    32  provisions of this section shall be prohibited from obtaining personally
    33  identifiable student information for a  period  of  no  less  than  five
    34  years.
    35    8.  The  New  York  state attorney general shall have the authority to
    36  oversee and enforce compliance with this section and to impose appropri-
    37  ate penalties on those found in violation of any of its provisions.
    38    9. Any data systems maintained by  the  state  or  district  or  their

    39  representatives  shall,  to the maximum extent practicable, conform with
    40  the federal trade commission's data privacy and data safeguarding rules.
    41    10. Nothing in this section shall  limit  the  administrative  use  of
    42  school  records  by a person acting exclusively in the person's capacity
    43  as an employee of a school, a board of education or of the state or  any
    44  of  its political subdivisions, any court or the federal government that
    45  demonstrates an appropriate need for the information.
    46    § 2. This act shall take effect July 1, 2013 and shall apply to school
    47  years beginning with the 2013-2014 academic year.
Go to top