
A06059 Summary:

BILL NO: A06059A

SAME AS: No same as

SPONSOR: O'Donnell

COSPNSR: Millman, Jaffee, Benedetto, Lifton, Duprey, Titone, Hevesi, Zebrowski, Englebright, Weprin, Steck, Abinanti, Montesano, Schimminger, Raia, Colton, Brennan, Finch, McDonough, Lopez P, Cook, Schimel, Skoufis, Braunstein, Malliotakis, Brook-Krasny, Mosley, Gunther, Cusick, Paulin, Goldfeder, Fahy, Borelli, Weinstein, Simotas, Curran, Friend, Lavine, Lupardo, Otis, Brindisi, Skartados, Nojay, Bronson

MLTSPNSR: Abbate, Arroyo, Blankenbush, Butler, Clark, Crouch, Cymbrowitz, DenDekker, Dinowitz, Galef, Garbarino, Glick, Gottfried, Jacobs, Kearns, Lentol, Markey, McDonald, Perry, Rivera, Simanowitz, Solages, Stec, Sweeney, Weisenberg
 
Add S3212-b, Ed L
 
Prohibits the release of personally identifiable student information where parental consent is not provided.

A06059 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         6059--A
 
                               2013-2014 Regular Sessions
 
                   IN ASSEMBLY
 
                                     March 13, 2013
                                       ___________
 
        Introduced  by  M.  of A. O'DONNELL, MILLMAN, JAFFEE, BENEDETTO, LIFTON,
          DUPREY, TITONE, MAISEL, HEVESI, ZEBROWSKI, ENGLEBRIGHT, WEPRIN, STECK,
          ABINANTI,  MONTESANO,  SCHIMMINGER,  RAIA,  GIBSON,  COLTON,  BRENNAN,
          FINCH,   McDONOUGH,  P. LOPEZ,  COOK,  SCHIMEL,  SKOUFIS,  BRAUNSTEIN,
          MALLIOTAKIS, BROOK-KRASNY, MOSLEY, GUNTHER, CUSICK, PAULIN, GOLDFEDER,

          FAHY, GABRYSZAK, BORELLI, WEINSTEIN -- Multi-Sponsored by -- M. of  A.
          ABBATE,  ARROYO,  BUTLER, CLARK, CROUCH, CYMBROWITZ, DenDEKKER, DINOW-
          ITZ, GALEF,  GARBARINO,  GLICK,  GOTTFRIED,  JACOBS,  KEARNS,  LENTOL,
          MARKEY,  McDONALD,  PERRY, RIVERA, SIMANOWITZ, SOLAGES, STEC, SWEENEY,
          WEISENBERG -- read once and referred to the Committee on Education  --
          committee  discharged,  bill amended, ordered reprinted as amended and
          recommitted to said committee
 
        AN ACT to amend the  education  law,  in  relation  to  the  release  of
          personally identifiable student information
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. The education law is amended by adding a new section 3212-b
     2  to read as follows:

     3    § 3212-b. Release of personally identifiable information.  1.    Defi-
     4  nitions. As used in this section:
     5    (a)  the terms "disclosure," "education program," "education records,"
     6  "eligible student," "parent," "party," "personally identifiable informa-
     7  tion," "record," and "student" shall have  the  same  meaning  as  those
     8  terms are defined in 34 CFR Part 99.3;
     9    (b) the term "institution" shall mean any public or private elementary
    10  or  secondary  school  or  an  institution  that  provides  education to
    11  students beyond the secondary education level; secondary education shall
    12  have the meaning set forth in subdivision seven of section two  of  this
    13  chapter;

    14    2. Limitations on access to, or disclosure of, personally identifiable
    15  information. (a) Authorized representatives. The department and district
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD09672-04-3

 
     1  boards  of  education  shall only designate parties that are under their
     2  direct control to act as their authorized representatives to conduct any
     3  audit or evaluation,  or  any  compliance  or  enforcement  activity  in
     4  connection  with  legal  requirements  that  relate to state or district

     5  supported educational programs,  when  any  such  audit,  evaluation  or
     6  activity  requires  or  is  used  as  the  basis  for granting access to
     7  personally identifiable student information;
     8    (b) Outsourcing. The department,  district  boards  of  education  and
     9  institutions  may  not disclose personally identifiable information from
    10  education records of students without the written  consent  of  eligible
    11  students  or parents to a contractor, consultant, or other party to whom
    12  an agency or institution has outsourced institutional services or  func-
    13  tions unless that outside party:
    14    (1)  performs  an  institutional  service  or  function  for which the
    15  department, district board of education, or institution would  otherwise

    16  use employees;
    17    (2)  is  under  the  direct  control of the agency or institution with
    18  respect to the use and maintenance of education records;
    19    (3) limits internal access to education records to  those  individuals
    20  that are determined to have legitimate educational interests;
    21    (4)  does  not  use  the education records for any other purposes than
    22  those explicitly authorized in its contract;
    23    (5) does not disclose any personally identifiable information  to  any
    24  other party:
    25    (i)  without  the  prior  written  consent  of  the parent or eligible
    26  student, or
    27    (ii) unless required by statute or court order and the party  provides

    28  a  notice  of the disclosure to the department, district board of educa-
    29  tion, or institution that provided the information  no  later  than  the
    30  time  the  information  is  disclosed,  unless  providing  notice of the
    31  disclosure is expressly prohibited by the statute or court order;
    32    (6) maintains reasonable administrative, technical and physical  safe-
    33  guards  to  protect  the  security,  confidentiality  and  integrity  of
    34  personally identifiable student information in its custody;
    35    (7) uses encryption technologies to protect data while in motion or in
    36  its custody from unauthorized disclosure using a technology or methodol-
    37  ogy specified by the Secretary of the  U.S.  Department  of  Health  and

    38  Human  Services  in  guidance issued under section 13402(h)(2) of Public
    39  Law 111-5;
    40    (8) has sufficient administrative and technical procedures to  monitor
    41  continuously  the security of personally identifiable information in its
    42  custody;
    43    (9) conducts a security audit annually and  provides  the  results  of
    44  that  audit to each department, district board of education, or institu-
    45  tion that provided educational records;
    46    (10) provides the department, district board of education, or institu-
    47  tion with a  breach  remediation  plan  acceptable  to  the  department,
    48  district  board  of education or institution prior to initial receipt of
    49  education records;

    50    (11) reports  all  suspected  security  breaches  to  the  department,
    51  district  boards  of  education,  or institution that provided education
    52  records as soon as possible but not later than forty-eight hours after a
    53  suspected breach was known  or  would  have  been  known  by  exercising
    54  reasonable diligence;
    55    (12)  reports all actual security breaches to the department, district
    56  boards of education, or institution that provided education  records  as

 
     1  soon  as  possible  but not later than twenty-four hours after an actual
     2  breach was known or would have been known by exercising reasonable dili-
     3  gence;

     4    (13)  in the event of a security breach or unauthorized disclosures of
     5  personally identifiable information,  pays  all  costs  and  liabilities
     6  incurred  by  the  department,  district  boards of education, or insti-
     7  tutions related to  the  security  breach  or  unauthorized  disclosure,
     8  including  but not limited to the costs of responding to inquiries about
     9  the security breach or unauthorized disclosure, of notifying subjects of
    10  personally identifiable information about the breach, of mitigating  the
    11  effects of the breach for the subjects of personally identifiable infor-
    12  mation,  and  of investigating the cause or consequences of the security
    13  breach or unauthorized disclosure; and

    14    (14) destroys or returns to the department, district boards of  educa-
    15  tion,  or  institutions  all  personally identifiable information in its
    16  custody upon request and at the termination of the contract.
    17    (c) Studies. The department, district boards of education,  or  insti-
    18  tutions  may disclose personally identifiable information from an educa-
    19  tion record of a student without the consent  of  eligible  students  or
    20  parents  to a party conducting studies for, or on behalf of, educational
    21  agencies or institutions to:
    22    (1) develop, validate, or administer predictive tests;
    23    (2) administer student aid programs; or
    24    (3) improve instruction;
    25    Provided that the outside party conducting the study meets all of  the

    26  requirements for contractors set forth in paragraph (b) of this subdivi-
    27  sion;
    28    (d)  Commercial  use  prohibited.  The  department, district boards of
    29  education and institutions may  not,  without  the  written  consent  of
    30  eligible  students or parents, disclose personally identifiable informa-
    31  tion from education records to any party for a commercial use, including
    32  but not limited to marketing products or services, compilation of  lists
    33  for  sale or rental, development of products or services, or creation of
    34  individual, household, or group profiles; nor  may  such  disclosure  be
    35  made  for  provision  of  services  other than contracting, studies, and
    36  audits or evaluations as authorized and limited by  paragraphs  (b)  and

    37  (c) of this subdivision.  Any consent from an eligible student or parent
    38  must  be  signed  by  the  student or parent, be dated on the day it was
    39  signed, not have been signed more than six months prior to  the  disclo-
    40  sure, must identify the recipient and the purpose of the disclosure, and
    41  must  state  that the information will only be used for that purpose and
    42  will not be used or disclosed for any other purpose.
    43    3. Data repositories and information practices.
    44    (a) The department and district boards of education may not,  directly
    45  or through contracts with outside parties, maintain personally identifi-
    46  able  information  from education records without the written consent of

    47  eligible students or parents unless maintenance of such information is:
    48    (1) explicitly mandated in federal or state statute; or
    49    (2) administratively required for  the  proper  performance  of  their
    50  duties  under  the  law and is relevant to and necessary for delivery of
    51  services; or
    52    (3) designed to support  a  study  of  students  or  former  students,
    53  provided  that  no  personally  identifiable  information is retained on
    54  former students longer than five years after  the  date  of  their  last
    55  enrollment at an institution.

 
     1    (b) The department and district boards of education shall publicly and

     2  conspicuously  disclose on their web sites and through annual electronic
     3  notification to the chairs of the assembly and senate education  commit-
     4  tees the existence and character of any personally identifiable informa-
     5  tion  from  education  records  that they, directly or through contracts
     6  with outside parties, maintain. Such disclosure and notifications  shall
     7  include:
     8    (1)  the  name and location of the data repository where such informa-
     9  tion is maintained;
    10    (2) the legal authority which authorizes the establishment and  exist-
    11  ence of the data repository;
    12    (3)  the  principal  purpose  or purposes for which the information is
    13  intended to be used;

    14    (4) the categories of individuals on whom records  are  maintained  in
    15  the data repository;
    16    (5) the categories of records maintained in the data repository;
    17    (6)  each  expected  disclosure  of  the records contained in the data
    18  repository, including the categories of recipients and  the  purpose  of
    19  such disclosure;
    20    (7)  the  policies  and  practices  of  the department or the district
    21  boards of education regarding storage, retrievability, access  controls,
    22  retention, and disposal of the records;
    23    (8) the title and business address of the department or district board
    24  of  education  official  who is responsible for the data repository, and
    25  the name and business address of any contractor or other  outside  party

    26  maintaining  the  data  repository for or on behalf of the department or
    27  the district board of education;
    28    (9) the procedures whereby eligible students or parents can  be  noti-
    29  fied  at their request if the data repository contains a record pertain-
    30  ing to them or their children;
    31    (10) the procedures whereby eligible students or parents can be  noti-
    32  fied  at  their  request  how to gain access to any record pertaining to
    33  them or their children contained in the data repository,  and  how  they
    34  can contest its content; and
    35    (11) the categories of sources of records in the data repository;
    36    (c) The department, district boards of education, and institutions may

    37  not  append  education  records with personally identifiable information
    38  obtained from other federal or state agencies through data matches with-
    39  out the written consent of eligible students or parents unless such data
    40  matches are: (1) explicitly mandated in federal or state statute; or (2)
    41  administratively required for the proper  performance  of  their  duties
    42  under  the  law  and  are  relevant  to  and  necessary  for delivery of
    43  services.
    44    4. Penalties and enforcement. (a) Each violation of any  provision  of
    45  this  section by an organization or entity that is not the department, a
    46  district board of education, or an institution as defined  in  paragraph
    47  (b)  of  subdivision  one of this section shall be punishable by a civil

    48  penalty of up to one thousand dollars; a second violation  by  the  same
    49  organization  or entity involving the educational records and privacy of
    50  the same student shall be punishable by a civil penalty of  up  to  five
    51  thousand  dollars;  any subsequent violation by the same organization or
    52  entity involving the educational records and privacy of the same student
    53  shall be punishable by a civil penalty of up to  ten  thousand  dollars;
    54  and  each  violation involving a different individual educational record
    55  or a  different  individual  student  shall  be  considered  a  separate
    56  violation for purposes of civil penalties;

 

     1    (b)  The  attorney general shall have the authority to enforce compli-
     2  ance with this section by investigation and subsequent commencement of a
     3  civil action, to seek civil penalties for violations  of  this  section,
     4  and  to seek appropriate injunctive relief, including but not limited to
     5  a  prohibition  on  obtaining personally identifiable information for an
     6  appropriate time period. In carrying out such investigation and in main-
     7  taining such civil action the attorney general or any deputy or  assist-
     8  ant  attorney  general is authorized to subpoena witnesses, compel their
     9  attendance, examine them under oath and require that any books, records,
    10  documents, papers, or electronic records relevant  or  material  to  the

    11  inquiry be turned over for inspection, examination or audit, pursuant to
    12  the  civil  practice  law  and  rules; subpoenas issued pursuant to this
    13  paragraph may be enforced pursuant to the civil practice law and rules.
    14    (c) Nothing contained herein shall be construed as creating a  private
    15  right  of  action against the department, a district board of education,
    16  or an institution as defined in paragraph (b) of subdivision one of this
    17  section.
    18    5. Administrative use. Nothing in this section shall limit the  admin-
    19  istrative use of education records by a person acting exclusively in the
    20  person's capacity as an employee of a school, a district board of educa-
    21  tion  or of the state or any of its political subdivisions, any court or

    22  the federal government that is otherwise required by law.
    23    § 2. This act shall take effect July 1, 2014 and shall apply to school
    24  years beginning with the 2014-2015 academic year.