- Floor Votes
Go to top
STATE OF NEW YORK ________________________________________________________________________ 8353 IN ASSEMBLY January 9, 2014 ___________ Introduced by M. of A. NOLAN -- read once and referred to the Committee on Education AN ACT to amend the education law and the penal law, in relation to establishing penalties for the unauthorized release of personally identifiable information from student records and certain records of classroom teachers and building principals The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Section 305 of the education law is amended by adding a new 2 subdivision 44 to read as follows: 3 44. Unauthorized release of personally identifiable information. 4 a. As used in this subdivision the following terms shall have the 5 following meanings: 6 (1) "Building principal" means a building principal subject to annual 7 performance evaluation review under the provisions of section three 8 thousand twelve-c of this chapter. 9 (2) "Classroom teacher" means a teacher subject to annual performance 10 evaluation review under the provisions of section three thousand 11 twelve-c of this chapter. 12 (3) "Educational agency" means a school district, board of cooperative 13 educational services, school, institution of higher education or the 14 education department. 15 (4) "Institution of higher education" means an entity with a campus in 16 New York that provides higher education, as defined in subdivision eight 17 of section two of this title, that is subject to the requirements of the 18 Family Educational Rights and Privacy Act, section twelve hundred thir- 19 ty-two-g of title twenty of the United States code. 20 (5) "Personally identifiable information", as applied to student data, 21 means personally identifiable information as defined in section 99.3 of 22 title thirty-four of the code of federal regulations implementing the 23 Family Educational Rights and Privacy Act, section twelve hundred thir- 24 ty-two-g of title twenty of the United States code, and, as applied to 25 teacher or principal data, means "personally identifying information" as EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD13221-04-4A. 8353 2 1 such term is used in subdivision ten of section three thousand twelve-c 2 of this chapter. 3 (6) "School" means any public elementary or secondary school, charter 4 school, universal pre-kindergarten program authorized pursuant to 5 section thirty-six hundred two-e of this chapter, an approved provider 6 of preschool special education, any other publicly funded pre-kindergar- 7 ten program, an approved private school for the education of students 8 with disabilities, a state-supported school subject to the provisions of 9 article eighty-five of this chapter, a state-operated school subject to 10 the provisions of article eighty-seven or eighty-eight of this chapter. 11 (7) "Student" means any person attending or seeking to enroll in an 12 educational agency. 13 (8) "Eligible student" means a student eighteen years or older or an 14 emancipated minor. An emancipated minor as used in this section refers 15 to a student at least sixteen years or older who is no longer a depend- 16 ent of or in the custody of a parent as defined in this section. 17 (9) "Parent" means a parent, legal guardian, or person in parental 18 relation to a student. 19 (10) "Student data" means personally identifiable information from 20 student records of an educational agency. 21 (11) "Teacher or principal data" means personally identifiable infor- 22 mation from the records of an educational agency relating to the annual 23 professional performance reviews of classroom teachers or principals 24 that is confidential and not subject to release under the provisions of 25 section three thousand twelve-c of this chapter. 26 (12) "Third party contractor" shall mean any person or entity, other 27 than an educational agency, that receives student data or teacher or 28 principal data from an educational agency pursuant to a contract or 29 other written agreement for purposes of providing services to such 30 educational agency, including but not limited to data management or 31 storage services, conducting studies for or on behalf of such educa- 32 tional agency, or audit or evaluation of publicly funded programs. Such 33 term shall include an educational partnership organization that receives 34 student and/or principal data from a school district to carry out its 35 responsibilities pursuant to section two hundred eleven-e of this chap- 36 ter and is not an educational agency as defined in subparagraph three of 37 paragraph a of this subdivision, and a not-for-profit corporation or 38 other non-profit organization, other than an educational agency, or a 39 for-profit corporation or business entity that is affiliated with a 40 charter school and provides management and/or other services to support 41 the charter school in accordance with a charter issued pursuant to arti- 42 cle fifty-six of this chapter. 43 b. (1) The commissioner shall appoint a chief privacy officer within 44 the department. The chief privacy officer shall be qualified by training 45 or experience in state and federal education privacy laws and regu- 46 lations, civil liberties, annual professional performance reviews, 47 information technology, and information security. The chief privacy 48 officer shall report to the commissioner on matters affecting privacy 49 and the security of student, teacher, and principal data. 50 (2) The functions of the chief privacy officer shall include, but not 51 be limited to: 52 (i) Promoting the implementation of fair information practices for 53 privacy and security of student data or teacher or principal data; 54 (ii) Assisting the commissioner in handling instances of data breaches 55 as well as assisting the commissioner in due process proceedings regard- 56 ing any alleged breaches of student data or teacher or principal data;A. 8353 3 1 (iii) Providing assistance to educational agencies within the state on 2 minimum standards and best practices associated with privacy and the 3 security of student data or teacher or principal data; 4 (iv) Formulating a procedure within the department whereby parents, 5 students, teachers, superintendents, school board members, principals, 6 and other persons or entities the chief privacy officer determines is 7 appropriate, may request information pertaining to student data or 8 teacher or principal data in a timely and efficient manner; 9 (v) Assisting the commissioner in establishing a protocol for the 10 submission of complaints of possible breaches of student data or teacher 11 or principal data; 12 (vi) Making recommendations as needed regarding privacy and the secu- 13 rity of student data on behalf of the department to the governor, the 14 speaker of the assembly, the temporary president of the senate, and the 15 chairs of the senate and assembly education committees; 16 (vii) Developing, with input from the New York state educational 17 conference board and parents, the parents bill of rights for data priva- 18 cy and security; and 19 (viii) Any other functions that the commissioner shall deem appropri- 20 ate. 21 (3) The chief privacy officer shall have the power to: 22 (i) access all records, reports, audits, reviews, documents, papers, 23 recommendations, and other materials maintained by an educational agency 24 that relate to student data or teacher or principal data; 25 (ii) to review and comment upon any department program, proposal, 26 grant, or contract that involves the processing of student data or 27 teacher or principal data before the commissioner begins or awards the 28 program, proposal, grant, or contract; and 29 (iii) any other powers that the commissioner shall deem appropriate. 30 (4) The chief privacy officer shall submit by January first, two thou- 31 sand fifteen, and each January first thereafter, a report outlining a 32 summary of activities, recommendations, complaints, and statutory, regu- 33 latory or departmental changes pertaining to the protection of student 34 data or teacher or principal data. The report shall be submitted on 35 behalf of the department to the governor, the speaker of the assembly, 36 the temporary president of the senate, and the chairs of the senate and 37 assembly education committees. The report shall also be made publicly 38 available on the department's website. 39 (5) The chief privacy officer may hold more than one position within 40 the department; provided however, that no additional position will 41 interfere with the duties of the chief privacy officer outlined in this 42 paragraph. 43 c. (1) The chief privacy officer shall develop, with input from the 44 New York state educational conference board and parents, a parents bill 45 of rights for data privacy and security. The parents bill of rights for 46 data privacy and security shall be included with every contract the 47 department or educational agency enters into with a third party contrac- 48 tor where the third party contractor receives student data or teacher or 49 principal data. Every third party contractor that enters into a 50 contract with the department or an educational agency where the third 51 party contractor receives student data or teacher or principal data 52 shall be required to agree in writing to abide by the provisions set 53 forth in the parents bill of rights for data privacy and security. At a 54 minimum, the parents bill of rights for data privacy and security shall 55 include:A. 8353 4 1 (i) who the exclusive persons or entities are that the third party 2 contractor will share the student data or teacher or principal data 3 with, if any; 4 (ii) when the agreement expires and what happens to the student data 5 or teacher or principal data upon expiration of the agreement; 6 (iii) if and how a parent, student, eligible student, teacher or prin- 7 cipal may challenge the accuracy of the student data or teacher or prin- 8 cipal data that is collected; 9 (iv) where the student data or teacher or principal data will be 10 stored, and the security protections taken to ensure such data will be 11 protected, including whether such data will be encrypted; and 12 (v) the exclusive purposes for which the student data or teacher or 13 principal data will be used. 14 (2) The commissioner shall promulgate regulations for a comment period 15 whereby parents may submit comments and suggestions to the chief privacy 16 officer to be considered for inclusion in the parents bill of rights for 17 student data privacy and security. 18 (3) The department shall post the parents bill of rights for student 19 data privacy and security on the department's website. Each educational 20 agency that has an internet website shall also post the parents bill of 21 rights for student data and security on its website. 22 (4) The parents bill of rights for student data privacy and security 23 shall be completed within one hundred twenty days after the effective 24 date of this subdivision. 25 d. (1) Each educational agency shall be able to opt-out of having the 26 student data or teacher or principal data that they are required to 27 report to the department through state or federal law or regulation from 28 being uploaded by the department to the department's educational data 29 portal. 30 (2) Nothing in this paragraph shall allow an educational agency to 31 fail to comply with any student data or teacher or principal data 32 reporting requirements to the department as required by state or federal 33 law or regulation. 34 e. The chief privacy officer shall make publicly available on the 35 department's website a complete list of all student or teacher or prin- 36 cipal data elements collected with an explanation and/or legal or regu- 37 latory authority outlining the reasons such data elements are collected. 38 f. (1) Each third party contractor that receives student data or 39 teacher or principal data pursuant to a contract or other written agree- 40 ment with an educational agency shall be required to notify such educa- 41 tional agency of any breach of security resulting in an unauthorized 42 release of such data in violation of applicable state or federal law, 43 the parents bill of rights for student data privacy and security, the 44 data privacy and security policies of the educational agency and/or 45 binding contractual obligations relating to data privacy and security, 46 in the most expedient way possible and without reasonable delay. The 47 educational agency shall, upon notification by the third party contrac- 48 tor, be required to report to the chief privacy officer any such breach 49 of security and unauthorized release of such data and to report such 50 breach and unauthorized release to law enforcement in the most expedient 51 way possible and without unreasonable delay. 52 (2) In the case of an unauthorized release of student data, the educa- 53 tional agency, or the third party contractor involved, shall notify the 54 parent or eligible student of the unauthorized release of student data 55 that includes personally identifiable information from the student 56 records of such student in the most expedient way possible and withoutA. 8353 5 1 unreasonable delay. In the case of an unauthorized release of teacher or 2 principal data, the educational agency, or the third party contractor 3 involved, shall notify each affected teacher or principal of the unau- 4 thorized release of data that includes personally identifiable informa- 5 tion from the teacher or principal's annual professional performance 6 review in the most expedient way possible and without unreasonable 7 delay. 8 (3) Failure to notify against public policy. (i) A third party 9 contractor shall not fail to notify the educational agency or parent, 10 eligible student, teacher or principal, as applicable, in the most expe- 11 dient way possible and without unreasonable delay. 12 (ii) Each violation of clause (i) of this subparagraph shall consti- 13 tute a class E felony, and shall be punishable by a civil penalty of the 14 greater of five thousand dollars or up to ten dollars per instance of 15 failed notification, provided that the latter amount shall not exceed 16 one hundred fifty thousand dollars. 17 g. If the chief privacy officer determines that a third party contrac- 18 tor, in violation of applicable state or federal law, the data privacy 19 and security policies of the educational agency and/or binding contrac- 20 tual obligations relating to data privacy and security, has re-released 21 any student data or teacher or principal data received from an educa- 22 tional agency to any person or entity not authorized by law to receive 23 such data pursuant to a lawful subpoena or otherwise, the chief privacy 24 officer, after affording the third party contractor with notice and an 25 opportunity to be heard, shall be authorized to: 26 (1) order that the third party contractor be precluded from accessing 27 student data or teacher or principal data, as applicable, from the 28 educational agency from which the contractor obtained the data that was 29 improperly disclosed for a fixed period of up to five years; and/or 30 (2) order that a third party contractor who knowingly and recklessly 31 allows for the unauthorized release of student data or teacher or prin- 32 cipal data be precluded from accessing student data or teacher or prin- 33 cipal data from any educational agency in the state for a fixed period 34 of up to five years; and/or 35 (3) order, in the case of an educational agency that is a public agen- 36 cy subject to competitive bidding requirements, that a third party 37 contractor who knowingly and recklessly allows for the unauthorized 38 release of student data or teacher or principal data, that the third 39 party contractor shall not be deemed a responsible bidder or offerer on 40 any contract with the educational agency from which the contractor 41 obtained the data that was improperly disclosed that involves the shar- 42 ing of student data or teacher or principal data, as applicable for 43 purposes of the provisions of section one hundred three of the general 44 municipal law or paragraph c of subdivision ten of section one hundred 45 sixty-three of the state finance law, as applicable, for a fixed period 46 of up to five years; and/or 47 (4) require the third party contractor to provide training at the 48 contractor's expense on the federal and state law governing confiden- 49 tiality of student data and/or teacher or principal data and the 50 provisions of this subdivision to all its officers and employees with 51 access to such data, prior to being permitted to receive subsequent 52 access to such data from the educational agency from which the contrac- 53 tor obtained the data that was improperly disclosed or from any educa- 54 tional agency; and/or 55 (5) if it is determined that the unauthorized release of student data 56 or teacher or principal data on the part of the third party contractorA. 8353 6 1 was inadvertent and done without intent or gross negligence, the commis- 2 sioner may determine that no penalty be issued upon the third party 3 contractor. 4 h. The commissioner, in consultation with the chief privacy officer, 5 shall promulgate regulations establishing procedures to implement the 6 provisions of this subdivision, including but not limited to procedures 7 for the submission of complaints from parents and/or persons in parental 8 relation to students, classroom teachers or building principals, or 9 other staff of an educational agency, making allegations of improper 10 disclosure of student data and/or teacher or principal data by a third 11 party contractor or its officers or employees that may be subject to the 12 sanctions set forth in paragraph g of this subdivision. Upon receipt of 13 a complaint or other information indicating that such an improper 14 disclosure by a third party contractor may have occurred, the chief 15 privacy officer shall be authorized to investigate, visit, examine and 16 inspect the third party contractor's facilities and records and issue 17 any subpoenas deemed necessary to obtain documentation from, or require 18 the testimony of, any party relating to the alleged improper disclosure 19 of student data or teacher or principal data. 20 i. The commissioner, in consultation with the chief privacy officer, 21 shall promulgate regulations establishing minimum standards for educa- 22 tional agency data security and privacy policies and shall develop one 23 or more model policies for use by educational agencies. Each educational 24 agency, by no later than ninety days after the effective date of this 25 subdivision, shall ensure that it has a policy on data security and 26 privacy in place that is consistent with applicable state and federal 27 laws and applies to student data and, where applicable, to teacher or 28 principal data. Such policy shall be published on the website of the 29 educational agency, if such educational agency has an internet website, 30 and notice of such policy shall be provided to all officers and employ- 31 ees of the educational agency. As applied to student data, such policy 32 shall provide all protections afforded to parents and persons in 33 parental relationships, or students where applicable, required under the 34 Family Educational Rights and Privacy Act, section twelve hundred thir- 35 ty-two-g of title twenty of the United States code, where applicable the 36 Individuals with Disabilities Education Act, sections fourteen hundred, 37 et. seq. of title twenty of the United States code, and the federal 38 regulations implementing such statutes. Each educational agency shall 39 ensure that it has in place provisions in its contracts with third party 40 contractors or in separate data sharing and confidentiality agreements 41 that require that confidentiality of the shared student data or teacher 42 or principal data be maintained in accordance with federal and state law 43 and the educational agency's policy on data security and privacy. 44 j. Each educational agency that enters into a contract or other writ- 45 ten agreement with a third party contractor under which the third party 46 contractor will receive student data or teacher or principal data shall 47 ensure that such contract or agreement include a data security and 48 privacy plan that outlines how all state, federal, and local data secu- 49 rity and privacy contract requirements will be implemented over the life 50 of the contract, consistent with the educational agency's policy on data 51 security and privacy. Such plan shall include, but shall not be limited 52 to, a signed copy of the parents bill of rights for data privacy and 53 security, and a requirement that any officers or employees of the third 54 party contractor who have access to student data or teacher or principal 55 data have received or will receive training on the federal and state law 56 governing confidentiality of such data prior to receiving access.A. 8353 7 1 k. (1)(i) Each violation of any provision of this section by a third 2 party contractor shall be punishable by a civil penalty of up to one 3 thousand dollars; a second violation by the same third party contractor 4 involving the same student data or teacher or principal data shall be 5 punishable by a civil penalty of up to five thousand dollars; any subse- 6 quent violation by the same third party contractor involving the same 7 student data or teacher or principal data shall be punishable by a civil 8 penalty of up to ten thousand dollars. 9 (ii) Each violation of this subdivision shall be considered a separate 10 violation for purposes of civil penalties. 11 (2) The attorney general shall have the authority to enforce compli- 12 ance with this section by investigation and subsequent commencement of a 13 civil action to seek civil penalties for violations of this section, and 14 to seek appropriate injunctive relief. In carrying out such investi- 15 gation and in maintaining such civil action local law enforcement are 16 authorized to subpoena witnesses, compel their attendance, examine them 17 under oath and require that any books, records, documents, papers, or 18 electronic records relevant or material to the inquiry be turned over 19 for inspection, examination or audit, pursuant to the civil practice law 20 and rules. 21 (3) Nothing contained in this subdivision shall be construed as creat- 22 ing a private right of action against the department or an educational 23 agency. 24 l. Nothing in this section shall limit the administrative use of 25 student data or teacher or principal data by a person acting exclusively 26 in the person's capacity as an employee of an educational agency or of 27 the state or any of its political subdivisions, any court or the federal 28 government that is otherwise required by law. 29 § 2. Subdivision 7 of section 156.00 of the penal law, as added by 30 chapter 558 of the laws of 2006, is amended and three new subdivisions 31 10, 11 and 12 are added to read as follows: 32 7. "Access" means to instruct, communicate with, store data in, 33 retrieve from, or otherwise make use of any resources of a computer, 34 physically, directly or by electronic means; including dissemination of 35 data. 36 10. "Educational agency" means an educational agency as such term is 37 defined in subdivision forty-four of section three hundred five of the 38 education law. An educational agency as so defined shall be deemed a 39 governmental instrumentality for purposes of this article. 40 11. "Third party contractor" means a third party contractor as defined 41 in subdivision forty-four of section three hundred five of the education 42 law. 43 12. "Educational computer material" means personally identifiable 44 information from student records or confidential annual professional 45 performance reviews of classroom teachers or principals, of a school 46 district, board of cooperative educational services, school, institution 47 of higher education, or the state education department. 48 § 3. Section 156.30 of the penal law, as amended by chapter 590 of the 49 laws of 2008, is amended to read as follows: 50 § 156.30 Unlawful duplication of computer related material in the first 51 degree. 52 A person is guilty of unlawful duplication of computer related materi- 53 al in the first degree [ material] when having no right to do so, he or 54 she copies, reproduces or duplicates in any manner:A. 8353 8 1 1. any computer data or computer program and thereby intentionally and 2 wrongfully deprives or appropriates from an owner thereof an economic 3 value or benefit in excess of two thousand five hundred dollars;[ or] 4 2. any computer data or computer program with an intent to commit or 5 attempt to commit or further the commission of any felony[ .]; or 6 3. educational computer material with the intent to disseminate in 7 violation of section three hundred five of the education law. 8 Unlawful duplication of computer related material in the first degree 9 is a class E felony. 10 § 4. Section 165.45 of the penal law is amended by adding a new subdi- 11 vision 8 to read as follows: 12 8. The property consists of educational computer material as defined 13 in article one hundred fifty-six of this chapter. 14 § 5. This act shall take effect on the ninetieth day after it shall 15 have become a law, provided, however, the commissioner of education 16 shall within one hundred twenty days after it shall have become law, 17 develop a parents bill of rights for student data privacy and security.