•  Summary 
  •  
  •  Actions 
  •  
  •  Votes 
  •  
  •  Memo 
  •  
  •  Text 

S06007 Text:

                           S T A T E   O F   N E W   Y O R K
       ________________________________________________________________________

                                        6007--A
           Cal. No. 28

                              2013-2014 Regular Sessions

                                   I N  S E N A T E

                                   December 11, 2013
                                      ___________

       Introduced  by  Sens.  FLANAGAN,  RANZENHOFER,  ADDABBO, BONACIC, BOYLE,
         DeFRANCISCO,  FELDER,  HANNON,  LARKIN,  MARTINS,  MAZIARZ,   O'BRIEN,
         SEWARD, VALESKY -- read twice and ordered printed, and when printed to
         be committed to the Committee on Rules -- recommitted to the Committee
         on  Rules  in  accordance  with  Senate  Rule  6,  sec. 8 -- committee
         discharged and said bill committed to the Committee  on  Education  --
         reported  favorably  from  said  committee,  ordered  to first report,
         amended on first report,  ordered  to  a  second  report  and  ordered
         reprinted, retaining its place in the order of second report

       AN  ACT  to  amend  the  education law and the penal law, in relation to
         establishing penalties for  the  unauthorized  release  of  personally
         identifiable  information  from student records and certain records of
         classroom teachers and building principals

         THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
       BLY, DO ENACT AS FOLLOWS:

    1    Section 1. Section 305 of the education law is amended by adding a new
    2  subdivision 44 to read as follows:
    3    44. UNAUTHORIZED RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION.
    4    A.  AS  USED  IN  THIS  SUBDIVISION THE FOLLOWING TERMS SHALL HAVE THE
    5  FOLLOWING MEANINGS:
    6    (1) "BUILDING PRINCIPAL" MEANS A BUILDING PRINCIPAL SUBJECT TO  ANNUAL
    7  PERFORMANCE  EVALUATION  REVIEW  UNDER  THE  PROVISIONS OF SECTION THREE
    8  THOUSAND TWELVE-C OF THIS CHAPTER.
    9    (2) "CLASSROOM TEACHER" MEANS A TEACHER SUBJECT TO ANNUAL  PERFORMANCE
   10  EVALUATION  REVIEW  UNDER  THE  PROVISIONS  OF  SECTION  THREE  THOUSAND
   11  TWELVE-C OF THIS CHAPTER.
   12    (3) "EDUCATIONAL AGENCY" MEANS A SCHOOL DISTRICT, BOARD OF COOPERATIVE
   13  EDUCATIONAL SERVICES, SCHOOL, INSTITUTION OF  HIGHER  EDUCATION  OR  THE
   14  EDUCATION DEPARTMENT.
   15    (4) "INSTITUTION OF HIGHER EDUCATION" MEANS AN ENTITY WITH A CAMPUS IN
   16  NEW YORK THAT PROVIDES HIGHER EDUCATION, AS DEFINED IN SUBDIVISION EIGHT

        EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                             [ ] is old law to be omitted.
                                                                  LBD13221-05-4
       S. 6007--A                          2

    1  OF SECTION TWO OF THIS TITLE, THAT IS SUBJECT TO THE REQUIREMENTS OF THE
    2  FAMILY  EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIR-
    3  TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE.
    4    (5) "PERSONALLY IDENTIFIABLE INFORMATION", AS APPLIED TO STUDENT DATA,
    5  MEANS  PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN SECTION 99.3 OF
    6  TITLE THIRTY-FOUR OF THE CODE OF FEDERAL  REGULATIONS  IMPLEMENTING  THE
    7  FAMILY  EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIR-
    8  TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, AND, AS  APPLIED  TO
    9  TEACHER OR PRINCIPAL DATA, MEANS "PERSONALLY IDENTIFYING INFORMATION" AS
   10  SUCH  TERM IS USED IN SUBDIVISION TEN OF SECTION THREE THOUSAND TWELVE-C
   11  OF THIS CHAPTER.
   12    (6) "SCHOOL" MEANS ANY PUBLIC ELEMENTARY OR SECONDARY SCHOOL,  CHARTER
   13  SCHOOL,   UNIVERSAL  PRE-KINDERGARTEN  PROGRAM  AUTHORIZED  PURSUANT  TO
   14  SECTION THIRTY-SIX HUNDRED TWO-E OF THIS CHAPTER, AN  APPROVED  PROVIDER
   15  OF PRESCHOOL SPECIAL EDUCATION, ANY OTHER PUBLICLY FUNDED PRE-KINDERGAR-
   16  TEN  PROGRAM,  AN  APPROVED PRIVATE SCHOOL FOR THE EDUCATION OF STUDENTS
   17  WITH DISABILITIES, A STATE-SUPPORTED SCHOOL SUBJECT TO THE PROVISIONS OF
   18  ARTICLE EIGHTY-FIVE OF THIS CHAPTER, A STATE-OPERATED SCHOOL SUBJECT  TO
   19  THE PROVISIONS OF ARTICLE EIGHTY-SEVEN OR EIGHTY-EIGHT OF THIS CHAPTER.
   20    (7)  "STUDENT"  MEANS  ANY PERSON ATTENDING OR SEEKING TO ENROLL IN AN
   21  EDUCATIONAL AGENCY.
   22    (8) "ELIGIBLE STUDENT" MEANS A STUDENT EIGHTEEN YEARS OR OLDER  OR  AN
   23  EMANCIPATED  MINOR.  AN EMANCIPATED MINOR AS USED IN THIS SECTION REFERS
   24  TO A STUDENT AT LEAST SIXTEEN YEARS OR OLDER WHO IS NO LONGER A  DEPEND-
   25  ENT OF OR IN THE CUSTODY OF A PARENT AS DEFINED IN THIS SECTION.
   26    (9)  "PARENT"  MEANS  A  PARENT, LEGAL GUARDIAN, OR PERSON IN PARENTAL
   27  RELATION TO A STUDENT.
   28    (10) "STUDENT DATA" MEANS  PERSONALLY  IDENTIFIABLE  INFORMATION  FROM
   29  STUDENT RECORDS OF AN EDUCATIONAL AGENCY.
   30    (11)  "TEACHER OR PRINCIPAL DATA" MEANS PERSONALLY IDENTIFIABLE INFOR-
   31  MATION FROM THE RECORDS OF AN EDUCATIONAL AGENCY RELATING TO THE  ANNUAL
   32  PROFESSIONAL  PERFORMANCE  REVIEWS  OF  CLASSROOM TEACHERS OR PRINCIPALS
   33  THAT IS CONFIDENTIAL AND NOT SUBJECT TO RELEASE UNDER THE PROVISIONS  OF
   34  SECTION THREE THOUSAND TWELVE-C OF THIS CHAPTER.
   35    (12)  "THIRD  PARTY CONTRACTOR" SHALL MEAN ANY PERSON OR ENTITY, OTHER
   36  THAN AN EDUCATIONAL AGENCY, THAT RECEIVES STUDENT  DATA  OR  TEACHER  OR
   37  PRINCIPAL  DATA  FROM  AN  EDUCATIONAL  AGENCY PURSUANT TO A CONTRACT OR
   38  OTHER WRITTEN AGREEMENT FOR  PURPOSES  OF  PROVIDING  SERVICES  TO  SUCH
   39  EDUCATIONAL  AGENCY,  INCLUDING  BUT  NOT  LIMITED TO DATA MANAGEMENT OR
   40  STORAGE SERVICES, CONDUCTING STUDIES FOR OR ON  BEHALF  OF  SUCH  EDUCA-
   41  TIONAL AGENCY, OR AUDIT OR EVALUATION OF PUBLICLY FUNDED PROGRAMS.  SUCH
   42  TERM SHALL INCLUDE AN EDUCATIONAL PARTNERSHIP ORGANIZATION THAT RECEIVES
   43  STUDENT  AND/OR  PRINCIPAL  DATA FROM A SCHOOL DISTRICT TO CARRY OUT ITS
   44  RESPONSIBILITIES PURSUANT TO SECTION TWO HUNDRED ELEVEN-E OF THIS  CHAP-
   45  TER AND IS NOT AN EDUCATIONAL AGENCY AS DEFINED IN SUBPARAGRAPH THREE OF
   46  PARAGRAPH  A  OF  THIS  SUBDIVISION, AND A NOT-FOR-PROFIT CORPORATION OR
   47  OTHER NON-PROFIT ORGANIZATION, OTHER THAN AN EDUCATIONAL  AGENCY,  OR  A
   48  FOR-PROFIT  CORPORATION  OR  BUSINESS  ENTITY  THAT IS AFFILIATED WITH A
   49  CHARTER SCHOOL AND PROVIDES MANAGEMENT AND/OR OTHER SERVICES TO  SUPPORT
   50  THE CHARTER SCHOOL IN ACCORDANCE WITH A CHARTER ISSUED PURSUANT TO ARTI-
   51  CLE FIFTY-SIX OF THIS CHAPTER.
   52    B.  (1)  THE COMMISSIONER SHALL APPOINT A CHIEF PRIVACY OFFICER WITHIN
   53  THE DEPARTMENT. THE CHIEF PRIVACY OFFICER SHALL BE QUALIFIED BY TRAINING
   54  OR EXPERIENCE IN STATE AND FEDERAL  EDUCATION  PRIVACY  LAWS  AND  REGU-
   55  LATIONS,  CIVIL  LIBERTIES,  ANNUAL  PROFESSIONAL  PERFORMANCE  REVIEWS,
   56  INFORMATION TECHNOLOGY, AND  INFORMATION  SECURITY.  THE  CHIEF  PRIVACY
       S. 6007--A                          3

    1  OFFICER  SHALL  REPORT  TO THE COMMISSIONER ON MATTERS AFFECTING PRIVACY
    2  AND THE SECURITY OF STUDENT, TEACHER, AND PRINCIPAL DATA.
    3    (2)  THE FUNCTIONS OF THE CHIEF PRIVACY OFFICER SHALL INCLUDE, BUT NOT
    4  BE LIMITED TO:
    5    (I) PROMOTING THE IMPLEMENTATION OF  FAIR  INFORMATION  PRACTICES  FOR
    6  PRIVACY AND SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
    7    (II) ASSISTING THE COMMISSIONER IN HANDLING INSTANCES OF DATA BREACHES
    8  AS WELL AS ASSISTING THE COMMISSIONER IN DUE PROCESS PROCEEDINGS REGARD-
    9  ING ANY ALLEGED BREACHES OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
   10    (III) PROVIDING ASSISTANCE TO EDUCATIONAL AGENCIES WITHIN THE STATE ON
   11  MINIMUM  STANDARDS  AND  BEST  PRACTICES ASSOCIATED WITH PRIVACY AND THE
   12  SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
   13    (IV) FORMULATING A PROCEDURE WITHIN THE  DEPARTMENT  WHEREBY  PARENTS,
   14  STUDENTS,  TEACHERS,  SUPERINTENDENTS, SCHOOL BOARD MEMBERS, PRINCIPALS,
   15  AND OTHER PERSONS OR ENTITIES THE CHIEF PRIVACY  OFFICER  DETERMINES  IS
   16  APPROPRIATE,  MAY  REQUEST  INFORMATION  PERTAINING  TO  STUDENT DATA OR
   17  TEACHER OR PRINCIPAL DATA IN A TIMELY AND EFFICIENT MANNER;
   18    (V) ASSISTING THE COMMISSIONER IN  ESTABLISHING  A  PROTOCOL  FOR  THE
   19  SUBMISSION OF COMPLAINTS OF POSSIBLE BREACHES OF STUDENT DATA OR TEACHER
   20  OR PRINCIPAL DATA;
   21    (VI)  MAKING RECOMMENDATIONS AS NEEDED REGARDING PRIVACY AND THE SECU-
   22  RITY OF STUDENT DATA ON BEHALF OF THE DEPARTMENT TO  THE  GOVERNOR,  THE
   23  SPEAKER  OF THE ASSEMBLY, THE TEMPORARY PRESIDENT OF THE SENATE, AND THE
   24  CHAIRS OF THE SENATE AND ASSEMBLY EDUCATION COMMITTEES;
   25    (VII) DEVELOPING, WITH INPUT  FROM  THE  NEW  YORK  STATE  EDUCATIONAL
   26  CONFERENCE BOARD AND PARENTS, THE PARENTS BILL OF RIGHTS FOR DATA PRIVA-
   27  CY AND SECURITY; AND
   28    (VIII)  ANY OTHER FUNCTIONS THAT THE COMMISSIONER SHALL DEEM APPROPRI-
   29  ATE.
   30    (3) THE CHIEF PRIVACY OFFICER SHALL HAVE THE POWER TO:
   31    (I) ACCESS ALL RECORDS, REPORTS, AUDITS, REVIEWS,  DOCUMENTS,  PAPERS,
   32  RECOMMENDATIONS, AND OTHER MATERIALS MAINTAINED BY AN EDUCATIONAL AGENCY
   33  THAT RELATE TO STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
   34    (II)  TO  REVIEW  AND  COMMENT  UPON ANY DEPARTMENT PROGRAM, PROPOSAL,
   35  GRANT, OR CONTRACT THAT INVOLVES  THE  PROCESSING  OF  STUDENT  DATA  OR
   36  TEACHER  OR  PRINCIPAL DATA BEFORE THE COMMISSIONER BEGINS OR AWARDS THE
   37  PROGRAM, PROPOSAL, GRANT, OR CONTRACT; AND
   38    (III) ANY OTHER POWERS THAT THE COMMISSIONER SHALL DEEM APPROPRIATE.
   39    (4) THE CHIEF PRIVACY OFFICER SHALL SUBMIT BY JANUARY FIRST, TWO THOU-
   40  SAND FIFTEEN, AND EACH JANUARY FIRST THEREAFTER, A  REPORT  OUTLINING  A
   41  SUMMARY OF ACTIVITIES, RECOMMENDATIONS, COMPLAINTS, AND STATUTORY, REGU-
   42  LATORY  OR  DEPARTMENTAL CHANGES PERTAINING TO THE PROTECTION OF STUDENT
   43  DATA OR TEACHER OR PRINCIPAL DATA. THE  REPORT  SHALL  BE  SUBMITTED  ON
   44  BEHALF  OF  THE DEPARTMENT TO THE GOVERNOR, THE SPEAKER OF THE ASSEMBLY,
   45  THE TEMPORARY PRESIDENT OF THE SENATE, AND THE CHAIRS OF THE SENATE  AND
   46  ASSEMBLY  EDUCATION  COMMITTEES.  THE REPORT SHALL ALSO BE MADE PUBLICLY
   47  AVAILABLE ON THE DEPARTMENT'S WEBSITE.
   48    (5) THE CHIEF PRIVACY OFFICER MAY HOLD MORE THAN ONE  POSITION  WITHIN
   49  THE  DEPARTMENT;  PROVIDED  HOWEVER,  THAT  NO  ADDITIONAL POSITION WILL
   50  INTERFERE WITH THE DUTIES OF THE CHIEF PRIVACY OFFICER OUTLINED IN  THIS
   51  PARAGRAPH.
   52    C.  (1)  THE  CHIEF PRIVACY OFFICER SHALL DEVELOP, WITH INPUT FROM THE
   53  NEW YORK STATE EDUCATIONAL CONFERENCE BOARD AND PARENTS, A PARENTS  BILL
   54  OF  RIGHTS FOR DATA PRIVACY AND SECURITY. THE PARENTS BILL OF RIGHTS FOR
   55  DATA PRIVACY AND SECURITY SHALL BE  INCLUDED  WITH  EVERY  CONTRACT  THE
   56  DEPARTMENT OR EDUCATIONAL AGENCY ENTERS INTO WITH A THIRD PARTY CONTRAC-
       S. 6007--A                          4

    1  TOR WHERE THE THIRD PARTY CONTRACTOR RECEIVES STUDENT DATA OR TEACHER OR
    2  PRINCIPAL  DATA.    EVERY  THIRD  PARTY  CONTRACTOR  THAT  ENTERS INTO A
    3  CONTRACT WITH THE DEPARTMENT OR AN EDUCATIONAL AGENCY  WHERE  THE  THIRD
    4  PARTY  CONTRACTOR  RECEIVES  STUDENT  DATA  OR TEACHER OR PRINCIPAL DATA
    5  SHALL BE REQUIRED TO AGREE IN WRITING TO ABIDE  BY  THE  PROVISIONS  SET
    6  FORTH  IN THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY. AT A
    7  MINIMUM, THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY  SHALL
    8  INCLUDE:
    9    (I)  WHO  THE  EXCLUSIVE  PERSONS OR ENTITIES ARE THAT THE THIRD PARTY
   10  CONTRACTOR WILL SHARE THE STUDENT DATA  OR  TEACHER  OR  PRINCIPAL  DATA
   11  WITH, IF ANY;
   12    (II)  WHEN  THE AGREEMENT EXPIRES AND WHAT HAPPENS TO THE STUDENT DATA
   13  OR TEACHER OR PRINCIPAL DATA UPON EXPIRATION OF THE AGREEMENT;
   14    (III) IF AND HOW A PARENT, STUDENT, ELIGIBLE STUDENT, TEACHER OR PRIN-
   15  CIPAL MAY CHALLENGE THE ACCURACY OF THE STUDENT DATA OR TEACHER OR PRIN-
   16  CIPAL DATA THAT IS COLLECTED;
   17    (IV) WHERE THE STUDENT DATA OR  TEACHER  OR  PRINCIPAL  DATA  WILL  BE
   18  STORED,  AND  THE SECURITY PROTECTIONS TAKEN TO ENSURE SUCH DATA WILL BE
   19  PROTECTED, INCLUDING WHETHER SUCH DATA WILL BE ENCRYPTED; AND
   20    (V) THE EXCLUSIVE PURPOSES FOR WHICH THE STUDENT DATA  OR  TEACHER  OR
   21  PRINCIPAL DATA WILL BE USED.
   22    (2) THE COMMISSIONER SHALL PROMULGATE REGULATIONS FOR A COMMENT PERIOD
   23  WHEREBY PARENTS MAY SUBMIT COMMENTS AND SUGGESTIONS TO THE CHIEF PRIVACY
   24  OFFICER TO BE CONSIDERED FOR INCLUSION IN THE PARENTS BILL OF RIGHTS FOR
   25  STUDENT DATA PRIVACY AND SECURITY.
   26    (3)  THE  DEPARTMENT SHALL POST THE PARENTS BILL OF RIGHTS FOR STUDENT
   27  DATA PRIVACY AND SECURITY ON THE DEPARTMENT'S WEBSITE. EACH  EDUCATIONAL
   28  AGENCY  THAT HAS AN INTERNET WEBSITE SHALL ALSO POST THE PARENTS BILL OF
   29  RIGHTS FOR STUDENT DATA AND SECURITY ON ITS WEBSITE.
   30    (4) THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY  AND  SECURITY
   31  SHALL  BE  COMPLETED  WITHIN ONE HUNDRED TWENTY DAYS AFTER THE EFFECTIVE
   32  DATE OF THIS SUBDIVISION.
   33    D. (1) EACH EDUCATIONAL AGENCY SHALL BE ABLE TO OPT-OUT OF HAVING  THE
   34  STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL DATA THAT THEY ARE REQUIRED TO
   35  REPORT TO THE DEPARTMENT THROUGH STATE OR FEDERAL LAW OR REGULATION FROM
   36  BEING UPLOADED BY THE DEPARTMENT TO THE  DEPARTMENT'S  EDUCATIONAL  DATA
   37  PORTAL.
   38    (2)  NOTHING  IN  THIS  PARAGRAPH SHALL ALLOW AN EDUCATIONAL AGENCY TO
   39  FAIL TO COMPLY WITH ANY  STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL  DATA
   40  REPORTING REQUIREMENTS TO THE DEPARTMENT AS REQUIRED BY STATE OR FEDERAL
   41  LAW OR REGULATION.
   42    E.  THE  CHIEF  PRIVACY  OFFICER  SHALL MAKE PUBLICLY AVAILABLE ON THE
   43  DEPARTMENT'S WEBSITE A COMPLETE LIST OF ALL STUDENT OR TEACHER OR  PRIN-
   44  CIPAL  DATA ELEMENTS COLLECTED WITH AN EXPLANATION AND/OR LEGAL OR REGU-
   45  LATORY AUTHORITY OUTLINING THE REASONS SUCH DATA ELEMENTS ARE COLLECTED.
   46    F. (1) EACH THIRD PARTY  CONTRACTOR  THAT  RECEIVES  STUDENT  DATA  OR
   47  TEACHER OR PRINCIPAL DATA PURSUANT TO A CONTRACT OR OTHER WRITTEN AGREE-
   48  MENT  WITH AN EDUCATIONAL AGENCY SHALL BE REQUIRED TO NOTIFY SUCH EDUCA-
   49  TIONAL AGENCY OF ANY BREACH OF SECURITY  RESULTING  IN  AN  UNAUTHORIZED
   50  RELEASE  OF  SUCH  DATA IN VIOLATION OF APPLICABLE STATE OR FEDERAL LAW,
   51  THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY  AND  SECURITY,  THE
   52  DATA  PRIVACY  AND  SECURITY  POLICIES  OF THE EDUCATIONAL AGENCY AND/OR
   53  BINDING CONTRACTUAL OBLIGATIONS RELATING TO DATA PRIVACY  AND  SECURITY,
   54  IN  THE  MOST  EXPEDIENT  WAY POSSIBLE AND WITHOUT REASONABLE DELAY. THE
   55  EDUCATIONAL AGENCY SHALL, UPON NOTIFICATION BY THE THIRD PARTY  CONTRAC-
   56  TOR,  BE REQUIRED TO REPORT TO THE CHIEF PRIVACY OFFICER ANY SUCH BREACH
       S. 6007--A                          5

    1  OF SECURITY AND UNAUTHORIZED RELEASE OF SUCH DATA  AND  TO  REPORT  SUCH
    2  BREACH AND UNAUTHORIZED RELEASE TO LAW ENFORCEMENT IN THE MOST EXPEDIENT
    3  WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.
    4    (2) IN THE CASE OF AN UNAUTHORIZED RELEASE OF STUDENT DATA, THE EDUCA-
    5  TIONAL  AGENCY, OR THE THIRD PARTY CONTRACTOR INVOLVED, SHALL NOTIFY THE
    6  PARENT OR ELIGIBLE STUDENT OF THE UNAUTHORIZED RELEASE OF  STUDENT  DATA
    7  THAT  INCLUDES  PERSONALLY  IDENTIFIABLE  INFORMATION  FROM  THE STUDENT
    8  RECORDS OF SUCH STUDENT IN THE MOST EXPEDIENT WAY POSSIBLE  AND  WITHOUT
    9  UNREASONABLE DELAY. IN THE CASE OF AN UNAUTHORIZED RELEASE OF TEACHER OR
   10  PRINCIPAL  DATA,  THE  EDUCATIONAL AGENCY, OR THE THIRD PARTY CONTRACTOR
   11  INVOLVED, SHALL NOTIFY EACH AFFECTED TEACHER OR PRINCIPAL OF  THE  UNAU-
   12  THORIZED  RELEASE OF DATA THAT INCLUDES PERSONALLY IDENTIFIABLE INFORMA-
   13  TION FROM THE TEACHER OR  PRINCIPAL'S  ANNUAL  PROFESSIONAL  PERFORMANCE
   14  REVIEW  IN  THE  MOST  EXPEDIENT  WAY  POSSIBLE AND WITHOUT UNREASONABLE
   15  DELAY.
   16    (3) FAILURE TO  NOTIFY  AGAINST  PUBLIC  POLICY.  (I)  A  THIRD  PARTY
   17  CONTRACTOR  SHALL  NOT  FAIL TO NOTIFY THE EDUCATIONAL AGENCY OR PARENT,
   18  ELIGIBLE STUDENT, TEACHER OR PRINCIPAL, AS APPLICABLE, IN THE MOST EXPE-
   19  DIENT WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.
   20    (II) EACH VIOLATION OF CLAUSE (I) OF THIS SUBPARAGRAPH  SHALL  CONSTI-
   21  TUTE A CLASS E FELONY, AND SHALL BE PUNISHABLE BY A CIVIL PENALTY OF THE
   22  GREATER  OF  FIVE  THOUSAND DOLLARS OR UP TO TEN DOLLARS PER INSTANCE OF
   23  FAILED NOTIFICATION, PROVIDED THAT THE LATTER AMOUNT  SHALL  NOT  EXCEED
   24  ONE HUNDRED FIFTY THOUSAND DOLLARS.
   25    G. IF THE CHIEF PRIVACY OFFICER DETERMINES THAT A THIRD PARTY CONTRAC-
   26  TOR,  IN  VIOLATION OF APPLICABLE STATE OR FEDERAL LAW, THE DATA PRIVACY
   27  AND SECURITY POLICIES OF THE EDUCATIONAL AGENCY AND/OR BINDING  CONTRAC-
   28  TUAL  OBLIGATIONS RELATING TO DATA PRIVACY AND SECURITY, HAS RE-RELEASED
   29  ANY STUDENT DATA OR TEACHER OR PRINCIPAL DATA RECEIVED  FROM  AN  EDUCA-
   30  TIONAL  AGENCY  TO ANY PERSON OR ENTITY NOT AUTHORIZED BY LAW TO RECEIVE
   31  SUCH DATA PURSUANT TO A LAWFUL SUBPOENA OR OTHERWISE, THE CHIEF  PRIVACY
   32  OFFICER,  AFTER  AFFORDING THE THIRD PARTY CONTRACTOR WITH NOTICE AND AN
   33  OPPORTUNITY TO BE HEARD, SHALL BE AUTHORIZED TO:
   34    (1) ORDER THAT THE THIRD PARTY CONTRACTOR BE PRECLUDED FROM  ACCESSING
   35  STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL  DATA, AS APPLICABLE, FROM THE
   36  EDUCATIONAL AGENCY FROM WHICH THE CONTRACTOR OBTAINED THE DATA THAT  WAS
   37  IMPROPERLY DISCLOSED FOR A FIXED PERIOD OF UP TO FIVE YEARS; AND/OR
   38    (2)  ORDER  THAT A THIRD PARTY CONTRACTOR WHO KNOWINGLY AND RECKLESSLY
   39  ALLOWS FOR THE UNAUTHORIZED RELEASE OF STUDENT DATA OR TEACHER OR  PRIN-
   40  CIPAL  DATA BE PRECLUDED FROM ACCESSING STUDENT DATA OR TEACHER OR PRIN-
   41  CIPAL DATA FROM ANY EDUCATIONAL AGENCY IN THE STATE FOR A  FIXED  PERIOD
   42  OF UP TO FIVE YEARS; AND/OR
   43    (3) ORDER, IN THE CASE OF AN EDUCATIONAL AGENCY THAT IS A PUBLIC AGEN-
   44  CY  SUBJECT  TO  COMPETITIVE  BIDDING  REQUIREMENTS,  THAT A THIRD PARTY
   45  CONTRACTOR WHO KNOWINGLY AND  RECKLESSLY  ALLOWS  FOR  THE  UNAUTHORIZED
   46  RELEASE  OF  STUDENT  DATA  OR TEACHER OR PRINCIPAL DATA, THAT THE THIRD
   47  PARTY CONTRACTOR SHALL NOT BE DEEMED A RESPONSIBLE BIDDER OR OFFERER  ON
   48  ANY  CONTRACT  WITH  THE  EDUCATIONAL  AGENCY  FROM WHICH THE CONTRACTOR
   49  OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED THAT INVOLVES THE  SHAR-
   50  ING  OF  STUDENT  DATA  OR  TEACHER OR PRINCIPAL DATA, AS APPLICABLE FOR
   51  PURPOSES OF THE PROVISIONS OF SECTION ONE HUNDRED THREE OF  THE  GENERAL
   52  MUNICIPAL  LAW  OR PARAGRAPH C OF SUBDIVISION TEN OF SECTION ONE HUNDRED
   53  SIXTY-THREE OF THE STATE FINANCE LAW, AS APPLICABLE, FOR A FIXED  PERIOD
   54  OF UP TO FIVE YEARS; AND/OR
   55    (4)  REQUIRE  THE  THIRD  PARTY  CONTRACTOR TO PROVIDE TRAINING AT THE
   56  CONTRACTOR'S EXPENSE ON THE FEDERAL AND STATE  LAW  GOVERNING  CONFIDEN-
       S. 6007--A                          6

    1  TIALITY  OF  STUDENT  DATA  AND/OR  TEACHER  OR  PRINCIPAL  DATA AND THE
    2  PROVISIONS OF THIS SUBDIVISION TO ALL ITS OFFICERS  AND  EMPLOYEES  WITH
    3  ACCESS  TO  SUCH  DATA,  PRIOR  TO BEING PERMITTED TO RECEIVE SUBSEQUENT
    4  ACCESS  TO SUCH DATA FROM THE EDUCATIONAL AGENCY FROM WHICH THE CONTRAC-
    5  TOR OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED OR FROM  ANY  EDUCA-
    6  TIONAL AGENCY; AND/OR
    7    (5)  IF IT IS DETERMINED THAT THE UNAUTHORIZED RELEASE OF STUDENT DATA
    8  OR TEACHER OR PRINCIPAL DATA ON THE PART OF THE THIRD  PARTY  CONTRACTOR
    9  WAS INADVERTENT AND DONE WITHOUT INTENT OR GROSS NEGLIGENCE, THE COMMIS-
   10  SIONER  MAY  DETERMINE  THAT  NO  PENALTY BE ISSUED UPON THE THIRD PARTY
   11  CONTRACTOR.
   12    H. THE COMMISSIONER, IN CONSULTATION WITH THE CHIEF  PRIVACY  OFFICER,
   13  SHALL  PROMULGATE  REGULATIONS  ESTABLISHING PROCEDURES TO IMPLEMENT THE
   14  PROVISIONS OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO  PROCEDURES
   15  FOR THE SUBMISSION OF COMPLAINTS FROM PARENTS AND/OR PERSONS IN PARENTAL
   16  RELATION  TO  STUDENTS,  CLASSROOM  TEACHERS  OR BUILDING PRINCIPALS, OR
   17  OTHER STAFF OF AN EDUCATIONAL AGENCY,  MAKING  ALLEGATIONS  OF  IMPROPER
   18  DISCLOSURE  OF  STUDENT DATA AND/OR TEACHER OR PRINCIPAL DATA BY A THIRD
   19  PARTY CONTRACTOR OR ITS OFFICERS OR EMPLOYEES THAT MAY BE SUBJECT TO THE
   20  SANCTIONS SET FORTH IN PARAGRAPH G OF THIS SUBDIVISION. UPON RECEIPT  OF
   21  A  COMPLAINT  OR  OTHER  INFORMATION  INDICATING  THAT  SUCH AN IMPROPER
   22  DISCLOSURE BY A THIRD PARTY CONTRACTOR  MAY  HAVE  OCCURRED,  THE  CHIEF
   23  PRIVACY  OFFICER  SHALL BE AUTHORIZED TO INVESTIGATE, VISIT, EXAMINE AND
   24  INSPECT THE THIRD PARTY CONTRACTOR'S FACILITIES AND  RECORDS  AND  ISSUE
   25  ANY  SUBPOENAS DEEMED NECESSARY TO OBTAIN DOCUMENTATION FROM, OR REQUIRE
   26  THE TESTIMONY OF, ANY PARTY RELATING TO THE ALLEGED IMPROPER  DISCLOSURE
   27  OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA.
   28    I.  THE  COMMISSIONER, IN CONSULTATION WITH THE CHIEF PRIVACY OFFICER,
   29  SHALL PROMULGATE REGULATIONS ESTABLISHING MINIMUM STANDARDS  FOR  EDUCA-
   30  TIONAL  AGENCY  DATA SECURITY AND PRIVACY POLICIES AND SHALL DEVELOP ONE
   31  OR MORE MODEL POLICIES FOR USE BY EDUCATIONAL AGENCIES. EACH EDUCATIONAL
   32  AGENCY, BY NO LATER THAN NINETY DAYS AFTER THE EFFECTIVE  DATE  OF  THIS
   33  SUBDIVISION,  SHALL  ENSURE  THAT  IT  HAS A POLICY ON DATA SECURITY AND
   34  PRIVACY IN PLACE THAT IS CONSISTENT WITH APPLICABLE  STATE  AND  FEDERAL
   35  LAWS  AND  APPLIES  TO STUDENT DATA AND, WHERE APPLICABLE, TO TEACHER OR
   36  PRINCIPAL DATA. SUCH POLICY SHALL BE PUBLISHED ON  THE  WEBSITE  OF  THE
   37  EDUCATIONAL  AGENCY, IF SUCH EDUCATIONAL AGENCY HAS AN INTERNET WEBSITE,
   38  AND NOTICE OF SUCH POLICY SHALL BE PROVIDED TO ALL OFFICERS AND  EMPLOY-
   39  EES  OF  THE EDUCATIONAL AGENCY. AS APPLIED TO STUDENT DATA, SUCH POLICY
   40  SHALL PROVIDE  ALL  PROTECTIONS  AFFORDED  TO  PARENTS  AND  PERSONS  IN
   41  PARENTAL RELATIONSHIPS, OR STUDENTS WHERE APPLICABLE, REQUIRED UNDER THE
   42  FAMILY  EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIR-
   43  TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, WHERE APPLICABLE THE
   44  INDIVIDUALS WITH DISABILITIES EDUCATION ACT, SECTIONS FOURTEEN  HUNDRED,
   45  ET.  SEQ.  OF  TITLE  TWENTY  OF THE UNITED STATES CODE, AND THE FEDERAL
   46  REGULATIONS IMPLEMENTING SUCH STATUTES. EACH  EDUCATIONAL  AGENCY  SHALL
   47  ENSURE THAT IT HAS IN PLACE PROVISIONS IN ITS CONTRACTS WITH THIRD PARTY
   48  CONTRACTORS  OR  IN SEPARATE DATA SHARING AND CONFIDENTIALITY AGREEMENTS
   49  THAT REQUIRE THAT CONFIDENTIALITY OF THE SHARED STUDENT DATA OR  TEACHER
   50  OR PRINCIPAL DATA BE MAINTAINED IN ACCORDANCE WITH FEDERAL AND STATE LAW
   51  AND THE EDUCATIONAL AGENCY'S POLICY ON DATA SECURITY AND PRIVACY.
   52    J.  EACH EDUCATIONAL AGENCY THAT ENTERS INTO A CONTRACT OR OTHER WRIT-
   53  TEN AGREEMENT WITH A THIRD PARTY CONTRACTOR UNDER WHICH THE THIRD  PARTY
   54  CONTRACTOR  WILL RECEIVE STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL
   55  ENSURE THAT SUCH CONTRACT OR  AGREEMENT  INCLUDE  A  DATA  SECURITY  AND
   56  PRIVACY  PLAN THAT OUTLINES HOW ALL STATE, FEDERAL, AND LOCAL DATA SECU-
       S. 6007--A                          7

    1  RITY AND PRIVACY CONTRACT REQUIREMENTS WILL BE IMPLEMENTED OVER THE LIFE
    2  OF THE CONTRACT, CONSISTENT WITH THE EDUCATIONAL AGENCY'S POLICY ON DATA
    3  SECURITY AND PRIVACY. SUCH PLAN SHALL INCLUDE, BUT SHALL NOT BE  LIMITED
    4  TO,  A  SIGNED  COPY  OF THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND
    5  SECURITY, AND A REQUIREMENT THAT ANY OFFICERS OR EMPLOYEES OF THE  THIRD
    6  PARTY CONTRACTOR WHO HAVE ACCESS TO STUDENT DATA OR TEACHER OR PRINCIPAL
    7  DATA HAVE RECEIVED OR WILL RECEIVE TRAINING ON THE FEDERAL AND STATE LAW
    8  GOVERNING CONFIDENTIALITY OF SUCH DATA PRIOR TO RECEIVING ACCESS.
    9    K.  (1)(I)  EACH VIOLATION OF ANY PROVISION OF THIS SECTION BY A THIRD
   10  PARTY CONTRACTOR SHALL BE PUNISHABLE BY A CIVIL PENALTY  OF  UP  TO  ONE
   11  THOUSAND  DOLLARS; A SECOND VIOLATION BY THE SAME THIRD PARTY CONTRACTOR
   12  INVOLVING THE SAME STUDENT DATA OR TEACHER OR PRINCIPAL  DATA  SHALL  BE
   13  PUNISHABLE BY A CIVIL PENALTY OF UP TO FIVE THOUSAND DOLLARS; ANY SUBSE-
   14  QUENT  VIOLATION  BY  THE SAME THIRD PARTY CONTRACTOR INVOLVING THE SAME
   15  STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL BE PUNISHABLE BY A CIVIL
   16  PENALTY OF UP TO TEN THOUSAND DOLLARS.
   17    (II) EACH VIOLATION OF THIS SUBDIVISION SHALL BE CONSIDERED A SEPARATE
   18  VIOLATION FOR PURPOSES OF CIVIL PENALTIES.
   19    (2) THE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO  ENFORCE  COMPLI-
   20  ANCE WITH THIS SECTION BY INVESTIGATION AND SUBSEQUENT COMMENCEMENT OF A
   21  CIVIL ACTION TO SEEK CIVIL PENALTIES FOR VIOLATIONS OF THIS SECTION, AND
   22  TO  SEEK  APPROPRIATE  INJUNCTIVE  RELIEF. IN CARRYING OUT SUCH INVESTI-
   23  GATION AND IN MAINTAINING SUCH CIVIL ACTION LOCAL  LAW  ENFORCEMENT  ARE
   24  AUTHORIZED  TO SUBPOENA WITNESSES, COMPEL THEIR ATTENDANCE, EXAMINE THEM
   25  UNDER OATH AND REQUIRE THAT ANY BOOKS, RECORDS,  DOCUMENTS,  PAPERS,  OR
   26  ELECTRONIC  RECORDS  RELEVANT  OR MATERIAL TO THE INQUIRY BE TURNED OVER
   27  FOR INSPECTION, EXAMINATION OR AUDIT, PURSUANT TO THE CIVIL PRACTICE LAW
   28  AND RULES.
   29    (3) NOTHING CONTAINED IN THIS SUBDIVISION SHALL BE CONSTRUED AS CREAT-
   30  ING A PRIVATE RIGHT OF ACTION AGAINST THE DEPARTMENT OR  AN  EDUCATIONAL
   31  AGENCY.
   32    L.  NOTHING  IN  THIS  SECTION  SHALL  LIMIT THE ADMINISTRATIVE USE OF
   33  STUDENT DATA OR TEACHER OR PRINCIPAL DATA BY A PERSON ACTING EXCLUSIVELY
   34  IN THE PERSON'S CAPACITY AS AN EMPLOYEE OF AN EDUCATIONAL AGENCY  OR  OF
   35  THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT OR THE FEDERAL
   36  GOVERNMENT THAT IS OTHERWISE REQUIRED BY LAW.
   37    S  2.  Subdivision  7  of section 156.00 of the penal law, as added by
   38  chapter 558 of the laws of 2006, is amended and three  new  subdivisions
   39  10, 11 and 12 are added to read as follows:
   40    7.  "Access"  means  to  instruct,  communicate  with,  store data in,
   41  retrieve from, or otherwise make use of any  resources  of  a  computer,
   42  physically,  directly or by electronic means; INCLUDING DISSEMINATION OF
   43  DATA.
   44    10. "EDUCATIONAL AGENCY" MEANS AN EDUCATIONAL AGENCY AS SUCH  TERM  IS
   45  DEFINED  IN  SUBDIVISION FORTY-FOUR OF SECTION THREE HUNDRED FIVE OF THE
   46  EDUCATION LAW. AN EDUCATIONAL AGENCY AS SO DEFINED  SHALL  BE  DEEMED  A
   47  GOVERNMENTAL INSTRUMENTALITY FOR PURPOSES OF THIS ARTICLE.
   48    11. "THIRD PARTY CONTRACTOR" MEANS A THIRD PARTY CONTRACTOR AS DEFINED
   49  IN SUBDIVISION FORTY-FOUR OF SECTION THREE HUNDRED FIVE OF THE EDUCATION
   50  LAW.
   51    12.  "EDUCATIONAL  COMPUTER  MATERIAL"  MEANS  PERSONALLY IDENTIFIABLE
   52  INFORMATION FROM STUDENT RECORDS  OR  CONFIDENTIAL  ANNUAL  PROFESSIONAL
   53  PERFORMANCE  REVIEWS  OF  CLASSROOM  TEACHERS OR PRINCIPALS, OF A SCHOOL
   54  DISTRICT, BOARD OF COOPERATIVE EDUCATIONAL SERVICES, SCHOOL, INSTITUTION
   55  OF HIGHER EDUCATION, OR THE STATE EDUCATION DEPARTMENT.
       S. 6007--A                          8

    1    S 3. Section 156.30 of the penal law, as amended by chapter 590 of the
    2  laws of 2008, is amended to read as follows:
    3  S 156.30 Unlawful  duplication of computer related material in the first
    4             degree.
    5    A person is guilty of unlawful duplication of computer related MATERI-
    6  AL in the first degree [material] when having no right to do so,  he  or
    7  she copies, reproduces or duplicates in any manner:
    8    1. any computer data or computer program and thereby intentionally and
    9  wrongfully  deprives  or  appropriates from an owner thereof an economic
   10  value or benefit in excess of two thousand five hundred dollars;[or]
   11    2. any computer data or computer program with an intent to  commit  or
   12  attempt to commit or further the commission of any felony[.]; OR
   13    3.  EDUCATIONAL  COMPUTER  MATERIAL  WITH THE INTENT TO DISSEMINATE IN
   14  VIOLATION OF SECTION THREE HUNDRED FIVE OF THE EDUCATION LAW.
   15    Unlawful duplication of computer related material in the first  degree
   16  is a class E felony.
   17    S 4. Section 165.45 of the penal law is amended by adding a new subdi-
   18  vision 8 to read as follows:
   19    8.  THE  PROPERTY CONSISTS OF EDUCATIONAL COMPUTER MATERIAL AS DEFINED
   20  IN ARTICLE ONE HUNDRED FIFTY-SIX OF THIS CHAPTER.
   21    S 5. This act shall take effect on the ninetieth day  after  it  shall
   22  have  become  a  law,  provided,  however, the commissioner of education
   23  shall within one hundred twenty days after it  shall  have  become  law,
   24  develop a parents bill of rights for student data privacy and security.
Go to top
Page display time = 0.115 sec