STATE OF NEW YORK
________________________________________________________________________
8353
IN ASSEMBLY
January 9, 2014
___________
Introduced by M. of A. NOLAN -- read once and referred to the Committee
on Education
AN ACT to amend the education law and the penal law, in relation to
establishing penalties for the unauthorized release of personally
identifiable information from student records and certain records of
classroom teachers and building principals
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Section 305 of the education law is amended by adding a new
2 subdivision 44 to read as follows:
3 44. Unauthorized release of personally identifiable information.
4 a. As used in this subdivision the following terms shall have the
5 following meanings:
6 (1) "Building principal" means a building principal subject to annual
7 performance evaluation review under the provisions of section three
8 thousand twelve-c of this chapter.
9 (2) "Classroom teacher" means a teacher subject to annual performance
10 evaluation review under the provisions of section three thousand
11 twelve-c of this chapter.
12 (3) "Educational agency" means a school district, board of cooperative
13 educational services, school, institution of higher education or the
14 education department.
15 (4) "Institution of higher education" means an entity with a campus in
16 New York that provides higher education, as defined in subdivision eight
17 of section two of this title, that is subject to the requirements of the
18 Family Educational Rights and Privacy Act, section twelve hundred thir-
19 ty-two-g of title twenty of the United States code.
20 (5) "Personally identifiable information", as applied to student data,
21 means personally identifiable information as defined in section 99.3 of
22 title thirty-four of the code of federal regulations implementing the
23 Family Educational Rights and Privacy Act, section twelve hundred thir-
24 ty-two-g of title twenty of the United States code, and, as applied to
25 teacher or principal data, means "personally identifying information" as
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD13221-04-4
A. 8353 2
1 such term is used in subdivision ten of section three thousand twelve-c
2 of this chapter.
3 (6) "School" means any public elementary or secondary school, charter
4 school, universal pre-kindergarten program authorized pursuant to
5 section thirty-six hundred two-e of this chapter, an approved provider
6 of preschool special education, any other publicly funded pre-kindergar-
7 ten program, an approved private school for the education of students
8 with disabilities, a state-supported school subject to the provisions of
9 article eighty-five of this chapter, a state-operated school subject to
10 the provisions of article eighty-seven or eighty-eight of this chapter.
11 (7) "Student" means any person attending or seeking to enroll in an
12 educational agency.
13 (8) "Eligible student" means a student eighteen years or older or an
14 emancipated minor. An emancipated minor as used in this section refers
15 to a student at least sixteen years or older who is no longer a depend-
16 ent of or in the custody of a parent as defined in this section.
17 (9) "Parent" means a parent, legal guardian, or person in parental
18 relation to a student.
19 (10) "Student data" means personally identifiable information from
20 student records of an educational agency.
21 (11) "Teacher or principal data" means personally identifiable infor-
22 mation from the records of an educational agency relating to the annual
23 professional performance reviews of classroom teachers or principals
24 that is confidential and not subject to release under the provisions of
25 section three thousand twelve-c of this chapter.
26 (12) "Third party contractor" shall mean any person or entity, other
27 than an educational agency, that receives student data or teacher or
28 principal data from an educational agency pursuant to a contract or
29 other written agreement for purposes of providing services to such
30 educational agency, including but not limited to data management or
31 storage services, conducting studies for or on behalf of such educa-
32 tional agency, or audit or evaluation of publicly funded programs. Such
33 term shall include an educational partnership organization that receives
34 student and/or principal data from a school district to carry out its
35 responsibilities pursuant to section two hundred eleven-e of this chap-
36 ter and is not an educational agency as defined in subparagraph three of
37 paragraph a of this subdivision, and a not-for-profit corporation or
38 other non-profit organization, other than an educational agency, or a
39 for-profit corporation or business entity that is affiliated with a
40 charter school and provides management and/or other services to support
41 the charter school in accordance with a charter issued pursuant to arti-
42 cle fifty-six of this chapter.
43 b. (1) The commissioner shall appoint a chief privacy officer within
44 the department. The chief privacy officer shall be qualified by training
45 or experience in state and federal education privacy laws and regu-
46 lations, civil liberties, annual professional performance reviews,
47 information technology, and information security. The chief privacy
48 officer shall report to the commissioner on matters affecting privacy
49 and the security of student, teacher, and principal data.
50 (2) The functions of the chief privacy officer shall include, but not
51 be limited to:
52 (i) Promoting the implementation of fair information practices for
53 privacy and security of student data or teacher or principal data;
54 (ii) Assisting the commissioner in handling instances of data breaches
55 as well as assisting the commissioner in due process proceedings regard-
56 ing any alleged breaches of student data or teacher or principal data;
A. 8353 3
1 (iii) Providing assistance to educational agencies within the state on
2 minimum standards and best practices associated with privacy and the
3 security of student data or teacher or principal data;
4 (iv) Formulating a procedure within the department whereby parents,
5 students, teachers, superintendents, school board members, principals,
6 and other persons or entities the chief privacy officer determines is
7 appropriate, may request information pertaining to student data or
8 teacher or principal data in a timely and efficient manner;
9 (v) Assisting the commissioner in establishing a protocol for the
10 submission of complaints of possible breaches of student data or teacher
11 or principal data;
12 (vi) Making recommendations as needed regarding privacy and the secu-
13 rity of student data on behalf of the department to the governor, the
14 speaker of the assembly, the temporary president of the senate, and the
15 chairs of the senate and assembly education committees;
16 (vii) Developing, with input from the New York state educational
17 conference board and parents, the parents bill of rights for data priva-
18 cy and security; and
19 (viii) Any other functions that the commissioner shall deem appropri-
20 ate.
21 (3) The chief privacy officer shall have the power to:
22 (i) access all records, reports, audits, reviews, documents, papers,
23 recommendations, and other materials maintained by an educational agency
24 that relate to student data or teacher or principal data;
25 (ii) to review and comment upon any department program, proposal,
26 grant, or contract that involves the processing of student data or
27 teacher or principal data before the commissioner begins or awards the
28 program, proposal, grant, or contract; and
29 (iii) any other powers that the commissioner shall deem appropriate.
30 (4) The chief privacy officer shall submit by January first, two thou-
31 sand fifteen, and each January first thereafter, a report outlining a
32 summary of activities, recommendations, complaints, and statutory, regu-
33 latory or departmental changes pertaining to the protection of student
34 data or teacher or principal data. The report shall be submitted on
35 behalf of the department to the governor, the speaker of the assembly,
36 the temporary president of the senate, and the chairs of the senate and
37 assembly education committees. The report shall also be made publicly
38 available on the department's website.
39 (5) The chief privacy officer may hold more than one position within
40 the department; provided however, that no additional position will
41 interfere with the duties of the chief privacy officer outlined in this
42 paragraph.
43 c. (1) The chief privacy officer shall develop, with input from the
44 New York state educational conference board and parents, a parents bill
45 of rights for data privacy and security. The parents bill of rights for
46 data privacy and security shall be included with every contract the
47 department or educational agency enters into with a third party contrac-
48 tor where the third party contractor receives student data or teacher or
49 principal data. Every third party contractor that enters into a
50 contract with the department or an educational agency where the third
51 party contractor receives student data or teacher or principal data
52 shall be required to agree in writing to abide by the provisions set
53 forth in the parents bill of rights for data privacy and security. At a
54 minimum, the parents bill of rights for data privacy and security shall
55 include:
A. 8353 4
1 (i) who the exclusive persons or entities are that the third party
2 contractor will share the student data or teacher or principal data
3 with, if any;
4 (ii) when the agreement expires and what happens to the student data
5 or teacher or principal data upon expiration of the agreement;
6 (iii) if and how a parent, student, eligible student, teacher or prin-
7 cipal may challenge the accuracy of the student data or teacher or prin-
8 cipal data that is collected;
9 (iv) where the student data or teacher or principal data will be
10 stored, and the security protections taken to ensure such data will be
11 protected, including whether such data will be encrypted; and
12 (v) the exclusive purposes for which the student data or teacher or
13 principal data will be used.
14 (2) The commissioner shall promulgate regulations for a comment period
15 whereby parents may submit comments and suggestions to the chief privacy
16 officer to be considered for inclusion in the parents bill of rights for
17 student data privacy and security.
18 (3) The department shall post the parents bill of rights for student
19 data privacy and security on the department's website. Each educational
20 agency that has an internet website shall also post the parents bill of
21 rights for student data and security on its website.
22 (4) The parents bill of rights for student data privacy and security
23 shall be completed within one hundred twenty days after the effective
24 date of this subdivision.
25 d. (1) Each educational agency shall be able to opt-out of having the
26 student data or teacher or principal data that they are required to
27 report to the department through state or federal law or regulation from
28 being uploaded by the department to the department's educational data
29 portal.
30 (2) Nothing in this paragraph shall allow an educational agency to
31 fail to comply with any student data or teacher or principal data
32 reporting requirements to the department as required by state or federal
33 law or regulation.
34 e. The chief privacy officer shall make publicly available on the
35 department's website a complete list of all student or teacher or prin-
36 cipal data elements collected with an explanation and/or legal or regu-
37 latory authority outlining the reasons such data elements are collected.
38 f. (1) Each third party contractor that receives student data or
39 teacher or principal data pursuant to a contract or other written agree-
40 ment with an educational agency shall be required to notify such educa-
41 tional agency of any breach of security resulting in an unauthorized
42 release of such data in violation of applicable state or federal law,
43 the parents bill of rights for student data privacy and security, the
44 data privacy and security policies of the educational agency and/or
45 binding contractual obligations relating to data privacy and security,
46 in the most expedient way possible and without reasonable delay. The
47 educational agency shall, upon notification by the third party contrac-
48 tor, be required to report to the chief privacy officer any such breach
49 of security and unauthorized release of such data and to report such
50 breach and unauthorized release to law enforcement in the most expedient
51 way possible and without unreasonable delay.
52 (2) In the case of an unauthorized release of student data, the educa-
53 tional agency, or the third party contractor involved, shall notify the
54 parent or eligible student of the unauthorized release of student data
55 that includes personally identifiable information from the student
56 records of such student in the most expedient way possible and without
A. 8353 5
1 unreasonable delay. In the case of an unauthorized release of teacher or
2 principal data, the educational agency, or the third party contractor
3 involved, shall notify each affected teacher or principal of the unau-
4 thorized release of data that includes personally identifiable informa-
5 tion from the teacher or principal's annual professional performance
6 review in the most expedient way possible and without unreasonable
7 delay.
8 (3) Failure to notify against public policy. (i) A third party
9 contractor shall not fail to notify the educational agency or parent,
10 eligible student, teacher or principal, as applicable, in the most expe-
11 dient way possible and without unreasonable delay.
12 (ii) Each violation of clause (i) of this subparagraph shall consti-
13 tute a class E felony, and shall be punishable by a civil penalty of the
14 greater of five thousand dollars or up to ten dollars per instance of
15 failed notification, provided that the latter amount shall not exceed
16 one hundred fifty thousand dollars.
17 g. If the chief privacy officer determines that a third party contrac-
18 tor, in violation of applicable state or federal law, the data privacy
19 and security policies of the educational agency and/or binding contrac-
20 tual obligations relating to data privacy and security, has re-released
21 any student data or teacher or principal data received from an educa-
22 tional agency to any person or entity not authorized by law to receive
23 such data pursuant to a lawful subpoena or otherwise, the chief privacy
24 officer, after affording the third party contractor with notice and an
25 opportunity to be heard, shall be authorized to:
26 (1) order that the third party contractor be precluded from accessing
27 student data or teacher or principal data, as applicable, from the
28 educational agency from which the contractor obtained the data that was
29 improperly disclosed for a fixed period of up to five years; and/or
30 (2) order that a third party contractor who knowingly and recklessly
31 allows for the unauthorized release of student data or teacher or prin-
32 cipal data be precluded from accessing student data or teacher or prin-
33 cipal data from any educational agency in the state for a fixed period
34 of up to five years; and/or
35 (3) order, in the case of an educational agency that is a public agen-
36 cy subject to competitive bidding requirements, that a third party
37 contractor who knowingly and recklessly allows for the unauthorized
38 release of student data or teacher or principal data, that the third
39 party contractor shall not be deemed a responsible bidder or offerer on
40 any contract with the educational agency from which the contractor
41 obtained the data that was improperly disclosed that involves the shar-
42 ing of student data or teacher or principal data, as applicable for
43 purposes of the provisions of section one hundred three of the general
44 municipal law or paragraph c of subdivision ten of section one hundred
45 sixty-three of the state finance law, as applicable, for a fixed period
46 of up to five years; and/or
47 (4) require the third party contractor to provide training at the
48 contractor's expense on the federal and state law governing confiden-
49 tiality of student data and/or teacher or principal data and the
50 provisions of this subdivision to all its officers and employees with
51 access to such data, prior to being permitted to receive subsequent
52 access to such data from the educational agency from which the contrac-
53 tor obtained the data that was improperly disclosed or from any educa-
54 tional agency; and/or
55 (5) if it is determined that the unauthorized release of student data
56 or teacher or principal data on the part of the third party contractor
A. 8353 6
1 was inadvertent and done without intent or gross negligence, the commis-
2 sioner may determine that no penalty be issued upon the third party
3 contractor.
4 h. The commissioner, in consultation with the chief privacy officer,
5 shall promulgate regulations establishing procedures to implement the
6 provisions of this subdivision, including but not limited to procedures
7 for the submission of complaints from parents and/or persons in parental
8 relation to students, classroom teachers or building principals, or
9 other staff of an educational agency, making allegations of improper
10 disclosure of student data and/or teacher or principal data by a third
11 party contractor or its officers or employees that may be subject to the
12 sanctions set forth in paragraph g of this subdivision. Upon receipt of
13 a complaint or other information indicating that such an improper
14 disclosure by a third party contractor may have occurred, the chief
15 privacy officer shall be authorized to investigate, visit, examine and
16 inspect the third party contractor's facilities and records and issue
17 any subpoenas deemed necessary to obtain documentation from, or require
18 the testimony of, any party relating to the alleged improper disclosure
19 of student data or teacher or principal data.
20 i. The commissioner, in consultation with the chief privacy officer,
21 shall promulgate regulations establishing minimum standards for educa-
22 tional agency data security and privacy policies and shall develop one
23 or more model policies for use by educational agencies. Each educational
24 agency, by no later than ninety days after the effective date of this
25 subdivision, shall ensure that it has a policy on data security and
26 privacy in place that is consistent with applicable state and federal
27 laws and applies to student data and, where applicable, to teacher or
28 principal data. Such policy shall be published on the website of the
29 educational agency, if such educational agency has an internet website,
30 and notice of such policy shall be provided to all officers and employ-
31 ees of the educational agency. As applied to student data, such policy
32 shall provide all protections afforded to parents and persons in
33 parental relationships, or students where applicable, required under the
34 Family Educational Rights and Privacy Act, section twelve hundred thir-
35 ty-two-g of title twenty of the United States code, where applicable the
36 Individuals with Disabilities Education Act, sections fourteen hundred,
37 et. seq. of title twenty of the United States code, and the federal
38 regulations implementing such statutes. Each educational agency shall
39 ensure that it has in place provisions in its contracts with third party
40 contractors or in separate data sharing and confidentiality agreements
41 that require that confidentiality of the shared student data or teacher
42 or principal data be maintained in accordance with federal and state law
43 and the educational agency's policy on data security and privacy.
44 j. Each educational agency that enters into a contract or other writ-
45 ten agreement with a third party contractor under which the third party
46 contractor will receive student data or teacher or principal data shall
47 ensure that such contract or agreement include a data security and
48 privacy plan that outlines how all state, federal, and local data secu-
49 rity and privacy contract requirements will be implemented over the life
50 of the contract, consistent with the educational agency's policy on data
51 security and privacy. Such plan shall include, but shall not be limited
52 to, a signed copy of the parents bill of rights for data privacy and
53 security, and a requirement that any officers or employees of the third
54 party contractor who have access to student data or teacher or principal
55 data have received or will receive training on the federal and state law
56 governing confidentiality of such data prior to receiving access.
A. 8353 7
1 k. (1)(i) Each violation of any provision of this section by a third
2 party contractor shall be punishable by a civil penalty of up to one
3 thousand dollars; a second violation by the same third party contractor
4 involving the same student data or teacher or principal data shall be
5 punishable by a civil penalty of up to five thousand dollars; any subse-
6 quent violation by the same third party contractor involving the same
7 student data or teacher or principal data shall be punishable by a civil
8 penalty of up to ten thousand dollars.
9 (ii) Each violation of this subdivision shall be considered a separate
10 violation for purposes of civil penalties.
11 (2) The attorney general shall have the authority to enforce compli-
12 ance with this section by investigation and subsequent commencement of a
13 civil action to seek civil penalties for violations of this section, and
14 to seek appropriate injunctive relief. In carrying out such investi-
15 gation and in maintaining such civil action local law enforcement are
16 authorized to subpoena witnesses, compel their attendance, examine them
17 under oath and require that any books, records, documents, papers, or
18 electronic records relevant or material to the inquiry be turned over
19 for inspection, examination or audit, pursuant to the civil practice law
20 and rules.
21 (3) Nothing contained in this subdivision shall be construed as creat-
22 ing a private right of action against the department or an educational
23 agency.
24 l. Nothing in this section shall limit the administrative use of
25 student data or teacher or principal data by a person acting exclusively
26 in the person's capacity as an employee of an educational agency or of
27 the state or any of its political subdivisions, any court or the federal
28 government that is otherwise required by law.
29 § 2. Subdivision 7 of section 156.00 of the penal law, as added by
30 chapter 558 of the laws of 2006, is amended and three new subdivisions
31 10, 11 and 12 are added to read as follows:
32 7. "Access" means to instruct, communicate with, store data in,
33 retrieve from, or otherwise make use of any resources of a computer,
34 physically, directly or by electronic means; including dissemination of
35 data.
36 10. "Educational agency" means an educational agency as such term is
37 defined in subdivision forty-four of section three hundred five of the
38 education law. An educational agency as so defined shall be deemed a
39 governmental instrumentality for purposes of this article.
40 11. "Third party contractor" means a third party contractor as defined
41 in subdivision forty-four of section three hundred five of the education
42 law.
43 12. "Educational computer material" means personally identifiable
44 information from student records or confidential annual professional
45 performance reviews of classroom teachers or principals, of a school
46 district, board of cooperative educational services, school, institution
47 of higher education, or the state education department.
48 § 3. Section 156.30 of the penal law, as amended by chapter 590 of the
49 laws of 2008, is amended to read as follows:
50 § 156.30 Unlawful duplication of computer related material in the first
51 degree.
52 A person is guilty of unlawful duplication of computer related materi-
53 al in the first degree [material] when having no right to do so, he or
54 she copies, reproduces or duplicates in any manner:
A. 8353 8
1 1. any computer data or computer program and thereby intentionally and
2 wrongfully deprives or appropriates from an owner thereof an economic
3 value or benefit in excess of two thousand five hundred dollars;[or]
4 2. any computer data or computer program with an intent to commit or
5 attempt to commit or further the commission of any felony[.]; or
6 3. educational computer material with the intent to disseminate in
7 violation of section three hundred five of the education law.
8 Unlawful duplication of computer related material in the first degree
9 is a class E felony.
10 § 4. Section 165.45 of the penal law is amended by adding a new subdi-
11 vision 8 to read as follows:
12 8. The property consists of educational computer material as defined
13 in article one hundred fifty-six of this chapter.
14 § 5. This act shall take effect on the ninetieth day after it shall
15 have become a law, provided, however, the commissioner of education
16 shall within one hundred twenty days after it shall have become law,
17 develop a parents bill of rights for student data privacy and security.