S05932 Summary:

BILL NO: S05932A

SAME AS: No same as

SPONSOR: ROBACH

COSPNSR: ADDABBO, BALL, CARLUCCI, GALLIVAN, HOYLMAN, KRUEGER, LANZA, LATIMER, MARTINS, MONTGOMERY, SAVINO, SERRANO, TKACZYK, YOUNG, ZELDIN

MLTSPNSR:
 
Add S3212-b, Ed L
 
Prohibits the release of personally identifiable student information where parental consent is not provided.

S05932 Actions:

BILL NO: S05932A

09/11/2013  REFERRED TO RULES
01/08/2014  REFERRED TO EDUCATION
02/10/2014  AMEND AND RECOMMIT TO EDUCATION
02/10/2014  PRINT NUMBER 5932A

S05932 Floor Votes:

There are no votes for this bill in this legislative session.

S05932 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         5932--A
 
                               2013-2014 Regular Sessions
 
                    IN SENATE
 
                                   September 11, 2013
                                       ___________
 
        Introduced  by Sens. ROBACH, BALL, CARLUCCI, GALLIVAN, HOYLMAN, KRUEGER,
          LANZA, LATIMER, MONTGOMERY, SAVINO, SERRANO, TKACZYK,  YOUNG  --  read
          twice  and  ordered  printed,  and when printed to be committed to the
          Committee on Rules -- recommitted to the  Committee  on  Education  in
          accordance  with  Senate  Rule 6, sec. 8 -- committee discharged, bill

          amended, ordered reprinted as amended and recommitted to said  commit-
          tee
 
        AN  ACT  to  amend  the  education  law,  in  relation to the release of
          personally identifiable student information
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section 1. The education law is amended by adding a new section 3212-b
     2  to read as follows:
     3    §  3212-b.  Release  of personally identifiable information. 1.  Defi-
     4  nitions. As used in this section:
     5    (a) the terms "disclosure," "education program," "education  records,"
     6  "eligible student," "parent," "party," "personally identifiable informa-
     7  tion,"  "record,"  and  "student"  shall  have the same meaning as those
     8  terms are defined in 34 CFR Part 99.3;

     9    (b) the term "institution" shall mean any public or private elementary
    10  or secondary  school  or  an  institution  that  provides  education  to
    11  students beyond the secondary education level; secondary education shall
    12  have  the  meaning set forth in subdivision seven of section two of this
    13  chapter;
    14    2. Limitations on access to, or disclosure of, personally identifiable
    15  information. (a) Authorized representatives. The department and district
    16  boards of education shall only designate parties that  are  under  their
    17  direct control to act as their authorized representatives to conduct any
    18  audit  or  evaluation,  or  any  compliance  or  enforcement activity in
    19  connection with legal requirements that  relate  to  state  or  district

    20  supported  educational  programs,  when  any  such  audit, evaluation or
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD09672-07-4

        S. 5932--A                          2
 
     1  activity requires or is  used  as  the  basis  for  granting  access  to
     2  personally identifiable student information;
     3    (b)  Outsourcing.  The  department,  district  boards of education and
     4  institutions may not disclose personally identifiable  information  from
     5  education  records  of  students without the written consent of eligible
     6  students or parents to a contractor, consultant, or other party to  whom

     7  an  agency or institution has outsourced institutional services or func-
     8  tions unless that outside party:
     9    (1) performs an  institutional  service  or  function  for  which  the
    10  department,  district board of education, or institution would otherwise
    11  use employees;
    12    (2) is under the direct control of  the  agency  or  institution  with
    13  respect to the use and maintenance of education records;
    14    (3)  limits  internal access to education records to those individuals
    15  that are determined to have legitimate educational interests;
    16    (4) does not use the education records for  any  other  purposes  than
    17  those explicitly authorized in its contract;
    18    (5)  does  not disclose any personally identifiable information to any

    19  other party:
    20    (i) without the prior  written  consent  of  the  parent  or  eligible
    21  student, or
    22    (ii)  unless required by statute or court order and the party provides
    23  a notice of the disclosure to the department, district board  of  educa-
    24  tion,  or  institution  that  provided the information no later than the
    25  time the information  is  disclosed,  unless  providing  notice  of  the
    26  disclosure is expressly prohibited by the statute or court order;
    27    (6)  maintains reasonable administrative, technical and physical safe-
    28  guards  to  protect  the  security,  confidentiality  and  integrity  of
    29  personally identifiable student information in its custody;
    30    (7) uses encryption technologies to protect data while in motion or in

    31  its custody from unauthorized disclosure using a technology or methodol-
    32  ogy  specified  by  the  Secretary  of the U.S. Department of Health and
    33  Human Services in guidance issued under section  13402(h)(2)  of  Public
    34  Law 111-5;
    35    (8)  has sufficient administrative and technical procedures to monitor
    36  continuously the security of personally identifiable information in  its
    37  custody;
    38    (9)  conducts  a  security  audit annually and provides the results of
    39  that audit to each department, district board of education, or  institu-
    40  tion that provided educational records;
    41    (10) provides the department, district board of education, or institu-
    42  tion  with  a  breach  remediation  plan  acceptable  to the department,

    43  district board of education or institution prior to initial  receipt  of
    44  education records;
    45    (11)  reports  all  suspected  security  breaches  to  the department,
    46  district boards of education, or  institution  that  provided  education
    47  records as soon as possible but not later than forty-eight hours after a
    48  suspected  breach  was  known  or  would  have  been known by exercising
    49  reasonable diligence;
    50    (12) reports all actual security breaches to the department,  district
    51  boards  of  education, or institution that provided education records as
    52  soon as possible but not later than twenty-four hours  after  an  actual
    53  breach was known or would have been known by exercising reasonable dili-
    54  gence;

    55    (13)  in the event of a security breach or unauthorized disclosures of
    56  personally identifiable information,  pays  all  costs  and  liabilities

        S. 5932--A                          3
 
     1  incurred  by  the  department,  district  boards of education, or insti-
     2  tutions related to  the  security  breach  or  unauthorized  disclosure,
     3  including  but not limited to the costs of responding to inquiries about
     4  the security breach or unauthorized disclosure, of notifying subjects of
     5  personally  identifiable information about the breach, of mitigating the
     6  effects of the breach for the subjects of personally identifiable infor-
     7  mation, and of investigating the cause or consequences of  the  security

     8  breach or unauthorized disclosure; and
     9    (14)  destroys or returns to the department, district boards of educa-
    10  tion, or institutions all personally  identifiable  information  in  its
    11  custody upon request and at the termination of the contract.
    12    (c)  Studies.  The department, district boards of education, or insti-
    13  tutions may disclose personally identifiable information from an  educa-
    14  tion  record  of  a  student without the consent of eligible students or
    15  parents to a party conducting studies for, or on behalf of,  educational
    16  agencies or institutions to:
    17    (1) develop, validate, or administer predictive tests;
    18    (2) administer student aid programs; or
    19    (3) improve instruction;

    20    Provided  that the outside party conducting the study meets all of the
    21  requirements for contractors set forth in paragraph (b) of this subdivi-
    22  sion;
    23    (d) Commercial use prohibited.  The  department,  district  boards  of
    24  education  and  institutions  may  not,  without  the written consent of
    25  eligible students or parents, disclose personally identifiable  informa-
    26  tion from education records to any party for a commercial use, including
    27  but  not limited to marketing products or services, compilation of lists
    28  for sale or rental, development of products or services, or creation  of
    29  individual,  household,  or  group  profiles; nor may such disclosure be
    30  made for provision of services  other  than  contracting,  studies,  and

    31  audits  or  evaluations  as authorized and limited by paragraphs (b) and
    32  (c) of this subdivision.  Any consent from an eligible student or parent
    33  must be signed by the student or parent, be dated  on  the  day  it  was
    34  signed,  not  have been signed more than six months prior to the disclo-
    35  sure, must identify the recipient and the purpose of the disclosure, and
    36  must state that the information will only be used for that  purpose  and
    37  will not be used or disclosed for any other purpose.
    38    3. Data repositories and information practices.
    39    (a)  The department and district boards of education may not, directly
    40  or through contracts with outside parties, maintain personally identifi-

    41  able information from education records without the written  consent  of
    42  eligible students or parents unless maintenance of such information is:
    43    (1) explicitly mandated in federal or state statute; or
    44    (2)  administratively  required  for  the  proper performance of their
    45  duties under the law and is relevant to and necessary  for  delivery  of
    46  services; or
    47    (3)  designed  to  support  a  study  of  students or former students,
    48  provided that no personally  identifiable  information  is  retained  on
    49  former  students  longer  than  five  years after the date of their last
    50  enrollment at an institution.
    51    (b) The department and district boards of education shall publicly and

    52  conspicuously disclose on their web sites and through annual  electronic
    53  notification  to the chairs of the assembly and senate education commit-
    54  tees the existence and character of any personally identifiable informa-
    55  tion from education records that they,  directly  or  through  contracts

        S. 5932--A                          4
 
     1  with  outside parties, maintain. Such disclosure and notifications shall
     2  include:
     3    (1)  the  name and location of the data repository where such informa-
     4  tion is maintained;
     5    (2) the legal authority which authorizes the establishment and  exist-
     6  ence of the data repository;
     7    (3)  the  principal  purpose  or purposes for which the information is

     8  intended to be used;
     9    (4) the categories of individuals on whom records  are  maintained  in
    10  the data repository;
    11    (5) the categories of records maintained in the data repository;
    12    (6)  each  expected  disclosure  of  the records contained in the data
    13  repository, including the categories of recipients and  the  purpose  of
    14  such disclosure;
    15    (7)  the  policies  and  practices  of  the department or the district
    16  boards of education regarding storage, retrievability, access  controls,
    17  retention, and disposal of the records;
    18    (8) the title and business address of the department or district board
    19  of  education  official  who is responsible for the data repository, and

    20  the name and business address of any contractor or other  outside  party
    21  maintaining  the  data  repository for or on behalf of the department or
    22  the district board of education;
    23    (9) the procedures whereby eligible students or parents can  be  noti-
    24  fied  at their request if the data repository contains a record pertain-
    25  ing to them or their children;
    26    (10) the procedures whereby eligible students or parents can be  noti-
    27  fied  at  their  request  how to gain access to any record pertaining to
    28  them or their children contained in the data repository,  and  how  they
    29  can contest its content; and
    30    (11) the categories of sources of records in the data repository;

    31    (c) The department, district boards of education, and institutions may
    32  not  append  education  records with personally identifiable information
    33  obtained from other federal or state agencies through data matches with-
    34  out the written consent of eligible students or parents unless such data
    35  matches are: (1) explicitly mandated in federal or state statute; or (2)
    36  administratively required for the proper  performance  of  their  duties
    37  under  the  law  and  are  relevant  to  and  necessary  for delivery of
    38  services.
    39    4. Penalties and enforcement. (a) Each violation of any  provision  of
    40  this  section by an organization or entity that is not the department, a
    41  district board of education, or an institution as defined  in  paragraph

    42  (b)  of  subdivision  one of this section shall be punishable by a civil
    43  penalty of up to one thousand dollars; a second violation  by  the  same
    44  organization  or entity involving the educational records and privacy of
    45  the same student shall be punishable by a civil penalty of  up  to  five
    46  thousand  dollars;  any subsequent violation by the same organization or
    47  entity involving the educational records and privacy of the same student
    48  shall be punishable by a civil penalty of up to  ten  thousand  dollars;
    49  and  each  violation involving a different individual educational record
    50  or a  different  individual  student  shall  be  considered  a  separate
    51  violation for purposes of civil penalties;

    52    (b)  The  attorney general shall have the authority to enforce compli-
    53  ance with this section by investigation and subsequent commencement of a
    54  civil action, to seek civil penalties for violations  of  this  section,
    55  and  to seek appropriate injunctive relief, including but not limited to
    56  a prohibition on obtaining personally identifiable  information  for  an

        S. 5932--A                          5
 
     1  appropriate time period. In carrying out such investigation and in main-
     2  taining  such civil action the attorney general or any deputy or assist-
     3  ant attorney general is authorized to subpoena witnesses,  compel  their
     4  attendance, examine them under oath and require that any books, records,

     5  documents,  papers,  or  electronic  records relevant or material to the
     6  inquiry be turned over for inspection, examination or audit, pursuant to
     7  the civil practice law and rules;  subpoenas  issued  pursuant  to  this
     8  paragraph may be enforced pursuant to the civil practice law and rules.
     9    (c)  Nothing contained herein shall be construed as creating a private
    10  right of action against the department, a district board  of  education,
    11  or an institution as defined in paragraph (b) of subdivision one of this
    12  section.
    13    5.  Administrative use. Nothing in this section shall limit the admin-
    14  istrative use of education records by a person acting exclusively in the
    15  person's capacity as an employee of a school, a district board of educa-

    16  tion or of the state or any of its political subdivisions, any court  or
    17  the federal government that is otherwise required by law.
    18    § 2. This act shall take effect July 1, 2015 and shall apply to school
    19  years beginning with the 2015-2016 academic year.