TITLE OF BILL:
to amend the education law, in relation to the release of personally
identifiable student information by school districts
To enhance privacy protections to students' personally identifiable
student information contained in student education records maintained
by schools and school districts and place additional restrictions on
the release of personally identifiable student information.
SUMMARY OF PROVISIONS:
The Education Law is amended by adding a new section 3212-b to
describe the lawful and unlawful dissemination of disclosable
directory information and personally identifiable student
information. This new section defines, under this act, student;
school; disc10sable directory information (DDI); and personally
identifiable student information (PISI).
Subsection 2 stipulates the legal dissemination of disclosable
directory information and the provisions for the parents or student
in attendance from opting-out of the dissemination of such
information, and the prohibition of the dissemination of personally
identifiable student information, unless the school receives the
affirmative consent to do so from the parent or student in attendance.
Disclosable Directory Information (DDI). The dissemination of a
student's educational record within the school district is not
restricted, and will comport with existing laws and regulations
within said school district. A school district may disseminate
students' directory information to the parent or student in
attendance, and any educational agency, organization, or institution;
and a school district may disseminate students' directory information
to a school club, newspaper, yearbook, honor roll, and the like,
unless the parent or student in attendance prohibits the school
district from doing so.
Personally Identifiable Student Information (PISI). A school district
may only distribute this information with the affirmative consent of
the parent or student in attendance. If a parent or student grants
the affirmative consent, the school may disseminate PISI to: another
parent or student in attendance at the school; to non-profit that
seeks the information for a specific purpose deemed to be beneficial
for the student, and that has not violated the disclosure procedures
stipulated in this section. If the third party violates the wishes of
the custodial parent or student over the age of 18, it is prohibited
from receiving this information for a period of five years.
Furthermore, even with the affirmative consent of the parent or student
in attendance, the school is prohibited from disseminating students'
PISI to a third party for profit-making purposes, such as for
marketing products or services, and selling the information for
Subsection 3 outlines the procedures for school districts notification
of parents or students of their rights under this bill. To achieve
active parental consent, within the first week of each new school
year, the school district must issue a public notice, include in the
student handbook, and send home with the student, information
stipulating the disclosure procedures for the DDI and PISI. The
disclosure information shall consist of the definition of disclosable
directory information and personally identifiable student information
as defined in this act; the procedures for obtaining affirmative
consent for prohibiting the school district from disseminating the
student's DDI to a third party for non-profit purposes; the
procedures for obtaining affirmative consent for authorizing the
school district to disseminate the student's PISI to a third party
for non-profit purposes.
If the school district does not receive a response from the parent or
student 30 days of the dissemination of the disclosure information
notice, the school district will operate under the premise that: (i)
The parent or student did not opt-out, thus allowing the school
district to disseminate the DDI to a third party for non-profit
purposes; and (ii) the parent or student did not opt-in, thus
prohibiting the school district from disseminating the PISI to a
third party for nonprofit purposes
Subsection 4 states that the new law shall not limit an employee of
the board of education, state, court, of federal government from
public school records purely for administrative purposes.
Subsection 5 provides for exemptions with regard to military
recruitment, in order to comply with federal law.
Section 2 of the bill sets the effective date.
Currently, under the federal Family Education Rights Privacy Act,
known as FERPA, schools are required to notify parents at the
beginning of the school year of their right to "opt out" of school
disclosure of a student's personally identifiable information. This
information, which is maintained by the school, is defined under
FERPA as "information ... that would not generally be considered
harmful or an invasion of privacy if disclosed." Students' personally
identifiable information may be requested by and disclosed to
for-profit organizations related to school activities, such as school
ring companies or athletic team apparel and equipment. However,
under FERPA, there are no restrictions on who may request or receive
this information from a school. The U.S. military and institutions of
higher learning have access to student directory information without
parental or student consent. A school also can release a student's
personally identifiable information to another school, the New York
State Education Department, or law enforcement agencies as necessary
without alerting parents and/or students.
A school must annually notify students of their rights under FERPA.
The annual notification must include information regarding a
student's right to inspect and review his or her education records,
the right to seek to amend the records, and the right to consent to
disclosure of personally identifiable information from the records.
However, FERPA does not require the school to notify students of
these rights on an individual basis, so the school may meet FERPA
requirements by posting this information on its website, school
calendar, or student handbook, for example. Also, under FERPA,
non-consensual disclosure of Directory Information may be released to
school-related organizations and businesses. There are no provisions
governing the re-selling of this information in secondary markets,
including to marketers or other nonacademic-related companies, for
example. Nor are there civil penalties to parties that misuse
personal and identifiable information about students. Therefore, once
a student's personally identifiable information is disclosed, it is
difficult to control how and where it is disseminated.
This may result in student's personally identifiable information being
used in direct marketing campaigns and targeted advertising. The
information, once released, also has the potential to compromise
student safety and security if used by the wrong parties.
New York has the opportunity to enhance and strengthen privacy
protections for its students, which is especially critical as
personally identifiable information will be digitized and shared
electronically to audit and evaluate state and local education
programs and to support the Statewide Longitudinal Data Systems. This
makes data security and student safety of paramount concern and the
State has an interest to ensure the disclosure of students'
personally identifiable information meets the standards of the Fair
Information Practice Principles, as outlined by the Federal Trade
Commission: notice/awareness, choice/consent, access/participation,
integrity/security, and enforcement/redress.
While FERPA protects student information privacy it does not go far
enough, nor does it adequately address the privacy issues of the
electronic age and the capacity of marketers and other commercial
enterprises to capture, use, and re-sell student information. Even
with privacy controls in place, it is also far too easy for
individuals to get a hold of student information and use it for
illegal purposes', including identity theft, child abduction in
custody battles, and domestic violence.
Therefore, this proposed legislation will enhance the protection to
New York students and their families by stipulating that a student's
personally identifiable information will only be disclosed to a third
party for non-profit purposes with the consent from the parent or
student, if the student is over age 18. Further, directory
information, which can be disclosed under current law, may be
restricted at the request of a parent or student over the age of 18.
Lastly, this bill further enhances privacy by completely prohibiting
the disclosure of directory information or personally
identifiable information to a third party for profit-making purposes.
This legislation will give parents and students greater control over
disclosure of personally identifiable information to third parties.
It will protect students from their personal information being used
by marketers who re-sell their information in secondary markets. The
sophisticated electronic systems used to identify and breach the
privacy of individuals should not have access to the personally
identifiable information of vulnerable students. This added
protection to New York students would protect them from opportunistic
marketers and from identity theft.
Schools have been found to have varying degrees of conformance with
the basic FERPA privacy requirements. Schools must become more
proactive in providing parents with adequate notice of their rights
to keep students' information private and handling the information as
New York has the opportunity to become a national leader in helping
schools to protect students from violations of their privacy by
affording them added protections and the option not to disclose
Recent proposed amendments to FERPA underscore this need, as students'
personally identifiable information and data will be mined for the
Statewide Longitudinal Data Systems, audit and evaluation of
education programs, and research projects. Student data will be
shared across government agency systems and with researchers,
increasing the risk of data breaches and privacy violations. The
proposed New York legislation would further restrict the release of
personally identifiable information so that there will be fewer
opportunities for data security to be compromised and do harm to an
individual or group of students.
Students need and deserve this extra protection. In the digital age,
the line between a computer-based school directory and the online
world is rapidly disappearing. Computer security breaches are
rampant, exposing supposedly private and proprietary information to
online databases. New York should not wait for a major breach of
student information with serious consequences before acting.
Currently, the online collection of personal information from
children under age 13 is protected under the Federal Trade
Commission's Children's Online Privacy Protection Act (COPPA). COPPA
and how to seek verifiable consent from parents, privacy protections
for children, and restrictions on marketing to children. Students
deserve no less than the same kind of robust privacy protections for
their personal information maintained by their schools.
This legislation would create additional and needed privacy
protections for students while not imposing any mandates or requiring
additional spending by New York schools. The legislation will remind
schools of their very serious obligation to protect student privacy,
the risks of disclosing student information to commercial
enterprises, and the challenges of collecting and disseminating
personal data in the digital age. Schools are stewards of students'
personally identifiable information and as such must adhere to the
highest standards of practice in protecting privacy and
confidentiality. This legislation will provide those standards and
serve as a model for other states seeking to protect the privacy,
safety, and security of its students.
S.7414-A/A.10795-A of 2009-2010
Shall take effect on July 1, 2011 and shall apply to school years
beginning with the 2011-12 school year.