STATE OF NEW YORK
________________________________________________________________________
6059--A
2013-2014 Regular Sessions
IN ASSEMBLY
March 13, 2013
___________
Introduced by M. of A. O'DONNELL, MILLMAN, JAFFEE, BENEDETTO, LIFTON,
DUPREY, TITONE, MAISEL, HEVESI, ZEBROWSKI, ENGLEBRIGHT, WEPRIN, STECK,
ABINANTI, MONTESANO, SCHIMMINGER, RAIA, GIBSON, COLTON, BRENNAN,
FINCH, McDONOUGH, P. LOPEZ, COOK, SCHIMEL, SKOUFIS, BRAUNSTEIN,
MALLIOTAKIS, BROOK-KRASNY, MOSLEY, GUNTHER, CUSICK, PAULIN, GOLDFEDER,
FAHY, GABRYSZAK, BORELLI, WEINSTEIN -- Multi-Sponsored by -- M. of A.
ABBATE, ARROYO, BUTLER, CLARK, CROUCH, CYMBROWITZ, DenDEKKER, DINOW-
ITZ, GALEF, GARBARINO, GLICK, GOTTFRIED, JACOBS, KEARNS, LENTOL,
MARKEY, McDONALD, PERRY, RIVERA, SIMANOWITZ, SOLAGES, STEC, SWEENEY,
WEISENBERG -- read once and referred to the Committee on Education --
committee discharged, bill amended, ordered reprinted as amended and
recommitted to said committee
AN ACT to amend the education law, in relation to the release of
personally identifiable student information
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. The education law is amended by adding a new section 3212-b
to read as follows:
§ 3212-B. RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION. 1. DEFINITIONS.
AS USED IN THIS SECTION:
(A) THE TERMS "DISCLOSURE," "EDUCATION PROGRAM," "EDUCATION RECORDS,"
"ELIGIBLE STUDENT," "PARENT," "PARTY," "PERSONALLY IDENTIFIABLE INFORMA-
TION," "RECORD," AND "STUDENT" SHALL HAVE THE SAME MEANING AS THOSE
TERMS ARE DEFINED IN 34 CFR PART 99.3;
(B) THE TERM "INSTITUTION" SHALL MEAN ANY PUBLIC OR PRIVATE ELEMENTARY
OR SECONDARY SCHOOL OR AN INSTITUTION THAT PROVIDES EDUCATION TO
STUDENTS BEYOND THE SECONDARY EDUCATION LEVEL; SECONDARY EDUCATION SHALL
HAVE THE MEANING SET FORTH IN SUBDIVISION SEVEN OF SECTION TWO OF THIS
CHAPTER;
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD09672-04-3
2. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE
INFORMATION. (A) AUTHORIZED REPRESENTATIVES. THE DEPARTMENT AND DISTRICT
BOARDS OF EDUCATION SHALL ONLY DESIGNATE PARTIES THAT ARE UNDER THEIR
DIRECT CONTROL TO ACT AS THEIR AUTHORIZED REPRESENTATIVES TO CONDUCT ANY
AUDIT OR EVALUATION, OR ANY COMPLIANCE OR ENFORCEMENT ACTIVITY IN
CONNECTION WITH LEGAL REQUIREMENTS THAT RELATE TO STATE OR DISTRICT
SUPPORTED EDUCATIONAL PROGRAMS, WHEN ANY SUCH AUDIT, EVALUATION OR
ACTIVITY REQUIRES OR IS USED AS THE BASIS FOR GRANTING ACCESS TO
PERSONALLY IDENTIFIABLE STUDENT INFORMATION;
(B) OUTSOURCING. THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION AND
INSTITUTIONS MAY NOT DISCLOSE PERSONALLY IDENTIFIABLE INFORMATION FROM
EDUCATION RECORDS OF STUDENTS WITHOUT THE WRITTEN CONSENT OF ELIGIBLE
STUDENTS OR PARENTS TO A CONTRACTOR, CONSULTANT, OR OTHER PARTY TO WHOM
AN AGENCY OR INSTITUTION HAS OUTSOURCED INSTITUTIONAL SERVICES OR FUNC-
TIONS UNLESS THAT OUTSIDE PARTY:
(1) PERFORMS AN INSTITUTIONAL SERVICE OR FUNCTION FOR WHICH THE
DEPARTMENT, DISTRICT BOARD OF EDUCATION, OR INSTITUTION WOULD OTHERWISE
USE EMPLOYEES;
(2) IS UNDER THE DIRECT CONTROL OF THE AGENCY OR INSTITUTION WITH
RESPECT TO THE USE AND MAINTENANCE OF EDUCATION RECORDS;
(3) LIMITS INTERNAL ACCESS TO EDUCATION RECORDS TO THOSE INDIVIDUALS
THAT ARE DETERMINED TO HAVE LEGITIMATE EDUCATIONAL INTERESTS;
(4) DOES NOT USE THE EDUCATION RECORDS FOR ANY OTHER PURPOSES THAN
THOSE EXPLICITLY AUTHORIZED IN ITS CONTRACT;
(5) DOES NOT DISCLOSE ANY PERSONALLY IDENTIFIABLE INFORMATION TO ANY
OTHER PARTY:
(I) WITHOUT THE PRIOR WRITTEN CONSENT OF THE PARENT OR ELIGIBLE
STUDENT, OR
(II) UNLESS REQUIRED BY STATUTE OR COURT ORDER AND THE PARTY PROVIDES
A NOTICE OF THE DISCLOSURE TO THE DEPARTMENT, DISTRICT BOARD OF EDUCA-
TION, OR INSTITUTION THAT PROVIDED THE INFORMATION NO LATER THAN THE
TIME THE INFORMATION IS DISCLOSED, UNLESS PROVIDING NOTICE OF THE
DISCLOSURE IS EXPRESSLY PROHIBITED BY THE STATUTE OR COURT ORDER;
(6) MAINTAINS REASONABLE ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFE-
GUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF
PERSONALLY IDENTIFIABLE STUDENT INFORMATION IN ITS CUSTODY;
(7) USES ENCRYPTION TECHNOLOGIES TO PROTECT DATA WHILE IN MOTION OR IN
ITS CUSTODY FROM UNAUTHORIZED DISCLOSURE USING A TECHNOLOGY OR METHODOL-
OGY SPECIFIED BY THE SECRETARY OF THE U.S. DEPARTMENT OF HEALTH AND
HUMAN SERVICES IN GUIDANCE ISSUED UNDER SECTION 13402(H)(2) OF PUBLIC
LAW 111-5;
(8) HAS SUFFICIENT ADMINISTRATIVE AND TECHNICAL PROCEDURES TO MONITOR
CONTINUOUSLY THE SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION IN ITS
CUSTODY;
(9) CONDUCTS A SECURITY AUDIT ANNUALLY AND PROVIDES THE RESULTS OF
THAT AUDIT TO EACH DEPARTMENT, DISTRICT BOARD OF EDUCATION, OR INSTITU-
TION THAT PROVIDED EDUCATIONAL RECORDS;
(10) PROVIDES THE DEPARTMENT, DISTRICT BOARD OF EDUCATION, OR INSTITU-
TION WITH A BREACH REMEDIATION PLAN ACCEPTABLE TO THE DEPARTMENT,
DISTRICT BOARD OF EDUCATION OR INSTITUTION PRIOR TO INITIAL RECEIPT OF
EDUCATION RECORDS;
(11) REPORTS ALL SUSPECTED SECURITY BREACHES TO THE DEPARTMENT,
DISTRICT BOARDS OF EDUCATION, OR INSTITUTION THAT PROVIDED EDUCATION
RECORDS AS SOON AS POSSIBLE BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER A
SUSPECTED BREACH WAS KNOWN OR WOULD HAVE BEEN KNOWN BY EXERCISING
REASONABLE DILIGENCE;
(12) REPORTS ALL ACTUAL SECURITY BREACHES TO THE DEPARTMENT, DISTRICT
BOARDS OF EDUCATION, OR INSTITUTION THAT PROVIDED EDUCATION RECORDS AS
SOON AS POSSIBLE BUT NOT LATER THAN TWENTY-FOUR HOURS AFTER AN ACTUAL
BREACH WAS KNOWN OR WOULD HAVE BEEN KNOWN BY EXERCISING REASONABLE DILI-
GENCE;
(13) IN THE EVENT OF A SECURITY BREACH OR UNAUTHORIZED DISCLOSURES OF
PERSONALLY IDENTIFIABLE INFORMATION, PAYS ALL COSTS AND LIABILITIES
INCURRED BY THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION, OR INSTI-
TUTIONS RELATED TO THE SECURITY BREACH OR UNAUTHORIZED DISCLOSURE,
INCLUDING BUT NOT LIMITED TO THE COSTS OF RESPONDING TO INQUIRIES ABOUT
THE SECURITY BREACH OR UNAUTHORIZED DISCLOSURE, OF NOTIFYING SUBJECTS OF
PERSONALLY IDENTIFIABLE INFORMATION ABOUT THE BREACH, OF MITIGATING THE
EFFECTS OF THE BREACH FOR THE SUBJECTS OF PERSONALLY IDENTIFIABLE INFOR-
MATION, AND OF INVESTIGATING THE CAUSE OR CONSEQUENCES OF THE SECURITY
BREACH OR UNAUTHORIZED DISCLOSURE; AND
(14) DESTROYS OR RETURNS TO THE DEPARTMENT, DISTRICT BOARDS OF EDUCA-
TION, OR INSTITUTIONS ALL PERSONALLY IDENTIFIABLE INFORMATION IN ITS
CUSTODY UPON REQUEST AND AT THE TERMINATION OF THE CONTRACT.
(C) STUDIES. THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION, OR INSTI-
TUTIONS MAY DISCLOSE PERSONALLY IDENTIFIABLE INFORMATION FROM AN EDUCA-
TION RECORD OF A STUDENT WITHOUT THE CONSENT OF ELIGIBLE STUDENTS OR
PARENTS TO A PARTY CONDUCTING STUDIES FOR, OR ON BEHALF OF, EDUCATIONAL
AGENCIES OR INSTITUTIONS TO:
(1) DEVELOP, VALIDATE, OR ADMINISTER PREDICTIVE TESTS;
(2) ADMINISTER STUDENT AID PROGRAMS; OR
(3) IMPROVE INSTRUCTION;
PROVIDED THAT THE OUTSIDE PARTY CONDUCTING THE STUDY MEETS ALL OF THE
REQUIREMENTS FOR CONTRACTORS SET FORTH IN PARAGRAPH (B) OF THIS SUBDIVI-
SION;
(D) COMMERCIAL USE PROHIBITED. THE DEPARTMENT, DISTRICT BOARDS OF
EDUCATION AND INSTITUTIONS MAY NOT, WITHOUT THE WRITTEN CONSENT OF
ELIGIBLE STUDENTS OR PARENTS, DISCLOSE PERSONALLY IDENTIFIABLE INFORMA-
TION FROM EDUCATION RECORDS TO ANY PARTY FOR A COMMERCIAL USE, INCLUDING
BUT NOT LIMITED TO MARKETING PRODUCTS OR SERVICES, COMPILATION OF LISTS
FOR SALE OR RENTAL, DEVELOPMENT OF PRODUCTS OR SERVICES, OR CREATION OF
INDIVIDUAL, HOUSEHOLD, OR GROUP PROFILES; NOR MAY SUCH DISCLOSURE BE
MADE FOR PROVISION OF SERVICES OTHER THAN CONTRACTING, STUDIES, AND
AUDITS OR EVALUATIONS AS AUTHORIZED AND LIMITED BY PARAGRAPHS (B) AND
(C) OF THIS SUBDIVISION. ANY CONSENT FROM AN ELIGIBLE STUDENT OR PARENT
MUST BE SIGNED BY THE STUDENT OR PARENT, BE DATED ON THE DAY IT WAS
SIGNED, NOT HAVE BEEN SIGNED MORE THAN SIX MONTHS PRIOR TO THE DISCLO-
SURE, MUST IDENTIFY THE RECIPIENT AND THE PURPOSE OF THE DISCLOSURE, AND
MUST STATE THAT THE INFORMATION WILL ONLY BE USED FOR THAT PURPOSE AND
WILL NOT BE USED OR DISCLOSED FOR ANY OTHER PURPOSE.
3. DATA REPOSITORIES AND INFORMATION PRACTICES.
(A) THE DEPARTMENT AND DISTRICT BOARDS OF EDUCATION MAY NOT, DIRECTLY
OR THROUGH CONTRACTS WITH OUTSIDE PARTIES, MAINTAIN PERSONALLY IDENTIFI-
ABLE INFORMATION FROM EDUCATION RECORDS WITHOUT THE WRITTEN CONSENT OF
ELIGIBLE STUDENTS OR PARENTS UNLESS MAINTENANCE OF SUCH INFORMATION IS:
(1) EXPLICITLY MANDATED IN FEDERAL OR STATE STATUTE; OR
(2) ADMINISTRATIVELY REQUIRED FOR THE PROPER PERFORMANCE OF THEIR
DUTIES UNDER THE LAW AND IS RELEVANT TO AND NECESSARY FOR DELIVERY OF
SERVICES; OR
(3) DESIGNED TO SUPPORT A STUDY OF STUDENTS OR FORMER STUDENTS,
PROVIDED THAT NO PERSONALLY IDENTIFIABLE INFORMATION IS RETAINED ON
FORMER STUDENTS LONGER THAN FIVE YEARS AFTER THE DATE OF THEIR LAST
ENROLLMENT AT AN INSTITUTION.
(B) THE DEPARTMENT AND DISTRICT BOARDS OF EDUCATION SHALL PUBLICLY AND
CONSPICUOUSLY DISCLOSE ON THEIR WEB SITES AND THROUGH ANNUAL ELECTRONIC
NOTIFICATION TO THE CHAIRS OF THE ASSEMBLY AND SENATE EDUCATION COMMIT-
TEES THE EXISTENCE AND CHARACTER OF ANY PERSONALLY IDENTIFIABLE INFORMA-
TION FROM EDUCATION RECORDS THAT THEY, DIRECTLY OR THROUGH CONTRACTS
WITH OUTSIDE PARTIES, MAINTAIN. SUCH DISCLOSURE AND NOTIFICATIONS SHALL
INCLUDE:
(1) THE NAME AND LOCATION OF THE DATA REPOSITORY WHERE SUCH INFORMA-
TION IS MAINTAINED;
(2) THE LEGAL AUTHORITY WHICH AUTHORIZES THE ESTABLISHMENT AND EXIST-
ENCE OF THE DATA REPOSITORY;
(3) THE PRINCIPAL PURPOSE OR PURPOSES FOR WHICH THE INFORMATION IS
INTENDED TO BE USED;
(4) THE CATEGORIES OF INDIVIDUALS ON WHOM RECORDS ARE MAINTAINED IN
THE DATA REPOSITORY;
(5) THE CATEGORIES OF RECORDS MAINTAINED IN THE DATA REPOSITORY;
(6) EACH EXPECTED DISCLOSURE OF THE RECORDS CONTAINED IN THE DATA
REPOSITORY, INCLUDING THE CATEGORIES OF RECIPIENTS AND THE PURPOSE OF
SUCH DISCLOSURE;
(7) THE POLICIES AND PRACTICES OF THE DEPARTMENT OR THE DISTRICT
BOARDS OF EDUCATION REGARDING STORAGE, RETRIEVABILITY, ACCESS CONTROLS,
RETENTION, AND DISPOSAL OF THE RECORDS;
(8) THE TITLE AND BUSINESS ADDRESS OF THE DEPARTMENT OR DISTRICT BOARD
OF EDUCATION OFFICIAL WHO IS RESPONSIBLE FOR THE DATA REPOSITORY, AND
THE NAME AND BUSINESS ADDRESS OF ANY CONTRACTOR OR OTHER OUTSIDE PARTY
MAINTAINING THE DATA REPOSITORY FOR OR ON BEHALF OF THE DEPARTMENT OR
THE DISTRICT BOARD OF EDUCATION;
(9) THE PROCEDURES WHEREBY ELIGIBLE STUDENTS OR PARENTS CAN BE NOTI-
FIED AT THEIR REQUEST IF THE DATA REPOSITORY CONTAINS A RECORD PERTAIN-
ING TO THEM OR THEIR CHILDREN;
(10) THE PROCEDURES WHEREBY ELIGIBLE STUDENTS OR PARENTS CAN BE NOTI-
FIED AT THEIR REQUEST HOW TO GAIN ACCESS TO ANY RECORD PERTAINING TO
THEM OR THEIR CHILDREN CONTAINED IN THE DATA REPOSITORY, AND HOW THEY
CAN CONTEST ITS CONTENT; AND
(11) THE CATEGORIES OF SOURCES OF RECORDS IN THE DATA REPOSITORY;
(C) THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION, AND INSTITUTIONS MAY
NOT APPEND EDUCATION RECORDS WITH PERSONALLY IDENTIFIABLE INFORMATION
OBTAINED FROM OTHER FEDERAL OR STATE AGENCIES THROUGH DATA MATCHES WITH-
OUT THE WRITTEN CONSENT OF ELIGIBLE STUDENTS OR PARENTS UNLESS SUCH DATA
MATCHES ARE: (1) EXPLICITLY MANDATED IN FEDERAL OR STATE STATUTE; OR (2)
ADMINISTRATIVELY REQUIRED FOR THE PROPER PERFORMANCE OF THEIR DUTIES
UNDER THE LAW AND ARE RELEVANT TO AND NECESSARY FOR DELIVERY OF
SERVICES.
4. PENALTIES AND ENFORCEMENT. (A) EACH VIOLATION OF ANY PROVISION OF
THIS SECTION BY AN ORGANIZATION OR ENTITY THAT IS NOT THE DEPARTMENT, A
DISTRICT BOARD OF EDUCATION, OR AN INSTITUTION AS DEFINED IN PARAGRAPH
(B) OF SUBDIVISION ONE OF THIS SECTION SHALL BE PUNISHABLE BY A CIVIL
PENALTY OF UP TO ONE THOUSAND DOLLARS; A SECOND VIOLATION BY THE SAME
ORGANIZATION OR ENTITY INVOLVING THE EDUCATIONAL RECORDS AND PRIVACY OF
THE SAME STUDENT SHALL BE PUNISHABLE BY A CIVIL PENALTY OF UP TO FIVE
THOUSAND DOLLARS; ANY SUBSEQUENT VIOLATION BY THE SAME ORGANIZATION OR
ENTITY INVOLVING THE EDUCATIONAL RECORDS AND PRIVACY OF THE SAME STUDENT
SHALL BE PUNISHABLE BY A CIVIL PENALTY OF UP TO TEN THOUSAND DOLLARS;
AND EACH VIOLATION INVOLVING A DIFFERENT INDIVIDUAL EDUCATIONAL RECORD
OR A DIFFERENT INDIVIDUAL STUDENT SHALL BE CONSIDERED A SEPARATE
VIOLATION FOR PURPOSES OF CIVIL PENALTIES;
(B) THE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO ENFORCE COMPLI-
ANCE WITH THIS SECTION BY INVESTIGATION AND SUBSEQUENT COMMENCEMENT OF A
CIVIL ACTION, TO SEEK CIVIL PENALTIES FOR VIOLATIONS OF THIS SECTION,
AND TO SEEK APPROPRIATE INJUNCTIVE RELIEF, INCLUDING BUT NOT LIMITED TO
A PROHIBITION ON OBTAINING PERSONALLY IDENTIFIABLE INFORMATION FOR AN
APPROPRIATE TIME PERIOD. IN CARRYING OUT SUCH INVESTIGATION AND IN MAIN-
TAINING SUCH CIVIL ACTION THE ATTORNEY GENERAL OR ANY DEPUTY OR ASSIST-
ANT ATTORNEY GENERAL IS AUTHORIZED TO SUBPOENA WITNESSES, COMPEL THEIR
ATTENDANCE, EXAMINE THEM UNDER OATH AND REQUIRE THAT ANY BOOKS, RECORDS,
DOCUMENTS, PAPERS, OR ELECTRONIC RECORDS RELEVANT OR MATERIAL TO THE
INQUIRY BE TURNED OVER FOR INSPECTION, EXAMINATION OR AUDIT, PURSUANT TO
THE CIVIL PRACTICE LAW AND RULES; SUBPOENAS ISSUED PURSUANT TO THIS
PARAGRAPH MAY BE ENFORCED PURSUANT TO THE CIVIL PRACTICE LAW AND RULES.
(C) NOTHING CONTAINED HEREIN SHALL BE CONSTRUED AS CREATING A PRIVATE
RIGHT OF ACTION AGAINST THE DEPARTMENT, A DISTRICT BOARD OF EDUCATION,
OR AN INSTITUTION AS DEFINED IN PARAGRAPH (B) OF SUBDIVISION ONE OF THIS
SECTION.
5. ADMINISTRATIVE USE. NOTHING IN THIS SECTION SHALL LIMIT THE ADMIN-
ISTRATIVE USE OF EDUCATION RECORDS BY A PERSON ACTING EXCLUSIVELY IN THE
PERSON'S CAPACITY AS AN EMPLOYEE OF A SCHOOL, A DISTRICT BOARD OF EDUCA-
TION OR OF THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT OR
THE FEDERAL GOVERNMENT THAT IS OTHERWISE REQUIRED BY LAW.
§ 2. This act shall take effect July 1, 2014 and shall apply to school
years beginning with the 2014-2015 academic year.