Assembly Bill A6059A

2013-2014 Legislative Session

Relates to the release of personally identifiable student information

Archive: Last Bill Status - On Floor Calendar


Actions

Assembly Actions - Lowercase
Senate Actions - UPPERCASE
Jan 08, 2014 ordered to third reading cal.282
returned to assembly
died in senate
Jun 21, 2013 referred to rules
delivered to senate
passed assembly
Jun 20, 2013 ordered to third reading rules cal.716
rules report cal.716
reported
reported referred to rules
Jun 19, 2013 reported referred to codes
Jun 06, 2013 print number 6059a
amend and recommit to education
Mar 13, 2013 referred to education

Bill Amendments

Original
A (Active)

A6059 - Bill Details

Law Section: Education Law
Laws Affected: Add §3212-b, Ed L

A6059 - Bill Texts

Prohibits the release of personally identifiable student information where parental consent is not provided.

                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                  6059

                       2013-2014 Regular Sessions

                          I N  A S S E M B L Y

                             March 13, 2013
                               ___________

Introduced  by  M.  of  A.  O'DONNELL  --  read once and referred to the
  Committee on Education

AN ACT to amend the  education  law,  in  relation  to  the  release  of
  personally identifiable student information

  THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. The education law is amended by adding a new section 3212-b
to read as follows:
  S 3212-B. RELEASE OF PERSONALLY IDENTIFIABLE STUDENT  INFORMATION.  1.
DEFINITIONS. AS USED IN THIS SECTION:
  (A)  "DIRECTORY  INFORMATION"  SHALL  MEAN, BUT NOT BE LIMITED TO, THE
STUDENT'S NAME; ADDRESS; TELEPHONE  LISTING;  ELECTRONIC  MAIL  ADDRESS;
PHOTOGRAPH;  DATE AND PLACE OF BIRTH; MAJOR FIELD OF STUDY; GRADE LEVEL;
ENROLLMENT STATUS (UNDERGRADUATE OR GRADUATE, FULL-TIME  OR  PART-TIME);
DATES  OF  ATTENDANCE; PARTICIPATION IN OFFICIALLY RECOGNIZED ACTIVITIES
AND SPORTS; WEIGHT AND HEIGHT OF MEMBERS  OF  ATHLETIC  TEAMS;  DEGREES,
HONORS,  AND  AWARDS  RECEIVED;  THE  MOST  RECENT EDUCATIONAL AGENCY OR
INSTITUTION ATTENDED; STUDENT  ID  NUMBER,  USER  ID,  OR  OTHER  UNIQUE
PERSONAL  IDENTIFIER  USED  BY  A  STUDENT  FOR PURPOSES OF ACCESSING OR
COMMUNICATING IN ELECTRONIC SYSTEMS, BUT ONLY IF THE  IDENTIFIER  CANNOT
BE USED TO GAIN ACCESS TO EDUCATION RECORDS EXCEPT WHEN USED IN CONJUNC-
TION  WITH  ONE  OR  MORE FACTORS THAT AUTHENTICATE THE USER'S IDENTITY,
SUCH AS A PERSONAL IDENTIFICATION NUMBER (PIN), PASSWORD OR OTHER FACTOR
KNOWN OR POSSESSED ONLY BY THE AUTHORIZED USER; AND A STUDENT ID  NUMBER
OR  OTHER  UNIQUE  PERSONAL IDENTIFIER THAT IS DISPLAYED ON A STUDENT ID
BADGE, BUT ONLY IF THE IDENTIFIER CANNOT  BE  USED  TO  GAIN  ACCESS  TO
EDUCATION  RECORDS  EXCEPT  WHEN  USED  IN  CONJUNCTION WITH ONE OR MORE
FACTORS THAT AUTHENTICATE THE USER'S IDENTITY, SUCH AS A PIN,  PASSWORD,
OR OTHER FACTOR KNOWN OR POSSESSED ONLY BY THE AUTHORIZED USER.
  (B)  "PERSONALLY IDENTIFIABLE STUDENT INFORMATION" SHALL MEAN, BUT NOT
LIMITED TO, THE STUDENT'S NAME; THE NAME  OF  THE  STUDENT'S  PARENT  OR

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD09672-03-3

OTHER  FAMILY MEMBERS; THE ADDRESS OF THE STUDENT OR STUDENT'S FAMILY; A
PERSONAL IDENTIFIER, SUCH  AS  THE  STUDENT'S  SOCIAL  SECURITY  NUMBER,
STUDENT NUMBER, OR BIOMETRIC RECORD; OTHER INDIRECT IDENTIFIERS, SUCH AS
THE  STUDENT'S  DATE OF BIRTH, PLACE OF BIRTH, AND MOTHER'S MAIDEN NAME;
OTHER INFORMATION THAT, ALONE OR IN COMBINATION, IS LINKED OR LIKABLE TO
A SPECIFIC STUDENT THAT WOULD ALLOW A REASONABLE PERSON  IN  THE  SCHOOL
COMMUNITY,  WHO DOES NOT HAVE PERSONAL KNOWLEDGE OF THE RELEVANT CIRCUM-
STANCES, TO IDENTIFY THE STUDENT WITH REASONABLE CERTAINTY; OR  INFORMA-
TION  REQUESTED  BY  A  PERSON WHO THE EDUCATIONAL AGENCY OR INSTITUTION
REASONABLY BELIEVES KNOWS THE IDENTITY OF THE STUDENT TO WHOM THE EDUCA-
TION RECORD RELATES.
  (C) "BIOMETRIC RECORD", AS USED IN THE DEFINITION OF "PERSONALLY IDEN-
TIFIABLY STUDENT INFORMATION", SHALL MEAN A RECORD OF ONE OR MORE  MEAS-
URABLE  BIOLOGICAL  OR  BEHAVIORAL  CHARACTERISTICS THAT CAN BE USED FOR
AUTOMATED RECOGNITION OF AN INDIVIDUAL, INCLUDING  FINGERPRINTS,  RETINA
AND  IRIS  PATTERNS,  VOICEPRINTS, DNA SEQUENCE, FACIAL CHARACTERISTICS,
AND HANDWRITING.
  (D) "STUDENT" SHALL MEAN ANY PERSON WITH RESPECT  TO  WHOM  AN  EDUCA-
TIONAL  AGENCY  OR INSTITUTION MAINTAINS EDUCATION RECORDS OR PERSONALLY
IDENTIFIABLE INFORMATION, BUT DOES NOT INCLUDE A PERSON WHO HAS NOT BEEN
IN ATTENDANCE AT SUCH AGENCY OR INSTITUTION.
  (E) "SCHOOL" SHALL MEAN ANY PUBLIC OR PRIVATE ELEMENTARY OR  SECONDARY
SCHOOL OR COLLEGE AS DEFINED IN SECTION TWO OF THIS CHAPTER.
  2.  NEITHER  THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION, NOR SCHOOLS
SHALL DISCLOSE ANY PERSONALLY IDENTIFIABLE STUDENT  INFORMATION  TO  ANY
THIRD  PARTY  WITHOUT PARENTAL CONSENT, OR IN THE CASE OF STUDENTS EIGH-
TEEN YEARS OF AGE OR OLDER THE CONSENT OF THE STUDENT, EXCEPT WHERE:
  (A) DISCLOSURE IS REQUIRED BY LAW; OR
  (B) DISCLOSURE IS PURSUANT TO A COURT ORDER OR SUBPOENA; OR
  (C) DISCLOSURE IS TO A THIRD PARTY PURSUANT TO A CONTRACT WHEREBY  THE
ENTITY  IS  PERFORMING  ADMINISTRATIVE, TECHNICAL OR TRANSACTIONAL FUNC-
TIONS THAT WOULD EITHER BE PERFORMED BY EMPLOYEES OF THE  STATE  DEPART-
MENT  OF EDUCATION, DISTRICT BOARD OF EDUCATION OR SCHOOL, PROVIDED THAT
SAID CONTRACTOR:
  (1) AGREES NOT TO DISCLOSE OR USE THE PERSONALLY IDENTIFIABLE  STUDENT
INFORMATION FOR ANY OTHER PURPOSES;
  (2)  MAINTAINS REASONABLE ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFE-
GUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY  AND  INTEGRITY  OF  THE
PERSONALLY IDENTIFIABLE STUDENT INFORMATION; AND
  (3)  INDEMNIFIES THE DEPARTMENT, DISTRICT BOARD OF EDUCATION OR SCHOOL
FOR ANY DAMAGES DUE TO A VIOLATION OF THIS SECTION; OR
  (D) DISCLOSURE IS TO A THIRD PARTY FOR THE PURPOSE OF A RESEARCH STUDY
CARRIED OUT BY OR ON THE BEHALF OF THE  DEPARTMENT,  DISTRICT  BOARD  OF
EDUCATION OR SCHOOL; OR
  (E) DISCLOSURE IS FOR THE PURPOSE OF A STATE OR FEDERAL AUDIT OR EVAL-
UATION BY ENTITIES AUTHORIZED UNDER STATE OR FEDERAL LAW; OR
  (F) DISCLOSURE IS NECESSARY DUE TO A HEALTH OR SAFETY EMERGENCY.
  3.  DETAILED  RECORDS  OF  ALL  NON-CONSENSUAL DISCLOSURES PURSUANT TO
SUBDIVISION TWO OF THIS SECTION SHALL BE INCLUDED IN  THE  CORRESPONDING
STUDENT'S EDUCATIONAL RECORDS.
  4. WHERE THE DEPARTMENT, DISTRICT BOARD OF EDUCATION OR SCHOOL MAKES A
DISCLOSURE  PURSUANT TO PARAGRAPH (D) OF SUBDIVISION TWO OF THIS SECTION
AND PURSUANT TO PARAGRAPH (E) OF SUBDIVISION TWO OF THIS  SECTION  WHERE
PRACTICABLE,  IT  SHALL POST ON ITS WEBSITE, SEND HOME VIA MAIL AND MAKE
OTHERWISE PUBLICLY AVAILABLE:
  (A) THE PARTICULAR TYPE OR TYPES OF  PERSONALLY  IDENTIFIABLE  STUDENT
INFORMATION ARE TO BE DISCLOSED;
  (B) THE ENTITY TO WHICH THE DISCLOSURE IS TO BE MADE;
  (C)  THE PURPOSE OF THE STUDY, AUDIT OR EVALUATION AND WHY THE DISCLO-
SURE IS NECESSARY FOR ITS COMPLETION;
  (D) THE SPECIFIC TIME FRAME DURING WHICH THE  PERSONALLY  IDENTIFIABLE
STUDENT INFORMATION WILL BE UTILIZED AND THEN SECURELY DESTROYED;
  (E)  THE ENTITY'S ASSURANCE OF COMPLIANCE WITH ADMINISTRATIVE, TECHNI-
CAL AND PHYSICAL SAFEGUARDS, INCLUDING ALL THE FEDERAL  AND  STATE  DATA
PRIVACY  AND  DATA  SAFEGUARDING RULES THE DEPARTMENT, DISTRICT BOARD OF
EDUCATION AND SCHOOLS ARE SUBJECT TO, TO PROTECT THE SECURITY, CONFIDEN-
TIALITY AND INTEGRITY OF THE PERSONALLY  IDENTIFIABLE  STUDENT  INFORMA-
TION; AND
  (F)  THE ENTITY'S INDEMNIFICATION OF THE DEPARTMENT, DISTRICT BOARD OF
EDUCATION OR SCHOOL FOR ANY VIOLATION OF THIS SECTION.
  5. NOTIFICATION AND CONSENT FORMS SHALL INCLUDE:
  (A) THE SCOPE, PURPOSE AND ALLOWABLE USES OF THE PERSONALLY  IDENTIFI-
ABLE STUDENT INFORMATION;
  (B) THE RISK OF DATA BREACHES AND THE REASONABLE ADMINISTRATIVE, TECH-
NICAL  AND  PHYSICAL  SAFEGUARDS USED TO PROTECT THE SECURITY, CONFIDEN-
TIALITY AND INTEGRITY OF THE PERSONALLY  IDENTIFIABLE  STUDENT  INFORMA-
TION; AND
  (C)  INFORMATION  REGARDING WHO IS LEGALLY AND FINANCIALLY RESPONSIBLE
SHOULD THERE BE A VIOLATION OF THIS SECTION.
  6. THE STATE COMPTROLLER SHALL CARRY  OUT  REGULAR  AUDITS  TO  ENSURE
PROPER  PROCEDURES  HAVE  BEEN  USED; RELEVANT NOTIFICATIONS AND CONSENT
FORMS ARE COMPLETED; AND SECURITY AND PRIVACY PROTECTIONS MEASURES  USED
IN  THE  STORAGE,  TRANSMISSION  AND  USAGE  OF  PERSONALLY IDENTIFIABLE
STUDENT INFORMATION  ARE  EFFECTIVE  AND  ACCURATELY  DESCRIBED  IN  THE
NOTIFICATION DOCUMENTS.
  7.  ANY  ORGANIZATION  OR  COMPANY  FOUND  IN  VIOLATION OF ANY OF THE
PROVISIONS OF THIS SECTION SHALL BE PROHIBITED FROM OBTAINING PERSONALLY
IDENTIFIABLE STUDENT INFORMATION FOR A  PERIOD  OF  NO  LESS  THAN  FIVE
YEARS.
  8.  THE  NEW  YORK  STATE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO
OVERSEE AND ENFORCE COMPLIANCE WITH THIS SECTION AND TO IMPOSE APPROPRI-
ATE PENALTIES ON THOSE FOUND IN VIOLATION OF ANY OF ITS PROVISIONS.
  9. ANY DATA SYSTEMS MAINTAINED BY  THE  STATE  OR  DISTRICT  OR  THEIR
REPRESENTATIVES  SHALL,  TO THE MAXIMUM EXTENT PRACTICABLE, CONFORM WITH
THE FEDERAL TRADE COMMISSION'S DATA PRIVACY AND DATA SAFEGUARDING RULES.
  10. NOTHING IN THIS SECTION SHALL  LIMIT  THE  ADMINISTRATIVE  USE  OF
SCHOOL  RECORDS  BY A PERSON ACTING EXCLUSIVELY IN THE PERSON'S CAPACITY
AS AN EMPLOYEE OF A SCHOOL, A BOARD OF EDUCATION OR OF THE STATE OR  ANY
OF  ITS POLITICAL SUBDIVISIONS, ANY COURT OR THE FEDERAL GOVERNMENT THAT
DEMONSTRATES AN APPROPRIATE NEED FOR THE INFORMATION.
  S 2. This act shall take effect July 1, 2013 and shall apply to school
years beginning with the 2013-2014 academic year.

A6059A (ACTIVE) - Bill Details

Law Section: Education Law
Laws Affected: Add §3212-b, Ed L

A6059A (ACTIVE) - Bill Texts

Prohibits the release of personally identifiable student information where parental consent is not provided.

                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                 6059--A

                       2013-2014 Regular Sessions

                          I N  A S S E M B L Y

                             March 13, 2013
                               ___________

Introduced  by  M.  of A. O'DONNELL, MILLMAN, JAFFEE, BENEDETTO, LIFTON,
  DUPREY, TITONE, MAISEL, HEVESI, ZEBROWSKI, ENGLEBRIGHT, WEPRIN, STECK,
  ABINANTI,  MONTESANO,  SCHIMMINGER,  RAIA,  GIBSON,  COLTON,  BRENNAN,
  FINCH,   McDONOUGH,  P. LOPEZ,  COOK,  SCHIMEL,  SKOUFIS,  BRAUNSTEIN,
  MALLIOTAKIS, BROOK-KRASNY, MOSLEY, GUNTHER, CUSICK, PAULIN, GOLDFEDER,
  FAHY, GABRYSZAK, BORELLI, WEINSTEIN -- Multi-Sponsored by -- M. of  A.
  ABBATE,  ARROYO,  BUTLER, CLARK, CROUCH, CYMBROWITZ, DenDEKKER, DINOW-
  ITZ, GALEF,  GARBARINO,  GLICK,  GOTTFRIED,  JACOBS,  KEARNS,  LENTOL,
  MARKEY,  McDONALD,  PERRY, RIVERA, SIMANOWITZ, SOLAGES, STEC, SWEENEY,
  WEISENBERG -- read once and referred to the Committee on Education  --
  committee  discharged,  bill amended, ordered reprinted as amended and
  recommitted to said committee

AN ACT to amend the  education  law,  in  relation  to  the  release  of
  personally identifiable student information

  THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. The education law is amended by adding a new section 3212-b
to read as follows:
  S 3212-B. RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION.  1.    DEFI-
NITIONS. AS USED IN THIS SECTION:
  (A)  THE TERMS "DISCLOSURE," "EDUCATION PROGRAM," "EDUCATION RECORDS,"
"ELIGIBLE STUDENT," "PARENT," "PARTY," "PERSONALLY IDENTIFIABLE INFORMA-
TION," "RECORD," AND "STUDENT" SHALL HAVE  THE  SAME  MEANING  AS  THOSE
TERMS ARE DEFINED IN 34 CFR PART 99.3;
  (B) THE TERM "INSTITUTION" SHALL MEAN ANY PUBLIC OR PRIVATE ELEMENTARY
OR  SECONDARY  SCHOOL  OR  AN  INSTITUTION  THAT  PROVIDES  EDUCATION TO
STUDENTS BEYOND THE SECONDARY EDUCATION LEVEL; SECONDARY EDUCATION SHALL
HAVE THE MEANING SET FORTH IN SUBDIVISION SEVEN OF SECTION TWO  OF  THIS
CHAPTER;
  2. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE
INFORMATION. (A) AUTHORIZED REPRESENTATIVES. THE DEPARTMENT AND DISTRICT

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD09672-04-3

BOARDS  OF  EDUCATION  SHALL ONLY DESIGNATE PARTIES THAT ARE UNDER THEIR
DIRECT CONTROL TO ACT AS THEIR AUTHORIZED REPRESENTATIVES TO CONDUCT ANY
AUDIT OR EVALUATION,  OR  ANY  COMPLIANCE  OR  ENFORCEMENT  ACTIVITY  IN
CONNECTION  WITH  LEGAL  REQUIREMENTS  THAT  RELATE TO STATE OR DISTRICT
SUPPORTED EDUCATIONAL PROGRAMS,  WHEN  ANY  SUCH  AUDIT,  EVALUATION  OR
ACTIVITY  REQUIRES  OR  IS  USED  AS  THE  BASIS  FOR GRANTING ACCESS TO
PERSONALLY IDENTIFIABLE STUDENT INFORMATION;
  (B) OUTSOURCING. THE DEPARTMENT,  DISTRICT  BOARDS  OF  EDUCATION  AND
INSTITUTIONS  MAY  NOT DISCLOSE PERSONALLY IDENTIFIABLE INFORMATION FROM
EDUCATION RECORDS OF STUDENTS WITHOUT THE WRITTEN  CONSENT  OF  ELIGIBLE
STUDENTS  OR PARENTS TO A CONTRACTOR, CONSULTANT, OR OTHER PARTY TO WHOM
AN AGENCY OR INSTITUTION HAS OUTSOURCED INSTITUTIONAL SERVICES OR  FUNC-
TIONS UNLESS THAT OUTSIDE PARTY:
  (1)  PERFORMS  AN  INSTITUTIONAL  SERVICE  OR  FUNCTION  FOR WHICH THE
DEPARTMENT, DISTRICT BOARD OF EDUCATION, OR INSTITUTION WOULD  OTHERWISE
USE EMPLOYEES;
  (2)  IS  UNDER  THE  DIRECT  CONTROL OF THE AGENCY OR INSTITUTION WITH
RESPECT TO THE USE AND MAINTENANCE OF EDUCATION RECORDS;
  (3) LIMITS INTERNAL ACCESS TO EDUCATION RECORDS TO  THOSE  INDIVIDUALS
THAT ARE DETERMINED TO HAVE LEGITIMATE EDUCATIONAL INTERESTS;
  (4)  DOES  NOT  USE  THE EDUCATION RECORDS FOR ANY OTHER PURPOSES THAN
THOSE EXPLICITLY AUTHORIZED IN ITS CONTRACT;
  (5) DOES NOT DISCLOSE ANY PERSONALLY IDENTIFIABLE INFORMATION  TO  ANY
OTHER PARTY:
  (I)  WITHOUT  THE  PRIOR  WRITTEN  CONSENT  OF  THE PARENT OR ELIGIBLE
STUDENT, OR
  (II) UNLESS REQUIRED BY STATUTE OR COURT ORDER AND THE PARTY  PROVIDES
A  NOTICE  OF THE DISCLOSURE TO THE DEPARTMENT, DISTRICT BOARD OF EDUCA-
TION, OR INSTITUTION THAT PROVIDED THE INFORMATION  NO  LATER  THAN  THE
TIME  THE  INFORMATION  IS  DISCLOSED,  UNLESS  PROVIDING  NOTICE OF THE
DISCLOSURE IS EXPRESSLY PROHIBITED BY THE STATUTE OR COURT ORDER;
  (6) MAINTAINS REASONABLE ADMINISTRATIVE, TECHNICAL AND PHYSICAL  SAFE-
GUARDS  TO  PROTECT  THE  SECURITY,  CONFIDENTIALITY  AND  INTEGRITY  OF
PERSONALLY IDENTIFIABLE STUDENT INFORMATION IN ITS CUSTODY;
  (7) USES ENCRYPTION TECHNOLOGIES TO PROTECT DATA WHILE IN MOTION OR IN
ITS CUSTODY FROM UNAUTHORIZED DISCLOSURE USING A TECHNOLOGY OR METHODOL-
OGY SPECIFIED BY THE SECRETARY OF THE  U.S.  DEPARTMENT  OF  HEALTH  AND
HUMAN  SERVICES  IN  GUIDANCE ISSUED UNDER SECTION 13402(H)(2) OF PUBLIC
LAW 111-5;
  (8) HAS SUFFICIENT ADMINISTRATIVE AND TECHNICAL PROCEDURES TO  MONITOR
CONTINUOUSLY  THE SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION IN ITS
CUSTODY;
  (9) CONDUCTS A SECURITY AUDIT ANNUALLY AND  PROVIDES  THE  RESULTS  OF
THAT  AUDIT TO EACH DEPARTMENT, DISTRICT BOARD OF EDUCATION, OR INSTITU-
TION THAT PROVIDED EDUCATIONAL RECORDS;
  (10) PROVIDES THE DEPARTMENT, DISTRICT BOARD OF EDUCATION, OR INSTITU-
TION WITH A  BREACH  REMEDIATION  PLAN  ACCEPTABLE  TO  THE  DEPARTMENT,
DISTRICT  BOARD  OF EDUCATION OR INSTITUTION PRIOR TO INITIAL RECEIPT OF
EDUCATION RECORDS;
  (11) REPORTS  ALL  SUSPECTED  SECURITY  BREACHES  TO  THE  DEPARTMENT,
DISTRICT  BOARDS  OF  EDUCATION,  OR INSTITUTION THAT PROVIDED EDUCATION
RECORDS AS SOON AS POSSIBLE BUT NOT LATER THAN FORTY-EIGHT HOURS AFTER A
SUSPECTED BREACH WAS KNOWN  OR  WOULD  HAVE  BEEN  KNOWN  BY  EXERCISING
REASONABLE DILIGENCE;
  (12)  REPORTS ALL ACTUAL SECURITY BREACHES TO THE DEPARTMENT, DISTRICT
BOARDS OF EDUCATION, OR INSTITUTION THAT PROVIDED EDUCATION  RECORDS  AS
SOON  AS  POSSIBLE  BUT NOT LATER THAN TWENTY-FOUR HOURS AFTER AN ACTUAL
BREACH WAS KNOWN OR WOULD HAVE BEEN KNOWN BY EXERCISING REASONABLE DILI-
GENCE;
  (13)  IN THE EVENT OF A SECURITY BREACH OR UNAUTHORIZED DISCLOSURES OF
PERSONALLY IDENTIFIABLE INFORMATION,  PAYS  ALL  COSTS  AND  LIABILITIES
INCURRED  BY  THE  DEPARTMENT,  DISTRICT  BOARDS OF EDUCATION, OR INSTI-
TUTIONS RELATED TO  THE  SECURITY  BREACH  OR  UNAUTHORIZED  DISCLOSURE,
INCLUDING  BUT NOT LIMITED TO THE COSTS OF RESPONDING TO INQUIRIES ABOUT
THE SECURITY BREACH OR UNAUTHORIZED DISCLOSURE, OF NOTIFYING SUBJECTS OF
PERSONALLY IDENTIFIABLE INFORMATION ABOUT THE BREACH, OF MITIGATING  THE
EFFECTS OF THE BREACH FOR THE SUBJECTS OF PERSONALLY IDENTIFIABLE INFOR-
MATION,  AND  OF INVESTIGATING THE CAUSE OR CONSEQUENCES OF THE SECURITY
BREACH OR UNAUTHORIZED DISCLOSURE; AND
  (14) DESTROYS OR RETURNS TO THE DEPARTMENT, DISTRICT BOARDS OF  EDUCA-
TION,  OR  INSTITUTIONS  ALL  PERSONALLY IDENTIFIABLE INFORMATION IN ITS
CUSTODY UPON REQUEST AND AT THE TERMINATION OF THE CONTRACT.
  (C) STUDIES. THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION,  OR  INSTI-
TUTIONS  MAY DISCLOSE PERSONALLY IDENTIFIABLE INFORMATION FROM AN EDUCA-
TION RECORD OF A STUDENT WITHOUT THE CONSENT  OF  ELIGIBLE  STUDENTS  OR
PARENTS  TO A PARTY CONDUCTING STUDIES FOR, OR ON BEHALF OF, EDUCATIONAL
AGENCIES OR INSTITUTIONS TO:
  (1) DEVELOP, VALIDATE, OR ADMINISTER PREDICTIVE TESTS;
  (2) ADMINISTER STUDENT AID PROGRAMS; OR
  (3) IMPROVE INSTRUCTION;
  PROVIDED THAT THE OUTSIDE PARTY CONDUCTING THE STUDY MEETS ALL OF  THE
REQUIREMENTS FOR CONTRACTORS SET FORTH IN PARAGRAPH (B) OF THIS SUBDIVI-
SION;
  (D)  COMMERCIAL  USE  PROHIBITED.  THE  DEPARTMENT, DISTRICT BOARDS OF
EDUCATION AND INSTITUTIONS MAY  NOT,  WITHOUT  THE  WRITTEN  CONSENT  OF
ELIGIBLE  STUDENTS OR PARENTS, DISCLOSE PERSONALLY IDENTIFIABLE INFORMA-
TION FROM EDUCATION RECORDS TO ANY PARTY FOR A COMMERCIAL USE, INCLUDING
BUT NOT LIMITED TO MARKETING PRODUCTS OR SERVICES, COMPILATION OF  LISTS
FOR  SALE OR RENTAL, DEVELOPMENT OF PRODUCTS OR SERVICES, OR CREATION OF
INDIVIDUAL, HOUSEHOLD, OR GROUP PROFILES; NOR  MAY  SUCH  DISCLOSURE  BE
MADE  FOR  PROVISION  OF  SERVICES  OTHER THAN CONTRACTING, STUDIES, AND
AUDITS OR EVALUATIONS AS AUTHORIZED AND LIMITED BY  PARAGRAPHS  (B)  AND
(C) OF THIS SUBDIVISION.  ANY CONSENT FROM AN ELIGIBLE STUDENT OR PARENT
MUST  BE  SIGNED  BY  THE  STUDENT OR PARENT, BE DATED ON THE DAY IT WAS
SIGNED, NOT HAVE BEEN SIGNED MORE THAN SIX MONTHS PRIOR TO  THE  DISCLO-
SURE, MUST IDENTIFY THE RECIPIENT AND THE PURPOSE OF THE DISCLOSURE, AND
MUST  STATE  THAT THE INFORMATION WILL ONLY BE USED FOR THAT PURPOSE AND
WILL NOT BE USED OR DISCLOSED FOR ANY OTHER PURPOSE.
  3. DATA REPOSITORIES AND INFORMATION PRACTICES.
  (A) THE DEPARTMENT AND DISTRICT BOARDS OF EDUCATION MAY NOT,  DIRECTLY
OR THROUGH CONTRACTS WITH OUTSIDE PARTIES, MAINTAIN PERSONALLY IDENTIFI-
ABLE  INFORMATION  FROM EDUCATION RECORDS WITHOUT THE WRITTEN CONSENT OF
ELIGIBLE STUDENTS OR PARENTS UNLESS MAINTENANCE OF SUCH INFORMATION IS:
  (1) EXPLICITLY MANDATED IN FEDERAL OR STATE STATUTE; OR
  (2) ADMINISTRATIVELY REQUIRED FOR  THE  PROPER  PERFORMANCE  OF  THEIR
DUTIES  UNDER  THE  LAW AND IS RELEVANT TO AND NECESSARY FOR DELIVERY OF
SERVICES; OR
  (3) DESIGNED TO SUPPORT  A  STUDY  OF  STUDENTS  OR  FORMER  STUDENTS,
PROVIDED  THAT  NO  PERSONALLY  IDENTIFIABLE  INFORMATION IS RETAINED ON
FORMER STUDENTS LONGER THAN FIVE YEARS AFTER  THE  DATE  OF  THEIR  LAST
ENROLLMENT AT AN INSTITUTION.

  (B) THE DEPARTMENT AND DISTRICT BOARDS OF EDUCATION SHALL PUBLICLY AND
CONSPICUOUSLY  DISCLOSE ON THEIR WEB SITES AND THROUGH ANNUAL ELECTRONIC
NOTIFICATION TO THE CHAIRS OF THE ASSEMBLY AND SENATE EDUCATION  COMMIT-
TEES THE EXISTENCE AND CHARACTER OF ANY PERSONALLY IDENTIFIABLE INFORMA-
TION  FROM  EDUCATION  RECORDS  THAT THEY, DIRECTLY OR THROUGH CONTRACTS
WITH OUTSIDE PARTIES, MAINTAIN. SUCH DISCLOSURE AND NOTIFICATIONS  SHALL
INCLUDE:
  (1)  THE  NAME AND LOCATION OF THE DATA REPOSITORY WHERE SUCH INFORMA-
TION IS MAINTAINED;
  (2) THE LEGAL AUTHORITY WHICH AUTHORIZES THE ESTABLISHMENT AND  EXIST-
ENCE OF THE DATA REPOSITORY;
  (3)  THE  PRINCIPAL  PURPOSE  OR PURPOSES FOR WHICH THE INFORMATION IS
INTENDED TO BE USED;
  (4) THE CATEGORIES OF INDIVIDUALS ON WHOM RECORDS  ARE  MAINTAINED  IN
THE DATA REPOSITORY;
  (5) THE CATEGORIES OF RECORDS MAINTAINED IN THE DATA REPOSITORY;
  (6)  EACH  EXPECTED  DISCLOSURE  OF  THE RECORDS CONTAINED IN THE DATA
REPOSITORY, INCLUDING THE CATEGORIES OF RECIPIENTS AND  THE  PURPOSE  OF
SUCH DISCLOSURE;
  (7)  THE  POLICIES  AND  PRACTICES  OF  THE DEPARTMENT OR THE DISTRICT
BOARDS OF EDUCATION REGARDING STORAGE, RETRIEVABILITY, ACCESS  CONTROLS,
RETENTION, AND DISPOSAL OF THE RECORDS;
  (8) THE TITLE AND BUSINESS ADDRESS OF THE DEPARTMENT OR DISTRICT BOARD
OF  EDUCATION  OFFICIAL  WHO IS RESPONSIBLE FOR THE DATA REPOSITORY, AND
THE NAME AND BUSINESS ADDRESS OF ANY CONTRACTOR OR OTHER  OUTSIDE  PARTY
MAINTAINING  THE  DATA  REPOSITORY FOR OR ON BEHALF OF THE DEPARTMENT OR
THE DISTRICT BOARD OF EDUCATION;
  (9) THE PROCEDURES WHEREBY ELIGIBLE STUDENTS OR PARENTS CAN  BE  NOTI-
FIED  AT THEIR REQUEST IF THE DATA REPOSITORY CONTAINS A RECORD PERTAIN-
ING TO THEM OR THEIR CHILDREN;
  (10) THE PROCEDURES WHEREBY ELIGIBLE STUDENTS OR PARENTS CAN BE  NOTI-
FIED  AT  THEIR  REQUEST  HOW TO GAIN ACCESS TO ANY RECORD PERTAINING TO
THEM OR THEIR CHILDREN CONTAINED IN THE DATA REPOSITORY,  AND  HOW  THEY
CAN CONTEST ITS CONTENT; AND
  (11) THE CATEGORIES OF SOURCES OF RECORDS IN THE DATA REPOSITORY;
  (C) THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION, AND INSTITUTIONS MAY
NOT  APPEND  EDUCATION  RECORDS WITH PERSONALLY IDENTIFIABLE INFORMATION
OBTAINED FROM OTHER FEDERAL OR STATE AGENCIES THROUGH DATA MATCHES WITH-
OUT THE WRITTEN CONSENT OF ELIGIBLE STUDENTS OR PARENTS UNLESS SUCH DATA
MATCHES ARE: (1) EXPLICITLY MANDATED IN FEDERAL OR STATE STATUTE; OR (2)
ADMINISTRATIVELY REQUIRED FOR THE PROPER  PERFORMANCE  OF  THEIR  DUTIES
UNDER  THE  LAW  AND  ARE  RELEVANT  TO  AND  NECESSARY  FOR DELIVERY OF
SERVICES.
  4. PENALTIES AND ENFORCEMENT. (A) EACH VIOLATION OF ANY  PROVISION  OF
THIS  SECTION BY AN ORGANIZATION OR ENTITY THAT IS NOT THE DEPARTMENT, A
DISTRICT BOARD OF EDUCATION, OR AN INSTITUTION AS DEFINED  IN  PARAGRAPH
(B)  OF  SUBDIVISION  ONE OF THIS SECTION SHALL BE PUNISHABLE BY A CIVIL
PENALTY OF UP TO ONE THOUSAND DOLLARS; A SECOND VIOLATION  BY  THE  SAME
ORGANIZATION  OR ENTITY INVOLVING THE EDUCATIONAL RECORDS AND PRIVACY OF
THE SAME STUDENT SHALL BE PUNISHABLE BY A CIVIL PENALTY OF  UP  TO  FIVE
THOUSAND  DOLLARS;  ANY SUBSEQUENT VIOLATION BY THE SAME ORGANIZATION OR
ENTITY INVOLVING THE EDUCATIONAL RECORDS AND PRIVACY OF THE SAME STUDENT
SHALL BE PUNISHABLE BY A CIVIL PENALTY OF UP TO  TEN  THOUSAND  DOLLARS;
AND  EACH  VIOLATION INVOLVING A DIFFERENT INDIVIDUAL EDUCATIONAL RECORD
OR A  DIFFERENT  INDIVIDUAL  STUDENT  SHALL  BE  CONSIDERED  A  SEPARATE
VIOLATION FOR PURPOSES OF CIVIL PENALTIES;

  (B)  THE  ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO ENFORCE COMPLI-
ANCE WITH THIS SECTION BY INVESTIGATION AND SUBSEQUENT COMMENCEMENT OF A
CIVIL ACTION, TO SEEK CIVIL PENALTIES FOR VIOLATIONS  OF  THIS  SECTION,
AND  TO SEEK APPROPRIATE INJUNCTIVE RELIEF, INCLUDING BUT NOT LIMITED TO
A  PROHIBITION  ON  OBTAINING PERSONALLY IDENTIFIABLE INFORMATION FOR AN
APPROPRIATE TIME PERIOD. IN CARRYING OUT SUCH INVESTIGATION AND IN MAIN-
TAINING SUCH CIVIL ACTION THE ATTORNEY GENERAL OR ANY DEPUTY OR  ASSIST-
ANT  ATTORNEY  GENERAL IS AUTHORIZED TO SUBPOENA WITNESSES, COMPEL THEIR
ATTENDANCE, EXAMINE THEM UNDER OATH AND REQUIRE THAT ANY BOOKS, RECORDS,
DOCUMENTS, PAPERS, OR ELECTRONIC RECORDS RELEVANT  OR  MATERIAL  TO  THE
INQUIRY BE TURNED OVER FOR INSPECTION, EXAMINATION OR AUDIT, PURSUANT TO
THE  CIVIL  PRACTICE  LAW  AND  RULES; SUBPOENAS ISSUED PURSUANT TO THIS
PARAGRAPH MAY BE ENFORCED PURSUANT TO THE CIVIL PRACTICE LAW AND RULES.
  (C) NOTHING CONTAINED HEREIN SHALL BE CONSTRUED AS CREATING A  PRIVATE
RIGHT  OF  ACTION AGAINST THE DEPARTMENT, A DISTRICT BOARD OF EDUCATION,
OR AN INSTITUTION AS DEFINED IN PARAGRAPH (B) OF SUBDIVISION ONE OF THIS
SECTION.
  5. ADMINISTRATIVE USE. NOTHING IN THIS SECTION SHALL LIMIT THE  ADMIN-
ISTRATIVE USE OF EDUCATION RECORDS BY A PERSON ACTING EXCLUSIVELY IN THE
PERSON'S CAPACITY AS AN EMPLOYEE OF A SCHOOL, A DISTRICT BOARD OF EDUCA-
TION  OR OF THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT OR
THE FEDERAL GOVERNMENT THAT IS OTHERWISE REQUIRED BY LAW.
  S 2. This act shall take effect July 1, 2014 and shall apply to school
years beginning with the 2014-2015 academic year.
