1. juvenile delinquency records;
2. criminal records;
3. medical and health records; and
4. student biometric information.

1. adopt technologies, safeguards and practices that align with the NIST CSF;
2. comply with the BOCES’ data security and privacy policy and applicable laws impacting the BOCES;
3. limit internal access to PII to only those employees or sub-contractors that need access to provide the contracted services;
4. not use the PII for any purpose not explicitly authorized in its contract;
5. not disclose any PII to any other party without the prior written consent of the parent or eligible student (i.e., students who are eighteen years old or older):
   a. except for authorized representatives of the third-party contractor to the extent they are carrying out the contract; or
   b. unless required by statute or court order and the third-party contractor provides notice of disclosure to the BOCES, unless expressly prohibited.
6. maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody;
7. use encryption to protect PII in its custody; and
8. not sell, use, or disclose PII for any marketing or commercial purpose, facilitate its use or disclosure by others for marketing or commercial purpose, or permit another party to do so. Third party contractors may release PII to subcontractors engaged to perform the contractor’s obligations, but such subcontractors must abide by data protection obligations of state and federal law, and the contract with the BOCES.

1. outline how all state, federal, and local data security and privacy contract requirements over the life of the contract will be met, consistent with this policy;
2. specify the safeguards and practices it has in place to protect PII;
3. demonstrate that it complies with the requirements of Section 121.3(c) of this Part;
4. specify how those who have access to student and/or teacher or principal data receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
5. specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to verify personally identifiable information is protected;
6. specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the BOCES;
7. describe if, how and when data will be returned to the BOCES, transitioned to a successor contractor, at the BOCES’ direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.

• Identify and/or define the types of private information that is to be kept secure;
• Include procedures to identify any breaches of security that result in the release of private information; and
• Include procedures to notify persons affected by the security breach as required by law.

1. publicly posted or displayed;
2. visibly printed on any ID badge, card or time card;
3. placed in files with unrestricted access; or
4. used for occupational licensing purposes.

4574-R

INFORMATION AND DATA PRIVACY, SECURITY, PRIVACY AND BREACH AND NOTIFICATION REGULATION

The BOCES will inventory its computer programs and electronic files to determine the types of information that is maintained or used by the BOCES, and review the safeguards in effect to secure and protect that information.

I. Student and Teacher/Principal “Personally Identifiable Information” under Education Law §2-d

A. Definitions

“Biometric record,” as applied to student PII, means one or more measurable biological or behavioral characteristics that can be used for automated recognition of person, which includes fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, and handwriting.

“Personally Identifiable Information” (PII) as applied to students means the following information for BOCES students:

1. the student's name;
2. the name of the student's parent or other family members;
3. the address of the student or student's family;
4. a personal identifier, such as the student's social security number, student number, or biometric record;
5. other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
6. other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
7. information requested by a person who the BOCES reasonably believes knows the identity of the student to whom the education record relates.

“Personally Identifiable Information” (PII) as applied to teachers and principals means results of Annual Professional Performance Reviews that identify the individual teachers and principals, which are confidential under Education Law §§3012-c and 3012-d, except where required to be disclosed under state law and regulations.

“Third-Party Contractor” means any person or entity, other than an educational agency (i.e., a school, school district, BOCES or State Education Department), that receives student or teacher/principal PII from the educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of the educational agency, or audit or evaluation of publicly funded programs. This includes an educational partnership organization that receives student and/or teacher/principal PII from a school district to carry out its responsibilities pursuant to Education Law §211-e (for persistently lowest-achieving schools or schools under registration review) and is not an educational agency.  This also includes a not-for-profit corporation or other nonprofit organization, other than an educational agency.

B. Complaints of Breaches or Unauthorized Releases of PII

If a parent/guardian, eligible student, teacher, principal or other BOCES employee believes or has evidence that student or teacher/principal PII has been breached or released without authorization, he/she must submit this complaint in writing to the BOCES. Complaints may be received by the Data Privacy Officer, but may also be received by any BOCES employee, who must immediately notify the Data Privacy Officer.  This complaint process will be communicated to parents, eligible students, teachers, principals, and other BOCES employees.

C. Notification of Student and Teacher/Principal PII Breaches

If a third-party contractor has a breach or unauthorized release of PII, it must promptly notify the Data Privacy Officer in the most expedient way possible, without unreasonable delay, but no more than seven calendar days after the breach’s discovery.

• a brief description of the breach or unauthorized release,
• the dates of the incident and the date of discovery, if known;
• a description of the types of PII affected;
• an estimate of the number of records affected;
• a brief description of the BOCES’ investigation or plan to investigate; and
• contact information for representatives who can assist parents or eligible students with additional questions.

II. “Private Information” under State Technology Law §208 (as may be applicable with regard to certain data maintained by BOCES)

A. Definitions

“Private information” means either:

1. personal information  consisting of any information in combination with any one or more of the following data elements, when either the data element or the personal information plus the data element is not encrypted or encrypted with an encryption key that has also been accessed or acquired:
• Social security number;
• Driver’s license number or non-driver identification card number;
• Account number, credit or debit card number, in combination with any required security code, access code,  password or other information which would permit access to an individual’s financial account;
• account number or credit or debit card number, if that number could be used to access a person’s financial account without other information such as a password or code; or
• biometric information (data generated by electronic measurements of a person’s physical characteristics, such as fingerprint, voice print, or retina or iris image) used to authenticate or ascertain a person’s identity; or
  
  
2. a username or email address, along with a password, or security question and answer, that would permit access to an online account.

“Private information” does not include information that can lawfully be made available to the general public pursuant to federal or state law or regulation.

B. Procedure for Identifying Security Breaches

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the BOCES will consider:

Once it has been determined that a security breach has occurred, the BOCES will take the following steps (if required by applicable legal requirements):

1. If the breach involved computerized data owned or licensed by the BOCES, the BOCES will notify those New York State residents whose private information was, or is reasonably believed to have been accessed or acquired by a person without valid authorization. The disclosure to affected individuals will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the integrity of the system.  The BOCES will consult with the New York State Office of Information Technology Services to determine the scope of the breach and restoration measures.
2. If the breach involved computer data maintained by the BOCES, the BOCES will notify the owner or licensee of the information of the breach immediately following discovery, if the private information was or is reasonably believed to have been accessed or acquired by a person without valid authorization.

The required notice will include (a) BOCES contact information, (b) a description of the categories information that were or are reasonably believed to have been accessed or acquired without authorization, (c) which specific elements of personal or private information were or are reasonably believed to have been acquired and (d) the telephone number and website of relevant state and federal agencies that provide information on security breach response and identity theft protection and prevention. This notice will be directly provided to the affected individuals by either:

1. Written notice
2. Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form; and that the BOCES keeps a log of each such electronic notification. In no case, however, will the BOCES require a person to consent to accepting such notice in electronic form as a condition of establishing a business relationship or engaging in any transaction.
3. Telephone notification, provided that the BOCES keeps a log of each such telephone notification.

However, if the BOCES can demonstrate to the State Attorney General that (a) the cost of providing notice would exceed $250,000; or (b) that the number of persons to be notified exceeds 500,000; or (c) that the BOCES does not have sufficient contact information, substitute notice may be provided.  Substitute notice would consist of all of the following steps:

1. E-mail notice when the BOCES has such address for the affected individual;
2. Conspicuous posting on the BOCES’ website, if they maintain one; and
3. Notification to major media.

However, the BOCES is not required to notify individuals if the breach was inadvertently made by individuals authorized to access the information, and the BOCES reasonably determines the breach will not result in misuse of the information, or financial or emotional harm to the affected persons.  The BOCES will document its determination in writing and maintain it for at least five years, and will send it to the State Attorney General within ten days of making the determination.

Once notice has been made to affected New York State residents, the BOCES shall notify the State Attorney General, the State Department of State, and the State Office of Information Technology Services as to the timing, content, and distribution of the notices and approximate number of affected persons.