Parents' Bill of Rights for Data Privacy & Security

  • In accordance with New York State Education Law Section 2-d, the Brewster Central School District hereby sets forth the following Parents’ Bill of Rights for Data Privacy and Security, which is applicable to all students and their parents and legal guardians.  

    1. New York State Education Law Section 2-d (“Section 2-d”) and the Family Educational Rights and Privacy Act (“FERPA”) protect the confidentiality of personally identifiable information. Section 2-d and FERPA assures the confidentiality of records with respect to "third parties," and provides parents with the right to consent to disclosures of personally identifiable information contained in their child’s education records.  Exceptions to this include school employees, officials and certain State and Federal officials who have a legitimate educational need to access such records. In addition, the District will, upon request of parents, or eligible students, or if otherwise required by law, disclose student records to officials of another school district in which a student seeks to enroll.
    2. A student's personally identifiable information shall not be sold or released for any commercial purposes; 
    3. Personally Identifiable Information (PII) includes, but is not limited to: 
      1. The student's name; 
      2. The name of the student's parent or other family members;
      3. The address of the student or student's family; 
      4. A personal identifier, such as the student's social security number, student number, or biometric record;
      5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
      6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
      7. Information requested by a person who the District reasonably believes knows the identity of the student to whom the education record relates.
    4. In accordance with FERPA, Section 2-d and BOE Policy 7240 (Student Records), parents have the right to inspect and review the complete contents of their child's education record; 
    5. The Brewster Central School District has in place numerous safeguards that meet or exceed industry standards and best practices to protect the personally identifiable information of students. These safeguards, include but are not limited to, encryption, firewalls, and password protection, which must be in place when any student data, including personally identifiable information, is stored or transferred.
    6. New York State, through the New York State Education Department, collects a number of student data elements for authorized uses.  A complete list of all student data elements collected by the State is available for public review, at  Inventory of Data Elements Collected by NYSED
    7. Parents have the right to submit complaints about possible breaches of student data and teachers or principals have the right to submit complaints about possible breaches of teacher or principal APPR data.  Any such complaint must be submitted, in writing, to:

      Jim Treloar
      Chief Privacy Officer/Director of Technology & Innovation
      50 Foggintown Road
      Brewster, NY  10509
      jtreloar@brewsterschools.org

    8. Supplemental Information for Third-Party Contracts

    For purposes of further ensuring confidentiality and security of student data, each contract (“Agreement”) the District enters into with a third party contractor shall include a signed addendum to the Parents’ Bill of Rights whereby the Contractor agrees to abide by the Districts Parents’ Bill of Rights and assures that they have a Data Security and Privacy Plan in place that includes the following:

    1. Exclusive Purposes for which Student Data Will Be Used.  Use of Personally Identifiable Information, PII, under the Agreement will be limited to that necessary for the Contractor to perform the duties outlined in the Agreement and the services associated with that function.  The Contractor further agrees that no PII will be sold or used for marketing or commercial purposes.
    2. Protective Measures Regarding Third Parties. The Contractor will ensure that any subcontractor or other person or entity with whom the Contractor shares student data and/or teacher or principal data, if applicable, agrees to abide by all of the components of applicable state and federal law, including Education Law 2-d, the District’s Parents Bill of Rights, and the Family Educational Rights and Privacy Act (“FERPA”).  In addition, the Contractor will ensure that each subcontractor, person or entity with whom the Contractor shares student data and/or teacher or principal data has a Data Security and Privacy Plan in place.  
    3. Storage of Data.  Contractor will maintain administrative, technical, and physical safeguards that align with the NIST Cybersecurity Framework and are otherwise consistent with industry standards and best practices, including but not limited to encryption, as specified by the Secretary of the United States Department of Health and Human Services in any guidance issued under Section 13402(H)(2) of Public Law 111-5 to protect the security, confidentiality, and integrity of PII, as applied to student data and/or teacher or principal data, within its custody, including password protection, firewalls, and email archiving (for information stored digitally) and manual lock and key (for physical copies of such information), while such data is in transit or within its custody.  
    4. Breach of Personally Identifiable Information. The Contractor must notify the Brewster Central School District of any breach or unauthorized release of PII within 24 hours of any such breach or Contractor’s knowledge of such breach.  The Contractor shall promptly reimburse the District and/or its Participants for the full cost of notifying a parent, eligible student, teacher, or principal of an unauthorized release of PII by the Contractor, its subcontractors, and/or assignees.
    5. Expiration of Agreement.  Upon expiration of the Agreement, Contractor will ensure that all student data are returned to the District or provide confirmation to the District that the data in its possession has been securely destroyed, at the sole discretion of the District.  Contractor will also ensure that all emails containing personally identifiable student information are returned to the District and deleted from the Contractor’s email account.  
    6. Parental Challenge to Accuracy of Data.  In the event a parent or eligible student wishes to challenge the accuracy of the student data collected by the Contractor, such parent or eligible student shall have an opportunity for a hearing to challenge the content of his or her education records, in accordance with the District’s Policy #7240 (Student Records).  

     Updated 11/2019