Skip to main content
WNYRIC Main Office
Erie 1 BOCES
355 Harlem Road
West Seneca, NY 14224

Our Offices
BOCES We Serve

WNYRIC on Facebook
Technology Solutions
Strengthening Security and Privacy

New regulations impact school data operations

Laptop with shield.

The data security and privacy obligations of third-party contractors, including educational agencies, are at the forefront of a state-wide effort to protect personally identifiable information. A January 2019 meeting of the Board of Regents has proposed a new Part 121 to the New York State Educational Department (NYSED) Commissioner’s regulations.

Aware of the impact on the 100 school districts WNYRIC represents, staff members have been involved in the process in order to stay informed and ready to prepare districts for changes soon to come.

“Originally, the focus on security of personally identifiable information of students and school personnel was put into motion with educational law 2-D in 2014,” explained David Scalzo, WNYRIC manager of data integration and data support services.

At first glance, Part 121 draft regulations require some big steps be made on the part of school districts.

“Right now, most districts don’t have  a data protection officer to oversee the

implementation of policies and procedures required by Education Law 2-D, but the draft regulations require that districts designate one or more employees to serve in that role,” said Scalzo. “Regional Information Centers (RICs), including WNYRIC, are working on an implementation roadmap, and other materials to assist data protection officers and their districts with compliance.”

School districts did have an opportunity to share their feedback on the drafted Part 121 regulations. A 60-day public comment period required under the State Administrative Procedure Act ended on March 31, 2019. It is anticipated that the proposed amendments will be in effect by the 2019-20 school year.

The NYSED chief privacy officer created a Data Privacy Advisory Council (DPAC),

composed of various stakeholders including parents, industry advocates, administrative and teacher organizations and information technology experts. The DPAC, which includes WNYRIC representatives, is tasked with assisting in the development

of regulatory language and recommending technical standards for educational agency data security and privacy policies and practices.

The DPAC chose the National Institute for Standards and Technology (NIST)

Cybersecurity Framework for the technical standards. The Framework consists of five functions: detect, respond, recover, identify and protect. These functions provide a high- level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The framework then identifies underlying key categories and subcategories.

“WNYRIC, as part of the collaboration effort with other RICs across New York state, will provide assistance for our districts, including a model policy for data privacy, model terms and conditions for use in contracts and agreements with

third-party contractors, and a tool to assist in implementation of the cyber security framework,” Scalzo said.

Current timelines list Dec. 31, 2019, as the date when educational agencies are required to adopt a security and privacy policy that implements the Part 121 requirements.

Additional deadlines and target dates are forthcoming.

For more information, visit the New York State Education Department’s Website,

< Back  |  View All Articles