Assessment of Public Comment for the Proposed Addition of Part 121 to the Regulations of the Commissioner Relating to Student Data Privacy
ASSESSMENT OF PUBLIC COMMENT
Following publication of the Notice of Revised Rule Making in the State Register on October 23, 2019, the Department received the following comments on the proposed amendment:
1. COMMENT: A commenter asked how schools that work with a third-party contractor to produce the class photographs or yearbooks could comply with the requirements of Education Law 2-d related to marketing since the photography and yearbook companies help notify the students/families about yearbooks and class photos and help the schools with the sales process. Another commenter inquired about whether the release of student information (such as parents’ names and home address) to the company that takes school photographs so that samples may be sent to parents for them to order is a commercial purpose. The commenter asked how families can be contacted so that they can purchase school photographs.
RESPONSE: See Response to Comment # 56 contained in Attachment D. It would depend on the facts and circumstances of each disclosure as to whether Education Law 2-d and the proposed amendments would apply. The Department plans to issue guidance in the near future to help educational agencies with these issues.
2. COMMENT: A commenter wrote that the prohibition on the use, disclosure, or sale of personally identifiable information (PII) for a commercial or marketing purpose could be read to apply to the traditional, school-sanctioned sale of school photos and yearbooks. The commenter stated that it had experienced disruption in its ability to provide efficient Picture Day services to schools in New York, due to concerns raised by schools about their ability to provide student roster data to Lifetouch pursuant to Education Law §2-d. The commenter wrote that §121.9 (a)(4) suggests that a purpose expressly authorized in a contract with a third party contractor is allowable even if the purpose is “commercial” by nature while §121.2(a)’s prohibition of use for any “commercial and marketing purpose” calls into question whether the sale of school photographs to parents is permissible even when expressly contemplated and authorized by the contract between the third-party contractor (photographer) and the educational agency. The commenter suggested that the rule should be revised to state that: “Nothing herein shall be deemed to prohibit a school from disclosing personally identifiable student information to a third party contractor pursuant to a contract or written agreement for a specified purpose determined by the school to be in the educational interest of the student, including but not limited to school photography and the sale of yearbooks, provided that such contract or agreement includes a data security and privacy plan that outlines how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the contract.”
RESPONSE: See Response to Comment #1 above. The proposed amendment implements Education Law §2-d and therefore no amendments are necessary.
3. COMMENT: A commenter asked who should be appointed as Data Protection Officer (DPO), and whether the DPO position should be filled by a cabinet level employee. The commenter opined that it should not be the Director of Technology or Chief Information Officer as such an appointment could result in conflicts of interest.
RESPONSE: Section 121.8 of the proposed rule provides that Data Protection Officers must have the appropriate knowledge, training and experience to administer the functions described in the rule, and further provides that a current employee of an educational agency may perform this function in addition to other job responsibilities. SED believes that the background of a DPO would vary based upon the educational agency. While we understand the concerns raised as to conflicts of interest, the language in the proposed rule was drafted to avoid prescribing a one size fits all approach in response to concerns raised around funding from the field. SED believes that the proposed language builds in flexibility to permit educational agencies and their boards of education to appoint a DPO based on a risk management approach.
4. COMMENT: A commenter wrote that the regulation should apply to all staff PII and not just to student PII and APPR data, requested that SED provide guidance documents, and stated that funding is needed for the DPO as it “is a huge undertaking and a full-time job.”
RESPONSE: The statute explicitly defines covered data as student data (personally identifiable information from the student records of an educational agency) and teacher or principal data (personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law §§3012-c and 3012-d). It does not contemplate expanding the definition of personally identifiable information as proposed by the commenter and such a change would go beyond the scope of the proposed rulemaking. No change is necessary.
5. COMMENT: A commenter asked NYSED to address vendor compliance on a statewide basis by approving software for instructional use; requested more time for the roll-out of the regulations; stated that the Data Privacy Officer is an unfunded mandate and requires budgeting considerations within a 2% tax cap; and opined that the regulation seems to be a “hand slap on districts and parent advocates for their support against INBloom Data Dashboard” as “the state has saddled districts with this restrictive policy.”
RESPONSE: Each school district is responsible for ensuring that their third party contracts, including those for instructional software, are compliant with Education Law §2-d and the proposed rule, including approved software for instructional use. The regulations were initially proposed in January 2019 and have gone through several public comment periods consistent with the State Administrative Procedure Act §202(1)(a). Further, the proposed rule is consistent with the requirements of Education Law §2-d and implements the statute. Moreover, the data privacy officer can be an existing employee and in accordance with Education Law §2-d, there needs to be a district employee that is already responsible for these activities. Therefore, the Department does not believe this is an unfunded mandate. No change is necessary.
6. COMMENT: A comment was made about a copyrighted image the Department was purported to have used in a public presentation.
RESPONSE: The comment is outside the scope of this rulemaking. As such, no response is necessary.
7. COMMENT: A commenter wrote that “these regulations will impact teacher innovation in the instructional realm stifling the use of tools and pedagogy meant to create engaging learning environments.”
RESPONSE: No change is necessary. The proposed rule is consistent with Education Law §2-d’s provisions.
8. COMMENT: A commenter wrote that the regulation is unclear with respect to the ability of districts to permit their students to choose to participate in College Board’s Student Search Service, and that “District confusion about the scope of the regulation will result in the decrease of four-year college-going rates in New York by up to 8,000 students per year, with a disproportionate impact on underrepresented students, and New York families will be cut off from scholarship and college planning information that they have relied upon since 1972.” The writer also stated that “… the College Board does not meet the definition of “third party contractor” and “is not acting as a third-party contractor providing services to educational agencies when educational agencies pay test fees for their students to participate in nationwide administrations of College Board standardized assessments.” The commenter wrote that “students taking College Board assessments complete a College Board answer sheet, which is returned to the College Board at the end of the test administration, along with test answer sheets from students around the country” and that the “data is received directly from the student, not from the educational agency.” The commenter further wrote that “… the College Board does not sell student information, and the only result of opting-in to Search (with the right to opt-out at any time) is getting mail from colleges and scholarship organizations” and requested that “SED revise the regulation to clarify that the College Board is not a “third party contractor” within the meaning of Part 121 and Ed Law 2-D.”
RESPONSE: No change is necessary. The Department is committed to promoting sound information practices and policies that will ensure the security and privacy of student data and improve academic achievement. To the extent the commenter seeks a response on a specific set of circumstances and activities of the College Board, it would depend on the facts and circumstances of each disclosure of any student data as to how Education Law §2-d would apply. The proposed amendment implements Education Law §2-d.
9. COMMENT: A commenter wrote to “oppose the radical weakening of the student privacy law, Education Law §2-d, which would occur if these proposed regulations were adopted. This law, originally enacted by the State Legislature in 2014, banned outright the sale of student data or its use for marketing purposes. In contrast, these proposed regulations would encourage the further commercialization and marketing of personal student data by the College Board, the ACT and many other school vendors, with potentially damaging consequences. They would encourage the further expansion of an unfettered marketplace in student data, without the ability of parents, districts or government officials to prevent its misuse. Instead of weakening the provisions in the law, the State Education Department should focus on strengthening the privacy Parent Bill of Rights and rigorously enforcing the law, to ensure that the widespread collection and disclosure of my child’s sensitive data is minimized and kept safe from breach and abuse.”
RESPONSE: The rule as written is consistent with Education Law §2-d and section 121.9(a)(8) prohibits any third party contractor from selling any personally identifiable information or using or disclosing it for any marketing or commercial purpose or facilitating its use or disclosure by any other party for any marketing or commercial purpose or permitting another party to do so. The purpose of the proposed rule is to strengthen the data privacy and security posture and practices of educational agencies. No change is necessary.
10. COMMENT: A commenter, writing as a parent of two middle school-aged children growing up in a digital world, asked SED to “hurry to create a comprehensive and intensive data privacy and security plan. This should cover our students' and parents' personal information for all New Yorkers.”
RESPONSE: No change is necessary. The purpose of the proposed rule is consistent with Education Law §2-d and strengthens the data privacy and security practices of educational agencies.
11. COMMENT: Another commenter asked SED not to “cave in to Google and other large corporate interests that seek to have NY lower their data privacy standards in a centralized fashion” and suggests that “all districts should be able to follow the lead of more data-protective districts like that in Irvington, NY which provide a robust data protection plan for their students and their students' families, NY should be a leader in preparing a comprehensive and intensive data privacy and security plan that pertains to both student and parent/guardian information statewide.” The commenter also suggested that the EU's GDPR would be a good starting point for SED as it continues its drafting process.
RESPONSE: The underlying statute being implemented by the proposed regulation is NYS Education Law §2-d. The European Union’s General Data Protection Regulation does not apply. Also see response to #10. No change is necessary.
12. COMMENT: A commenter stated that “data privacy initiatives, school district technology policies, and protections against ransomware attacks is imperative as schools handle a lot of personal data and may not have strong technology teams, leaving them vulnerable to attacks” and further stated that “… districts should have robust data protection plans that include monitoring all systems that have access to students’ testing and assessment data, information from their Google accounts, and students’ and parents’/guardians’ personally identifiable information (PII).”
RESPONSE: No change is necessary. Also see response to #10.
13. COMMENT: Several higher education institutions commented that the proposed rule would create barriers and limit high school students’ access to post-secondary education. Specifically, the commenters believe that sections 121.9(a)(8) and 121.9(a)(5) would raise significant barriers to low income students receiving information about their college and scholarship opportunities if the College Board is considered a third-party contractor under the proposed rule, and asked SED to confirm this. The commenters stated that “without this confirmation, we are concerned that school districts will be uncertain and will feel constrained to direct the College Board not to identify their public school students to colleges and scholarship organizations, and that unintended result will set back equity and access to higher education.” The commenter also requested that the definition of personally identifiable information be modified to specifically exclude the type of student information used to register for a college entrance examination, which the commenter stated was “simply directory information.”
A commenter stated that many schools and districts around the country provide “directory information to the test administrator for each student” which is used to create labels that are affixed to student answer sheets. This process eliminates the need for students to enter that information themselves, thereby saving time and avoiding data errors.
The commenter stated that on the day students take a college entrance exam such as the SAT, ACT, PSAT, “… the students select whether they wish to opt-in to a college search opportunity, agreeing to allow their high school and college information on their answer sheet, along with their contact information and their exam score range, to be available to colleges, universities and scholarship organizations around the country. With student consent, colleges and not-for-profit scholarship organizations may reach out to students to educate them about the college’s offerings, admissions process, scholarships, and financial aid.” The commenter stated that if the College Board were deemed a third party contractor, and prohibited from sharing information with colleges and scholarship organizations, students under the age of 18 who take the PSATs and SAT (the vast majority of test takers) would need parental consent to receive information about colleges and scholarship opportunities which could “impact the ability of students, particularly in disenfranchised communities, to connect with colleges and scholarship organizations and receive information needed for college planning.”
RESPONSE: No change is necessary. While the Department agrees that an educational agency should communicate with students about beneficial educational programs such as scholarships, college access, enrichment and similar programs, it must determine whether each disclosure fits within the ambits of Education Law §2-d depending on the facts and circumstances. The Department is committed to promoting sound information practices and policies that will ensure the security and privacy of student data and improve academic achievement. To the extent the commenter seeks a response on a specific set of circumstances and activities of the College Board, it would depend on the facts and circumstances of each disclosure of any student data as to how Education Law §2-d would apply. The proposed amendment implements the law.
14. COMMENT: A commenter requested that “a comprehensive and intensive data privacy and security plan as it pertains to students' and parents'/guardians' information state-wide is put into place and effective as soon as possible” and further commented that “we must protect our data and privacy with vigor.”
RESPONSE: No change is necessary. The purpose of the proposed rule is to strengthen the data privacy and security posture and practices of educational agencies. As needed, SED will develop guidance documents to assist educational agencies in implementing the rule when adopted.
15. COMMENT: A commenter stated that SED should “consider a process whereby a determination can be made similar to HIPAA’s “low probability of compromise” that would allow for minor events not to be classified as a breach reportable to the CPO. The commenter stated that incidents such as a school teacher accidentally sending home student A’s daily communication sheet to student B’s parent by mistake or a medical order for speech services faxed to the doctor’s office on file for a student that is no longer a patient there occur regularly” to “… reduce the administrative burden (on the school and the office of the CPO) if events such as these did not need to be reported to the parents nor the CPO as well.”
RESPONSE: No change is necessary. The proposed rule implements Education Law §2-d. SED will develop guidance documents to assist educational agencies in implementing the rule when adopted, as needed.
16. COMMENT: A commenter wrote that SED has failed to fully address certain concerns raised during earlier rule making comment periods, specifically, that SED did not amend the definition of third-party contractor “to include not only entities that “receive” student, teacher or principal data, but entities that also “have access to” student, teacher, and parent data, including those that “collect”, “process”, “disclose”, “use”, or “monetize” this data” and also did not more directly address the use of biometric surveillance technology within the regulations. The commenter asked SED to impose a moratorium on the use of biometric surveillance technology in New York schools.
RESPONSE: SED is aware of the concerns raised about the use of technology that utilizes biometric data in schools and continues to research and review these issues. Regarding comments on amending the definition of third-party contractor, SED has carefully considered the commenter’s statements. The definition of third-party contractor in the proposed rule is consistent with the definition in the underlying statute. Therefore, no changes are necessary.
17. COMMENT: A commenter wrote that the definitions of “commercial” and “marketing purpose” in the proposed rule go beyond that of the underlying statute. The commenter asked whether a technology company could use reports “that a particular feature on its product crashes during classroom use … to fix the crash and prevent it from happening in the future.” The commenter also asked if a company that receives student data from a school and needs to “use” the student data to provide the contracted service would be prohibited from receiving remuneration for providing that service. The commenter proposed that SED revise the definition of “Commercial or Marketing Purpose” to mean “… the sale of education records and the personally identifiable information contained therein; the use of education records and the personally identifiable information contained therein for advertising purposes; or to market products or services to students without prior consent of the parent or eligible student, to the extent that such directed materials are for products and services that support an educational purpose or goal.”
RESPONSE: The Department believes that the definition of commercial or marketing purpose is consistent with the intent of Education Law §2-d which prohibits the sale or use of personally identifiable information for marketing or commercial purposes and does not make the distinction. The statute also prohibits the use of personally identifiable information for any purposes not explicitly authorized in the contract. The requirements of the proposed rule and its underlying statute apply only to personally identifiable information and not de-identified data or aggregate data which cannot be re-identified or used to identify an individual. No change is necessary.
18. COMMENT: A commenter wrote that it remains in “full support of the vast majority of proposed provisions but has concerns about the potential impact of these regulations on students' ability to opt in to receive targeted informational materials regarding college options. It stated that it currently receives information about prospective students who have taken various entrance exams such as the SAT, PSAT, or ACT, thereby allowing it to send out targeted informational material to help students learn about their college options. It stated that students must opt in to this service, and can opt out at any time, so this is a purely voluntary program offered for the student's convenience, and that this program helps it reach traditionally underrepresented students, allowing for streamlined delivery of targeted and relevant information on programs of interest, financial aid, and potential scholarship opportunities. The commenter further stated that the current draft of the rule is silent as to whether this voluntary information disclosure to colleges will continue to be allowed. The commenter wrote that if disallowed, or if school districts interpret that the practice has been disallowed, this will suppress the number of students who successfully opt in to this service, and will limit the commenter's ability to continue to send targeted advertising materials to inform students of scholarship and educational opportunities.” The commenter requested that SED explicitly clarify that this category of voluntary information disclosure to colleges will be allowed to continue.
RESPONSE: No change is necessary. See response to Comment #13.
19. COMMENT: A commenter stated that if the regulation’s adoption “continues to be moved back, then the compliance dates should also be moved back.” Another commenter requested an extension of the public comment period.
RESPONSE: Education Law §2-d became effective in 2015. The proposed amendment implements Education Law §2-d. The regulations were initially proposed in January 2019 and have gone through several public comment periods consistent with the State Administrative Procedure Act §202(1)(a). Further, the proposed rule is consistent with the requirements of Education Law §2-d and implements the statute. No changes are necessary.