Student Data Privacy Officer Objective
Established by administrative regulation, the Student Data Privacy Officer monitors all issues related to the protection of student data collected as part of district operations.
The Student Data Privacy Officer will likely, but not necessarily, be the Chief Information Officer (CIO) for the district. The Student Data Privacy Officer is a title that is added to the existing responsibilities of an existing employee. As such, the Student Data Privacy Officer’s direct supervisor is determined by his or her primary role within the district. However, all duties and responsibilities specifically related to the role of Student Data Privacy Officer will be overseen directly by the Superintendent of Schools.
Managing student data safely is a complicated issue that our school district takes very seriously. However, we begin this case study with the caveat that we are NOT experts in this area. We are practitioners who are trying to manage a constantly evolving field. It is a challenge to stay informed and up to date on best practice in this ever-changing landscape, but the threat of not addressing these issues is potentially severe. At BH-BL, we address the issue on multiple fronts. In order to better understand our approach, it is helpful to discuss the concept of student data privacy using this diagram:
The lock in the middle represents the location of all of the important and sensitive information that we collect on our students in order to function effectively as a school district. This includes information on demographics, academics, special education, discipline, health, food services, and transportation. This data is held securely in servers that are protected by state of the art firewalls and disaster recovery procedures. Most of this data is in highly secure servers at the North East Regional Information Center (NERIC). Some of the data is housed in secure servers inside the district. A small portion of this secure data is housed in contracted space with the particular vendor.
Yes. Student data that is collected and secured by the district is shared outside of this protected area in two ways:
New York State requires that we share some student and staff data with NYSED for a variety of reasons. Our Chief Information Officer (CIO) carefully maps the data that is requested to the corresponding fields in our secure databases and pushes that data to the NYS Data Warehouse. This process is overseen and “certified” by the Superintendent of Schools. The data pushed to the Data Warehouse is maintained securely (details of security protocol). The exact data fields requested by NYSED change periodically. These changes are monitored by our Student Privacy Officer, who makes an annual report to the Board of Education. Any substantive changes in reporting requirements are brought to the Board of Education on an as-needed basis. NYS publishes a list of the fields being pushed to the NYS Data Warehouse. The most recent list can be accessed here.
There are many software applications that require the input of limited student data in order to function effectively. When we share student data with a third-party vendor, the following three principles are followed:
1. The vendor/application must be approved by the Data Privacy Officer as compliant with federal and state privacy laws. The process is as follows:
2. Once a vendor is approved by the district, the district shares the minimal amount of data necessary for the software to function effectively.
3. Any data transferred to a third-party vendor must be transferred through a secure networking protocol.
This is our list of immediate needs. We think that this question warrants further discussion and the aggregate list could inform NYSED efforts in this area.
Help us to evaluate/assess privacy policies of 3rd Party vendors at the NY state or BOCES level so that we can more efficiently approve them on the local level. Perhaps a global scale or
Help us specifically with Google. It has become a major ecosystem in NYS K-12 education but it is difficult to ensure that it is compliant with the necessary federal and state privacy laws.
Develop a network of Student Data Privacy Officers similar to the DATAG CIO Listserv.
The district complies with the Family Educational Rights and Privacy Act (FERPA). Parents and 18-year-old students may inspect official records relating to them including progress reports, grades, aptitude and achievement test scores, psychological tests, and teacher evaluations. A record may be challenged by parents or 18-year-olds when they believe it to be inaccurate or misleading. The principal may remove designated material if in agreement with the challenge. Definitions of school official and additional procedures under FERPA can be found in the Board of Education Policy Manual.
Individual student records are confidential and are not released to colleges, employers, or elsewhere without written permission, subject to the following exceptions. District schools may forward educational records to other schools that have requested them and in which a BH-BL student seeks or intends to enroll. What the law refers to as directory information may be made public for school purposes unless a parent informs us in writing that they do not want this information made public. Directory information that we may make public includes: a student’s name, address, phone number, grade level, honor or award received, dates of attendance, photograph, age, membership in a school athletic team, activity or club, and (for athletes only) height and weight. Directory information is primarily made public so that students’ accomplishments can be included in various publications such as a concert program, yearbook, or honor roll.
As required by federal law, the high school provides a list of senior class member names, addresses and phone numbers to the military services—unless parents inform the high school principal in writing by September 15 that they do not want their child included in such lists.
Parents and 18-year-old students have the right to opt out of the disclosure of directory information by contacting their school principal. Parents should also inform the Superintendent if they do not wish their child’s likeness to be included on the district website, Facebook page or in occasional photos or videos taken by the media or district staff for school-related purposes.
Also, in accordance with the federal Protection of Pupil Rights amendment, the district hereby notifies parents that our schools may occasionally conduct student surveys that touch on topics such as political affiliation, income, or beliefs or religious practices of the student. In such cases, a letter will be sent home explaining parent rights to opt a child out from such a survey before it is conducted.
Questions about school policies in connection with family rights and privacy laws can be addressed to building principals or the Superintendent.
The BH-BL School District is committed to ensuring student privacy in accordance with local, state and federal regulations and district policies. [STUDENT PRIVACY - POLICY 5550] [STUDENT RECORDS - POLICY 5500] To this end and pursuant to U.S. Department of Education (DOE) regulations (Education Law §2-d), the district is providing the following Parents’ Bill of Rights for Data Privacy and Security:
This bill of rights is subject to change based on regulations of the commissioner of education and the SED chief privacy officer, as well as emerging guidance documents from SED. For example, these changes/additions will include requirements for districts to share information about third-party contractors that have access to student data, including:
If you would like more information, please contact: Student Data Privacy Officer Tracy Falvo, BH-BL High School, 88 Lakehill Road, Burnt Hills, NY 12027. (518) 399-9141, ext. 83255 or email@example.com. More information is also available on the following websites: