Data Security & Privacy

Learn more about data security & privacy at BH-BL

Welcome to BH-BL’s Data Security and Privacy page. In today’s digital age, protecting the personal information of our students, staff, and families is of utmost importance. As a New York State school district, we are committed to maintaining the highest standards of data security and privacy in compliance with state and federal regulations. This page serves as a resource for our community, providing information on our policies, practices, and initiatives designed to safeguard sensitive data. We believe in transparency and empowering our stakeholders with knowledge about how we collect, use, and protect personal information in our educational environment. For more information on parent/guardian rights regarding student data privacy, please review the following links:

If at any time district officials learn that student and/or teacher/principal data has been compromised, parents and guardians will be notified and the data breach will be reported to the New York State Education Department.

How to File a Complaint

Parents/guardians and others who have concerns or wish to file a complaint about a possible breach or improper disclosure of data may do so using this form.

Contact Data Protection Officer Doug Carlton at (518) 399-9141, ext. 85117, with any questions or concerns about data privacy or security.


Student Data Protection

Personally identifiable student information (PII) that is collected and secured by the district is shared outside of this protected area in two ways:

Data is shared with New York State. New York State requires that we share some student and staff data with NYSED for a variety of reasons. Our Chief Information Officer (CIO) carefully maps the data that is requested to the corresponding fields in our secure databases and pushes that data to the NYS Data Warehouse. This process is overseen and “certified” by the Superintendent of Schools. The data pushed to the Data Warehouse is maintained securely (details of security protocol). The exact data fields requested by NYSED change periodically. These changes are monitored by our Student Protection Officer, who makes an annual report to the Board of Education. Any substantive changes in reporting requirements are brought to the Board of Education on an as-needed basis. NYS publishes a list of the fields being pushed to the NYS Data Warehouse.

Data is shared with approved third party software vendors. There are many software applications that require the input of limited student data in order to function effectively. When we share student data with a third party vendor, the following three principles are followed:

    1. The vendor must be approved. The district will only share personally identifiable student data with approved vendors. The vendor/application must be approved by the Data Protection Officer as compliant with federal and state privacy laws through the execution of a contract between the vendor and the District that meets all of the requirements of NYS Education Law 2-d for proper protection of student data.
    2. Once a vendor is approved by the district, the district shares the minimal amount of data necessary for the software to function effectively.
    3. Any data transferred to a third party vendor must be transferred through a secure networking protocol.

BH-BL Approved Third Party Software Vendor Catalog (All approved third party vendors are listed in this database.)


Information and Data Privacy, Security Breach, and Notifications

The Board adopts the National Institute of Standards and Technology Cybersecurity Framework Version 2.0 (NIST CSF) for data security and protection. The Data Protection Officer is responsible for ensuring the district’s systems follow NIST CSF and adopt technologies, safeguards and practices which align with it. If at any time district officials learn that student and/or teacher/principal data has been compromised, parents and guardians will be notified and the data breach will be reported to the New York State Education Department.

For more information, review our Data Security & Privacy Policy (P8635).


Reporting Required by the NYS Education Department

Family Educational Rights & Privacy Act (FERPA)

The district complies with the Family Educational Rights and Privacy Act (FERPA). Parents and 18-year-old students may inspect official records relating to them including progress reports, grades, aptitude and achievement test scores, psychological tests, and teacher evaluations. A record may be challenged by parents or 18-year-olds when they believe it to be inaccurate or misleading. The principal may remove designated material if in agreement with the challenge. Definitions of school official and additional procedures under FERPA can be found in the Board of Education Policy Manual.

Individual student records are confidential and are not released to colleges, employers, or elsewhere without written permission, subject to the following exceptions. District schools may forward educational records to other schools that have requested them and in which a BH-BL student seeks or intends to enroll. What the law refers to as directory information may be made public for school purposes unless a parent informs us in writing that they do not want this information made public. Directory information that we may make public includes: a student’s name, address, phone number, grade level, honor or award received, dates of attendance, photograph, age, membership in a school athletic team, activity or club, and (for athletes only) height and weight. Directory information is primarily made public so that students’ accomplishments can be included in various publications such as a concert program, yearbook, or honor roll.

As required by federal law, the high school provides a list of senior class member names, addresses and phone numbers to the military services—unless parents inform the high school principal in writing by September 15 that they do not want their child included in such lists.

Parents and 18-year-old students have the right to opt out of the disclosure of directory information by contacting their school principal. Parents should also inform the Superintendent if they do not wish their child’s likeness to be included on the district website, Facebook page or in occasional photos or videos taken by the media or district staff for school-related purposes.

Also, in accordance with the federal Protection of Pupil Rights Amendment, the district hereby notifies parents that our schools may occasionally conduct student surveys that touch on topics such as political affiliation, income, or beliefs or religious practices of the student. In such cases, a letter will be sent home explaining parent rights to opt a child out from such a survey before it is conducted.

Questions about school policies in connection with family rights and privacy laws can be addressed to building principals or the Superintendent.


The NYS Education Department’s Education Law §2-d Bill of Rights for Data Privacy and Security

The BH-BL School District is committed to ensuring student privacy in accordance with local, state and federal regulations and district policies. To this end and pursuant to U.S. Department of Education (DOE) regulations (Education Law §2-d), the district is providing the following Parents’ Bill of Rights for Data Privacy and Security. Parents and eligible students¹ can expect the following:

  1. A student’s personally identifiable information (PII)² cannot be sold or released for any commercial purpose.
  2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency.
  3. State and federal laws,³ such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of a student’s PII, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred.
  4. A complete list of all student data elements collected by NYSED is available for public review at www.nysed.gov/data-privacy-security, and by writing to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234.
  5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Complaints should be directed to: Data Protection Officer Doug Carlton, BH-BL High School, 88 Lakehill Road, Burnt Hills, NY 12027. (518) 399-9141, ext. 85117 or dcarlton@bhbl.org. Complaints may be submitted to NYSED online at www.nysed.gov/data-privacy-security, by mail to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234, by email to privacy@nysed.gov, or by telephone at 518-474-0937.
  6. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.
  7. BH-BL School District staff that handle PII will receive training on applicable state and federal laws, the District’s policies, and safeguards associated with industry standards and best practices that protect PII.
  8. BH-BL School District contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.

1. “Parent” means a parent, legal guardian, or person in parental relation to a student. These rights may not apply to parents of eligible students defined as a student eighteen years or older. “Eligible Student” means a student 18 years and older.

2. “Personally identifiable information,” as applied to student data, means personally identifiable information as defined in section 99.3 of title thirty-four of the code of federal regulations implementing the family educational rights and privacy act, section twelve hundred thirty-two-g of title twenty of the United States code, and, as applied to teacher or principal data, means “personally identifying information” as such term is used in subdivision ten of section three thousand twelve-c of this chapter.

3. Information about other state and federal laws that protect student data such as the Children’s Online Privacy Protection Act, the Protection of Pupil Rights Amendment, and NY’s Personal Privacy Protection Law can be found at http://www.nysed.gov/student-data-privacy/federal-laws-protect-student-data.

Overview of the Data Warehouse – Student Information Repository System (SIRS)

The purpose of the New York State Student Information Repository System (SIRS) is to provide a single source of standardized individual student records for analysis at the local, regional, and State levels to improve student performance, and to meet State and federal reporting and accountability requirements. Data in the repository are available only to users with a legitimate educational interest. Local Education Agencies (LEAs) must use this system to report certain data to the New York State Education Department (NYSED).

Personally identifiable data in SIRS are available only to users with a legitimate educational interest.

Components of SIRS

  • Level 0 is a web-based application hosted by a Level 1 data center. It provides LEAs with the ability to enter (or load) and validate data against New York State (NYS) data collection formatting and business rules. Validated data is exported from Level 0 in a format that can be loaded directly into the Level 1 repository.
  • Level 1 consists of Data Warehouses operated by a Level 1 data center or a Big 5 school district. Each Level 1 center establishes its own schedule for loading data to Level 1.
  • The Level 2 Repository is a single statewide data warehouse where all required student data from Level 1 are combined. This level holds records for all students, teachers, and non-teaching professionals. Level 2 provides data for many purposes including, but not limited to, developing The New York State School Report Card; determining the accountability status of public and charter schools and districts; reporting Institutional Master File (IMF) and Personnel Master File (PMF) data; determining teacher and principal accountability; linking student data with those of teachers and principals; meeting federal reporting requirements; informing policy decisions; and meeting other State needs for individual student data.
  • Level 0 Historical is an application that provides the sole process for updating individual student and Staff Evaluation historical data that currently resides in the data warehouse. Historical records are defined as any data warehouse record submitted prior to the current school year.

More information is also available on the following websites: