Management, compliance & auditing

A school district's guide for Education Law §2-d compliance

Patrick Mallory
March 9, 2021 by
Patrick Mallory

During the 2014-2105 fiscal year, the New York State Education Department enacted Education Law §2-d, which includes a series of provisions designed to enhance protections surrounding personally identifiable information (PII) held by schools and school districts. This includes both student records, administrative documents and teacher evaluations.

Education Law §2-d also identified other requirements that public schools and districts must adopt, including a parent’s bill of rights for data privacy and new compliance and regulatory controls.

So what does this all mean for school districts? Here is a quick overview of the key components that you need to know and a few tips to help you stay compliant.

What are the Education Law §2-d requirements?

The law adopted in 2014 was a foundational structure that the New York Legislature and the New York State Education Department could build on in the coming years. 

Since 2014, the initial Education Law §2-d has been supplemented with Part 121 in January 2020, which adds additional student data privacy regulations to be overseen by the education commissioner.

PII privacy standards

The privacy and security requirements within Education Law §2-d match those outlined within the Family Educational Rights and Privacy Act (FERPA):

  1. The student’s name
  2. The name of the student’s parent or other family members
  3. The address of the student or student’s family
  4. A personal identifier, such as the student’s social security number, student number or biometric record
  5. Other indirect identifiers, such as the student’s date of birth, place of birth and mother’s maiden name
  6. Other information alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty
  7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates
  8. Information relating to students covered by the Individuals with Disabilities Education Act (IDEA)
  9. Records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that are confidential and not subject to release under the provisions of education law

PII does not include randomized, aggregated or de-identified data.

Chief privacy officer’s powers

The state's chief privacy officer has the authority to enforce and validate any policy, standard, technology or system involved in storing or processing PII. They can also require educational agencies to conduct a privacy and security risk assessment to ensure protections are adhering to regulations.

Data security standards

Education Law §2-d identifies that the education department will adopt the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. NIST will now be a mandatory guideline for New York educational agencies to use to reduce cyber risk.

As NIST does not provide a specific set of requirements, but rather a process for agencies to use, schools will design their cybersecurity protocols to meet their needs.

Educational agency data protection officer

The new law requires each state education agency and district to designate at least one employee of that organization to be their data protection officer. 

These individuals will be required to implement the policies required by Education Law §2-d and serve as the point of contact for data security and privacy matters.

Educational agency data collection restrictions

Education Law §2-d restricts educational agencies from selling, using or disclosing PII for marketing or commercial purposes, or to provide it in any way that may facilitate its use by others. 

Agencies must include data minimizations and protections in data-sharing agreements to protect student and teacher PII.

Policy requirements

Beginning in January 2020, all New York educational agencies must create and publish a data security privacy policy that is in line with Education Law §2-d mandates and NIST standards. The policy must include the following components:

  • Every use of PII by the educational agency shall benefit students and the educational agency (improve academic achievement, empower parents and students with information and/or advance efficient and effective school operations)
  • PII shall not be included in public reports or other documents
  • The policy must incorporate the protections afforded to parents or eligible students under FERPA, IDEA and their implementing regulations

  • Specific data security protections:
    • Data systems monitoring
    • Data encryption
    • Incident response plans
    • Limitations on access to PII
    • Safeguards to ensure PII is not accessed by unauthorized individuals when transmitted over communication networks
    • Destruction of PII when no longer needed
  • Application of all restrictions, requirements and safeguards to third-party contractors

Training for educational agency employees

All educational agencies must provide annual privacy and security awareness training for all employees that have access to PII.

Parent’s bill of rights for data privacy and security

A parent’s bill of rights was also identified within Education Law §2-d and this standard must be included in every third-party contract where a contractor may receive or handle PII.

Third-party data security and privacy plan

All contracts with third-party contractors must include a data security and privacy plan to accomplish several items: 

  1. Outlines how all state, federal and local data security and privacy contract requirements will be implemented
  2. Includes a signed copy of the parent’s bill of rights
  3. Includes a requirement that any officers or employees of the third-party contractor with access to PII will receive training on the necessary New York and federal laws 

Third-party contractors

All third-party contractors working on behalf of an educational agency with access to PII must also adopt the safeguards outlined within Education Law §2-d, relevant organizational data security and privacy policies and the NIST guidelines.

Any violation could include the inability to access PII for up to five years, training, fines or limits to publish procurement bidding.

Other Education Law §2-d regulation requirements: Reports, penalties and notifications

Notifications of a breach and unauthorized release

All education agencies must report every discovery or report of a breach or data release, including by third-party contractors, no more than 10 days after the initial discovery to the state’s chief privacy officer.

All affected parties must also be notified no more than 14 days after the discovery of the breach or data release unless it is part of a law enforcement effort.

Parent complaints of a breach or unauthorized release of PII

The law also outlines the procedures for parents to submit complaints and have them investigated where they believe unauthorized data has been released or breached.

A report of the finding must be provided within 30 days of the initial submission of the complaint.

Right of parents and eligible students to inspect and review student’s education records

Parents and students also have the right to review a student’s education record directly, after their identity is verified, within 45 days of the receipt of the request. The records could be provided in printed or electronic format, using appropriate security safeguards.

Tips to simplify Education Law §2-d compliance

Although it’s important to contact your internal legal, compliance and administrative resources to ensure Education Law §2-d compliance, partnering with an employee training provider can help you simplify the planning and implementation of your compliance efforts.

Security awareness and training providers like Infosec provide out-of-the-box solutions to help you address many Education Law §2-d requirements such as training for educational agency employees. Security awareness and training platforms like Infosec IQ provide FERPA, PII and additional employee training built specifically for school districts. This helps you stay compliant but also gives you the resources to educate every employee to avoid the cybersecurity and privacy risks facing your district.

Training partners even provide tools to help you deliver your data security privacy policy, document policy acknowledgment from employees or contractors and produce reports. You can give your data protection officer full control of your employee training platform or send them reports to monitor and document your district’s compliance efforts.

Learn more about the industry’s leading security awareness and training provider and how they can help your district remain compliant.

Moving forward

It is recommended that school districts contact their school attorney, the state chief privacy officer, and their administrative team if they need support in implementing Education Law §2-d or evaluating if their current policies, systems, contracts or training meet the standard.

There is no doubt the new regulations will mean a lot of changes to how educational agencies operate, but the goal is to provide better security and protection for all who work and learn in New York’s public schools.



Education Law §2-d, The State Education Department. 

How EdPrivacy Supports NYS Education Law 2-d Updates and Additions, Education Framework. 

The Time for Enforcement of Education Law § 2-d is Coming – Proposed Regulations

Regarding Privacy and Security of Student Data and Teacher or Principal Data, Keane & Beane.

Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology.

Education Law Section 2-D Definitions, New York State Education Department.

Patrick Mallory
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.