Data Privacy & Security Service Digital Digest_Summer 2019

Data Protection Officers: Who Will Be Your Unicorn? by Matthew Hejna, Nassau BOCES

POSSIBLE DUTIES AND RESPONSIBILITIES:
• Primary point of contact for data security and privacy.
• Implement privacy governance measures to manage the use of personally identifiable information to ensure compliance with Education Law §2-d (e.g. PII is only used for the benefit of students and the educational agency).
• Coordinate the implementation of the policies and procedures required under Education Law §2-d and Part 121.
• Monitor the educational agency’s compliance with state and federal data privacy laws and regulations.
• Develop a procedure for parents and eligible students to file complaints about breaches or unauthorized releases of student data and for the complaints to be addressed.
• Facilitate the delivery of an annual information privacy and security awareness training.
• Review projects, contracts and procurements that will create, collect or process personally identifiable information for compliance (privacy impact and data security assessment).

SOME SUGGESTED KNOWLEDGE, SKILLS AND ABILITIES:
• Ability to gain a working knowledge of state and federal laws that protect personally identifiable information, including Education Law §2-d and FERPA.
• Ability to interact effectively with people at all organizational levels of the agency.
• Ability to exercise leadership, influence change and implement solutions.
• Ability to handle confidential and sensitive information with discretion.
• Ability to gain a working knowledge of basic data security and privacy concepts.

The proposed addition of Part 121 to the Regulations of the Commissioner relating to student data privacy (Education Law §2-d) requires the designation of a Data Protection Officer (DPO):

“Each educational agency shall designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law §2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. Such officer(s) must have the appropriate knowledge, training and experience to administer the functions described in this part. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.”

While the proposed regulations are still pending, the Chief Privacy Officer has issued the following guidance so school districts can start considering what administrative position these responsibilities would fall under:

ORGANIZATIONAL RELATIONSHIP:
• It is recommended that the DPO’s reporting structure provide access to leaders with decision making authority.
• It is recommended that the DPO/school district annually report on the agency’s data security and privacy posture/performance to its Board.
• A DPO will need to collaborate with internal stakeholders (IT, information security, internal audit, school attorneys, etc.) to effectively fulfil this role.

Two examples of how other school districts have approached similar positions are cited in an EdSurge News article by Emily Tate, “Chief Privacy Officers: The Unicorns of K-12 Education” (February 25, 2019). Both the Denver Public Schools’ Student Data Privacy Officer and Baltimore County’s Director of Innovation and Digital Safety work closely with legal and school leadership teams to establish vendor contracts and district policies and procedures to ensure that their schools are compliant with federal and state privacy laws and to build trust with their communities.

The article also references a January 2019 report issued by the Center for Democracy & Technology, “Chief Privacy Officers: Who Are They and Why Education Leaders Need Them.” This in-depth study “focuses on a variety of practices that can support [the role of a Chief Privacy Officer], and is divided into two sections: first, the role that education organizations can play in making CPOs successful, and second, the role that CPOs should play in protecting student privacy across the organization.” This comprehensive brief also includes an appendix with a sample job description, along with examples of tasks for potential candidates to assess their content knowledge and working style.

Regardless of when the new legislation is approved, the report advises school districts to take a proactive approach: “Rather than wait for a data incident or legal mandate, education leaders can support their efforts to effectively use data by being proactive and empowering a senior leader to ensure the organization fulfills its responsibilities to protect the student data with which it is entrusted.”
