Data Privacy & Security Service: DPS Digital Digest, Spring 2020

The Education Law 2-d Part 121 Issue

IN THIS ISSUE:
• RIC One DPS COVID-19 Response
• Ed Law 2-d/Part 121 Resources
• Special Feature on Student Data Privacy Expert Linnette Attai

Coming Soon! RIC One GST Data Privacy & Security Awareness Training

We are pleased to announce that GST RIC has developed online Data Privacy and Security Awareness Training designed specifically to meet the Annual Employee Training Education Law 2-d Part 121 requirement. The course consists of three modules:

• Understanding Laws, Regulations, Policies, and Procedures
• Understanding, Recognizing, and Avoiding Threats
• Developing Good Habits and Best Practices

The full online course provides 75-90 minutes of information security content that can be completed in multiple sittings. The course tracks where the user left off, what modules have been completed, and a progress bar shows users where they are in terms of completing the course. DPS districts will be notified when the training is available and will need to contact their local RIC to access this new online training resource.

Meet Linnette Attai, President and Founder of PlayWell, LLC

When we have questions around Student Data Privacy we know exactly who to call: Linnette Attai, President and Founder of PlayWell, LLC. Linnette has been guiding organizations on data privacy governance and user safety for over 25 years and speaks nationally on data privacy matters. You may have been fortunate enough to sit in on one of her sessions at ISTE or at the annual Future of Education Technology Conference. Her sessions are always informative and never disappoint.

Linnette is also a TEDx speaker and the author of the books, “Student Data Privacy: Building a School Compliance Program,” “Protecting Student Data Privacy: Classroom Fundamentals,” and the forthcoming, “Student Data Privacy: Managing Vendor Relationships” (Summer 2020), published by Rowman & Littlefield. Even with all of these accomplishments and commitments, Linnette has always been accessible and available to support the RIC One Data Privacy and Security Initiative. When asked to provide a DPS Digital Debrief or to participate in a virtual book chat, Linnette has always agreed without hesitation. Because Linnette is always ready and willing to share her data privacy expertise, Nassau BOCES/RIC and Eastern Suffolk BOCES/RIC were able to establish a virtual book chat on Linnette’s first book “Student Data Privacy: Building a School Compliance Program.” We believe this book is a must-read for district administrators responsible for data privacy and governance. In addition, Linnette’s interview for the DPS Digital Debrief provided steps for school districts to manage and protect their student data. Note: This recording can be accessed by DPS subscribers at Visit PlayWell, LLC to learn more about Linnette and her global compliance consulting firm.

Comptroller’s Corner

The Office of the Comptroller conducted four district Information Technology audits since January 2020. The results demonstrate a clear need for districts to address sensitive IT controls and to provide cybersecurity training for staff.

Out of the three districts audited:

• Two districts did not limit or monitor employees’ personal Internet browsing and their use of social media on district computers.
• Three districts did not provide IT security awareness training to employees and officials.
• One district did not restrict user permissions to the network and the student information system software application (SIS) based on job duties.
• Three districts did not disable inactive user accounts and did not adequately restrict user permissions based on job duties.
• One district did not appoint a Chief Information Officer responsible for all IT matters.
• Two districts did not adopt a disaster recovery plan.
• One district did not establish written procedures for password management, wireless security, remote access and managing user access rights.

Data Privacy & Security Service, Issue 18


Education Law 2-d Part 121 Updates

It’s official! The Education Law 2-d Part 121 regulations were adopted on January 29, 2020. Districts should be working toward compliance for the nine requirements illustrated above, with the Data Security and Privacy Policy due by July 1, 2020. Contact your local RIC for additional resources and support.

RIC One DPS Resources and Updates

Did you know that RIC One DPS provides resources for each Part 121 requirement? Visit the RIC One DPS Resources page to find an Overview and Toolkit for each requirement. These free resources, available to all New York State school districts, contain guidance and worksheets to help districts implement Part 121 and data privacy best practices.

Part 121 Implementation Resources

RIC One DPS Subscriber Resources

DPS Service Subscribers can visit riconedpss.org and log in to access a variety of exclusive subscriber resources. All Digital Blasts (timely information on latest security risks), Digital Debriefs (interviews with Data Privacy and Security Experts), and Digital Digests (quarterly newsletters on Data Privacy and Security) are archived and available to DPS subscribers. In addition, DPS subscribers have access to online Information Security professional development and access to the DPS Inventory Tool, a tool developed to help districts develop and post their Bill of Rights Supplemental information. RIC One DPS recently released version 3.0 of the Inventory Tool.

The latest version update includes:
• Numeric and Alphabetical Product Directory
• Additional fields to help districts comply with NIST Cybersecurity Framework requirements
• Export Data feature now provides more usability and functionality
• New Complex Password Requirement to make the system more secure


RIC One has developed a new NIST Cybersecurity Framework (CSF) resource to assist districts with their initial work. This resource provides an introduction to the NIST CSF and focuses on the Identify function of the framework to help agencies “manage cybersecurity risk to systems, people, assets, data, and capabilities.” Contact your local RIC to access this valuable resource.

COVID-19 Digital Blasts

Check the Digital Blast archive for the latest blasts on COVID-19 related cybersecurity threats. Go to and log in to access these timely blasts and additional resources.

Not a current DPS service subscriber? Contact your local RIC to learn more.


DPS COVID-19 Response

As teachers, students, and school leaders continue to work remotely, questions have arisen about student data privacy and security related to compliance with Ed Law 2-d and Part 121 of the Commissioner’s Regulations. RIC One, the 12 Regional Information Centers working together, has created a COVID-19 Response page to address these questions and to provide a comprehensive set of resources. There are also some resources related to digital hygiene that can be used with staff. For more information regarding Education Law 2-d and instructional continuity planning, please contact your local RIC.

DPS District Spotlight: Irvington School District’s Data Privacy & Security Page

Irvington School District has created a Data Privacy and Security Page on their website that shares information with the school community on Data Privacy under Education Law 2-d and on the RIC One Data Privacy and Security Initiative. In addition, Irvington School District has embedded their Bill of Rights Supplemental Information page from the DPS Inventory Tool into their Data Privacy and Security page, which is pretty cool. Visitors do not need to navigate away from Irvington’s Data Privacy and Security page to scroll through Irvington’s supplemental information product listing, a very convenient feature. Irvington School District’s Data Privacy and Security page is an exemplary model of how a school district can meet the Part 121 Bill of Rights Supplemental Information requirement with creativity and transparency.

Resource: “NY Education Law 2-d: Third Party Contractor Requirements at a Glance”

Ferpa Sherpa has posted a helpful resource on third-party contractor requirements under Education Law 2-d developed by Linnette Attai of PlayWell, LLC and the Future of Privacy Forum. This three-page guide addresses compliance, data protection, key requirements for third-party contractors and enforcement penalties. Use this link to view this helpful resource.

Hours of Cybersecurity On-Line Courses Available through FedVTE

The Federal Virtual Training Environment (FedVTE) now “provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans.” There are “hundreds of hours of cybersecurity on-demand courses” to choose from. Visit fedvte. to view the course catalog, to create an account, or to access free FedVTE and CISA courses.

Ed Law 2-d Third-Party Contract FAQ

Schools may be adopting new software products to effectively deliver remote instruction. Use this FAQ to help determine if a new product is Ed Law 2-d compliant. We also recommend consulting with legal counsel.

Q: How do I know if a software product is subject to Ed Law 2-d?
A software product that does not collect any personally identifiable information (PII) for students, or any teacher or principal APPR data, is not subject to Ed Law 2-d. If a software product does collect student PII and/or teacher or principal APPR data, the product is subject to this law even if the product is free.

Q: If a product does collect student PII and/or teacher and principal APPR data, how do I know the software product is Ed Law 2-d compliant?
Software products that collect PII are only Ed Law 2-d compliant when the vendor signs an Ed Law 2-d privacy agreement and provides supplemental product information.

Q: Is a product Ed Law 2-d compliant if the vendor privacy policy lists acceptable privacy practices?
Unfortunately, the answer is no. It doesn’t matter how good the public privacy policy looks or how exemplary a vendor’s privacy practices appear to be. Unless the vendor signs an Ed Law 2-d privacy agreement with a BOCES or district, the product is not considered to be Ed Law 2-d compliant.

Thank you for reading the latest issue of the Data Privacy & Security Digital Digest. Contact your Local RIC for additional information on the Data Privacy and Security Initiative (DPS) and to view additional subscription components.
