Three Things to Note in New York’s Attempt to Safeguard Students’ Personal Info
Written by Adarsh Mahesh
State education agencies have an important role in providing guidance that minimizes privacy risks while ensuring that data can still be used in the best interests of students.
To that end, the New York State Education Department recently proposed regulatory changes to more clearly specify what educational agencies and their third-party contractors should do to safeguard the personally identifiable information of students and other school personnel. The regulations address a number of issues, but three things in these proposed changes stood out to us, and we wanted to highlight them because they are critical and still too uncommon:
- Thoughtful engagement with diverse stakeholder groups
- Attention to data minimization, deletion, and retention
- Addressing privacy capacity at the state and local level
Thoughtful engagement with diverse stakeholder groups
The New York State Education Department mentioned in its press release that the Data Privacy Advisory Council (DPAC), which was tasked with drafting the guidelines, had diverse representation among its members, most notably parents and teacher organizations, and additionally held 14 public forums across the state to seek public comments.
Despite the huge role parents and teachers play in the education of a student, they are rarely involved in conversations around the use of student data. Engaging parents and teachers gives the stakeholders who work most closely with students, and who have the most at risk when decisions are made about their data, an opportunity to inform the conversation.
Attention to data minimization, deletion, and retention
The proposed amendments mandate that education agencies and third-party contractors implement privacy-protective practices like:
- Employing the practice of data minimization by requiring the educational agency to take steps to minimize collection, processing, and transmission of personally identifiable information.
- Creating detailed data retention and deletion policies, along with purpose specification, and providing parents a description of when and in what format the student data will be returned to the educational agency after the expiration of the contract, and/or whether, when, and how the data will be destroyed.
Deleting personal data once it is no longer necessary to provide a service, along with data minimization measures, helps ensure that students’ sensitive data is not retained for longer than necessary and is safeguarded from being used outside of its intended context. CDT recently released an issue brief that explains the finer nuances of data minimization, deletion, and retention in education and offers practical policy and technical solutions to help the education sector retain data that can serve students and delete information that is no longer needed.
Adding privacy capacity at the state and local level
New York is one of a handful of states with a student privacy law that requires the state to hire a chief privacy officer who will handle all matters affecting the privacy and security of student, teacher, and principal data. The proposed regulatory changes go a step further by adding privacy capacity at the local level. Each educational agency would now have to designate one or more employees to serve as the agency’s data protection officer(s). The officer(s) would be responsible for the implementation of the policies and procedures as required by the law, and serve as the point of contact for data security and privacy for the educational agency.
Having someone with the appropriate knowledge, training, and experience to lead the agency’s privacy work is important to advance efforts to use data to improve student outcomes while ensuring that data are protected. CDT recently released another issue brief detailing the role such a privacy officer can play in education agencies, and the impact this can have on ensuring data and technology are used so that students get the education they deserve, while still protecting their privacy. It also includes helpful information for schools trying to fill this vital role, including a sample job description and interview questions.
Although the job of protecting student data is never finished, the New York State Education Department deserves attention for considering these three issues that are important to effectively and efficiently protecting student data while supporting its use to improve student outcomes and opportunities.