Education Law §2-d Compliance Update and Reminders

July 28, 2023

By: Kristin Warner

On July 19, 2023, the New York State Education Department (NYSED) issued a memo indicating its Privacy Office will begin monitoring educational agencies’ websites for compliance with New York State Education Law §2-d and the Family Educational Rights and Privacy Act (FERPA)* beginning this fall. In addition, the Privacy Office will be reaching out to these agencies to ensure compliance with other aspects of Education Law §2-d, such as annual Education Law 2-d mandated training and FERPA requirements. School districts, BOCES, and charter schools must comply with Education Law §2-d and FERPA.

What Will They Be Looking For on the Website?

For Education Law §2-d compliance, the Privacy Office will be looking for three things:

  • Whether the website contains a Parent’s Bill of Rights (PBOR), which must include but is not limited to information as to how parents or eligible students (if over the age of 18) can file a complaint.
  • Supplemental information for all third-party contracts where the contractor will be receiving student data or principal or teacher APPR-related data. This supplemental information may be contained within a separate 2-d Rider attached to your contracts or may have been provided as part of the contractor’s own Data Privacy Plan or Agreement.
  • Your Board’s data security and privacy policy. This policy should implement the requirements of the Education Law §2-d regulations found in Part 121 and align with the NIST CSF standards.

For FERPA compliance, the Privacy Office has indicated it will be looking to ensure the FERPA Annual Notification, the directory information policy, and parent opt-out forms are available on your websites.

Other Compliance Issues

Data Protection Officer Contact Information: The Privacy Office has also begun and will continue to email the data protection officers listed on the educational agencies’ website to ensure the accuracy of the information.

Annual Training Compliance: The memo states some agencies will be asked to share information regarding their annual data privacy and security awareness training to ensure compliance with 8 NYCRR §121.7. This information may include training sign-in sheets, certificates of completion, dates of training, the training itself or the name of the training service.

Bond, Schoeneck & King is available to conduct an audit of your compliance with 2-d and/or provide 2023-24 annual 2-d training in various formats (e.g., in-person; live virtual; taped virtual) along with required supporting documentation.

If you would like more information about compliance assistance, training or have any questions regarding the information contained in this client alert, please contact Kristin Warner or the attorney at the firm with whom you are regularly in contact.

*NYSED’s authority to enforce FERPA is an open issue that can be discussed with clients on an individual basis.