Data Privacy

The Brentwood Union Free School District is committed to protecting the privacy and security of each and every student’s data. Parents should be aware of the following rights they have concerning their child’s data: 

1. A student's personally identifiable information cannot be sold or released for any commercial purposes.


2.  Parents have the right to inspect and review the complete contents of their child's education record.


3. The confidentiality of a student’s personally identifiable information is protected by existing state and federal laws, and safeguards such as encryption, firewalls, and password protection, must be in place when data is stored or transferred. Third party contractors are required to employ technology, safeguards and practices that align with the National Institute of Standards and Technology Cybersecurity Framework.


4. A complete list of all student data elements collected by the State Education Department is available for public review at http://www.nysed.gov/data-privacy-security/student-data-inventory or by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234.


5. Parents have the right to file complaints about possible breaches of student data. Parents may submit a complaint regarding a potential breach by the District to Candice Cheng, Data Protection Officer, 52 3^rd Ave, Brentwood, NY 11717.  The School District shall promptly acknowledge any complaints received and commence an investigation into the complaint, while taking the necessary precautions to protect personally identifiable information. The School District shall provide a response detailing its findings from the investigation no more than sixty (60) days after receipt of the complaint.


6. Parents may access the State Education Department’s Parents’ Bill of Rights at http://www.nysed.gov/data-privacy-security/bill-rights-data-privacy-and-security-parents-bill-rights.  Parents have the right to file a complaint with the State Education Department’s Chief Privacy officer by writing to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234.  Complaints may also be submitted using the form available at the following website http://www.nysed.gov/data-privacy-security/report-improper-disclosure.

Supplemental Information Regarding Third-Party Contractors:

In the course of complying with its obligations under the law and providing educational services, Brentwood Union Free School District has entered into agreements with certain third-party contractors. Pursuant to such agreements, third-party contractors may have access to "student data" and/or "teacher or principal data." Each contract the Agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data will include information addressing the following:

1. The exclusive purposes for which the student data or teacher or principal data will be used;


2. How the third-party contractor will ensure that the subcontractors, or other authorized persons or entities to whom the third-party contractor will disclose the student data or teacher or principal data, if any, will abide by all applicable data protection and security requirements, including but

not limited to those outlined in applicable state and federal laws and regulations (e.g., FERPA; Education Law §2-d);

3. The duration of the contract, including the contract’s expiration date and a description of what will happen to the student data or teacher or principal data upon expiration of the contract or other written agreement (e.g., whether, when and in what format it will be returned to the educational agency, and/or whether, when and how the data will be destroyed).


4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected;


5. Where the student data or teacher or principal data will be stored, described in such a manner as to protect data security, and the security protections taken to ensure such data will be protected and data security and privacy risks mitigated; and


6. Address how the data will be protected using encryption while in motion and at rest.

Third-Party Contractors are required to:

1. Adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework;


2. Comply with the data security and privacy policy of the educational agency with whom it contracts; Education Law § 2-d; and this Part;


3. Limit internal access to personally identifiable information to only those employees or sub-contractors that need access to provide the contracted services;


4. Not use the personally identifiable information for any purpose not explicitly authorized in its contract;


5. Not disclose personally identifiable information to any other party without the prior written consent of the parent or eligible student; or 
   1. except for authorized representatives of the third-party contractor such as a subcontractor or assignee to the extent they are carrying out the contract and in compliance with state and federal law, regulations and its contract with the educational agency; or
   
   
   2.  unless required by statute or court order and the third-party contractor provides a notice of disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of disclosure is expressly prohibited by the statute or court order.
       
6. Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in its custody;


7. Use encryption technology to protect data while in motion or in its custody from unauthorized disclosure as specified in Education Law § 2-d;


8. Not sell personally identifiable information nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.


9. Notify Brentwood Union Free School District of any breach of security resulting in an unauthorized release of student data or teacher or principal data, in the most expedient way possible and without unreasonable delay;


10. Ensure that all data protection obligations imposed by state and federal law and contract shall apply to any subcontractors engaged to perform its contractual obligations;


11. Provide a data security and privacy plan outlining
    1. how all state, federal and local data security and privacy contract requirements will be implemented over the life of the contract;
    
    
    2. specify the administrative, operational and technical safeguards and practices it has in place to protect personally identifiable information that it will receive under the contract;
    
    
    3. demonstrate that it complies with the requirements of Section 121.3(c) of 8 CRR-NY Part 121.
    
    
    4. specify how officers or employees of the third-party contractor and its assignees who have access to student data, or teacher or principal data receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
    
    
    5. specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to ensure personally identifiable information is protected;
    
    
    6. specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the educational agency;
    
    
    7. describe whether, how and when data will be returned to the educational agency, transitioned to a successor contractor, at the educational agency’s option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires 


12. Provide a signed copy of this Bill of Rights to Brentwood Union Free School District thereby acknowledging that they are aware of and agree to abide by this Bill of Rights.

This Bill of Rights is subject to change based on regulations of the Commissioner of Education and the New York State Education Department’s Chief Privacy Officer, as well as emerging guidance documents.

Revision sent to the Board of Education for Information:	05/21/20
Approved by the Board of Education:	06/18/20

 

PDF

(This policy replaces previously approved Board of Education Policy #5125)

The Board of Education recognizes its legal responsibility to maintain the confidentiality of student records. As part of this responsibility, the Board will ensure that eligible students and parents/guardians have the right to inspect and review education records, the right to seek to amend education records and the right to have some control over the disclosure of information from the education record. The procedures for ensuring these rights will be consistent with state and federal law, including the Family Educational Rights and Privacy Act of 1974 (FERPA) and its implementing regulations.

The Board also recognizes its responsibility to ensure the orderly retention and disposition of the District’s student records in accordance with Schedule LGS-1 as adopted by the Board in policy 1120.

The District will use reasonable methods to provide access to student educational records only to those who are authorized under the law and to authenticate the identity of the requestor. The district will document requests for and release of records and retain the documentation in accordance with law. Furthermore, pursuant to Chapter 56 of the Laws of 2014, the district will execute agreements with third-party contractors who collect, process, store, organize, manage or analyze student personally identifiable information (PII) to ensure that the contractors comply with the law in using appropriate means to safeguard the data.

The Superintendent of Schools shall be responsible for ensuring that all requirements under law and the Commissioner’s regulations are carried out by the District.

Definitions

Authorized Representative: an authorized representative is any individual or entity designated by a State or local educational authority or a Federal agency headed by the Secretary, the Comptroller General or the Attorney General to carry out audits, evaluations, or enforcement or compliance activities relating to educational programs.

Educational Record: means those records, in any format, directly related to the student and maintained by the district or by a party acting on behalf of the district, except:

(a) records in the sole possession of the individual who made it and not accessible or revealed to any other person except a substitute (e.g., memory joggers);

(b) records of the district’s law enforcement unit;

(c) grades on peer-graded papers before they are collected and recorded by a teacher.

Eligible Student: a student who has reached the age of 18 or is attending postsecondary school.

Legitimate educational interest: a school official has a legitimate educational interest if they need to review a student’s record in order to fulfill their professional responsibilities.

Personally, identifiable information (PII): as it pertains to students, is information that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Such data might include a social security number, student identification number, parents name and/or address, a biometric record, etc. This term is fully defined in federal regulations at 34 CFR 99.3.

School official: a person who has a legitimate education interest in a student record who is employed by the district as an administrator, supervisor, instructor or support staff member (including health or medical staff and law enforcement unit personnel); a member of the Board of Education; a person or company with whom the district has contracted to perform a special task (such as attorney, auditor, medical consultant or therapist); or a parent or student serving on an official committee, such as disciplinary or grievance committee, or assisting another school official performing their tasks.

Third party contractor: is any person or entity, other than an educational agency (which includes schools, school districts, BOCES, or the State Education Department), that receives student or teacher/principal PII from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. This includes educational partnership organizations that receive student or teacher/principal PII from a school district to carry out responsibilities under Education law §211-e (for persistently lowest-achieving schools or schools under registration review) and is not an educational agency. This also includes not-for-profit corporations or other nonprofit organizations, other than an educational agency.

Volunteers: Volunteers may be considered school officials for the purposes of access to personally identifiable information if they are under the direct control of the district, are trained in the requirements of law under this policy, have a legitimate educational interest, and the district uses reasonable methods to limit access to only the information necessary to fulfill their volunteer duties. Volunteers may only access the information necessary for the assignment and must not disclose student information to anyone other than a school official with a legitimate educational interest. The Building Principal will provide adequate training on confidentiality of student records

 

Annual Notification

At the beginning of each school year, the District will publish a notification that informs parents, guardians and eligible students currently in attendance of their rights under FERPA and New York State Law and the procedures for exercising those rights. A “Parents” Bill of Rights for Data Privacy and Security will be posted on the district website and included in any agreements with third-party contractors (see 8635-E). The notice and ‘Bill of Rights’ will also be provided to parents, guardians, and students who enroll during the school year. 

 

The notice and Parents Bill of Rights will include a statement that the parent/guardian or eligible student has a right to: 

1. Inspect and review the student’s education records;
2. Request that records be amended to ensure that they are not inaccurate, misleading, or otherwise in violation of the student’s privacy rights;
3. Consent to disclosure of personally identifiable information contained in the student’s education records, except to the extent that FERPA authorizes disclosure without consent; and
4. File a complaint with the United States Department of Education alleging failure of the District to comply with FERPA and its regulations; and/or file a complaint regarding a possible data breach by a third party contract with the district and/or the New York State Education Department’s Chief Privacy Officer for failure to comply with state law.

In addition, the annual notice and Parents Bill of Rights will inform parents/guardians and students:

1. that it is the District’s policy to disclose personally identifiable information from student records, without consent, to other school officials within the District whom the District has determined to have legitimate educational interests. The notice will define ‘school official’ and ‘legitimate educational interest.’

2. that, upon request, the District will disclose education records without consent to officials of another school district in which a student seeks or intends to enroll or is actually enrolled.

3. that personally identifiable information will be released to third party authorized representatives for the purposes of educational program audit, evaluation, enforcement or compliance purposes.

4. that the district, at its discretion, releases directory information (see definition below) without prior consent, unless the parent/guardian or eligible student has exercised their right to prohibit release of the information without prior written consent. The district will not sell directory information.

5. that upon request, the district will disclose a high school student’s name, address and telephone number to military recruiters and institutions of higher learning unless the parent or secondary school student exercise their right to prohibit release of the information without prior written consent.

6. of the procedure for exercising the right to inspect, review and request amendment of student records.

7. that the district will provide information as a supplement to the ‘Parents Bill of Rights’ about third parties with which the district contracts that use or have access to personally identifiable student data.

The district may also release student education records, or the personally identifiable information contained within, without consent, where permitted under federal law and regulation. For a complete list of exceptions to FERPA’s prior consent requirements see accompanying regulation 5500-R, Section 5.

In the absence of the parent or secondary school student exercising their right to opt out of the release of information to the military, the district is required to, under federal law, release the information indicated in number five (5) above.

Directory Information

The District has the option under FERPA of designating certain categories of student information as “directory information.” The Board directs that “directory information” include a student’s: name, address and telephone number.

Information about a homeless student’s living situation will be treated as a student educational record and will not be deemed directory information. A parent/guardian or eligible student may elect, but cannot be compelled, to consent to release of a student’s address information in the same way they would for other student education records. The district’s McKinney-Vento liaison will take reasonable measures to provide homeless students with information on educational, employment, or other postsecondary opportunities and other beneficial activities. The district permits the parent/guardian to select the school’s address as the student’s address for purposes of directory information.

Social security numbers or other personally identifiable information will not be considered directory information.

Students who opt out of having directory information shared are still required to wear their student ID cards.

Once the proper FERPA notification is given by the District, a parent/guardian or eligible student will have 14 days to notify the District of any objections they have to any of the “directory information” designations. If no objection is received, the district may release this information without prior approval of the parent/guardian or eligible student for the release. Once the student or parent/guardian provides the “opt-out,” it will remain in effect after the student is no longer enrolled in the school district.

The District may elect to provide a single notice regarding both directory information and information disclosed to military recruiters and institutions of higher education. 

Cross-ref: 1120, School District Records

4321, Programs for Students with Disabilities Under IDEA and Part 89

5550, Student Privacy

Ref: Family Educational Rights and Privacy Act, 20 USC 1232g; 34 CFR Part 99

No Child Left Behind Act, 20 USC §7908

10 USC §503 as amended by §544 of the National Defense Reauthorization Act for FY 2002

Education Law § 225

Public Officers Law §87(2)(a)

Arts and Cultural Affairs Law, Article 57-A (Local Government Records Law)

8 NYCRR 185.12 (Appendix I) Records Retention and Disposition, Schedule ED-1 for Use by School Districts and BOCES

 

Approved by the Board of Education: 2/25/10

Revision approved by the Board of Education: 7/08/25

 

PDF