
Parents' Bill of Rights

Parents and eligible students¹ can expect the following:

  1. A student’s personally identifiable information (PII)² cannot be sold or released for any commercial purpose.
  2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency.
  3. State and federal laws,³ such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of a student’s PII, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred.
  4. A complete list of all student data elements collected by NYSED is available for public review at www.nysed.gov/data-privacy-security, and by writing to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234.
  5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Complaints may be submitted to NYSED online at www.nysed.gov/data-privacy-security, by mail to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234, by email to privacy@nysed.gov, or by telephone at 518-474-0937. Parents and other stakeholders are also encouraged to contact Jericho UFSD’s Director of Technology Dr. Patrick Fogarty if they believe a data breach has taken place. He can be reached by phone (516 203-3600 ext. 3413) or email (pfogarty@jerichoschools.org).
  6. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.
  7. Educational agency workers that handle PII will receive training on applicable state and federal laws, the educational agency’s policies, and safeguards associated with industry standards and best practices that protect PII.
  8. Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.

1 “Parent” means a parent, legal guardian, or person in parental relation to a student. These rights may not apply to parents of eligible students defined as a student eighteen years or older. “Eligible Student” means a student 18 years and older.

2 “Personally identifiable information,” as applied to student data, means personally identifiable information as defined in section 99.3 of title thirty-four of the code of federal regulations implementing the family educational rights and privacy act, section twelve hundred thirty-two-g of title twenty of the United States code, and, as applied to teacher or principal data, means “personally identifying information” as such term is used in subdivision ten of section three thousand twelve-c of this chapter.

3 Information about other state and federal laws that protect student data such as the Children's Online Privacy Protection Act, the Protection of Pupil Rights Amendment, and NY’s Personal Privacy Protection Law.

Jericho Confidentiality and Data Security and Privacy Standards Addendum

This Addendum to ______ (the “Agreement”) is made and entered into this ___ day of ______, 2023, by and between ______ (the “Vendor”), having its principal place of business at _______________, and the Jericho Union Free School District (the “School District”), having its principal place of business at 99 Cedar Swamp Road, Jericho, New York 11753.
WHEREAS, the School District and the Vendor have entered into the Agreement, as set forth above, on ______; and
WHEREAS, the Vendor will receive “student data” as that term is defined in New York Education Law section 2-d; and
WHEREAS, both the School District and Vendor are desirous of fulfilling their respective obligations under federal and state data security and privacy laws, including, but not limited to, New York Education Law section 2-d;

NOW THEREFORE, in consideration of the mutual promises and covenants contained in this Addendum and the Agreement, the parties hereto mutually agree as follows:

a. SERVICE PROVIDER, its employees, and/or agents agree that all information obtained in connection with the services provided for in this Agreement is deemed confidential information. SERVICE PROVIDER, its employees, and/or agents shall not use, publish, discuss, disclose or communicate the contents of such information, directly or indirectly with third parties, except as provided for in this Agreement. SERVICE PROVIDER further agrees that any information received by SERVICE PROVIDER, its employees, and/or agents during the course of the services provided pursuant to this Agreement which concerns the personal, financial, or other affairs of SCHOOL DISTRICT, its employees, agents, clients, and/or students will be treated by SERVICE PROVIDER, its employees, and/or agents in full confidence and will not be revealed to any other persons, firms, or organizations.

b. SERVICE PROVIDER acknowledges that it may receive and/or come into contact with personally identifiable information, as defined by New York Education Law Section 2-d, from records maintained by SCHOOL DISTRICT that directly relate to a student(s) (hereinafter referred to as “education record”). SERVICE PROVIDER understands and acknowledges that it shall have in place sufficient protections and internal controls to ensure that information is safeguarded in accordance with applicable laws and regulations, and understands and agrees that it is responsible for complying with state data security and privacy standards for all personally identifiable information from education records, and it shall:

i. limit internal access to education records to those individuals that are determined to have legitimate educational interests;

ii. not use the education records for any purposes other than those explicitly authorized in this Agreement;

iii. maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of education records in its custody; and

iv. use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5 and the National Institute of Standards and Technology Cyber Security Framework Version 1.1.

c. SERVICE PROVIDER further understands and agrees that it is responsible for submitting a data security and privacy plan to SCHOOL DISTRICT prior to the start of the term of this Agreement. Such plan shall outline how all state, federal and local data security and privacy contract requirements will be implemented over the life of the contract consistent with SCHOOL DISTRICT’s policy on data security and privacy, as adopted. Further, such plan shall include a signed copy of SCHOOL DISTRICT’s Parents’ Bill of Rights and the training requirement established by SERVICE PROVIDER for all employees who will receive personally identifiable information from student records (hereinafter referred to as “student data”).

d. SERVICE PROVIDER understands that as part of SCHOOL DISTRICT’s obligations under New York Education Law Section 2-d, SERVICE PROVIDER is responsible for providing SCHOOL DISTRICT with supplemental information to be included in SCHOOL DISTRICT’s Parents’ Bill of Rights. Such supplemental information shall be provided to SCHOOL DISTRICT within ten (10) days of execution of this Agreement and shall include:

i. the exclusive purposes for which the student data will be used;

ii. how SERVICE PROVIDER will ensure that subcontractors, persons or entities that SERVICE PROVIDER will share the student data with, if any, will abide by data protection and security requirements;

iii. that student data will be returned or destroyed upon expiration of the Agreement;

iv. if and how a parent, student, or eligible student may challenge the accuracy of the student data that is collected; and

v. where the student data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.

e. In the event of a breach of the within confidentiality and data security and privacy standards provision and unauthorized release of student data, SERVICE PROVIDER shall immediately notify SCHOOL DISTRICT and advise it as to the nature of the breach and steps SERVICE PROVIDER has taken to minimize said breach. Said notification must be made within seven (7) days of the breach. In the case of required notification to a parent or eligible student, SERVICE PROVIDER shall promptly reimburse SCHOOL DISTRICT for the full cost of such notification. In the event that law enforcement becomes involved in a data breach in the SCHOOL DISTRICT, the vendor must cooperate with the SCHOOL DISTRICT and law enforcement to investigate and/or remediate the breach.

f. In the event that SERVICE PROVIDER fails to notify SCHOOL DISTRICT of a breach, said failure shall be punishable by a civil penalty of the greater of $5,000 or up to $10 per student, teacher and principal whose data was released, provided that the maximum penalty imposed shall not exceed the maximum penalty imposed under General Business Law, section 899-aa(6)(a). Upon conclusion of an investigation, if the Chief Privacy Officer determines that a third-party contractor has through its actions or omissions caused student data or teacher or principal data to be breached or released to any person or entity not authorized by law to receive such data in violation of applicable state or federal law, the data and security policies of the educational agency, and/or any binding contractual obligations, the Chief Privacy Officer shall notify the third-party contractor of such finding and give the third-party contractor no more than 30 days to submit a written response.

g. Except as set forth in paragraph (f) above, in the event SERVICE PROVIDER violates Education Law 2-d, said violation shall be punishable by a civil penalty of up to $1,000. A second violation involving the same data shall be punishable by a civil penalty of up to $5,000. Any subsequent violation involving the same data shall be punishable by a civil penalty of up to $10,000. Each violation shall be considered a separate violation for purposes of civil penalties and the total penalty shall not exceed the maximum penalty imposed under General Business Law section 899-aa(6)(a).

h. SERVICE PROVIDER shall indemnify and hold SCHOOL DISTRICT harmless from any claims arising from its breach of the within confidentiality and data security and privacy standards provision.

Upon termination of this Agreement, SERVICE PROVIDER shall return or destroy all confidential information obtained in connection with the services provided herein and/or student data. Destruction of the confidential information and/or student data shall be accomplished utilizing an approved method of confidential destruction, including shredding, burning or certified/witnessed destruction of physical materials and verified erasure of magnetic media using approved methods of electronic file destruction. The parties further agree that the terms and conditions set forth herein shall survive the expiration and/or termination of this Agreement.

Jericho UFSD Data Security and Privacy Plan

As per the Agreement between the undersigned and the Jericho Union Free School District, this plan must be completed by the Service Provider within 10 days of execution of the Agreement.

1. Exclusive Purposes for Data Use

a. Please list the exclusive purposes for which the student data [or teacher or principal data] will be used by the service provider.

2. Data Accuracy/Correction Practices

a. Parent [student, eligible student, teacher or principal] may challenge the accuracy of the data by...

3. Subcontractor Oversight Details

a. This contract has subcontractors: Yes / No
b. Describe how the contractor will ensure subcontractors abide by data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations:

4. Security Practices

a. Where is the data stored? (described in such a manner as to protect data security)

b. The security protection practices taken to ensure data will be protected include:

  1. Contract Lifecycle Practices

    a. The agreement expires __________________
    b. When the agreement expires,

    i. How long is the student data [or teacher or principal data] retained?
    ii. How is the student data disposed?
  2. Encryption Practices
    a. Data encryption is applied in accordance with Education Law 2-d 5(f)(5)

  3. Training Practices

    a. Training on federal and state law governing confidentiality is provided for all officers, employees, or assignees who have access to student [or teacher or principal] data