New York Codes, Rules and Regulations
Title 8 - EDUCATION DEPARTMENT
Chapter II - Regulations of the Commissioner
Subchapter E - Elementary and Secondary Education
Part 121 - Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information
Section 121.5 - Data Security and Privacy Standard
Current through Register Vol. 46, No. 12, March 20, 2024
(a) As required by Education Law § 2-d(5), the Department adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies.
(b) Each educational agency shall adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF no later than October 1, 2020.
(c) Each educational agency's data security and privacy policy must also address the data privacy protections set forth in Education Law § 2-d(5) (b)(1) and (2) as follows:
(d) An educational agency's data security and privacy policy shall include all the protections afforded to parents or eligible students, where applicable, under FERPA and the Individuals with Disabilities Education Act ( 20 U.S.C. 1400 et seq.), and the federal regulations implementing such statutes.
(e) Each educational agency must publish its data security and privacy policy on its website and provide notice of the policy to all its Officers and employees.
