New York Codes, Rules and Regulations
Title 8 - EDUCATION DEPARTMENT
Chapter II - Regulations of the Commissioner
Subchapter E - Elementary and Secondary Education
Part 121 - Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information
Section 121.9 - Third Party Contractors
Universal Citation: 8 NY Comp Codes Rules and Regs § 121.9
Current through Register Vol. 46, No. 12, March 20, 2024
(a) In addition to all other requirements for third-party contractors set forth in this Part, each third-party contractor that will receive student data or teacher or principal data shall:
(1) adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework;
(2) comply with the data security and privacy policy of the educational agency with whom it contracts; Education Law § 2-d; and this Part;
(3) limit internal access to personally identifiable information to only those employees or sub-contractors that need access to provide the contracted services;
(4) not use the personally identifiable information for any purpose not explicitly authorized in its contract;
(5) not disclose any personally identifiable information to any other party without the prior written consent of the parent or eligible student:
(i) except for authorized representatives of the third-party contractor such as a subcontractor or assignee to the extent they are carrying out the contract and in compliance with state and federal law, regulations and its contract with the educational agency; or
(ii) unless required by statute or court order and the third-party contractor provides a notice of disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of disclosure is expressly prohibited by the statute or court order.
(6) maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable information in its custody;
(7) use encryption to protect personally identifiable information in its custody while in motion or at rest; and
(8) not sell personally identifiable information nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
(b) Where a third-party contractor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the third-party contractor by state and federal law and contract shall apply to the subcontractor.