Parents and guardians of students attending school in the Commack Union Free School District are advised that they have the following rights with regard to student data:

(1)   Student data will not be released or sold by the District for commercial purposes.  PII, as defined by Education Law 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name or address, and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity.  

(2)   A parent or guardian has the right to inspect and review the complete contents of his or her child’s education record stored or maintained by an educational agency.  This right may not apply to parents of an Eligible Student.   

(3)   State and Federal laws such as Education Law 2-d; the Commissioner of Education’s Regulations; the Federal Educational Rights and Privacy Act; Children’s Online Privacy Protection Act; Protection of Pupil Rights Amendment; the Individuals with Disabilities Education Act protect the confidentiality of personally identifiable information. 

(4)   Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred.  

(5)   A list of all student data elements collected by New York State is available for public view at http://www.nysed.gov/data-privacy-security/student-data-inventory and by writing to Mr. Jose Santiago, Chief Data Privacy Officer at 480 Clay Pitts Road, East Northport, NY 11731. 631-912-2030, or [email protected]

(6)   Parents and guardians have the right to have complaints about possible breaches of student data addressed.  Complaints should be addressed to Mr. Jose Santiago, 480 Clay Pitts Road, East Northport, NY 11731, 631-912-2030, or [email protected] or Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234; by email to [email protected] or by telephone at 518-474-0937.

(7)   To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs. 

(8) Educational agency workers that handle PII will receive training on applicable state and federal laws, policies and safeguards associated with industry standards and best practices that protect PII.  

(9)  Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements. 

 

This Parent Bill of Rights will be included with every contract entered into by the District with an outside contractor if the contractor will receive student data or teacher or principal data.  This Parent Bill of Rights will be supplemented to include information about each contract that the District enters into with an outside contractor receiving confidential student data or teacher or principal data, including the exclusive purpose(s) for which the data will be used, how the contractor will ensure confidentiality and data protection and security requirements, the date of expiration of the contract and what happens to the data upon the expiration of the contract, if and how the accuracy of the data collected can be challenged, where the data will be stored and the security protections that will be taken.  

 

“District Data” means all information obtained by the Service Provider from the District or by the Service Provider in connection with the services provided by Service Provider pursuant to the Agreement, including but not limited to business, administrative and financial data, intellectual property, student and personnel data, and metadata.  The term, “District Data” does not include any information made publicly available by the District, with the exception of Personally Identifiable Information from student and personnel data.  

(1)   Use of District Data by Service Provider.  The District Data received by the Service Provider will be used only to perform Service Provider’s obligations pursuant to the Agreement and for no other purpose.

(2)   Storage and Security Protections.  The Service Provider will store and process District Data in accordance with commercial best practices, including appropriate administrative, physical, and technical safeguards, to secure District Data from unauthorized access, disclosure, alteration and use. The Service Provider will use industry-standard and up-to-date security tools and technologies such as anti-virus protections and intrusion detection methods in providing services pursuant to the Agreement.  Service Provider will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. 

(3)   Sharing Information with Other Persons and Entities.  The Service Provider will only share District Data with entities or persons authorized by the Agreement.  To the extent that District Data will be shared by the Service Provider with other authorized entities or persons not employed by Service Provider, the Service Provider will ensure that those persons or entities will be required to agree in writing that it/they will comply with all terms of the Agreement’s Plan for Security and Protection of Personally Identifiable Information, and any other Agreement provision relating to confidentiality of records and data security and privacy, including, but not limited to this Exhibit A.

(4)   Destruction/Return of Data.  Upon the termination of the Agreement for any reason, the Service Provider will, as directed by the District in writing, securely destroy (“securely destroy” means taking actions that render data written on physical (e.g., hard copy) or electronic media unrecoverable by both ordinary and extraordinary means) or return all District Data received by the Service Provider as soon as reasonably possible.  The District’s decision will be made in connection with all applicable laws, including the New York Arts and Cultural Affairs Law and the Records Retention and Disposition Schedule ED-1.  In connection with the secure destruction of any District Data, the Service Provider will provide a certificate of destruction (form and substance satisfactory to the District) to the District. 

(5)   Challenge to Accuracy of Data.  A parent or guardian, student, teacher or principal can challenge the accuracy of the Data received by the Service Provider by following applicable law (e.g., Family Educational Rights and Privacy Act), employment agreements, and policies, rules and regulations.  If the Service Provider receives a challenge to the accuracy of Data from a parent or guardian, student, teacher or principal, the Service Provider will notify the District in writing.  The Service Provider will not amend any Data without a written request from the District.