New York

New York Student Data Privacy

Requires Signed Agreement

Districts must execute written data privacy agreements with any vendor that collects or stores student information.

Summary:

New York’s Education Law §2-d, along with Part 121 of the Commissioner’s Regulations, establishes comprehensive protections for student data privacy and security. It requires every school district, BOCES, and charter school to safeguard personally identifiable information (PII) from unauthorized access, use, or disclosure. Under this law, districts must appoint a Data Protection Officer (DPO), adopt a Data Security and Privacy Policy aligned with NIST standards, and ensure that all third-party vendors sign a written Data Privacy Agreement (DPA) — commonly the NYSED Model DPA (Exhibit E) — before accessing student data. The law also prohibits the sale or commercial use of PII, mandates encryption of data in transit and at rest, and provides parents with rights to review and challenge the accuracy of their child’s information.

Key Requirements:

  • Written Agreements: Districts must execute a signed Data Privacy Agreement (DPA) with every vendor that collects, stores, or shares student or staff PII.
  • Data Protection Officer (DPO): Each district must appoint a DPO to oversee compliance, training, and breach response.
  • Data Security and Privacy Policy: Districts must adopt and publish a policy aligned with NIST cybersecurity standards.
  • Encryption: All PII must be encrypted both in transit and at rest.
  • Parental Rights: Parents have the right to inspect and review their child’s educational records and challenge inaccuracies.
  • Breach Notification: Districts must notify affected parties within 10 days of discovering a data breach.
  • No Commercial Use: Vendors are strictly prohibited from selling, using, or sharing PII for marketing or commercial purposes.
  • Transparency: Districts must publicly post executed DPAs and a “Parents’ Bill of Rights for Data Privacy and Security” on their websites.

NY State Resources:

How can EdPrivacy help?

Edprivacy streamlines New York Education Law §2-d and Part 121 compliance by automating the vendor vetting and agreement management process for districts. Instead of tracking individual contracts and policies manually, edprivacy centralizes everything in one secure dashboard. The platform helps to post signed Data Privacy Agreements (DPAs) or Exhibit E documents, stores effective dates and expiration dates, and provides a batch renewal process so that you can request and track renewals and updates. It also posts each vendor’s Parents’ Bill of Rights document, links to their Privacy Policy and Terms of Use, and provides a public approved technology list for reports or audits.

For ongoing monitoring, edprivacy integrates vendor privacy policy reviews, breach policy monitoring, and districtwide risk scoring, so districts can easily demonstrate adherence to Ed Law §2-d, respond quickly to vendor changes, and ensure that every approved app, tool, and service continues to meet New York’s strict student data privacy requirements.