Education Law 2-D Rider
ADDENDUM TO AGREEMENT
Regarding
Data Privacy and Security
In Accordance with Section 2-d of the New York Education Law
This is an addendum (the "Addendum") to an agreement entered into by and between __________, with its principal place of business located at __________ ("Contractor"), and Highland Central School District, with its principal place of business located at 320 Pancake Hollow Road, Highland, NY 12528 ("District"). Upon being executed by Contractor's and District's authorized representatives, this Addendum shall be deemed to have been in full force and effect as of the effective date of the Agreement it amends.
WHEREAS, the District is an educational agency within the meaning of New York State Education Law, Section 2-d (“Section 2-d”), and Contractor is a third-party contractor within the meaning of Section 2-d; and
WHEREAS, Contractor and its authorized officers, employees, students and agents shall have access to “student personally identifiable information (PII),” “student data” and/or “teacher or principal data” regulated by Section 2-d; and
WHEREAS, the provisions of this Addendum are intended to comply with Section 2-d in all respects. To the extent that any term of the Agreement conflicts with the terms of this Addendum, the terms of this Addendum shall apply and be given effect.
NOW, THEREFORE, it is mutually agreed that the Agreement is hereby amended in accordance with this Addendum, as follows:
1. Confidential Information
1.1 Contractor agrees that in performing the Original Agreement with the District, Contractor may have access to confidential information in the possession of the District, including student, teacher or principal personally identifiable information (“PII”). For the purposes of this Addendum and the Original Agreement, it is agreed that the definition of Confidential Information includes all documentary, electronic or oral information made known to Contractor or developed or maintained by Contractor through any activity related to the Original Agreement. This Confidential Information includes student, teacher and/or principal data (as the terms are defined under Section 2-d).
1.2 Contractor agrees to comply with Section 2-d, and the corresponding regulations promulgated by the Commissioner of Education of New York (“Commissioner”) thereunder. In addition, Contractor agrees to comply with any changes in Section 2-d, or the Commissioner’s regulations that may be amended or modified during the term of the Original Agreement. Upon request by the District, Contractor shall provide the District with copies of its policies and related procedures that pertain to the protection of PII. It may be made available in a form that does not violate Contractor’s own information security policies, confidentiality obligations, and applicable laws.
1.3 Upon expiration of the Agreement to which this Addendum applies, without a successor agreement in place, Contractor shall assist the District in exporting all student, teacher and/or principal data previously received by Contractor from, or developed on behalf of, the District, and Contractor shall, at the request of the District, either securely delete any student, teacher and/or principal data remaining in Contractor's possession or return the student, teacher and/or principal data to the District. If student, teacher and/or principal data is to be maintained by Contractor for any lawful purpose, such data shall remain in an encrypted format and shall be stored on systems maintained by Contractor in a secure data facility located within the United States.
1.4 The parties further agree that the terms and conditions set forth in this Confidential Information section and all of its subparts shall survive the expiration and/or termination of the Original Agreement.
2. Data Inspection and Challenges to Data
Education Law Section 2-d and FERPA provide parents and eligible students the right to inspect and review their child's or the eligible student’s PII stored or maintained by the District. To the extent PII is held by Contractor pursuant to the Original Agreement, Contractor shall respond within thirty (30) calendar days to the District’s requests for access to PII so the District can facilitate such review by a parent or eligible student. If a parent or eligible student contacts Contractor directly to review any of the PII held by Contractor pursuant to the Original Agreement, Contractor shall promptly notify the District and refer the parent or eligible student to the District.
In the event that a student's parent or an eligible student wishes to challenge the accuracy of student data (pertaining to the particular student) that may include records maintained, stored, transmitted, and/or generated by Contractor pursuant to the Agreement, the challenge will be processed in accordance with the procedures of the District.
A teacher or principal who wishes to challenge the accuracy of data pertaining to the teacher or principal personally, which is disclosed to Contractor pursuant to the Agreement, shall do so in accordance with the procedures for challenging APPR data, as established by the District.
3. Training
Contractor represents and warrants that any of its officers, employees, and/or assignees who will have access to student, teacher and/or principal data pursuant to the Original Agreement will receive training on the federal and state laws governing confidentiality of such student, teacher and/or principal data, prior to obtaining initial or any further access to such data.
4. Use/Disclosure of Data
4.1 Contractor shall not sell or use for any commercial purpose student, teacher and/or principal data that is received by Contractor pursuant to the Agreement or developed by Contractor to fulfill its responsibilities pursuant to the Agreement.
4.2 Contractor shall use the student, teacher and/or principal data, records, or information solely for the exclusive purpose of and limited to that necessary for the Contractor to perform the duties and services required under the Original Agreement. Such services include, but are not limited to photography and the related processing of any photographs. Contractor shall not collect or use educational records of the District or any student, teacher and/or principal data of the District for any purpose other than as explicitly authorized in this Addendum or the Original Agreement.
4.3 Contractor shall ensure, to the extent that it receives student, teacher and/or principal data pursuant to the Agreement, that it will not share Confidential Information with any additional parties, including an authorized subcontractor or non-employee agent, without prior written consent of the District. Contractor shall indemnify and hold the District harmless from the acts and omissions of the Contractor’s employees and subcontractors.
5. Contractor's Additional Obligations under Section 2-d and this Addendum
Contractor acknowledges that, with respect to any student, teacher and/or principal data received through its relationship with the District pursuant to the Agreement it is obliged to maintain a Data Security & Privacy Plan, and fulfill the following obligations:
· execute, comply with and incorporate into this Addendum as Exhibit A, as required by Section 2-d, the Parents’ Bill of Rights for Data Privacy and Security developed by the District, as well as the supplemental information in Exhibit B;
· store all data transferred to Contractor pursuant to the Agreement by the District, in an electronic format on systems maintained by Contractor in a secure data facility located within the United States or hard copies under lock and key;
· limit internal access to student, teacher and/or principal data to Contractor's officers, employees and agents who are determined to need such access to such records or data to perform the services set forth in the Original Agreement;
· not disclose student, teacher and/or principal data to any other party who is not an authorized representative of Contractor using the information to carry out Contractor's obligations under the Agreement, unless: (I) the other party has the prior written consent of the applicable student's parent or of the eligible student; or (II) the other party has the prior written consent of the applicable teacher or principal; or (III) the disclosure is required by statute or court order, and notice of the disclosure is provided to the District no later than five business days before such information is required or disclosed (unless such notice is expressly prohibited by the statute or court order);
· use reasonable administrative, technical and physical safeguards that align with the NIST Cybersecurity Framework and are otherwise consistent with industry standards and best practices, including but not limited to encryption, firewalls and password protection as specified by the Secretary of the United States Department of HHS in any guidance issued under P.L. 111-5, Section 13402(H)(2), to protect the security, confidentiality and integrity of student and/or staff data of the District while in motion or in custody of Contractor from unauthorized disclosure;
· not mine Confidential Information for any purposes other than those agreed to in writing by the Parties. Data mining or scanning of user content for the purpose of advertising or marketing to students or their parents is prohibited;
· notify the District, in the most expedient way possible and without unreasonable delay, of any breach of security resulting in an unauthorized release of any PII. In addition, Contractor shall take immediate steps to limit and mitigate the damage of such security breach or unauthorized release to the greatest extent practicable, and promptly reimburse the District for the full cost of any notifications the District makes as a result of the security breach or unauthorized release. Contractor further acknowledges and understands that Contractor may be subject to civil and criminal penalties in accordance with Section 2-d for violations of Section 2-d and/or this Agreement.
· understand that any breach of the privacy or confidentiality obligations set forth in this Addendum may, at the sole discretion of the District, result in the District immediately terminating this Agreement; and
· familiarize its applicable officers, employees and agents with this Addendum and with the "Parents' Bill of Rights for Data Privacy and Security."
The Contractor acknowledges that failure to fulfill these obligations shall be a breach of the Agreement.
6. Except as specifically amended herein, all of the terms contained in the Original Agreement are hereby ratified and confirmed in all respects, and shall continue to apply with full force and effect.
IN WITNESS WHEREOF, Contractor and the District execute this Addendum to the Agreement as follows:
Contractor __________
District _____________