Charter Data Privacy Jurisdictional Research

Ed Law 2-d

NY Education Law § 2-d

Statute: NY Education Law § 2-d (Article 2)
Regulations: 8 NYCRR Part 121
Enacted / Last Major Amendment: Originally 2014; substantially amended 2019; Part 121 promulgated 2020
Jurisdictional Layer: New York State (state)

Summary

THE major NY student data privacy statute. Requires every educational agency to adopt a Parents' Bill of Rights, designate a Data Protection Officer, align with NIST CSF, train staff annually, and tightly govern third-party-contractor data sharing.

Key Terms

  • Educational agency: School district, BOCES, charter school, NYSED, etc.
  • Third-party contractor: Any non-educational-agency entity that receives student data
  • Student data: Broader than FERPA 'education record'; includes PII about a student
  • Teacher or principal data: APPR-related teacher/principal records; separate but parallel protections

School-side obligations

  • Publish a Parents' Bill of Rights for Data Privacy and Security
  • Designate a Data Protection Officer (8 NYCRR § 121.6)
  • Adopt data security policy aligned with NIST Cybersecurity Framework
  • Provide annual data privacy and security training to all employees handling student data
  • Maintain an inventory of third-party contractors and data accessed
  • Publish supplemental information about each third-party contractor
  • Notify parents and NYSED CPO of any unauthorized release (breach)
  • Establish a parental complaint procedure
  • Include required data privacy provisions in every third-party contract

Vendor-side obligations

  • Sign contract incorporating Parents' Bill of Rights as supplement
  • Adopt NIST CSF-aligned technologies, safeguards, practices
  • Use student PII ONLY for authorized purposes
  • NOT sell, market, or commercialize student PII
  • Notify educational agency of breach without unreasonable delay, no later than 7 calendar days
  • Provide signed compliance certification
  • Permit on-site audit
  • Return or destroy PII at contract termination

Breach notification

Vendor → school: ≤7 calendar days from discovery. School → parents and NYSED CPO: ≤10 calendar days from receiving vendor notice (or self-discovery).

Enforcement

NYSED Chief Privacy Officer. Civil penalties up to $10,000 per violation, $25,000 per school year for material violations. No express private right of action; Article 78 review available.

NCSC AI Toolkit — Scanner Fields

These fields in the NCSC AI Toolkit derive from this statute:

  • ed_law_2d_compliant
  • requires_DPO
  • requires_parents_bill_of_rights
  • requires_third_party_supplemental_info
  • requires_annual_employee_training
  • cybersecurity_framework_required
  • breach_notification_window_vendor_to_school
  • breach_notification_window_school_to_parents

Case Law — Verification Queue

Pending vLex verification. Never cite these without verification.

  • Doe v. Albany City School District
    TBD
    Ed Law 2-d enforcement; verify on vLex
  • NYSED CPO enforcement actions
    TBD
    Administrative proceedings; vLex search

Open Questions / Unsettled Law

  • AI tutoring tools fit awkwardly within Part 121's third-party-contractor frame
  • De-identification standards: when is data sufficiently de-identified?
  • Sub-processor flow-through obligations
  • Free-tier edtech (teacher self-signup) is the largest compliance gap