When almost every day brings word of hackers breaking into computer systems of large corporations and stealing the personal information of millions of customers, the Farmingdale Board of Education took a step forward, on Dec. 10, to protect the personally identifiable information (PII) of the district’s students. At their final meeting of calendar year, the seven-member Board of Education reviewed significant changes to district’s existing student records management policy.
The last item of business on this snowy night was a report given by Assistant Superintendent Administration Barbara J. Horsley. The veteran school administrator said the proposed changes were developed in a policy committee made of education board members, principals and other information technology professionals employed by the school district.
“We made sure to include a broad spectrum of people in order to develop consensus for these changes,” said Horsley.
The most significant change proposed would contractually require third party vendors who collect, store and analyze student records to comply with a state law—adopted last June by the New York State Assembly—to add significant protocols to safeguard that data. That data not only includes basics like name, date of birth, contact information and attendance records but also a photograph of each student and their participation in school activities. If the child is a student athlete, their weight and height are in the district’s database. Student social security numbers are not kept on file.
Spelled out in the contracts will be a “data security and privacy plan” that would require vendors to among other things: Limit the access of education records only to those employees who have a legitimate educational interest. Train employees in confidentiality procedures. Prohibit the use of student records for any other purposes than those authorized by the contract. Mandate the use of encryption technology for all files. Contractors would not be allowed to disclose any identifiable information about a student without their prior written consent or the consent of their parents. Breach of access procedures would also have to be in place as well as a notification plan to alert the district if student records have been hacked.
The new contracts would also include a copy of the “Parents’ Bill of Rights.” Also adopted from state law, the board passed the measure to create this data security manifesto at their
November meeting. Beyond notifying parents of the new protections required by vendors, it also informs them of their rights to complain about data breaches. Not only are parents able to register their concerns with the superintendent, but they can also contact the state education department’s newly christened Chief Privacy Officer. The bill of rights is already available online at the district’s website, www.farmingdaleschools.org.
The revised student records management policy will be voted on at the first Board of Education meeting of the year in January.