In today’s digital classroom, finding the right tool to engage students is a priority. However, as an educator in New York State, bringing a new platform into your workflow involves more than just hitting "sign up." Because we handle Personally Identifiable Information (PII), we are bound by strict state and federal laws—most notably New York State Education Law Section 2-d and Part 121 of the Commissioner of Education's Regulations.
This guide outlines the process for requesting new platforms and explains why these safeguards are essential for protecting our students and our school.
--------------------------------------------------------------------------------
1. What exactly is PII?
Before requesting a tool, it’s helpful to know what we’re protecting. Personally Identifiable Information (PII) is any data that can be used to distinguish or trace a student's identity.
- Direct Identifiers: Name, address, or student ID number.
- Indirect Identifiers: Date of birth or other data points that, when combined, could identify a student.
If a website or app requires a student to log in, enter their name, or even just tracks their activity in a way that links back to them, it is likely handling PII.
2. The Legal "Why": Protecting Students from Commercialism
One of the most important aspects of Education Law 2-d is the Commercial or Marketing Purpose prohibition. By law, student PII cannot be sold or released for any commercial purpose, including:
- Receiving payment for data.
- Using data for advertising.
- Using student info to "improve" or market products to students.
Many free apps "pay" for their services by using user data for these purposes. Our vetting process ensures that any vendor we use legally waives these rights.
3. The Step-by-Step Request Process
Step A: Check for Existing Approval
Before submitting a new request, check if the tool is already vetted. If KIPP NYC has an existing Data Privacy Agreement (DPA) with the vendor, the process is much faster.
Step B: The Security Vetting
If the tool is new, the Tech and Legal teams must reach out to the vendor to secure a Data Privacy Agreement (DPA). This is a formal contract where the vendor agrees to:
- NIST Alignment: Their security practices must materially align with the NIST Cybersecurity Framework, the gold standard for school data security.
- Encryption: They must transform PII into an unusable form (encryption) while it is stored or being sent over the internet.
- Breach Notification: They must agree to notify the school within seven business days if any unauthorized access to data occurs.
Step C: Legal Review and "Redlining"
If a vendor provides their own terms or tries to change ours (known as "redlining"), our legal team must review them to ensure they don't compromise the protections required by the Parents' Bill of Rights.
Step D: Transparency and Public Posting
Once an agreement is signed, we are required to post Supplemental Information (Exhibit B of the DPA) on our website. This tells parents exactly what data is being collected and how it is being protected.
4. Why Does It Take So Long?
You may find that a site works one day and is blocked the next. This often happens because our filters use AI to dynamically categorize websites based on new security scans. If a site is not a "trusted 3rd party" in our Google environment, it hasn't yet passed the legal hurdles mentioned above.
Because this process involves legal negotiations and a deep dive into a vendor's technical safeguards (including their administrative and physical controls), it can take time. We handle these requests in the order they are received, balancing them against district-wide security priorities.
Summary Checklist for Teachers
- Does it need a login? If yes, it needs a DPA.
- Is it "free"? Be cautious; the "cost" might be the students' data.
- Plan ahead: Submit requests several weeks (or even months) before you need them.
- Have an alternative: In case the vendor refuses to sign our legal protections, have a backup vetted tool ready.
By following this process, we aren't just checking boxes; we are ensuring that our students can learn in a digital environment that is safe, secure, and free from commercial exploitation.