Purpose
District data is collected and stored by the Central New York Regional Information Center (CNYRIC) for the purpose of supporting districts participating in the CNYRIC’s services. District data will be used exclusively for the purposes of these services.
Data Ownership
Each participating district is the sole owner of its data, including but not limited to data transmitted by the district to the CNYRIC.
District data includes personally identifiable information (PII). PII is any information to which unauthorized access, disclosure, modification, destruction, or disruption of access or use could adversely impact students or district personnel. The privacy of the data we collect for districts is addressed by OCM BOCES Policy 2311, Confidentiality of Computerized Information.
Standards
The data protection procedures utilized by the CNYRIC comply with Service Organization Control (SOC) 2 security and privacy principles and criteria. Information describing SOC 2 principles and criteria is available from the American Institute of CPA’s at http://www.aicpa.org/.
Participating districts will be notified when there are changes to the data protection procedures adhered to by the CNYRIC.
The CNYRIC trains and supervises all personnel on data security and privacy standards. This includes departmental-level training on procedures specific to the type of data managed by each department. This also includes annual refresher training on policy and procedures.
Failure of CNYRIC personnel to comply with the specifics of this privacy and security notice may result in corresponding disciplinary measures, (see OCM BOCES policy 2311, Confidentiality of Computerized Information).
Periodically, the CNYRIC Data Privacy & Security Officer will monitor systems and processes to assure compliance, taking or recommending corrective actions whenever necessary. Additionally, when considering revisions to systems/services or evaluating new services/systems, SOC 2 principles and criteria are included in the processes.
Systems Description
Connections to all data systems are made only through a firewall, connections use encryption (SSL), virtual private networks (VPN), secure file transfer protocol (SFTP), and password hashing. Routine security patching and upgrading of systems, including desktop systems, are performed systematically. A variety of software is used to monitor systems for intrusion vulnerability.
Access Control
Access and authorization to data at the CNYRIC is based on a least privileged philosophy; user access is restricted by only allowing privileges to individuals based on job classification and function which must be approved by their department manager and, in some cases, an assistant director. Access control policy and procedures are communicated at least annually to the CNYRIC personnel and are supervised continuously by the CNYRIC management.
Access to reports provided by the CNYRIC and our permissions to make any changes to data or access to data is controlled by the participating districts’ trusted agents. The list of trusted agents is updated annually through a process that includes written approval from school district superintendents and notifying all CNYRIC employees about the current list of trusted agents.
Acceptable Use
Breach & Breach Notification
In the event of an adversarial or accidental data breach, the CNYRIC will adhere to policy 4571, Information Security Breach and Notification. Other issues of concern to districts or CNYRIC employees are to be communicated to the CNYRIC Data Privacy & Security Officer, Steven Tryon (315/433.2280, sjtryon@cnyric.org). All issues will be reviewed by the CNYRIC management team and addressed as necessary or as required by policy or law.
Data Retention & Disposal
District data is retained for no longer than necessary to fulfill the purposes described above or as required by law. When data is disposed by the CNYRIC it is done so in a manner that prevents loss, theft, misuse, or unauthorized access. The CNYRIC adheres to the ED-1 New York Records Retention Policy. The CNYRIC may not dispose of district data in the SIRS Level 2 - Data Warehouse as it is in the possession of New York State. The SIRS reporting process allows for records to be deleted in the regional, Level 1 - Data warehouse that are in error. The CNYRIC will dispose of records to correct data upon written request by the District’s trusted agent for each system.
The quality of district data is the sole responsibility of the participating district. Parental choice and consent is only expressed to the participating district, not to the CNYRIC. Corrections to district data must be expressed and made through the participating district.
Authorized Data Transfer
Prior to the transfer of any district data, the CNYRIC will receive the written permission of the district by a district trusted agent.
The CNYRIC will inform the district upon receipt of a request by legal authorities for the participating district’s data. The CNYRIC will give the participating district the opportunity to challenge the disclosure.
Third-party Services
When services utilized by the CNYRIC cause district data to reside off-site of the CNYRIC locations or give access to district data to individuals or entities who are not CNYRIC personnel, they must agree to and include in their contract for services, the following:
-
District data will be used solely for the purpose defined in the applicable contract which will be consistent with one or more of the purposes for which district data is provided to the CNYRIC;
-
District data will not be shared with any other entity or individual without the written permission of the CNYRIC unless required by statute or court order and the party provided a notice of the disclosure to the CNYRIC no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order. The CNYRIC will only give permission for the sharing of district data in accord with the provisions of the Authorized Data Transfer section above;
-
Upon the expiration of the contract, the third party service provider will delete any electronic district data in its possession and will notify the CNYRIC when the data has been deleted and/or disposed;
-
District data will be corrected upon request by the CNYRIC and the CNYRIC will be notified when the data has been corrected;
-
A requirement to comply with all Federal and State laws and regulations governing security and privacy of district data;
-
A description of the physical location of district data in their possession and of the administrative, technical, and physical safeguards utilized to assure the privacy and security of data in their possession and when transmitted;
-
Communicate with the CNYRIC in no less than 24 hours of any data breach or in the event district data is requested by legal authorities;
-
Internal access within the third party to district data is limited to those individuals that are determined to need such records or data to perform the services set forth in their contract with the CNYRIC;
-
Any officers or employees of the third party service provider who have access to district data have received or will receive training on the federal and state laws governing security and privacy of such data prior to receiving access to it.
Changes to Data Privacy & Security Notice
If this Notice is changed, the changes will be posted on the CNYRIC website and/or other appropriate venues accessible to participating districts.
This notice is reviewed at least annually for needed updates and to assure compliance with current Federal and New York State data privacy and security requirements.