8 NYCRR Section 121.3

(c) The bill of rights shall also include supplemental information for each contract the educational agency enters into with a third-party contractor where the third-party contractor receives student data or teacher or principal data. The supplemental information must be developed by the educational agency and include the following information:

(1) the exclusive purposes for which the student data or teacher or principal data will be used by the third-party contractor, as defined in the contract;
(2) how the third-party contractor will ensure that the subcontractors, or other authorized persons or entities to whom the third-party contractor will disclose the student data or teacher or principal data, if any, will abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., FERPA; Education Law § 2-d);
(3) the duration of the contract, including the contract’s expiration date and a description of what will happen to the student data or teacher or principal data upon expiration of the contract or other written agreement (e.g., whether, when and in what format it will be returned to the educational agency, and/or whether, when and how the data will be destroyed);
(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected;
(5) where the student data or teacher or principal data will be stored, described in such a manner as to protect data security, and the security protections taken to ensure such data will be protected and data security and privacy risks mitigated; and
(6) address how the data will be protected using encryption while in motion and at rest.

Crosswalk of 8 NYCRR 121.3 requirements to company policy provisions

8 NYCRR 121.3 Requirement: (c)(2) Supplemental Information: Subcontractor compliance, and how the TPC ensures subcontractors abide by all applicable data protection and security requirements (e.g., FERPA; Ed Law § 2-d).
Company Policy Provision: SSY Terms of Use, School Addendum, Section 2, states that IYP employees, subcontractors, and agents involved in handling Student Data "will maintain the confidentiality" and "shall not redisclose such data except as necessary in order to provide the Solutions". The Physical Security Policy, Sections 8-10, generally requires third parties to comply with IYP's physical security requirements. Note: There is no explicit requirement for subcontractors to be contractually bound to all provisions of Education Law § 2-d.

8 NYCRR 121.3 Requirement: (c)(3) Supplemental Information: Contract duration and data handling upon expiration (expiration date, return/destruction details).
Company Policy Provision: SSY Security Statement, Section 6 ("Removal of RECORDS"), states that at "CONTRACT COMPLETION," staff will remove RECORDS from operational and backup data stores within sixty (60) days. The SSY Terms of Use, School Addendum, Section 4, offers a shorter 72-hour deletion window upon written request, with backup data removed within 60 days.

8 NYCRR 121.3 Requirement: (c)(4) Supplemental Information: Data accuracy challenge procedure for a parent, student, teacher or principal to challenge the accuracy of the collected data.
Company Policy Provision: SSY Security Statement, Section 6 ("Correction of RECORDS") and Section 3.1, directs Individuals or Guardians to "present themselves to the organization". The Organization (LEA) staff, Studio staff, and IYP staff may modify all records, and Guardians and Individuals may modify their own records "at the ORGANIZATION’S discretion".

8 NYCRR 121.3 Requirement: (c)(5) Supplemental Information: Data storage and security details on where the data will be stored and the security protections taken to mitigate risks.
Company Policy Provision: Storage Location: SSY Security Statement, Section 5, specifies that the database/web services are hosted using Amazon Web Services in us-east-1 (North Virginia). Security Protections: SSY Security Statement, Section 5, details the use of Amazon CloudWatch, GuardDuty, and CloudTrail for monitoring, threat detection, and auditing. The SSY Privacy Policy, Section 3, mentions using strict procedures, limited access, data encryption, and firewalls.

8 NYCRR 121.3 Requirement: (c)(6) Supplemental Information: Encryption addressing how data will be protected using encryption while in motion and at rest.
Company Policy Provision: In Motion (In Transit): The SSY Security Statement, Section 5, and the SSY Privacy Policy, Section 3, confirm all communications are encrypted end-to-end via SSL. At Rest: The Cryptography Policy, Page 2, specifies that "Confidential Data at Rest" uses the AES algorithm with a 256-bit key length.