Privacy Policy

Table Of Contents

Policy on Data Privacy and Security
Data Collection Transparency and Restrictions
Chief Privacy Officer
Data Protection Officer
Public Prep Data Privacy and Security Standards
Third-Party Contractors
Parents' Bill of Rights for Data Privacy and Security
Right of Parents and Eligible Students to Inspect and Review Students' Education Records
Complaints of Breach or Unauthorized Release of Student Data and/or Teacher or Principal Data
Reporting a Breach or Unauthorized Release
Investigation of Reports of Breach or Unauthorized Release by the Chief Privacy Officer
Notification of a Breach or Unauthorized Release
Compliance with Public Prep Acceptable Use Policy for Technology and the Internet
Annual Data Privacy and Security Training
Notification of Policy

Effective: October 2020

Policy on Data Privacy and Security

This Policy addresses Public Prep Charter School Academies’ (“Public Prep”) responsibility to adopt appropriate administrative, technical, and physical safeguards and controls to protect and maintain the confidentiality, integrity, and availability of its data, data systems, and information technology resources.

Public Prep is committed to maintaining the privacy and security of student data and teacher and principal data and will follow all applicable laws and regulations for the handling and storage of this data in by Public Prep and when disclosing or releasing it to others, including, but not limited to, third-party contractors. Public Prep adopts this policy to implement the requirements of Education Law Section 2-d and its implementing regulations, as well as to align the School's data privacy and security practices with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1).

Definitions

As provided in Education Law Section 2-d and/or its implementing regulations, the following terms, as used in this policy, will mean:

  • a) "Breach" means the unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal data by or to a person not authorized to acquire, access, use, or receive the student data and/or teacher or principal data.
  • b) "Building principal" means a building principal subject to annual performance evaluation review under the provisions of Education Law Section 3012-c.
  • c) "Classroom teacher" means a teacher subject to annual performance evaluation review under the provisions of Education Law Section 3012-c.
  • d) "Commercial or marketing purpose" means the sale of student data; or its use or disclosure for purposes of receiving remuneration, whether directly or indirectly; the use of student data for advertising purposes, or to develop, improve, or market products or services to students.
  • e) "Contract or other written agreement" means a binding agreement between an educational agency and a third-party, which includes, but is not limited to, an agreement created in electronic form and signed with an electronic or digital signature or a click-wrap agreement that is used with software licenses, downloaded, and/or online applications and transactions for educational technologies and other technologies in which a user must agree to terms and conditions prior to using the product or service.
  • f) "Disclose" or "disclosure" means to permit access to, or the release, transfer, or other communication of personally identifiable information by any means, including oral, written, or electronic, whether intended or unintended.
  • g) "Education records" means an education record as defined in the Family Educational Rights and Privacy Act and its implementing regulations, 20 USC Section 1232g and 34 CFR Part 99, respectively.
  • h) "Educational agency" means a school district, charter school, board of cooperative educational services (BOCES), or the New York State Education Department (NYSED).
  • i) "Eligible student" means a student who is eighteen years or older.
  • j) "Encryption" means methods of rendering personally identifiable information unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified or permitted by the Secretary of the United States Department of Health and Human Services in guidance issued under 42 USC Section 17932(h)(2).
  • k) "FERPA" means the Family Educational Rights and Privacy Act and its implementing regulations, 20 USC Section 1232g and 34 CFR Part 99, respectively.
  • l) "NIST Cybersecurity Framework" means the U.S. Department of Commerce National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1). A copy of the NIST Cybersecurity Framework is available at the Office of Counsel, State Education Department, State Education Building, Room 148, 89 Washington Avenue, Albany, New York 12234.
  • m) "Parent" means a parent, legal guardian, or person in parental relation to a student.
  • n) "Personally identifiable information (PII)," as applied to student data, means personally identifiable information as defined in 34 CFR Section 99.3 implementing the Family Educational Rights and Privacy Act, 20 USC Section 1232g, and, as applied to teacher or principal data, means personally identifying information as this term is defined in Education Law Section 3012-c(10).
  • o) "Release" has the same meaning as disclosure or disclose.
  • p) "Student" means any person attending or seeking to enroll in an educational agency.
  • q) "Student data" means personally identifiable information from the student records of an educational agency.
  • r) "Teacher or principal data" means personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law Sections 3012-c and 3012-d.
  • s) "Third-party contractor" means any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to the educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of the educational agency, or audit or evaluation of publicly funded programs. This term will include an educational partnership organization that receives student and/or teacher or principal data from a school to carry out its responsibilities pursuant to Education Law Section 211-e and is not an educational agency, and a not-for-profit corporation or other nonprofit organization, other than an educational agency.
  • t) "Unauthorized disclosure" or "unauthorized release" means any disclosure or release not permitted by federal or state statute or regulation, any lawful contract or written agreement, or that does not respond to a lawful order of a court or tribunal or other lawful order.

Data Collection Transparency and Restrictions

As part of its commitment to maintaining the privacy and security of student data and teacher and principal data, Public Prep will take steps to minimize its collection, processing, and transmission of PII.

Public Prep will monitor its data systems, develop incident response plans, limit access to PII to Public Prep employees, interns, volunteers, independent contractors, and third-party contractors who need such access to fulfill their professional responsibilities or contractual obligations, and destroy PII when it is no longer needed.

Additionally, Public Prep will:

  • a) Not sell PII nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
  • b) Ensure that it has provisions in its contracts with third-party contractors or in separate data sharing and confidentiality agreements that require the confidentiality of shared student data or teacher or principal data be maintained in accordance with law, regulation, and Public Prep policy.

Except as required by law or in the case of educational enrollment data, Public Prep will not report to NYSED the following student data elements:

  • a) Juvenile delinquency records;
  • b) Criminal records;
  • c) Medical and health records; and
  • d) Student biometric information.

Certain federal laws and regulations provide additional rights regarding confidentiality of and access to student records, as well as permitted disclosures without consent.

Chief Privacy Officer

The Commissioner of Education has appointed a Chief Privacy Officer who will report to the Commissioner on matters affecting privacy and the security of student data and teacher and principal data. Among other functions, the Chief Privacy Officer is authorized to provide assistance to educational agencies within the state on minimum standards and best practices associated with privacy and the security of student data and teacher and principal data.

Public Prep will comply with its obligation to report breaches or unauthorized releases of student data or teacher or principal data to the Chief Privacy Officer in accordance with Education Law Section 2-d, its implementing regulations, and this policy.

The Chief Privacy Officer has the power, among others, to:

  • a) Access all records, reports, audits, reviews, documents, papers, recommendations, and other materials maintained by the School that relate to student data or teacher or principal data, which includes, but is not limited to, records related to any technology product or service that will be utilized to store and/or process PII; and
  • b) Based upon a review of these records, require the School to act to ensure that PII is protected in accordance with laws and regulations, including but not limited to requiring the School to perform a privacy impact and security risk assessment.

Data Protection Officer

Public Prep has designated an employee to serve as the Public Prep’s Data Protection Officer. The Data Protection Officer for Public Prep will be appointed (or re-appointed, as the case may be) at Public Prep’s Annual Meeting at such other time annually as Public Prep may designate from time to time.

The Data Protection Officer is responsible for the implementation and oversight of this policy and any related procedures including those required by Education Law Section 2-d and its implementing regulations to develop and maintain a comprehensive Data Privacy and Security Program. The Data Protection Officer will serve as the main point of contact for Public Prep’s Data Privacy and Security Program.

Public Prep will ensure that the Data Protection Officer has the appropriate knowledge, training, and experience to administer these functions. The Data Protection Officer may perform these functions in addition to other job responsibilities.

Public Prep Data Privacy and Security Standards

Public Prep will use the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1) (Framework) as the standard for its data privacy and security program. The Framework is a risk-based approach to managing cybersecurity risk and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework provides a common taxonomy and mechanism for organizations to:

  • a) Describe their current cybersecurity posture;
  • b) Describe their target state for cybersecurity;
  • c) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • d) Assess progress toward the target state; and
  • e) Communicate among internal and external stakeholders about cybersecurity risk.

Public Prep will protect the confidentiality and privacy of student and teacher/principal PII while stored or transferred by:

  • a) Ensuring that every use and disclosure of PII by Public Prep benefits students and Public Prep by considering, among other criteria, whether the use and/or disclosure will:
  1. Improve academic achievement;
  2. Empower parents and students with information; and/or
  3. Advance efficient and effective school operations.
  • b) Not including PII in public reports or other public documents. The Data Protection Officer will, together with program offices, determine whether a proposed use of PII is not included in public reports or other documents, or otherwise publicly disclosed.
  • c) Using industry standard safeguards and best practices, such as encryption, firewalls, and passwords.

The School affords all protections under FERPA and the Individuals with Disabilities Education Act and their implementing regulations to parents or eligible students, where applicable.

Third-Party Contractors

Public Prep Responsibilities:
Public Prep will ensure that whenever it enters into a contract or other written agreement with a third-party contractor and the third-party contractor will receive student data or teacher or principal data from Public Prep, the contract or written agreement will include provisions requiring that confidentiality of shared student data or teacher or principal data be maintained in accordance with federal and state laws and regulations, and Public Prep policy.

In addition, Public Prep will ensure that the contract or written agreement includes the third-party contractor's data privacy and security plan that has been accepted by Public Prep.

The third-party contractor's data privacy and security plan must, at a minimum:

  • a) Outline how the third-party contractor will implement all state, federal, and local data privacy and security contract requirements over the life of the contract, consistent with Public Prep policy;
  • b) Specify the administrative, operational, and technical safeguards and practices the third-party contractor has in place to protect PII that it will receive under the contract;
  • c) Demonstrate that the third-party contractor complies with the requirements of 8 NYCRR Section 121.3(c);
  • d) Specify how officers or employees of the third-party contractor and its assignees who have access to student data or teacher or principal data receive or will receive training on the federal and state laws and regulations governing confidentiality of this data prior to receiving access;
  • e) Specify if the third-party contractor will utilize subcontractors and how it will manage those relationships and contracts to ensure PII is protected;
  • f) Specify how the third-party contractor will manage data privacy and security incidents that implicate PII including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify Public Prep;
  • g) Describe whether, how, and when data will be returned to Public Prep, transitioned to a successor contractor, at the Public Prep’s option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires; and

Public Prep will also ensure that the contract or written agreement with the third-party contractor includes a signed copy of the Parents' Bill of Rights for Data Privacy and Security.

Third-Party Contractor Responsibilities:
Each third-party contractor, that enters into a contract or other written agreement with Public Prep under which the third-party contractor will receive student data or teacher or principal data from Public Prep, is required to:

  • a) Adopt technologies, safeguards, and practices that align with the NIST Cybersecurity Framework;
  • b) Comply with Public Prep’s data security and privacy policy, Education Law Section 2-d and its implementing regulations, and applicable laws impacting the School;
  • c) Limit internal access to PII to only those employees or subcontractors that need access to provide the contracted services;
  • d) Not use the PII for any purpose not explicitly authorized in its contract;
  • e) Not disclose any PII to any other party without the prior written consent of the parent or eligible student (i.e., students who are eighteen years old or older):
  1. Except for authorized representatives of the third-party contractor such as a subcontractor or assignee to the extent they are carrying out the contract and in compliance with law, regulation, and its contract with the School; or
  2. Unless required by law or court order and the third-party contractor provides notice of disclosure to NYSED, the Board, or the institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by law or court order;
  • f) Maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of PII in its custody;
  • g) Use encryption to protect PII in its custody while in motion or at rest; and
  • h) Not sell PII nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.

Where a third-party contractor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the third-party contractor by state and federal laws and contract with Public Prep apply to the subcontractor.

If the third-party contractor has a breach or unauthorized release of PII, it will promptly notify Public Prep in the most expedient way possible without unreasonable delay but no more than seven (7) calendar days after the breach’s discovery.

Click-Wrap Agreements:
Periodically, Public Prep staff may wish to use software, applications, or other technologies in which the user must "click" a button or box to agree to certain online terms of service prior to using the software, application, or other technology. These are known as "click-wrap agreements" and are considered legally binding "contracts or other written agreements" under Education Law Section 2-d and its implementing regulations.

Public Prep staff are prohibited from using software, applications, or other technologies pursuant to a click-wrap agreement in which the third-party contractor receives student data or teacher or principal data from the School unless they have received prior approval from the School's Data Protection Officer or designee.

Public Prep will develop and implement procedures requiring prior review and approval for staff use of any software, applications, or other technologies pursuant to click-wrap agreements.

Parents' Bill of Rights for Data Privacy and Security

Public Prep will publish its Parents' Bill of Rights for Data Privacy and Security (Bill of Rights) on its website. Additionally, Public Prep will include the Bill of Rights with every contract or other written agreement it enters into with a third-party contractor under which the third-party contractor will receive student data or teacher or principal data from Public Prep.

Public Prep’s Bill of Rights will state in clear and plain English terms that:

  • a) Student PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with State and Federal Law;
  • b) A student's PII cannot be sold or released for any marketing or commercial purposes by Public Prep or any third-party contractor. Public Prep will not sell student personally identifiable information and will not release it for marketing or commercial purposes, other than directory information released by Public Prep in accordance with Public Prep policy;
  • c) Parents have the right to inspect and review the complete contents of their child's education record;
  • d) State and federal laws, such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, protect the confidentiality of PII, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred;
  • e) A complete list of all student data elements collected by the State Education Department is available for public review at the following website http://www.nysed.gov/data-privacy-security/student-data-inventory or by writing to Chief Privacy Officer, New York State Education Department, Room 865 EBA, 89 Washington Avenue, Albany, New York 12234; and
  • f) Parents have the right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Complaints should be directed to (insert school contact information including title, phone number, email and mailing address here). Complaints can also be directed to the New York State Education Department by mail to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234, by email to privacy@mail.nysed.gov, or by telephone at 5178-474-0937. Complaints may also be submitted online by using the form available at the following website http://www.nysed.gov/data-privacy-security/report-improper-disclosure.
  • g) Parents have the right to be notified in accordance to applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.
  • h) Parents can expect that Public Prep employees who handle PII will receive annual training on applicable federal and state laws, regulations, educational agency’s policies and safeguards which will be in alignment with industry standards and best practices to protect PII.

The Bill of Rights will also include supplemental information for each contract Public Prep enters into with a third-party contractor where the third-party contractor receives student data or teacher or principal data from Public Prep. The supplemental information must be developed by the School and include the following information:

  • a) The exclusive purposes for which the student data or teacher or principal data will be used by the third-party contractor, as defined in the contract;
  • b) How the third-party contractor will ensure that the subcontractors, or other authorized persons or entities to whom the third-party contractor will disclose the student data or teacher or principal data, if any, will abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable laws and regulations (e.g., FERPA; Education Law Section 2-d);
  • c) The duration of the contract, including the contract's expiration date, and a description of what will happen to the student data or teacher or principal data upon expiration of the contract or other written agreement (e.g., whether, when, and in what format it will be returned to the School, and/or whether, when, and how the data will be destroyed);
  • d) If and how a parent, student, eligible student, teacher, or principal may challenge the accuracy of the student data or teacher or principal data that is collected;
  • e) Where the student data or teacher or principal data will be stored, described in a manner as to protect data security, and the security protections taken to ensure the data will be protected and data privacy and security risks mitigated; and
  • f) Address how the data will be protected using password protections, administrative procedures, encryption while in motion and at rest, and firewalls.

Public Prep will publish on its website the supplement to the Bill of Rights (i.e., the supplemental information described above) for any contract or other written agreement it has entered into with a third-party contractor that will receive PII from Public Prep. The Bill of Rights and supplemental information may be redacted to the extent necessary to safeguard the privacy and/or security of the Public Prep s data and/or technology infrastructure.

Right of Parents and Eligible Students to Inspect and Review Students' Education Records

Consistent with the obligations of the School under FERPA, parents and eligible students have the right to inspect and review a student's education record by making a request directly to the School in a manner prescribed by the School.

Public Prep will ensure that only authorized individuals are able to inspect and review student data. To that end, Public Prep will take steps to verify the identity of parents, guardians, or eligible students who submit requests to inspect and review an education record and verify the individual's authority to do so.

Requests by a parent, guardian, or eligible student for access to a student's education records must be directed to the School and not to a third-party contractor. Public Prep may require that requests to inspect and review education records be made in writing.

Public Prep will notify parents, guardians, and eligible students annually of their right to request to inspect and review the student’s education record including any student data stored or maintained by the School through its annual FERPA notice. A notice separate from Public Prep 's annual FERPA notice is not required.

Public Prep will comply with a request for access to records within a reasonable period, but not more than 45 calendar days after receipt of a request barring extenuating circumstances.

If the parent, guardian, or eligible student consents, Public Prep may provide the records electronically. Public Prep must transmit the PII in a way that complies with laws and regulations. Safeguards associated with industry standards and best practices, including but not limited to encryption and password protection, must be in place when education records requested by a parent, guardian, or eligible student are electronically transmitted.

Complaints of Breach or Unauthorized Release of Student Data and/or Teacher or Principal Data

Public Prep will inform parents/guardians, through its Parents' Bill of Rights for Data Privacy and Security, that they have the right to submit complaints about possible breaches of student data to the Chief Privacy Officer at NYSED. In addition, Public Prep has established the following procedures for parents, guardians, eligible students, teachers, principals, and other Public Prep staff to file complaints with Public Prep about breaches or unauthorized releases of student data and/or teacher or principal data:

  • a) All complaints must be submitted to the Public Prep's Data Protection Officer in writing, utilizing a complaint form available on Public Prep’s website.
  • b) Upon receipt of a complaint, Public Prep will promptly acknowledge receipt of the complaint, commence an investigation, and take the necessary precautions to protect PII.
  • c) Following the investigation of a submitted complaint, Public Prep will provide the individual who filed the complaint with its findings. This will be completed within a reasonable period of time, but no more than 60 calendar days from the receipt of the complaint by Public Prep.
  • d) If Public Prep requires additional time, or where the response may compromise security or impede a law enforcement investigation, Public Prep will provide the individual who filed the complaint with a written explanation that includes the approximate date when Public Prep anticipates that it will respond to the complaint.

These procedures will be disseminated to parents, guardians, eligible students, teachers, principals, and other School staff.

Public Prep will maintain a record of all complaints of breaches or unauthorized releases of student data and their disposition in accordance with applicable data retention policies.

Reporting a Breach or Unauthorized Release

Public Prep’s Data Protection Officer will report every discovery or report of a breach or unauthorized release of student data or teacher or principal data within the School to the Chief Privacy Officer without unreasonable delay, but no more than ten calendar days after the discovery.

Each third-party contractor that receives student data or teacher or principal data pursuant to a contract or other written agreement entered into with Public Prep will be required to promptly notify Public Prep of any breach of security resulting in an unauthorized release of the data by the third-party contractor or its assignees in violation of applicable laws and regulations, the Parents' Bill of Rights for Student Data Privacy and Security, Public Prep policy, and/or binding contractual obligations relating to data privacy and security, in the most expedient way possible and without unreasonable delay, but no more than seven calendar days after the discovery of the breach.

In the event of notification from a third-party contractor, Public Prep will in turn notify the Chief Privacy Officer of the breach or unauthorized release of student data or teacher or principal data no more than ten calendar days after it receives the third-party contractor's notification using a form or format prescribed by NYSED.

Investigation of Reports of Breach or Unauthorized Release by the Chief Privacy Officer

The Chief Privacy Officer is required to investigate reports of breaches or unauthorized releases of student data or teacher or principal data by third-party contractors. As part of an investigation, the Chief Privacy Officer may require that the parties submit documentation, provide testimony, and may visit, examine, and/or inspect the third-party contractor's facilities and records.

Upon the belief that a breach or unauthorized release constitutes criminal conduct, the Chief Privacy Officer is required to report the breach and unauthorized release to law enforcement in the most expedient way possible and without unreasonable delay.

Third-party contractors are required to cooperate with the School and law enforcement to protect the integrity of investigations into the breach or unauthorized release of PII.

Upon conclusion of an investigation, if the Chief Privacy Officer determines that a third-party contractor has through its actions or omissions caused student data or teacher or principal data to be breached or released to any person or entity not authorized by law to receive this data in violation of applicable laws and regulations, Public Prep policy, and/or any binding contractual obligations, the Chief Privacy Officer is required to notify the third-party contractor of the finding and give the third-party contractor no more than 30 days to submit a written response.

If after reviewing the third-party contractor's written response, the Chief Privacy Officer determines the incident to be a violation of Education Law Section 2-d, the Chief Privacy Officer will be authorized to:

  • a) Order the third-party contractor be precluded from accessing PII from the affected educational agency for a fixed period of up to five years;
  • b) Order that a third-party contractor or assignee who knowingly or recklessly allowed for the breach or unauthorized release of student data or teacher or principal data be precluded from accessing student data or teacher or principal data from any educational agency in the state for a fixed period of up to five years;
  • c) Order that a third-party contractor who knowingly or recklessly allowed for the breach or unauthorized release of student data or teacher or principal data will not be deemed a responsible bidder or offeror on any contract with an educational agency that involves the sharing of student data or teacher or principal data, as applicable for purposes of General Municipal Law Section 103 or State Finance Law Section 163(10)(c), as applicable, for a fixed period of up to five years; and/or
  • d) Require the third-party contractor to provide additional training governing confidentiality of student data and/or teacher or principal data to all its officers and employees with reasonable access to this data and certify that the training has been performed at the contractor's expense. This additional training is required to be performed immediately and include a review of laws, rules, and regulations, including Education Law Section 2-d and its implementing regulations.

If the Chief Privacy Officer determines that the breach or unauthorized release of student data or teacher or principal data on the part of the third-party contractor or assignee was inadvertent and done without intent, knowledge, recklessness, or gross negligence, the Chief Privacy Officer may make a recommendation to the Commissioner that no penalty be issued to the third-party contractor.

The Commissioner would then make a final determination as to whether the breach or unauthorized release was inadvertent and done without intent, knowledge, recklessness or gross negligence and whether or not a penalty should be issued.

Notification of a Breach or Unauthorized Release

Public Prep will notify affected parents, eligible students, teachers, and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach or unauthorized release of PII by Public Prep or the receipt of a notification of a breach or unauthorized release of PII from a third-party contractor unless that notification would interfere with an ongoing investigation by law enforcement or cause further disclosure of PII by disclosing an unfixed security vulnerability. Where notification is delayed under these circumstances, Public Prep will notify parents, eligible students, teachers, and/or principals within seven calendar days after the security vulnerability has been remedied or the risk of interference with the law enforcement investigation ends.

Notifications will be clear, concise, use language that is plain and easy to understand, and to the extent available, include:

  • a) A brief description of the breach or unauthorized release, the dates of the incident and the date of discovery, if known;
  • b) A description of the types of PII affected;
  • c) An estimate of the number of records affected;
  • d) A brief description of the School's investigation or plan to investigate; and
  • e) Contact information for representatives who can assist parents or eligible students that have additional questions.

Notification will be directly provided to the affected parent, guardian, eligible student, teacher, or principal by first-class mail to their last known address, by email, or by telephone.

Where a breach or unauthorized release is attributed to a third-party contractor, the third-party contractor is required to pay for or promptly reimburse the School for the full cost of this notification.

The Data Protection Officer must annually report to the Board of Education on data privacy and security activities and progress, any changes to data privacy and security measures, the number and disposition of reported breaches, if any, and a summary of any complaints submitted pursuant to Education Law 2-d.

Compliance with Public Prep Acceptable Use Policy for Technology and the Internet

All officers and staff must comply with the School’s Acceptable Use Policy when using the Public Prep’s resources. Access privileges will be granted in accordance with the user’s job responsibilities. Access privileges will be limited to the extent necessary to accomplish assigned tasks in accordance with Public Prep’s mission and business functions. Access privileges will be discontinued for those who are no longer with Public Prep.

Annual Data Privacy and Security Training

Public Prep will annually provide data privacy and security awareness training to its officers and staff with access to PII. This training will include, but not be limited to, training on the applicable laws and regulations that protect PII and how staff can comply with these laws and regulations. Public Prep may deliver this training using online training tools. Additionally, this training may be included as part of the training that Public Prep already offers to its workforce. All officers and staff who have access to PII must complete this training annually.

Notification of Policy

Public Prep will publish this policy on its website and provide notice of the policy to all its officers and staff.

Adopted October 2020