Broome-Tioga BOCES is fully committed to protecting the confidentiality of student information under our stewardship. This Privacy Notice explains how we collect, share, use, and protect the student information within the systems and services that we manage on behalf of school districts.

Why do we collect student information?
Student data is collected and used by Broome-Tioga BOCES for the sole purpose of supporting the specific services that school districts contract with us. These services include the management of student information systems, special education systems, cafeteria systems, New York State Education Department (NYSED) reporting systems, data dashboard services, student email and collaboration systems and other systems that may store or transmit student information. These systems are necessary in order for districts to manage the day-to-day operations of their schools and comply with New York State reporting requirements.

Broome-Tioga BOCES, through its South Central Regional Information Center, provides services to a consortium of 50 public school districts and their associated BOCES centers in Broome, Tioga, Delaware, Chenango, Madison, Otsego, Schoharie and Greene counties of New York State. Although less common, some school districts outside this region and some non-public school district entities also cross-contract for Broome-Tioga BOCES services.

Can Broome-Tioga BOCES provide access to student data?
Although student information often resides on systems that are managed and may be physically located at Broome-Tioga BOCES, all student data housed within these systems belongs to the respective school districts.

Broome-Tioga BOCES will not release or provide access to student data to parents, students or other outside parties, including vendors or other unauthorized agencies, without the expressed written consent of the school district that is responsible for the data. Requests for student information or access received by Broome-Tioga BOCES from unauthorized parties will be referred to the respective school district for authorization using the Third-Party Data Authorization Process.

If, for any reason, Broome-Tioga BOCES intends to use student information in a manner different from that stated at the time of collection, we will notify the school district and school administration will have a choice as to whether or not Broome-Tioga BOCES can use student information in such a way.

If students or parents wish to review, update or correct student information, they should follow the policies and procedures of their local school district.

What student information is collected?
Only student information relevant and necessary to the services that school districts purchase from Broome-Tioga BOCES is collected. No other student information is collected. The specific information that is collected varies from one service to another and includes Personally Identifiable Information (PII). PII is data that identifies a specific student, can be used to distinguish one student from another or be used in combination with other information to identify the student.

PII includes, but is not limited to, a student’s name, address, social security number, email, unique school identification number, grades, locker combination, student photos, individualized education programs (IEPs), biometric records, medical records, date of birth, place of birth, driver license numbers, bank account numbers, mother’s maiden name and any access codes or passwords that permit access to personal records.

How is student information secured?
Broome-Tioga BOCES is committed to protecting the personally identifiable information of students and maintaining its accuracy. Broome-Tioga BOCES implements physical, administrative, and technical safeguards to protect student information from unauthorized access, use and disclosure. Measures for protecting data include, but are not limited to:
          •    Password protection and authentication to establish the identity of all persons accessing systems housing student  data and at the appropriate level of authority.
          •    Stringent account provisioning and deprovisioning and authorization procedures.
          •    Encrypted transmission of student data.
          •    Secured file structures limiting student information access to only authorized employees.
          •    Badge-protected access to all facilities that house electronic systems that may contain student data and hardcopy student records.
          •    Privacy requirements incorporated into all contracts with vendors and consultants who come into contact with student data.
          •    Anti-virus, filtering and anti-malware services and established, monthly, security patches applied to all servers and systems.
          •    Annual privacy risk assessment and review of security and privacy controls.
 
BOCES also regularly promotes awareness of student data security and privacy issues and trains staff on security and privacy standards. This includes an annual mandatory training session for all BOCES staff and managers regarding security and privacy policies, guidelines and practices.
 

How is student information retained and disposed?
Student data is retained for no longer than necessary to fulfill the purposes for which it was collected or as required by law. Student data, whether in electronic or hard copy form, will be deleted by Broome-Tioga BOCES personnel who have proper authorization from the school district to do so. Once authorized, Broome-Tioga BOCES staff will ensure that data is anonymized, disposed of or destroyed in a manner that prevents loss, theft, misuse or unauthorized access.

Broome-Tioga BOCES adheres to New York State’s ED-1 Records Retention and Disposition Schedule which establishes minimum periods of time that records must be retained. Additionally, Broome-Tioga BOCES may not dispose of student data that is reported to the New York State Student Information Repository System (SIRS). While the SIRS reporting process allows for records to be deleted in the regional, Level 1–Data Warehouse that are in error, New York State takes possession of this data after it is reported to the Level 2–Data Warehouse. At that time, reported student information becomes subject to New York State’s privacy policies.


Who else besides the school and Broome-Tioga BOCES has access to student information?
Sometimes individuals and organizations outside the schools and Broome-Tioga BOCES, such as software support teams and technical consultants, have access to student data by the nature of the work they do. For some Broome-Tioga BOCES services, student information is physically hosted off-site of the schools and Broome-Tioga BOCES within the secured systems of service providers.

In these cases, Broome-Tioga BOCES requires stringent contractual obligations for security and privacy of student data in compliance with the New York State Common Core Implementation Reform Act of March, 2014. Contracts with these providers include the following stipulations:
1.    Student information will be used solely for the purpose defined in the contract and related directly to supporting Broome-Tioga BOCES services.

2.    Student information will not be shared with any other entity or individual without the express permission of Broome-Tioga BOCES (if authorized by the school district) unless required by statute or a court order.

3.    Upon the expiration of the contract, the third-party service provider will delete any electronic student data in its possession, will return any non-electronic documents containing student data that it has in its possession and will notify Broome-Tioga BOCES when the data has been deleted or disposed.

4.    Student information will be corrected upon request by Broome-Tioga BOCES (if authorized by the school district) and Broome-Tioga BOCES will be notified when the data has been corrected.

5.    All federal and state laws and regulations governing security and privacy of student information must be abided by.

6.    A description of the physical location of student information in the service provider’s possession must be provided, as well as a description of the administrative, technical and physical safeguards utilized to assure the privacy and security of student information in their possession and when transmitted.

7.    Communication with Broome-Tioga BOCES in no less than 24 hours of any data breach or in the event that student information is requested by legal authorities.

8.    The service provider must comply with the Broome-Tioga BOCES Parents’ Bill of Rights for Data Privacy and Security, as required by New York State Education Law Section 2-d.

9.    Access to student data within the third-party service provider is limited to those individuals that need such records or data to perform the services set forth in this contract.

10.    Employees of the third-party service provider who have access to student data have received or will receive training on the federal and state laws governing security and privacy of such data prior to receiving access to it.

How is the quality of student information managed?
School districts are solely responsible for the accuracy of the student data that their employees enter into and utilize within systems covered under Broome-Tioga BOCES services.

New York State has defined a multi-level process for exporting student data to the New York State Education Department Student Information Repository System (SIRS database). The first step in this process is to import data to Level 0 of the system, resolve any errors that result and validate the accuracy of this data.

 For districts that participate in Broome-Tioga BOCES’ Managed Data Service, Broome-Tioga BOCES takes an active role working with school district staff to correct errors during the Level 0 process. Although Broome-Tioga BOCES offers error correction assistance, school district staff is responsible for making all changes to student data. Broome-Tioga BOCES staff will only make such changes if written authorization is provided by the school district.


Is student data security and privacy monitored and enforced?
Broome-Tioga BOCES monitors its privacy policies and practices, including this Privacy Notice, to ensure compliance with the most recent state and federal laws and has been audited to ensure compliance with the requirements set forth in the Service Organization Control (SOC) 2 security and privacy principles and criteria. Information describing the SOC 2 principles and criteria is available from the American Institute of CPA’s at: http://www.aicpa.org

Broome-Tioga BOCES also self-monitors to ensure that internal security and privacy processes and procedures meet the requirements described in this Notice. This includes formalized processes for the regular assessment of risks and regular review of security and privacy procedures and documents.

What choices do students and parents have regarding the collection and use of student information?
All choices available to students and parents regarding the collection, use and disclosure of student information are governed by the policies and procedures of each student’s respective school district and are outside the jurisdiction of Broome-Tioga BOCES. All requests received by Broome-Tioga BOCES to opt-out or limit data collection, data use and information disclosure for a specific student will be referred to the school district of that student.

What if I have a complaint or dispute?
Inquiries, complaints, disputes or Freedom of Information requests concerning specific student data should be directed to the local school district(s) responsible for the student information.
If you have an inquiry, complaint, or dispute specific to Broome-Tioga BOCES privacy policies or practices, please allow thirty (30) days for us to document and respond to your request. All documented inquiries, complaints and disputes will be collected and reviewed by the Security and Privacy Committee to determine whether appropriate actions were followed and to assess if changes to procedures and/or policies should be implemented to further improve Broome-Tioga BOCES services. All submissions will be documented and cataloged and an appropriate response will be provided.


 Please send all inquiries, complaints or dispute information to:        
              Dan Myers
              Acting Broome-Tioga BOCES Chief Privacy Officer
              [email protected]
              607-766-3750
 
What if there is a data security breach?
If there is an accidental or an intrusive data security breach, Broome-Tioga BOCES will adhere to the Broome-Tioga BOCES Student Data Breach Protocol. Employees who become aware of a suspected or actual security breach must report the matter immediately as follows:
          •    School district employees: Contact your superintendent’s office immediately.
          •    BOCES’ staff: Contact your manager immediately.

How will changes to the Broome-Tioga BOCES' privacy policies and procedures be communicated?
When we need to update this notice or modify it in a way that does not impact our usage of student information, we will post a notice for 30 days on Broome-Tioga BOCES’ website.
 If we are going to use student information in a manner different from that stated at the time of collection, we will directly notify the school district responsible for the information and the district will have a choice as to whether or not Broome-Tioga BOCES can use the information in such a way.

How is student information privacy governed?
The Student Data Security and Privacy Committee is a standing committee providing strategic guidance and oversight for Broome-Tioga BOCES’ information security and privacy efforts. The role of the committee is to infuse Broome-Tioga BOCES into the operations of Broome-Tioga BOCES by setting policy, establishing authorities and implementing accountability as described in the  Student Data Security and Privacy Committee Charter.

Membership includes both internal and external stakeholders who, by virtue of their role, have responsibility for student information security and/or privacy. Members include:

          •    A Broome-Tioga BOCES Board member
          •    A BOCES district superintendent
          •    Three school superintendents
          •    One attorney specializing in education law
          •    One Broome-Tioga BOCES management representative
          •    Broome-Tioga BOCES Chief Privacy Officer

                                                                       

Broome-Tioga BOCEs' Security and Privacy Principles
Every Broome-Tioga BOCES staff member is obligated to serve as a steward of data and information held by Broome-Tioga BOCES and to protect the security and privacy of information and information technology systems. The Security and Privacy Principles below provide the guiding framework for decision making and management of security and privacy at Broome-Tioga BOCES.
Confidentiality – Only authorized individuals will have access to information.

Quality – Information must be reliable and accurate.

Availability – Information must be available when it is needed.

Responsibility – Accountability for the security and privacy of information must be clearly defined within Broome-Tioga BOCES.

Awareness – Broome-Tioga BOCES staff members and users of Broome-Tioga BOCES services must be made aware of standards, expectations and policies adopted by Broome-Tioga BOCES for protecting the security and privacy of information.

Ethics – The management of security and privacy and the use of information must always be handled in an ethical manner.

Diversity – Security and privacy policy must incorporate the diverse viewpoints of information stakeholders.

Proportionality – Security and privacy safeguards must be proportionate to the risks.

Integration – Security and privacy standards are integrated into the processes of Broome-Tioga BOCES consistently and within a framework of established safeguards.

Responsiveness – Broome-Tioga BOCES must respond in a timely and coordinated manner to prevent and effectively react to security and privacy breaches and threats.

Evaluation – Security and privacy risks, controls and standards must be regularly reviewed and continuously improved.

Fairness – The rights and dignity of individuals will be preserved while carrying out security and privacy goals.

Transparency – Schools and individuals are informed about how their information will be used, disclosed and retained.

Consent – Broome-Tioga BOCES will obtain consent, or allow for schools and individuals to opt out of the collection, use, disclosure and retention of information.

Relevance – Broome-Tioga BOCES will only collect information that is relevant and required to support school services or the purposes identified.

Retention – Broome-Tioga BOCES will keep information only as long as required and will always dispose of all information in a manner that maintains confidentiality.

Disclosure – Disclosure of information to third parties is strictly limited and only as approved by authorized school district staff.

Access – Broome-Tioga BOCES will always allow school districts and those that they authorize to access their data.

Openness – Broome-Tioga BOCES is open to suggestions, complaints and disputes regarding privacy and security and maintains procedures for redress of grievances.