AGREEMENT, made as of the _____ day of ______________, between the Town of Montgomery, a municipal subdivision of the State of New York with offices located at 110 Bracken Road, Montgomery, NY 12549 (hereinafter referred to as the “Town”), and the Valley Central School District, a municipal corporation of the State of New York, with offices located at 944 State Rt. 17K, Montgomery, NY 12549 (hereinafter referred to as the “District”). The Town
and District also are referred to herein singularly as “Party” and collectively as “Parties.”
WHEREAS, the Town and the District wish to enter into an inter-governmental agreement for the purpose of the facilitation and the carrying out of a School Resource Officer program as set forth herein; and
WHEREAS, this Agreement is made pursuant to General Municipal Law, Article 5- G; and
WHEREAS, it is in the best interest of the District to obtain the services of police officers employed by the Town to serve as “School Resource Officers” (SROs), in the District’s Berea Elementary School, East Coldenham Elementary School, Middle School, and High School during the school year period; and
WHEREAS, it is in the best interest, safety, and welfare of the residents of the Town that the Town provide the services of police officers employed by it to the District to serve as SROs in the aforesaid schools during the school year period; and
WHEREAS, the Parties believe that the provision of SROs to schools in the District will serve to advance key objectives in the mutual interests of the Parties, including, but not limited to:
1) the reduction of incidents of school violence;
2) the maintenance of a safe and secure
environment on school grounds; and
3) the reduction of criminal offenses committed by juveniles
and young adults on school grounds.
NOW, THEREFORE, in consideration of the mutual covenants, promises, representations and conditions contained herein, the Parties hereto agree as follows:
ADDENDUM TO AGREEMENT
Regarding Data Privacy and Security
In Accordance with Section 2-d of the New York Education Law
This is an addendum (the “Addendum”) to an agreement entered into by between the Village of Maybrook, with its principal place of business located at 111 Schipps Lane, Maybrook, New York 12543 (“Contractor”), and the Valley Central School District, with its principal place of business located at 944 State Rt. 17K, Montgomery, New York, 12549 (“District”). Upon being executed
by Contractor’s and District’s authorized representatives, this Addendum shall be deemed to have been in full force and effect as of the effective date of the Agreement it amends.
WHEREAS, the District is an educational agency within the meaning of New York State Education Law, Section 2-d (“Section 2-d”), and Contractor is a third-party contractor within the meaning of Section 2-d; and
WHEREAS, Contractor and its authorized officers, employees, students and agents shall have access to “student personally identifiable information (PII),” “student data” and/or “teacher or principal data” regulated by Section 2-d; and
WHEREAS, the provisions of this Addendum are intended to comply with Section 2-d in all respects. To the extent that any term of the Agreement conflicts with the terms of this Addendum, the terms of this Addendum shall apply and be given effect.
NOW, THEREFORE, it is mutually agreed that the Agreement is hereby amended in accordance with this Addendum, as follows:
1. Confidential Information
1.1 Contractor agrees that in performing the Agreement with the District, Contractor may have access to confidential information in the possession of the District, including student, teacher or principal personally identifiable information (“PII”). For the purposes of this Addendum and the
Agreement, it is agreed that the definition of Confidential Information includes all documentary, electronic or oral information made known to Contractor or developed or maintained by Contractor through any activity related to the Agreement. This Confidential information includes student,
teacher and/or principal data (as the terms are defined under Section 2-d).
1.2 Contractor agrees to comply with Section 2-d, and the corresponding regulations promulgated by the Commissioner of Education of New York (“Commissioner”) thereunder. In addition, Contractor agrees to comply with any changes in Section 2-d, or the Commissioner’s
regulations that may be amended or modified during the term of the Agreement. Upon request by the District, Contractor shall provide the District with copies of its policies and related procedures that pertain to the protection of PII. It may be made available in a form that does not violate Contractor’s own information security policies, confidentiality obligations, and applicable laws.
1.3 Upon expiration of the Agreement to which this Addendum applies, without a successor agreement in place, Contractor shall assist the District in exporting all student, teacher and/or principal data previously received by Contractor from, or developed on behalf of, the District, and Contractor shall, at the request of the District, either securely delete any student, teacher and/or principal data remaining in Contractor’s possession or return the student, teacher and/or principal data to the District. If student, teacher and/or principal data is to be maintained by Contractor for any lawful purpose, such data shall remain in an encrypted format and shall be stored on systems
maintained by Contractor in a secure data facility located within the United States.
1.4 The parties further agree that the terms and conditions set forth in this Confidential Information section and all of its subparts shall survive the expiration and/or termination of the Agreement.
2. Data Inspection and Challenges to Data
Education Law Section 2-d and FERPA provide parents and eligible students the right to inspect and review their child’s or the eligible student’s PII stored or maintained by the District. To the extent PII is held by Contractor pursuant to the Agreement, Contractor shall respond within thirty (30) calendar days to the District’s requests for access to PII so the District can facilitate such
review by a parent or eligible student. If a parent or eligible student contacts Contractor directly to review any of the PII held by Contractor pursuant to the Agreement, Contractor shall promptly notify the District and refer the parent or eligible student to the District.
In the event that a student’s parent or an eligible student wishes to challenge the accuracy of student data (pertaining to the particular student) that may include records maintained, stored, transmitted,
and/or generated by Contractor pursuant to the Agreement, the challenge will be processed in accordance with the procedures of the District.
A teacher or principal who wishes to challenge the accuracy of data pertaining to the teacher or principal personally, which is disclosed to Contractor pursuant to the Agreement, shall do so in accordance with the procedures for challenging APPR data, as established by the District.
3. Training
Contractor represents and warrants that any of its officers, employees, and/or assignees who will have access to student, teacher and/or principal data pursuant to the Agreement will receive training on the federal and state laws governing confidentiality of such student, teacher and/or principal data, prior to obtaining initial or any further access to such data.
4. Use/Disclosure of Data
4.1 Contractor shall not sell or use for any commercial purpose student, teacher and/or principal data that is received by Contractor pursuant to the Agreement or developed by Contractor to fulfill its responsibilities pursuant to the Agreement.
4.2 Contractor shall use the student, teacher and/or principal data, records, or information solely for the exclusive purpose of and limited to that necessary for the Contractor to perform the duties and services required under the Agreement. Such services include, but are not limited to school resource officer services. Contractor shall not collect or use educational records of the
District or any student, teacher and/or principal data of the District for any purpose other than as explicitly authorized in this Addendum or the Agreement.
4.3 Contractor shall ensure, to the extent that it receives student, teacher and/or principal data pursuant to the Agreement, that it will not share Confidential Information with any additional parties, including an authorized subcontractor or non-employee agent, without prior written
consent of the District. Contractor shall indemnify and hold the District harmless from the acts and omissions of the Contractor’s employees and subcontractors.
5. Contractor’s Additional Obligations under Section 2-d and this Addendum
Contractor acknowledges that, with respect to any student, teacher and/or principal data received through its relationship with the District pursuant to the Agreement it is obliged to maintain a Data Security & Privacy Plan, and fulfill the following obligations:
• execute, comply with and incorporate to this Addendum as Exhibit A, as required Section 2-d, the Parents’ Bill of Rights for Data Privacy and Security developed by the District, as well as the supplemental information in Exhibit B;
• store all data transferred to Contractor pursuant to the Agreement by the District, in an electronic format on systems maintained by Contractor in a secure data facility located within the United States or hard copies under lock and key;
• limit internal access to student, teacher and/or principal data to Contractor’s officers, employees and agents who are determined to need such access to such records or data to perform the services set forth in the Agreement;
• not disclose student, teacher and/or principal data to any other party who is not an authorized representative of Contractor using the information to carry out Contractor’s obligations under the Agreement, unless: (I) the other party has the prior written consent of the applicable student’s parent or of the eligible student; or (II) the other party has the prior written consent of the applicable teacher or principal; or (III) the disclosure is required by statute or court order, and notice of the disclosure is provided to the District no later
than five business days before such information is required or disclosed (unless such notice is expressly prohibited by the statute or court order);
use reasonable administrative, technical and physical safeguards that align with the NIST Cybersecurity Framework and are otherwise consistent with industry standards and best practices, including but not limited to encryption, firewalls and password protection as specified by the Secretary of the United States Department of HHS in any guidance issued under P.L. 111-5, Section 13402(H)(2), to protect the security, confidentiality and integrity of student and/or staff data of the District while in motion or in custody of Contractor from unauthorized disclosure;
• not mine Confidential Information for any purposes other than those agreed to in writing by the Parties. Data mining or scanning of user content for the purpose of advertising or marketing to students or their parents is prohibited; notify the District, in the most expedient way possible and without unreasonable delay, of any breach of security resulting in an unauthorized release of any PII. In addition, Contractor shall take immediate steps
to limit and mitigate the damage of such security breach or unauthorized release to the greatest extent practicable, and promptly reimburse the District for the full cost of any notifications the District makes as a result of the security breach or unauthorized release.
Contractor further acknowledges and understands that Contractor may be subject to civil and criminal penalties in accordance with Section 2-d for violations of Section 2-d and/or this Addendum.
• understand that any breach of the privacy or confidentiality obligations set forth in this Addendum may, at the sole discretion of the District, result in the District immediately terminating this Agreement; and
• familiarize its applicable officers, employees and agents with this Addendum and with the “Parents’ Bill of Rights for Data Privacy and Security.”
The Contractor acknowledges that failure to fulfill these obligations shall be a breach of the Agreement.
6. Except as specifically amended herein, all of the terms contained in the Agreement are hereby ratified and confirmed in all respects, and shall continue to apply with full force and effect.
Exhibit A
District’s Parents’ Bill of Rights
The privacy and security of personally identifiable student data are of paramount importance. Parents (includes legal guardians or persons in parental relationships) and Eligible Students (student 18 years and older) can expect the following:
A student’s personally identifiable information cannot be sold or released for any commercial purposes. PII, as defined by Education Law § 2-d and the Family Educational Rights and Privacy Act (“FERPA”), includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when
linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. State and federal laws (Education Law § 2-d, the Commissioner of Education’s Regulations at 8 NYCRR Part 121, and FERPA), protect the confidentiality of students’ personally identifiable information, and safeguards associated with industry standards and best practices, such as encryption, firewalls, and password protection, must be in place when such
data is stored or transferred.
Consistent with the adoption by the New York State Legislature of the Common Core Implementation Reform Act of 2014, all parents have the following rights:
• To inspect and review the complete contents of their child’s education record, as defined in the District’s Student Records policy;
• To access a complete list of all student data elements collected by the State, which is available for public review at http://www.nysed.gov/data-privacy-security/student-datainventory or by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234;
• To have complaints about possible breaches of student data heard and determined.
Complaints should be submitted to NYSED at http://www.nysed.gov/data-privacysecurity/report-improper-disclosure or directed in writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234, or by email to the Chief Privacy Officer at privacy@nysed.gov or by telephone at (518) 474-0937. Complaints can also be submitted to the District’s Data Protection Officer at (845) 457-2400 or 944 State Route 17K, Montgomery, NY 12549.
To be notified in accordance with applicable laws and regulations if a breach or
unauthorized release of PII occurs.
• Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII.
• Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.
* In the event the Commissioner of Education issues an enhanced Bill of Rights and/or promulgates regulations setting forth additional elements to be included in the Parents’ Bill of Rights, the Valley Central School District reserves the right to revise this document accordingly.
Exhibit B
Supplemental Information
Pursuant to Education Law § 2-d and Section 121.3 of the Commissioner’s Regulations, the Educational Agency (EA) is required to post information to its website about its contracts with third-party contractors that will receive Personally Identifiable Information (PII).
Name of Contractor: Town Of Montgomery
Description of the purpose(s) for which Contractor will receive/access PII: Provision of School Resource Officers to the District
Type of PII that Contractor will receive/access: Student PII
Contract Term: September 1, 2022- June 30, 2023
Subcontractor Written Agreement Requirement: Contractor will not utilize subcontractors without a written contract that requires the subcontractors to adhere to, at a minimum, materially similar data protection obligations imposed on the contractor by state and federal laws and regulations, and the Contract. (check applicable option): Contractor will not utilize subcontractors.
Data Transition and Secure Destruction: Upon expiration or termination of the Contract, Contractor shall:
• Securely transfer data to EA, or a successor contractor at the EA’s
option and written discretion, in a format agreed to by the parties.
• Securely delete and destroy data
Challenges to Data Accuracy: Parents, teachers or principals who seek to challenge the accuracy of PII will do so by contacting the EA. If a correction to data is deemed necessary, the EA will notify Contractor. Contractor agrees to facilitate such corrections within 21 days of receiving the EA’s written request.
Secure Storage and Data Security: Please describe where PII will be stored and the protections taken to ensure
PII will be protected: (check all that apply)
☐ Using a cloud or infrastructure owned and hosted by a third party.
☐ Using Contractor owned and hosted solution
☐ Other:
Please describe how data security and privacy risks will be mitigated in a
manner that does not compromise the security of the data:
Contractor will use reasonable administrative, technical and physical
safeguards that align with the NIST Cybersecurity Framework and are
otherwise consistent with industry standards and best practices, including but
not limited to: encryption, firewalls, and password protection as specified by
the Secretary of the United States Department of HHS in any guidance
issued under P.L. 111-5, Section 13402(H)(2), to protect the security,
confidentiality and integrity of student data of the District while in motion or
in custody of Contractor from unauthorized disclosure.
Encryption: Data will be encrypted while in motion and at rest.