New York Student Data Privacy Legal Compliance Guide

| New York Law Provision or Regulation | Requirement | Compliant Microsoft Provision(s) |
|---|---|---|
| Education Law § 2-d (4)(f) | Restriction on sale or marketing of personally identifiable information (“PII”) | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Education Law § 2-d (6)(a) | Breach notification requirements | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification. Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures -> Information Security Incident Management |
| Education Law § 2-d (6)(c) | Reimbursement of agency for cost of notification due to unauthorized release | Does not appear to be addressed by Microsoft’s standard documents. |
| Education Law § 2-d (6)(d)-(e) | Do not impose legal requirements on third-party contractors; address the potential consequences for a third-party contractor in the event the Chief Privacy Officer determines there has been a violation. | |
| Education Law § 2-d (7)(a)-(b) | Do not impose legal requirements on third-party contractors; address the potential consequences for a third-party contractor in the event the Chief Privacy Officer determines there has been a violation. | |
| 8 NYCRR § 121.2(c) | Requirements of a written agreement addressing confidentiality, compliance with state and federal law, and the educational agency’s policies | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Processor Confidentiality Commitment. Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures. |
| 8 NYCRR § 121.3(a)-(c) | “Bill of Rights” developed by educational agency to be included in every contract | Compliance provisions addressing the specific requirements of the “bill of rights” are listed below. |
| 8 NYCRR § 121.3(c)(1) | Purpose for which data will be used | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership |
| 8 NYCRR § 121.3(c)(2) | Requirements for subcontractors’ use of data | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures. |
| 8 NYCRR § 121.3(c)(3) | Disposition of data upon termination of contract | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |
| 8 NYCRR § 121.3(c)(4) | Method for challenging the accuracy of data collected | Does not appear to be addressed by Microsoft’s standard documents. |
| 8 NYCRR § 121.3(c)(5) | Storage of data and security protections | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Transfers and Location. See also Microsoft Online Services Terms -> Attachment 1 – Notices -> Location of Customer Data at Rest for Core Online Services. Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures. |
| 8 NYCRR § 121.3(c)(6) | Encryption of data | Microsoft Online Services Data Protection Addendum -> Attachment 3 – European Union General Data Protection Regulation Terms -> Relevant GDPR Obligations: Articles 28, 32, and 33 |
| 8 NYCRR § 121.6(a)(1) | Data security and privacy plan must address implementation of state, federal, and local requirements | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures. |
| 8 NYCRR § 121.6(a)(2) | Safeguards to protect PII | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures. |
| 8 NYCRR § 121.6(a)(3) | Compliance with 8 NYCRR § 121.3 | See the Compliant Microsoft Provisions listed above that correspond to 8 NYCRR § 121.3. |
| 8 NYCRR § 121.6(a)(4) | Training for employees on federal and state laws governing confidentiality of data | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Processor Confidentiality Commitment. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures. |
| 8 NYCRR § 121.6(a)(5) | Identification and management of subcontractors | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Notice and Controls on Use of Subprocessors |
| 8 NYCRR § 121.6(a)(6) | Breach management and notification | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification. Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures -> Information Security Incident Management |
| 8 NYCRR § 121.6(a)(7) | Disposition of data upon termination of contract | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |
| 8 NYCRR § 121.9(a)(1) | Adoption of technologies, safeguards and practices that align with the NIST Cybersecurity Framework | Does not appear to be addressed by Microsoft’s standard documents. |
| 8 NYCRR § 121.9(a)(2) | Compliance with educational agency’s data security and privacy policy and Education Law § 2-d | Most of these requirements appear to be addressed by Microsoft’s Online Services Terms and the Microsoft Online Services Data Protection Addendum, except to the extent addressed herein. |
| 8 NYCRR § 121.9(a)(3) | Limit internal access to PII | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies |
| 8 NYCRR § 121.9(a)(4) | Use of PII | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing -> Processing for Microsoft’s Legitimate Business Operations |
| 8 NYCRR § 121.9(a)(5) | Circumstances under which PII may be disclosed | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data |
| 8 NYCRR § 121.9(a)(6) | Safeguards to protect security and confidentiality of PII | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures. |
| 8 NYCRR § 121.9(a)(7) | Encryption of PII | Microsoft Online Services Data Protection Addendum -> Attachment 3 – European Union General Data Protection Regulation Terms -> Relevant GDPR Obligations: Articles 28, 32, and 33 |
| 8 NYCRR § 121.9(a)(8) | Restriction on sale or marketing of PII | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| 8 NYCRR § 121.9(b) | Restrictions on subcontractors | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Notice and Controls on Use of Subprocessors |
| 8 NYCRR § 121.10(a) | Notifications of breach and unauthorized release | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification. Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures -> Information Security Incident Management |
| 8 NYCRR § 121.10(c) | Requirements for cooperation with educational agencies and law enforcement to protect the integrity of investigations into breaches or unauthorized releases | Does not appear to be specifically addressed by Microsoft’s standard documents. |
| 8 NYCRR § 121.10(f) | Reimbursement of agency for cost of notification due to unauthorized release | Does not appear to be specifically addressed by Microsoft’s standard documents. |
| 8 NYCRR § 121.10(g) | Specific requirements for notice in the event of breach or unauthorized release | The requirement of notification is addressed generally by Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification. However, the DPA does not address each of the specific issues required by § 121.10(g). |
| 8 NYCRR § 121.10(h) | Notification directly to affected parent, student, teacher or principal | Does not appear to be addressed by Microsoft’s standard documents. |
| 8 NYCRR § 121.11(a) | | Measures -> Information Security Incident Management |
| 8 NYCRR § 121.11(b)-(f) | Do not impose legal requirements on third-party contractors; address the potential consequences for a third-party contractor in the event the Chief Privacy Officer determines there has been a violation. | |