Data Security and Privacy

Technology is an integral part of the teaching and learning experience in the Mattituck-Cutchogue Union Free School District. The ever-increasing availability of online teaching and learning resources comes with inherent risks and concerns regarding student data, privacy and student work. We as a district have a responsibility to ensure that student's data and privacy is adequately protected while using any online digital resource for school work. The Mattituck-Cutchogue Union Free School District is providing the following information/resources for parents, teachers, and the community so that they can better understand what student data is, how student data is collected and used and the laws and practices that the district adheres to in order to protect student data and privacy.

If you have any questions or concerns regarding data privacy and security, or suspect there has been a data breach, please contact Kelly Urraro, Technology Director and Data Protection Officer (DPO). Phone: (631) 298-4242 x3700 or email: [email protected]

In the event of a data breach the public will be notified via our district's communication platform.

Parent and Staff Information

The Mattituck-Cutchogue Union Free School District oversees a wide range of information about students. The district manages personally identifiable information (PII) about students in accordance with the federal laws known as FERPA and COPPA. More information regarding federal and state laws, district policies and guidelines that address technology use and student data privacy are listed below.

New York State Data Privacy and Security

  • NYSED October 28, 2020 Memo Regarding Data Security and Privacy
  • NYSED Data Security and Privacy Policy
  • Ed Law 2D - Education Law § 2-d went into effect in April 2014. The focus of the statute was to foster privacy and security of personally identifiable information (PII) of students and certain PII related to classroom teachers and principals. 

  • Part 121 Amendment to Ed Law 2D- Although the proposed regulations largely restate the requirements of Education Law § 2-d, there are new elements, including the adoption by the New York State Education Department of a data security and privacy standard, as was required by the statute. The Department will adopt the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (CSF or Framework).

Federal & State Laws that Impact Technology Use & Student Privacy

MUFSD Policies and Guidelines for Student Data and Security

Third Party Ed Law 2D Privacy Agreement

NSYED Model Data Privacy Agreement and Instructions for Third Party Vendors

The District will ensure that whenever it enters into a contract or other written agreement with a third-party contractor under which the third-party contractor will receive student data or teacher or principal data from the District, the contract or written agreement will include provisions requiring that confidentiality of shared student data or teacher or principal data be maintained in accordance with law, regulation, and District policy.

In addition, the District will ensure that the contract or written agreement includes the third-party contractor's data privacy and security plan that has been accepted by the District. The third-party contractor's data privacy and security plan must, at a minimum:

  1. Outline how the third-party contractor will implement all state, federal, and local data privacy and security contract requirements over the life of the contract, consistent with District policy.

  2. Specify the administrative, operational, and technical safeguards and practices the third-party contractor has in place to protect PII that it will receive under the contract;

  3. Demonstrate that the third-party contractor complies with the requirements of 8 NYCRR Section 121.3(c);

  4. Specify how officers or employees of the third-party contractor and its assignees who have access to student data or teacher or principal data receive or will receive training on the laws governing confidentiality of this data prior to receiving access;

  5. Specify if the third-party contractor will utilize subcontractors and how it will manage those relationships and contracts to ensure PII is protected;

  6. Specify how the third-party contractor will manage data privacy and security incidents that implicate PII including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the District;

  7. Describe whether, how, and when data will be returned to the District, transitioned to a successor contractor, at the District's option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires; and

  8. Include a signed copy of the Parents' Bill of Rights for Data Privacy and Security

Supplemental Ed Law 2D Agreements with Third Party Vendors

Additional Resources