heading
Follow us on twitter Follow us on pintrest Follow us on linkedIn Follow us on instagram Follow us on Flickr
log in Events
Data Privacy Notice

Purpose

District data is collected and stored by the Central New York Regional Information Center (CNYRIC) for the purpose of supporting districts participating in the CNYRIC’s services. District data will be used exclusively for the purposes of these services.

Data Ownership

Each participating district is the sole owner of its data, including but not limited to data transmitted by the district to the CNYRIC.

 

District data includes personally identifiable information (PII). PII is any information to which unauthorized access, disclosure, modification, destruction, or disruption of access or use could adversely impact students or district personnel. The privacy of the data we collect for districts is addressed by OCM BOCES Policy 2311, Confidentiality of Computerized Information.

Standards

The data protection procedures utilized by the CNYRIC comply with Service Organization Control (SOC) 2 security and privacy principles and criteria. Information describing SOC 2 principles and criteria is available from the American Institute of CPA’s at http://www.aicpa.org/.

 

Participating districts will be notified when there are changes to the data protection procedures adhered to by the CNYRIC.

 

The CNYRIC trains and supervises all personnel on data security and privacy standards. This includes departmental-level training on procedures specific to the type of data managed by each department. This also includes annual refresher training on policy and procedures.

 

Failure of CNYRIC personnel to comply with the specifics of this privacy and security notice may result in corresponding disciplinary measures, (see OCM BOCES policy 2311, Confidentiality of Computerized Information).

 

Periodically, the CNYRIC Data Privacy & Security Officer will monitor systems and processes to assure compliance, taking or recommending corrective actions whenever necessary. Additionally, when considering revisions to systems/services or evaluating new services/systems, SOC 2 principles and criteria are included in the processes.

Systems Description

All storage is located at 6075 East Molloy Road, Syracuse, NY 13221. A backup site is located at 355 Harlem Road, West Seneca, NY 14224 and a tape storage facility is located at McEvoy Center, 1710 NYS Route 13, Cortland NY 13045. All storage is maintained in locked, key card accessible rooms.

 

Connections to all data systems are made only through a firewall, connections use encryption (SSL), virtual private networks (VPN), secure file transfer protocol (SFTP), and password hashing. Routine security patching and upgrading of systems, including desktop systems, are performed systematically. A variety of software is used to monitor systems for intrusion vulnerability.

Access Control

Access and authorization to data at the CNYRIC is based on a least privileged philosophy; user access is restricted by only allowing privileges to individuals based on job classification and function which must be approved by their department manager and, in some cases, an assistant director. Access control policy and procedures are communicated at least annually to the CNYRIC personnel and are supervised continuously by the CNYRIC management.

 

Access to reports provided by the CNYRIC and our permissions to make any changes to data or access to data is controlled by the participating districts’ trusted agents. The list of trusted agents is updated annually through a process that includes written approval from school district superintendents and notifying all CNYRIC employees about the current list of trusted agents.

Breach & Breach Notification

In the event of an adversarial or accidental data breach, the CNYRIC will adhere to policy 4571, Information Security Breach and Notification. Other issues of concern to districts or CNYRIC employees are to be communicated to the CNYRIC Data Privacy & Security Officer, Steven Tryon (315/433.2280, sjtryon@cnyric.org). All issues will be reviewed by the CNYRIC management team and addressed as necessary or as required by policy or law.

Data Retention & Disposal

District data is retained for no longer than necessary to fulfill the purposes described above or as required by law. When data is disposed by the CNYRIC it is done so in a manner that prevents loss, theft, misuse, or unauthorized access. The CNYRIC adheres to the ED-1 New York Records Retention Policy. The CNYRIC may not dispose of district data in the SIRS Level 2 - Data Warehouse as it is in the possession of New York State. The SIRS reporting process allows for records to be deleted in the regional, Level 1 - Data warehouse that are in error. The CNYRIC will dispose of records to correct data upon written request by the District’s trusted agent for each system.

 

The quality of district data is the sole responsibility of the participating district. Parental choice and consent is only expressed to the participating district, not to the CNYRIC. Corrections to district data must be expressed and made through the participating district.

Authorized Data Transfer

Prior to the transfer of any district data, the CNYRIC will receive the written permission of the district by a district trusted agent.

 

The CNYRIC will inform the district upon receipt of a request by legal authorities for the participating district’s data. The CNYRIC will give the participating district the opportunity to challenge the disclosure.

Third-party Services

When services utilized by the CNYRIC cause district data to reside off-site of the CNYRIC locations or give access to district data to individuals or entities who are not CNYRIC personnel, they must agree to and include in their contract for services, the following:

 
  • District data will be used solely for the purpose defined in the applicable contract which will be consistent with one or more of the purposes for which district data is provided to the CNYRIC;

  • District data will not be shared with any other entity or individual without the written permission of the CNYRIC unless required by statute or court order and the party provided a notice of the disclosure to the CNYRIC no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order. The CNYRIC will only give permission for the sharing of district data in accord with the provisions of the Authorized Data Transfer section above;

  • Upon the expiration of the contract, the third party service provider will delete any electronic district data in its possession and will notify the CNYRIC when the data has been deleted and/or disposed;

  • District data will be corrected upon request by the CNYRIC and the CNYRIC will be notified when the data has been corrected;

  • A requirement to comply with all Federal and State laws and regulations governing security and privacy of district data;

  • A description of the physical location of district data in their possession and of the administrative, technical, and physical safeguards utilized to assure the privacy and security of data in their possession and when transmitted;

  • Communicate with the CNYRIC in no less than 24 hours of any data breach or in the event district data is requested by legal authorities;

  • Internal access within the third party to district data is limited to those individuals that are determined to need such records or data to perform the services set forth in their contract with the CNYRIC;

  • Any officers or employees of the third party service provider who have access to district data have received or will receive training on the federal and state laws governing security and privacy of such data prior to receiving access to it.

Changes to Data Privacy & Security Notice

If this Notice is changed, the changes will be posted on the CNYRIC website and/or other appropriate venues accessible to participating districts.


This notice is reviewed at least annually for needed updates and to assure compliance with current Federal and New York State data privacy and security requirements.
Proudly serving 50 school districts in the Cayuga-Onondaga, Onondaga-Cortland-Madison, Oswego, and Tompkins-Seneca-Tioga BOCES regions
READ
Data Warehouse to host several opportunities for educators and administrators:
Save the dates for the following opportunities hosted by the CNYRIC's Data Warehouse team. eDoctrina Presentation June 6 – 8:30-10:00 a.m. – Educator Suite demonstration ... more >>

Meet our Featured Teacher: Kristy Townsend:
  "Using technology effectively has created a classroom culture of collaboration."    Kristy Townsend ... more >>

CNYRIC team members participate in Earth Day Litter Cleanup:
The outdoor space surrounding the CNYRIC received special attention on Saturday, April 22, thanks to several team members. Together, Joe Napoli, Teresa Fragola, Tammy Mahady, Shelly McConnell, ... more >>

Meet our Featured Teacher: Justin Ashworth:
    "The students must own the learning. The tools and partnerships that are available today can help empower students to control their ... more >>

Is your district's website ADA compliant?:
In recent months, several school districts in New York State have been contacted by the Office of Civil Rights (OCR) regarding website compliance violations of  section 508 of the Rehabilitation ... more >>

Meet our Featured Administrator: Mr. Andy Eldridge:
    "The technology isn't the star of the show, but a means to ensure high-level learning is occurring." ... more >>

More Stories >>        
FOLLOW
INSPIRE
...
Quicklinks
Services
About Us
Directions
Contact
Staff Directory
Districts / BOCES
Help Desk
Events
News
Staff Only
Vendors


Privacy
Departments
AV Repair
Data Center
Data Warehouse
Disaster Recovery/Information Security
e-Communications
Financial Services
Food Service Management
Instructional Technology
Local Government Service
Managed Technical Support
Network/Telecom/E-Rate
Printing
Student Services
Test Scoring
Central New York Regional Information Center
6075 East Molloy Road
PO Box 4866
Syracuse, NY 13221

Phone: 315.433.8300
Fax: 315.433.8368

CNYRIC Help Desk
Phone: 315.433.8345
Email: helpdesk@cnyric.org
give us feedback
soc audit
Developed by CNYRIC