ED Law 2D & Data Privacy and Security

ED Law 2D & Data Privacy and Security

ED Law §2-D & Data Privacy and Security

New York State Education Law §2-d Part 121 of the Commissioner's Regulation requires that each educational agency shall publish their Data Security and Privacy Policy and their Parents' Bill of Rights for Data Privacy and Security.

The law also requires that with each contract an educational agency enters with a third-party contractor, that receives personally identifiable information (PII), must contain a signed bill of rights and supplemental information. In turn, each educational agency will have to publish, on its website, the signed bill of rights and supplemental information to the bill of rights for each software contract.

Data Protection Officer (DPO)

Name:  TheriJo Climenhaga

Email:    [email protected]

Phone:    607-264-9332

Mailing Address:  PO Box 485, Cherry Valley, NY 13320

Data Security and Privacy Policies

District Data Privacy Inventory Tool (DPIT)

The Data Privacy Inventory Tool compiles a list of district software as required by Education Law §2-d Part 121 Regulations. It provides a means for sharing our parents' bill of rights, supplemental information and compliance with components of the NIST Cybersecurity Framework. 


Key Categories of the Data Privacy Inventory Tool

Contract Source: How the software product is procured; either BOCES, District, or District - Free

Supporting Documentation: Document links or attachments to signed parent's bill or rights and supplemental information   


Note: Information posted in the data privacy inventory tool is continually updated.


CVSCS Unauthorized Disclosure Complaint Form

Parents, eligible students (students who are at least 18 years of age), principals, teachers, and employees of an educational agency may file a complaint about a possible breach or improper disclosure of student data and/or protected teacher or principal data using this form. This form will be submitted to the Superintendent/DPO. Please do NOT include any information in this form that would constitute student personally identifiable information.

After submitting the form, the DPO will promptly acknowledge receipt of the report within 24 hours.

When the fact finding process is complete, the DPO will provide the reporting party with the findings made at the conclusion of the fact finding process; this should occur no later than 60 days after the receipt of the initial report, and, if additional time is needed the report shall be given a written explanation within the 60 days that includes the approximate date when the findings will be available.

Please note that the CVSCS DPO shall maintain a record of each report received of a possible Breach or Unauthorized Disclosure, the steps taken to investigate the report, and the findings resulting from the investigation in accordance with applicable record retention policies.

First Name
Last Name
Phone Number
Email Address
Role/Relationship to Student
District/Building Affiliation
Description of Event(s):
Description of Possible Disclosed Data:
Description of How Reporter Learned of Possible Disclosure:

To validate your submission, please answer the following math problem:

captcha math problem
View text-based website