Board of Education briefed on state regulations

JOHNSTOWN — The Greater Johnstown School District Board of Education on Wednesday was briefed on pending new state Education Department regulations to strengthen security of information for both students and school personnel.

“It really is a good thing,” said Rachel Heroth, district director of technology and instructional leadership.

She gave a presentation on proposed state law changes at the board’s session at Johnstown High School. She said there is a “buzz” in the educational technology world about the changes.

“Those updates are not actually in place yet,” she said.

But Heroth said the state Board of Regents is expected to act May 8 to adopt the changes, with amendments to state Education Law effective July 1.

She said one million kids in New York state were victims of identity theft in 2017. Some of that activity, she said, is due to parents “sharing” information.” She said the problem is growing and it is not just a school district problem.

The state Education Department has proposed regulatory changes to increase information security measures to safeguard the Personally Identifiable Information, or PII, of students and certain school personnel. Proposed amendments outline requirements for educational agencies and their third-party contractors to ensure security and privacy of such protected information.

Proposed regulations outline the data security and privacy obligations of educational agencies and third-party contractors and establish requirements for contracts and other written agreements where PII will be provided to a third-party contractor.

Heroth said that eventually, the Johnstown school system – like other districts — will have to be compliant.

She mentioned four main areas, starting with third-party contracts districts have currently regarding technology and their surrounding privacy issues.

“This really affects the software we use in our classrooms,” Heroth said.

Other areas include data security and privacy, for which a policy will have to be adopted for, she said.

Heroth said staff and student training will be part of the changes, as well as the need to establish a “data protection officer,” which most likely is her. She said the district can have good software, but identity theft relates to personal decisions regarding information.

“It really comes down to users,” she said. “It’s really a human problem.”

Additionally, the new regulations establish a National Institute of Standards and Technology (NIST) Cybersecurity Framework as the standard for all educational agencies’ data security and privacy programs and direct educational agencies to ensure that all employees that handle PII receive annual data security and privacy training.

Board member Kathryn Zajicek asked about possible funding from the state to cover these changes.

“There is no funding to support it,” Heroth said. “It’s an unfunded mandate.”

She said there may be some software costs, but overall she’s not sure how much new changes will cost.

Superintendent Patricia Kilburn said some of the technology could impact how videos are handled.

“A lot of stuff we get is open-sourced and free,” she said.

Officials said some of the changes could also impact social media, such as Facebook.

“That comes down to behavior,” Heroth said.

Michael Anich covers Johnstown and Fulton County news. He can be reached at