When the New York State Comptroller audits the State Education Department and needs access to student records protected by Education Law § 2-d, does the Comptroller have to comply with the law's special rules for 'third party contractors'?

Plain-English summary

The State Comptroller's office was auditing the State Education Department's efforts to reduce chronic absenteeism. The audit required the Comptroller's staff to look at student data, which Education Law § 2-d protects as confidential personally identifiable information. Both offices agreed the Comptroller could access the data. They disagreed about whether the Comptroller, while doing so, had to comply with § 2-d's special rules for "third party contractors", in particular, encryption-while-in-custody requirements and limits on internal access.

The Education Department's argument: when the Comptroller signs a confidentiality agreement to receive the data, that's a written contract for purposes of § 2-d, making the Comptroller a "third party contractor" subject to the section's rules.

AG Schneiderman rejected that. The Comptroller's authority to audit state agencies comes directly from Article V, § 1 of the New York Constitution, not from any contract. The Comptroller is not "providing services" to the Education Department; he is performing an independent constitutional audit function. A confidentiality agreement is not a services contract. And the auditing function is not converted into a services contract just because § 2-d's definition of "third party contractor" includes services like "audit or evaluation of publicly funded programs", because that language refers to the kind of audits private accountants do for school districts under Education Law § 2116-a(3), not the State Comptroller's constitutional audit.

Important caveat: the AG was not saying the Comptroller can ignore student data privacy. The opinion notes that the Comptroller would still be subject to the federal Family Educational Rights and Privacy Act (FERPA) for any FERPA-protected data. The opinion's holding is narrow: § 2-d's third-party-contractor regime doesn't apply.

Currency note

This opinion was issued in 2017. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.

Historical context

What the opinion meant for the Comptroller's office

The Comptroller's audit staff did not have to follow § 2-d's contractor-specific encryption-in-custody and access-limitation procedures when handling SED student data, although they were free to follow them as a matter of practice. The audit could proceed under the Comptroller's constitutional framework plus FERPA's federal protections.

What the opinion meant for SED and other educational agencies

When the State Comptroller comes to audit, the agency cannot impose § 2-d's third-party-contractor regime on the audit team. Confidentiality agreements between SED and the Comptroller's office are administrative tools, not contracts that alter the constitutional reporting structure.

Why this is a separation-of-powers point

The opinion reads as a quiet defense of the Comptroller's independence. If a state agency could redefine the Comptroller as a "contractor" by demanding a confidentiality agreement, the agency could effectively impose conditions on its own auditor. The constitutional audit authority would be diluted. The AG read § 2-d to avoid that result.

Common questions

Q: What is Education Law § 2-d?
A: New York's student data privacy statute. It places obligations on "educational agencies" (school districts, BOCES, the State Education Department) and on "third party contractors" who receive student data. Contractors must limit internal access, use HHS-specified encryption, and meet other data-handling rules.

Q: How does the State Comptroller's audit authority differ from a private auditor's?
A: The Comptroller is constitutionally authorized (Article V, § 1) to audit the State's accounts and operations. A private auditor doing a school district's annual audit under Education Law § 2116-a(3) is hired by the district, paid by the district, and performs services for the district. The two are different sources of authority.

Q: Does this opinion mean the Comptroller can ignore student data privacy?
A: No. The opinion explicitly notes that FERPA still applies to the Comptroller. It also doesn't disturb the Comptroller's own internal data-protection protocols. The narrow holding is just that § 2-d's contractor regime doesn't add a separate compliance layer.

Q: What about a confidentiality agreement between OSC and SED?
A: The AG treats it as a practical tool to memorialize handling procedures, not as a contract that converts the auditor into a service provider. Signing such an agreement does not trigger § 2-d's third-party-contractor obligations.

Q: Did the Legislature intend "audit" in § 2-d to cover the State Comptroller?
A: The AG concluded it did not. Section 2-d's reference to "audit or evaluation of publicly funded programs" naturally covers private accountants engaged by educational agencies (and similar contracted services). It would be odd to read it to cover the constitutional auditor of state finances, who is not a service provider in any conventional sense.

Background and statutory framework

Education Law § 2-d was enacted to put New York-specific data-protection rules around student personally identifiable information held by educational agencies. The statute defines "educational agency" (§ 2-d(1)(c)) to include the State Education Department and other public-education entities. It separately defines "third party contractor" (§ 2-d(1)(k)) as an entity that receives student data "from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency."

The key textual hooks for the AG's analysis are "pursuant to a contract" and "for purposes of providing services to" the educational agency. The Comptroller's audit fails both: the audit happens under constitutional authority, not contract, and is for the State, not in service to SED.

The Comptroller's authority is anchored in N.Y. Const. art. V, § 1 ("The Comptroller shall be required: To audit all vouchers before payment...") and amplified in State Finance Law § 8. Patterson v. Carey, 41 N.Y.2d 714, 723 (1977), confirms the Comptroller is the State's independent auditing official.

For separately-protected data, FERPA (20 U.S.C. § 1232g; 34 C.F.R. Part 99) imposes federal obligations on the Comptroller's staff to the extent they access FERPA records. The HITECH encryption guidance (Pub. L. No. 111-5 § 13402(h)(2)), referenced in § 2-d, describes the encryption methodology a third-party contractor would have to use; the AG's holding excuses the Comptroller from that specific obligation.

Citations and references

Statutes:
- N.Y. Education Law § 2-d (with subsections 2-d(1)(c) and 2-d(1)(k))
- N.Y. Education Law § 2116-a(3) (annual school district audit by independent accountant)
- N.Y. Const. art. V, § 1 (Comptroller audit authority)
- N.Y. State Finance Law § 8
- Pub. L. No. 111-5 § 13402(h)(2) (HITECH encryption guidance)
- 20 U.S.C. § 1232g; 34 C.F.R. Part 99 (FERPA)

Cases:
- Patterson v. Carey, 41 N.Y.2d 714, 723 (1977), Comptroller is the independent auditing official for the State

Source

• Landing page: https://ag.ny.gov/libraries-documents/opinions/opinions-year
• Original PDF: https://ag.ny.gov/sites/default/files/opinions/2017-f1_pw.pdf

Original opinion text

Education Law §§ 2-d, 2-d(1)(c), 2-d(1)(k), 2116-a(3); Public Law 111-5 § 13402(h)(2); New York Constitution Article V § 1; State Finance Law § 8

The State Comptroller and his designees are not "third party contractors," as defined in Education Law § 2-d, when auditing the State Education Department under the Comptroller's constitutional authority.

December 21, 2017

Nancy Groenwegen
Counsel
Office of the State Comptroller
110 State Street, 14th Floor
Albany, New York 12236

Formal Opinion
No. 2017-F1

Dear Ms. Groenwegen:

You have requested an opinion regarding whether Education Law § 2-d applies to the Comptroller or his designees performing an audit of the State Education Department (SED). Specifically, you have explained that in connection with an audit of SED's efforts to reduce chronic absenteeism, designees of the Comptroller (hereinafter "OSC") must access student data that is protected by law as confidential personally identifiable information. SED agrees that OSC may access the information; the disagreement is only as to whether OSC is a "third party contractor," as defined in Education Law § 2-d, subject to the special rules, described below, that govern access to and use of students' personally identifiable information by third party contractors. SED has suggested that the confidentiality agreement that OSC enters with the entities it audits, including SED, constitutes a contract that renders OSC subject to section 2-d's rules. As explained below, we are of the opinion that OSC is not a third party contractor under section 2-d and thus is not subject to that section's rules.

Education Law § 2-d limits the collection and use of personally identifiable information from the student records maintained by an "educational agency," which includes SED. Education Law § 2-d(1)(c). As relevant here, a third party contractor that receives student data must satisfy certain obligations, including limiting internal access to education records to those individuals who are determined to have legitimate educational interests and, to protect data from unauthorized disclosure while it is in the third party contractor's custody, using an encryption technology or methodology specified by the Secretary of the United States Department of Health & Human Services in guidance issued under section 13402(h)(2) of Public Law 111-5.

A "third party contractor" is defined by section 2-d to be "any person or entity, other than an educational agency, that receives student data . . . from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency." Education Law § 2-d(1)(k).

The Comptroller and OSC are not "third party contractors" under Education Law § 2-d. Specifically, they will not be receiving student data from SED "pursuant to a contract or other written agreement for purposes of providing services to" SED. The Comptroller is the independent auditing official for the affairs of the State, whose authority to audit departments of the State derives from the state Constitution. Patterson v. Carey, 41 N.Y.2d 714, 723 (1977); N.Y. Const. Art. V, § 1; see also State Finance Law § 8. It is under this authority, not pursuant to a contract between OSC and SED, that he and his designees are conducting the instant audit, in the course of which they will receive student data from SED. Moreover, the confidentiality agreement between OSC and SED is not a contract for OSC to provide services to SED. Finally, while the services that a third party contractor might provide to an educational agency include "audit or evaluation of publicly funded programs," this reference does not draw OSC within the ambit of section 2-d. Education Law § 2-d(1)(k). We note that school districts, also "educational agencies", must have an annual audit conducted by an independent accountant. Education Law § 2116-a(3). Thus, our conclusion that OSC is not a third party contractor does not render the "audit" language of section 2-d meaningless.

In sum, we conclude that the Comptroller and his designees are not "third party contractors" subject to the requirements for such contractors established by Education Law § 2-d when auditing SED under the Comptroller's constitutional authority.

Very truly yours,

ERIC T. SCHNEIDERMAN