§ 106-b. Use of biometric identifying technology in schools. 1. As used in this section:
a. "biometric identifying technology" shall mean any tool using an automated or semi-automated process that assists in verifying a person's identity based on a person's biometric information.
b. "biometric information" shall mean any measurable physical, physiological or behavioral characteristics that are attributable to a person, including but not limited to facial characteristics, fingerprint characteristics, hand characteristics, eye characteristics, vocal characteristics, and any other characteristics that can be used to identify a person including, but are not limited to: fingerprints; handprints; retina and iris patterns; DNA sequence; voice; gait; and facial geometry.
c. "facial recognition" shall mean any tool using an automated or semi-automated process that assists in uniquely identifying or verifying a person by comparing and analyzing patterns based on the person's face.
2. a. Except as authorized in paragraph b of this subdivision, public and nonpublic elementary and secondary schools, including charter schools, shall be prohibited from purchasing or utilizing biometric identifying technology for any purpose, including school security, until July first, two thousand twenty-two or until the commissioner of education authorizes such purchase or utilization as provided in subdivision three of this section, whichever occurs later.
b. Schools may utilize biometric identifying technology for the following purposes: (i) fingerprint identification of prospective school employees where utilized for the purpose of compliance with a provision of the education law or the regulations of the commissioner of education or (ii) to exclusively identify employees that have consented in writing to the use of such technology or in the case of employees represented under article fourteen of the civil service law, where the employee organization representing such employee has consented in writing to the use of such technology.
3. a. The commissioner of education shall not authorize the purchase or utilization of biometric identifying technology, including but not limited to facial recognition technology, without the director first issuing a report prepared in consultation with the state education department, making recommendations as to the circumstances in which the utilization of such technology is appropriate in public and nonpublic elementary and secondary schools, including charter schools, and what restrictions and guidelines should be enacted to protect individual privacy, civil rights, and civil liberty interests. Such report shall be made public and presented to the governor, the temporary president of the senate, and the speaker of the assembly, and shall consider, evaluate and present recommendations concerning:
i. the privacy implications of collecting, storing, and/or sharing biometric information of students, teachers, school personnel and the general public entering a school or school grounds;
ii. the potential impact of the use of biometric identifying technology on student civil liberties and student civil rights, including the risks and implications of the technology resulting in false facial identifications, and whether the risks of false facial identifications differs for different subgroups of individuals based on race, national origin, gender, age and other factors, and any other reasonable accuracy concerns with respect to technology;
iii. whether, and under what circumstances, such technology may be used for school security and the effectiveness of such technology to protect students and school personnel;
iv. whether, and under what circumstances and in what manner, information collected may be used by schools and shared with students, parents or guardians, outside agencies including law enforcement agencies, individuals, litigants, the courts, and any other third parties;
v. the length of time biometric information may be retained and whether, and in what manner, such information may be required to be permanently destroyed;
vi. the risk of an unauthorized breach of biometric information and appropriate consequences therefor;
vii. expected maintenance costs resulting from the storage and use of facial recognition images and other biometric information, including the cost of appropriately securing sensitive data, performing required updates to protect against an unauthorized breach of data, and potential costs associated with an unauthorized breach of data;
viii. analysis of other schools and organizations, if any, that have implemented facial recognition technology and other biometric identifying technology programs;
ix. the appropriateness and potential implications of using any existing databases, including but not limited to, local law enforcement databases, as part of biometric identifying technology;
x. whether, and in what manner such biometric identifying technology should be assessed and audited, including but not limited to, vendor datasets, adherence to appropriate standards of algorithmic fairness, accuracy, and other performance metrics, including with respect to subgroups of persons based on race, national origin, gender, and age;
xi. whether, and in what manner, the use of such technology should be disclosed by signs and the like in such schools, as well as communicated to parents, guardians, students, and district residents; and
xii. existing legislation, including but not limited to section two-d of the education law, that may be implicated by or in conflict with biometric technology to ensure the maintenance of records related to the use of such technology, protect the privacy interests of data subjects, and avoid any breaches of data.
b. The director, in consultation with the commissioner of education, shall consult with stakeholders and other interested parties when preparing such report. The state education department, the division of criminal justice services, law enforcement authorities and the state university of New York and the city university of New York shall, to the extent practicable, identify and provide representatives to the office of information technology, at the request of the director, in order to participate in the development and drafting of such report.
4. The director shall, via scheduled public hearings and other outreach methods, seek feedback from teachers, school administrators, parents, individuals with expertise in school safety and security, and individuals with expertise in data privacy issues and student privacy issues, and individuals with expertise in civil rights and civil liberties prior to making such recommendations.