OLR Bill Analysis

sHB 7017

AN ACT CONCERNING STUDENT DATA PRIVACY.

SUMMARY:

This bill restricts how software and information contractors and website, internet services, and mobile application operators can use student information.

Software and information contractors that do business with boards of education, the State Board of Education (SBE), or the State Department of Education (SDE) must agree to contract provisions that, among other things, prohibit using identifiable student information for advertising and require notifying a student, parent, or guardian as soon as practical, but not later than 48 hours, after a contractor suspects an information security breach.

Under the bill, website, Internet services, or mobile application operators that are not under contract but obtain student information are prohibited from, among other things, (1) using identifiable student information for advertising or, (2) in most cases, selling such information.

The bill also requires school districts to withhold the release of student directory information if the local or regional board of education determines that a request for such information is not related to school purposes.

The bill does not provide any specific enforcement mechanism or penalties. But current law provides a civil penalty of $500 for each violation, provided the penalty cannot exceed $500,000 for any single event, for a person's willful failure to safeguard another person's personal information.

EFFECTIVE DATE: October 1, 2015, and the provision regarding contracts is applicable to any contract entered into on or after that date.

1 — RESTRICTIONS ON SOFTWARE AND INFORMATION CONTRACTORS

The bill places a number of restrictions on how software and electronic information services contractors can use student information.

It defines contractors as individuals, businesses, or other entities that (1) provide educational software or services for storing, managing, or retrieving electronic student records and (2) receive student records under a written contract with a local or regional board of education, SBE, or SDE.

Under the bill, such contractors are banned from using (1) student records for any purposes other than those the contract authorizes or (2) personally identifiable information contained in student records for advertising.

Student Records

The bill defines student records as any information (1) directly related to a student that boards of education, SDE, or SBE maintains and (2) acquired through a student's use of educational software that a teacher or other public education employee assigned. Student records do not include de-identified student information allowed under the contract that the contractor uses to:

1. improve educational products for adaptive learning purposes and for customizing student learning,

2. demonstrate the contractor's product effectiveness for marketing purposes, and

3. develop and improve the contractor's products and services.

De-identified student information means any information that cannot be used to identify an individual student.

Contract Requirements

Under the bill, every contract that a board of education, SDE, or SBE enters into with a contractor must include:

1. a statement that student records remain the property of, and under the control of, the board of education, SDE, or SBE;

2. a statement that the contractor will not use student records for any purposes except those the contract authorizes;

3. a description of the procedures for a student, parent, or guardian to (a) review personally identifiable information in the student record and (b) correct erroneous information, if any, in the record;

4. a description of the actions the contractor agrees to take to ensure student record security and confidentiality;

5. a description of the procedures for notifying a student, parent, or guardian and the board of education, SBE, or SDE (as appropriate) as soon as practical, but not later than 48 hours, after the contractor becomes aware of, or suspects, that any student record under the contractor's control has been subject to unauthorized access or suspected unauthorized access;

6. a statement that the contractor and the board of education, SBE, or SDE will ensure compliance with the federal Family Educational Rights and Privacy Act of 1974 (FERPA), 20 USC 1232g (see BACKGROUND).

7. a description of how a student, parent, or legal guardian of a student may retain possession and control of student-generated content and, if applicable, how a student, parent, or guardian can transfer the student-generated content to an email account; and

8. a statement that the contractor will not retain or have available student records after completing the contracted services unless a student, parent, or guardian chooses to establish or maintain an electronic account with the contractor to store student-generated content.

Under the bill “student-generated content” includes materials a student creates, including essays, research papers, portfolios, creative writing, music or other audio files or photographs, except that it does not include student responses to a standardized assessments. The exclusion for responses to standardized assessments would appear to apply to students' Connecticut Mastery Test scores.

Noncompliant Contracts Void

Under the bill, any contract that conflicts with the bill's contract requirement provisions is void.

2 — RESTRICTIONS ON WEBSITE, ONLINE SERVICE, AND APPLICATIONS OPERATORS

The bill restricts Internet website, online service, and application operators from using student information, referred to in the bill as covered information.

The bill prohibits operators from:

1. engaging in advertising on the operator's or any other website, service, or application, that uses any covered information that the operator acquired because a student, parent, or legal guardian used the operator's website, service, or application;

2. using covered information created or gathered by the website, service, or application to create a student profile, except in furthering school purposes;

3. selling covered information, unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the successor operator continues to be subject to the bill's provisions; and

4. disclosing covered information.

The bill applies the restrictions to operators even though they are not under contract with a board of education, SBE, or SDE.

Operators

The bill defines these entities as operators of websites, online services, or mobile applications that are designed, used, and marketed for “school purposes,” which are activities directed by, or customarily occur at the direction of, a public school teacher or board of education and include classroom or at-home instruction, administrative activities, and collaboration among students, school personnel, or parents or guardians of students. (It is not clear what “customarily occur at the direction” of a teacher or board of education means in this context.)

Covered Information

Under the bill, “covered information” means personally identifiable information in any medium or format that:

1. a student, parent, or legal guardian creates or provides by using the operator's website, service, or application for school purposes;

2. an employee or agent of a board of education creates or provides to an operator for school purposes; or

3. an operator gathers through the operator's website, service, or application and identifies a student, including (a) information in the student's records or email account, (b) first or last name, (c) home address, (d) telephone number, (e) date of birth, (f) electronic mail address, (g) discipline records, (h) test results, (i) grades, (j) evaluations, (k) criminal records, (l) medical records, (n) health records, (o) Social Security number, (p) biometric information, (q) disabilities, (r) socioeconomic information, (s) food purchases, (t) political affiliations, (u) religious affiliations, (v) text messages, (w) documents, (x) student identifiers, (y) search activity, and (z) photographs or voice recordings.

Exceptions That Permit Disclosure

The bill allows operators to disclose covered information for the following reasons:

1. to further the website, service, or application's school purposes, provided the recipient of the information (a) uses the information to improve the website, service, or application's operability and functioning within the student's classroom or school and (b) complies with the bill's requirements to protect the information from unauthorized users and to delete student information upon the student, parent, or guardian's request;

2. to ensure compliance with federal and state law;

3. in response to judicial processes;

4. to protect the safety of users or others, or the security of the website, service, or application; or

5. to a service provider the operator hires to provide services for the website, service, or application, provided the operator contractually (a) prohibits the provider from using any covered information for any purpose other than contracted service to, or on behalf of, the operator, (b) prohibits the provider from disclosing any of the operator-provided covered information to subsequent third parties, and (c) requires the provider to protect confidential information from unauthorized access in accordance with industry standards.

Requirement to Protect and, Upon Request, Delete Information

Under the bill, an operator must (1) protect covered information from unauthorized access, whenever and however stored or maintained, in accordance with industry standards, and (2) delete a student's covered information if a student, parent, or guardian or the board of education requests the information be deleted.

Current state consumer protection law has a similar provision that requires anyone who possesses another person's personal information to safeguard, among other things, the data and computer files from misuse by third parties (CGS 42-471). It also requires the data be destroyed or made unusable before it is disposed of. Willful violators may be subject to civil penalties of $500 for each violation, provided the penalty cannot exceed $500,000 for any single event.

Use of Student Information to Improve Operator's Service

The bill permits an operator to use de-identified student covered information to improve the operator's website, service, or application and to market the effectiveness of the website, service, or application. Another portion of the bill allows the operator to use covered information to maintain, develop, support or improve the operator's website, service, or application without specifying that the information first be de-identified. These two provisions overlap regarding using the information to improve a website or application, but one calls for the information to be de-identified and the other does not.

It permits an operator to use aggregated de-identified student covered information for improvement and development of websites, services, or applications for school purposes.

3 — AUTHORITY TO WITHHOLD STUDENT DIRECTORY INFORMATION

The bill also requires school districts to withhold the release of student directory information if the local or regional board of education determines the request for the information is not related to school purposes. Under FERPA, a district may disclose directory information if a parent has not made a request to restrict disclosure (see BACKGROUND). Under the bill a district must refuse to disclose directory information if the school district determines the request is not related to school purposes. If the determination is made that the request is related to school purposes, then the district may disclose the information.

BACKGROUND

FERPA

FERPA is the federal law that protects the privacy of student education records, with some exceptions (20 USC 1232g). One exception is FERPA allows school districts to disclose information they designate as “directory information” without prior parental consent (or student consent if the student is age 18 or older). Once a year, districts must notify parents of the policy and give them the opportunity to restrict the disclosure of directory information. Unless the parent affirmatively requests limiting disclosure, the district can disclose directory information. Under FERPA, directory information includes a student's name, date of birth, place of birth, address, telephone listing, photo, and other information.

COMMITTEE ACTION

Education Committee

Joint Favorable Substitute

Yea

33

Nay

0

(03/27/2015)