Connecticut Seal

General Assembly

 

Raised Bill No. 7017

January Session, 2015

 

LCO No. 5179

 

*05179_______ED_*

Referred to Committee on EDUCATION

 

Introduced by:

 

(ED)

 

AN ACT CONCERNING STUDENT DATA PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2015, and applicable to any agreement entered into on or after said date) (a) For the purposes of this section:

(1) "Contractor" means an individual, business or other entity that provides educational software or services for the electronic storage, management and retrieval of student records and receives such student records pursuant to a written agreement with a local or regional board of education;

(2) "Deidentified student information" means any information that cannot be used to identify an individual student;

(3) "Student generated content" includes materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except that it does not include student responses to a standardized assessment; and

(4) "Student record" includes any information directly related to a student that is maintained by a local or regional board of education and any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education, except that it does not include deidentified student information used by the contractor to improve educational products for adaptive learning purposes and for customizing student learning, to demonstrate the effectiveness of contractor's products in the marketing of those products and to develop and improve the contractors' products and services.

(b) Every agreement that a local or regional board of education enters into with a contractor shall include, but is not limited to, the following:

(1) A statement that student records continue to be the property of and under the control of the local or regional board of education;

(2) A description of the means by which a student may retain possession and control of student generated content and, if applicable, the means by which a student may transfer such student generated content to an electronic mail account;

(3) A statement that the contractor shall not use student records for any purposes other than those authorized pursuant to the contract;

(4) A description of the procedures by which a parent or legal guardian of a student who is younger than eighteen years of age and a student who is eighteen years of age or older may review personally identifiable information in the student records and correct erroneous information;

(5) A description of the actions the contractor will take to ensure the security and confidentiality of student records;

(6) A description of the procedures for notifying a parent or legal guardian of a student who is younger than eighteen years of age and a student who is eighteen years of age or older in an instance where an unauthorized person or entity accesses student records in any manner;

(7) A statement that student records shall not be retained or available to the contractor upon completion of the contracted services unless a student chooses to establish or maintain an electronic account with the contract for the purpose of storing student generated content; and

(8) A statement that the contractor and the local or regional board of education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, (FERPA).

(c) A contractor shall not use (1) student records for any purposes other than those authorized pursuant to the agreement, and (2) personally identifiable information in student records to engage in targeted advertising.

(d) Any agreement which conflicts with the provisions of this section shall be void.

Sec. 2. (NEW) (Effective October 1, 2015) (a) For the purposes of this section:

(1) "Operator" means an operator of an Internet web site, online service, online application or mobile application that is designed, used and marketed for elementary and secondary school purposes;

(2) "Elementary and secondary school purposes" means activities that customarily occur at the direction of an elementary or secondary teacher or a local or regional board of education, including, but not limited to, instruction in the classroom or at home, administrative activities and collaboration between students, school personnel or parents;

(3) "Covered information" means personally identifiable information, in any media or format, that (A) is created or provided by a student or a parent or legal guardian of a student who is younger than eighteen years of age to an operator in the course of the student, parent or legal guardian using the operator's site, service or application for elementary and secondary school purposes, (B) is created or provided by an employee or agent of a local or regional board of education to an operator, or (C) is gathered by an operator through the operation of the operator's Internet web site, service or application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home address, telephone number, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, photos or voice recordings; and

(4) "Deidentified student covered information" means any information that cannot be used to identify an individual student.

(b) An operator shall not:

(1) Engage in targeted advertising on the operator's Internet web site, service or application, or target advertising on any other site, service or application when the targeting of the advertising is based upon any information, including covered information, that the operator acquired because of the use of the operator's Internet web site, service or application;

(2) Use information created or gathered by the operator's site, service or application to create a profile about a minor student except in furtherance of elementary and secondary school purposes;

(3) Sell a minor student's information, including covered information, except if selling is part of the purchase, merger or acquisition of an operator by another operator, provided the operator and successor operator continue to be subject to the provisions of this section regarding covered information; and

(4) Disclose covered information, unless the disclosure is made: (A) In furtherance of the elementary and secondary school purposes of the site, service or application, provided the recipient of the covered information uses such covered information to improve the operability and functionality of the Internet web site, service or application within the student's classroom or school and complies with subsection (d) of this section; (B) to ensure compliance with federal and state law; (C) in response to judicial process; (D) to protect the safety of users or others or security of the Internet web site, service or application; or (E) to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider protect confidential information from unauthorized access in accordance with current industry standards.

(c) No provision in subsection (b) of this section shall be construed to prohibit the use of covered information by the operator to maintain, develop, support or improve the operator's Internet web site, service or application.

(d) An operator shall (1) protect confidential information from unauthorized access, whenever and however stored or maintained, in accordance with current industry standards, and (2) delete a student's covered information if the local or regional board of education requests deletion of such covered information that is under the control of such board of education.

(e) An operator may (1) use deidentified student covered information to improve the operator's Internet web site, service or application and to demonstrate or market the effectiveness of the operator's Internet web site, service or application, and (2) share aggregated deidentified student covered information for improvement and development of Internet web sites, services or applications for elementary and secondary school purposes.

Sec. 3. (NEW) (Effective October 1, 2015) Upon determination that there is good cause, a local or regional board of education may disclose directory information, as defined in the regulations implementing the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, (FERPA), as from time to time amended, at 34 CFR 99.3, to any person requesting such directory information.

This act shall take effect as follows and shall amend the following sections:

Section 1

October 1, 2015, and applicable to any agreement entered into on or after said date

New section

Sec. 2

October 1, 2015

New section

Sec. 3

October 1, 2015

New section

Statement of Purpose:

To protect the privacy of student information.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]