Connecticut Seal

General Assembly

 

Substitute Bill No. 7017

    January Session, 2015

 

*_____HB07017ED____033015____*

AN ACT CONCERNING STUDENT DATA PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2015, and applicable to any agreement entered into on or after said date) (a) For the purposes of this section:

(1) "Contractor" means an individual, business or other entity that provides educational software or services for the electronic storage, management or retrieval of student records and receives such student records pursuant to a written contract with a local or regional board of education, the State Board of Education or the Department of Education;

(2) "De-identified student information" means any information that cannot be used to identify an individual student;

(3) "Student-generated content" includes materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except that it does not include student responses to a standardized assessment; and

(4) "Student record" includes any information directly related to a student that is maintained by a local or regional board of education, the State Board of Education or the Department of Education and any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education, the State Board of Education or the Department of Education, except that it does not include de-identified student information allowed under the contract to be used by the contractor to (A) improve educational products for adaptive learning purposes and for customizing student learning, (B) demonstrate the effectiveness of the contractor's products in the marketing of those products, and (C) develop and improve the contractor's products and services.

(b) Every contract that a local or regional board of education, the State Board of Education or the Department of Education enters into with a contractor shall include, but need not be limited to, the following:

(1) A statement that student records continue to be the property of and under the control of the local or regional board of education, the State Board of Education or the Department of Education;

(2) A description of the means by which a student, parent or legal guardian of a student may retain possession and control of student-generated content and, if applicable, the means by which a student, parent or legal guardian of a student may transfer such student-generated content to an electronic mail account;

(3) A statement that the contractor shall not use student records for any purposes other than those authorized pursuant to the contract;

(4) A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in the student record and correct erroneous information, if any, in such student record;

(5) A description of the actions the contractor shall take to ensure the security and confidentiality of student records;

(6) A description of the procedures for notifying a student, parent or legal guardian of a student and the local or regional board of education, the State Board of Education or the Department of Education as soon as practical, but not later than forty-eight hours after the contractor becomes aware of or suspects that any student record under the control of the contractor has been subject to unauthorized access or suspected unauthorized access;

(7) A statement that student records shall not be retained or available to the contractor upon completion of the contracted services unless a student, parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content; and

(8) A statement that the contractor and the local or regional board of education, the State Board of Education or the Department of Education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g.

(c) A contractor shall not use (1) student records for any purposes other than those authorized pursuant to the contract, or (2) personally identifiable information contained in student records to engage in advertising.

(d) Any contract that conflicts with the provisions of this section shall be void.

Sec. 2. (NEW) (Effective October 1, 2015) (a) For the purposes of this section:

(1) "Operator" means an operator of an Internet web site, online service, online application or mobile application that is designed, used and marketed for elementary and secondary school purposes;

(2) "Elementary and secondary school purposes" means activities that are directed by or that customarily occur at the direction of an elementary or secondary school teacher or a local or regional board of education, including, but not limited to, instruction in the classroom or at home, administrative activities and collaboration among students, school personnel or parents or legal guardians of students;

(3) "Covered information" means personally identifiable information, in any media or format, that (A) is created or provided by a student, parent or legal guardian of a student in the course of the student, parent or legal guardian using the operator's Internet web site, service or application for elementary and secondary school purposes, (B) is created or provided by an employee or agent of a local or regional board of education and provided to an operator for elementary and secondary school purposes, or (C) is gathered by an operator through the operation of the operator's Internet web site, service or application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home address, telephone number, date of birth, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, photographs or voice recordings; and

(4) "De-identified student covered information" means any information that cannot be used to identify an individual student.

(b) An operator shall not:

(1) Engage in advertising on the operator's Internet web site, service or application, or advertising on any other Internet web site, service or application when such advertising uses any covered information that the operator acquired in the course of a student, parent or legal guardian using the operator's Internet web site, service or application;

(2) Use covered information created or gathered by the operator's Internet web site, service or application to create a profile of a student, except in furtherance of elementary and secondary school purposes;

(3) Sell covered information, unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the operator and successor operator continue to be subject to the provisions of this section regarding covered information; and

(4) Disclose covered information, unless the disclosure is made: (A) In furtherance of the elementary and secondary school purposes of the Internet web site, service or application, provided the recipient of the covered information uses such covered information to improve the operability and functionality of the Internet web site, service or application within the student's classroom or school and complies with subsection (d) of this section; (B) to ensure compliance with federal and state law; (C) in response to judicial process; (D) to protect the safety of users or others, or the security of the Internet web site, service or application; or (E) to an entity hired by the operator to provide services for the operator's Internet web site, service or application, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator to subsequent third parties, and (iii) requires the service provider to protect confidential information from unauthorized access in accordance with current industry standards.

(c) No provision in subsection (b) of this section shall be construed to prohibit the use of covered information by the operator to maintain, develop, support or improve the operator's Internet web site, service or application.

(d) An operator shall (1) protect covered information from unauthorized access, whenever and however stored or maintained, in accordance with current industry standards, and (2) delete a student's covered information if a student, parent or legal guardian of a student or the local or regional board of education requests deletion of such covered information.

(e) An operator may (1) use de-identified student covered information to improve the operator's Internet web site, service or application and to demonstrate or market the effectiveness of the operator's Internet web site, service or application, and (2) use aggregated de-identified student covered information for improvement and development of Internet web sites, services or applications for elementary and secondary school purposes.

Sec. 3. (NEW) (Effective October 1, 2015) (a) For the purposes of this section, "directory information" has the same meaning as provided in 34 CFR 99.3, as amended from time to time.

(b) Upon determination by a local or regional board of education that a request for directory information is related to school purposes, the local or regional board of education may disclose directory information to any person requesting such directory information. If the local or regional board of education determines that a request for directory information is not related to school purposes, the local or regional board of education shall not disclose such directory information.

This act shall take effect as follows and shall amend the following sections:

Section 1

October 1, 2015, and applicable to any agreement entered into on or after said date

New section

Sec. 2

October 1, 2015

New section

Sec. 3

October 1, 2015

New section

Statement of Legislative Commissioners:

In Section 1(b)(4), "contained" was inserted before "in the student record" for clarity and ", if any, in such student record" was inserted after "erroneous information" for clarity; in Section 1(b)(8), ", the State Board of Education or the Department of Education" was inserted after "regional board of education" for consistency and accuracy; in Section 1(c), "contained" was inserted before "in student records" for clarity; in Section 2(a)(2), "school" was inserted before "teacher" for clarity; in Section 2(b)(1), "is based upon" was changed to "uses" for clarity; and in Section 2(b)(3) "except if" was changed to "unless" and "provided" was changed to "and" for clarity and accuracy.

ED

Joint Favorable Subst.