General Assembly

File No. 527

February Session, 2016

Substitute House Bill No. 5469

House of Representatives, April 7, 2016

The Committee on Education reported through REP. FLEISCHMANN of the 18th Dist., Chairperson of the Committee on the part of the House, that the substitute bill ought to pass.

AN ACT CONCERNING STUDENT DATA PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2016, and applicable to contracts entered into, amended or renewed on or after said date) (a) For the purposes of this section:

(1) "Contractor" means an individual, business or other entity that provides educational software or services for the electronic storage, management or retrieval of student records and receives such student records pursuant to a written contract with a local or regional board of education, the State Board of Education or the Department of Education;

(2) "De-identified student information" means any information that cannot be used to identify an individual student;

(3) "Student-generated content" means any student materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except "student-generated content" does not include student responses to a standardized assessment; and

(4) "Student record" means any information directly related to a student that is maintained by a local or regional board of education, the State Board of Education or the Department of Education and any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education, the State Board of Education or the Department of Education, except "student record" does not include de-identified student information allowed under the contract to be used by the contractor to (A) improve educational products for adaptive learning purposes and customize student learning, (B) demonstrate the effectiveness of the contractor's products in the marketing of such products, and (C) develop and improve the contractor's products and services.

(b) On and after October 1, 2016, every contract that a local or regional board of education, the State Board of Education or the Department of Education enters into with a contractor shall include, but need not be limited to, the following:

(1) A statement that student records and student-generated content are not the property of or under the control of a contractor;

(2) A description of the means by which a student, parent or legal guardian of a student may retain possession and control of student-generated content and, if applicable, the means by which a student, parent or legal guardian of a student may transfer such student-generated content to an electronic mail account;

(3) A statement that the contractor shall not use student records for any purposes other than those authorized pursuant to the contract;

(4) A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in the student record and correct erroneous information, if any, in such student record;

(5) A description of the actions the contractor shall take to ensure the security and confidentiality of student records;

(6) A description of the procedures for notifying a student, parent or legal guardian of a student and the local or regional board of education, the State Board of Education or the Department of Education as soon as practical, but not later than forty-eight hours after the contractor becomes aware of or suspects that any student record under the control of the contractor has been subject to unauthorized access or suspected unauthorized access;

(7) A statement that student records shall not be retained or available to the contractor upon completion of the contracted services unless a student, parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content;

(8) A statement that the contractor and the local or regional board of education, the State Board of Education or the Department of Education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g;

(9) A statement that the laws of the state of Connecticut shall govern the rights and duties of the contractor and the local or regional board of education, the State Board of Education or the Department of Education; and

(10) A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract which can be given effect without the invalid provision or application.

(c) A contractor shall not use (1) student records for any purposes other than those authorized pursuant to the contract, or (2) personally identifiable information contained in student records to engage in advertising.

(d) Any provision of a contract entered into between a contractor and a local or regional board of education, the State Board of Education or the Department of Education on or after October 1, 2016, that conflicts with any provision of this section shall be void.

(e) Any contract entered into on and after October 1, 2016, that does not include a provision required by subsection (b) of this section shall be void, provided the local or regional board of education, the State Board of Education or the Department of Education has given reasonable notice to the contractor and the contractor has failed within a reasonable time to amend the contract to include the provision required by subsection (b) of this section.

(f) Not later than five business days after executing a contract pursuant to this section, a local or regional board of education shall provide notice to any student and the parent or legal guardian of a student affected by the contract. The notice shall (1) state that the contract has been executed and the date that such contract was executed, (2) provide a brief description of the contract and the purpose of the contract, (3) state what student-generated content or student records may be collected as a result of the contract, and (4) state that the parent or legal guardian of a student affected by the contract may choose to not have such student participate in the execution of the contract.

Sec. 2. (NEW) (Effective October 1, 2016) (a) For the purposes of this section:

(1) "Operator" means any person who (A) operates an Internet web site, online service or mobile application with actual knowledge that such Internet web site, online service or mobile application is used for school purposes and was designed and marketed for school purposes, and (B) collects, maintains or uses student information;

(2) "School purposes" means purposes that customarily take place at the direction of a teacher or a local or regional board of education, or aid in the administration of school activities, including, but not limited to, instruction in the classroom, administrative activities and collaboration among students, school personnel or parents or legal guardians of students;

(3) "Student information" means personally identifiable information regarding a student that is (A) created or provided by a student or the parent or legal guardian of a student, to the operator in the course of the student, parent or legal guardian using the operator's Internet web site, online service or mobile application for school purposes, (B) created or provided by an employee or agent of a local or regional board of education to an operator for school purposes, or (C) gathered by an operator through the operation of the operator's Internet web site, online service or mobile application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home address, telephone number, date of birth, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, photographs, voice recordings, survey responses or behavioral assessments;

(4) "Student" means a child who is a resident of the state and enrolled in (A) a preschool program participating in the state-wide public school information system, pursuant to section 10-10a of the general statutes, or (B) grades kindergarten to twelve, inclusive, in a public school;

(5) "De-identified student information" means any student information that has been altered to prevent the identification of an individual student; and

(6) "Targeted advertising" means presenting an advertisement to a student where the selection of the advertisement is based on student information or inferred from the usage of the operator's Internet web site, online service or mobile application by such student.

(b) An operator shall (1) implement and maintain reasonable security procedures and practices, in accordance with current industry standards, to protect student information from unauthorized access, destruction, use, modification or disclosure, and (2) delete any student information if a student, parent or legal guardian of a student or local or regional board of education requests the deletion of such student information.

(c) An operator shall not knowingly:

(1) Engage in targeted advertising on the operator's Internet web site, online service or mobile application, or on any other Internet web site, online service or mobile application;

(2) Use student information to create a profile of a student for purposes other than the furtherance of school purposes;

(3) Sell student information, unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the operator and successor operator continue to be subject to the provisions of this section regarding student information; or

(4) Disclose student information, unless the disclosure is made (A) in furtherance of school purposes of the Internet web site, online service or mobile application, provided the recipient of the student information uses such student information to improve the operability and functionality of the Internet web site, online service or mobile application and complies with subsection (b) of this section; (B) to ensure compliance with federal or state law; (C) in response to a judicial order; (D) to protect the safety of users or others, or the security of the Internet web site, online service or mobile application; or (E) to an entity hired by the operator to provide services for the operator's Internet web site, online service or mobile application, provided the operator contractually (i) prohibits the entity from using student information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the entity from disclosing student information provided by the operator to subsequent third parties, and (iii) requires the entity to comply with subsection (b) of this section.

(d) An operator may use student information (1) to maintain, support, evaluate or diagnose the operator's Internet web site, online service or mobile application, or (2) for adaptive learning purposes or customized student learning.

(e) An operator may use de-identified student information (1) to develop or improve the operator's Internet web site, online service or mobile application, or other Internet web sites, online services or mobile applications owned by the operator, or (2) to demonstrate or market the effectiveness of the operator's Internet web site, online service or mobile application.

(f) An operator may share aggregated de-identified student information for the improvement and development of Internet web sites, online services or mobile applications designed for school purposes.

(g) Nothing in this section shall be construed to (1) limit the ability of a law enforcement agency to obtain student information from an operator as authorized by law or pursuant to a court order, (2) limit the ability of a student or the parent or legal guardian of a student to download, transfer or otherwise save or maintain student information, (3) impose a duty upon a provider of an interactive computer service, as defined in 47 USC 230, as amended from time to time, to ensure compliance with this section by third-party information content providers, as defined in 47 USC 230, as amended from time to time, (4) impose a duty upon a seller or provider of online services or mobile applications to ensure compliance with this section with regard to such online services or mobile applications, (5) limit an Internet service provider from providing a student, parent or legal guardian of a student or local or regional board of education with the ability to connect to the Internet, (6) prohibit an operator from advertising other Internet web sites, online services or mobile applications that are used for school purposes to parents or legal guardians of students, provided such advertising does not result from the operator's use of student information, or (7) apply to Internet web sites, online services or mobile applications that are designed and marketed for use by individuals generally, even if the account credentials created for an operator's Internet web site, online service or mobile application may be used to access Internet web sites, online services or mobile applications that are designed and marketed for use by individuals generally.

Sec. 3. (NEW) (Effective July 1, 2016) (a) For the purposes of this section, "directory information" has the same meaning as provided in 34 CFR 99.3, as amended from time to time.

(b) Upon determination by a local or regional board of education that a request for directory information is related to school purposes, the local or regional board of education may disclose directory information to any person requesting such directory information. If the local or regional board of education determines that a request for directory information is not related to school purposes, the local or regional board of education shall not disclose such directory information.

This act shall take effect as follows and shall amend the following sections:

Section 1 | October 1, 2016, and applicable to contracts entered into, amended or renewed on or after said date | New section

Sec. 2 | October 1, 2016 | New section

Sec. 3 | July 1, 2016 | New section

Statement of Legislative Commissioners:

In Sections 1(b) and 1(e), references to "October 1, 2016" were added for consistency and clarity, in Section 2(c)(4)(C), "process" was changed to "order" for accuracy and in Section 2(g)(6) "the operator's" was added before "use" for clarity.

ED

Joint Favorable Subst.

The following Fiscal Impact Statement and Bill Analysis are prepared for the benefit of the members of the General Assembly, solely for purposes of information, summarization and explanation and do not represent the intent of the General Assembly or either chamber thereof for any purpose. In general, fiscal impacts are based upon a variety of informational sources, including the analyst's professional knowledge. Whenever applicable, agency data is consulted as part of the analysis; however, final products do not necessarily reflect an assessment from any specific department.

OFA Fiscal Note

State Impact: None

Municipal Impact: None

Explanation

The bill, which restricts how software and information contractors and website, internet service, or mobile application operators can use student information, does not result in a fiscal impact as it impacts private individuals and makes procedural changes.

The Out Years

State Impact: None

Municipal Impact: None

OLR Bill Analysis

sHB 5469

AN ACT CONCERNING STUDENT DATA PRIVACY.

SUMMARY:

This bill restricts how student information may be used by (1) entities that contract to provide educational software and electronic storage of student records (“contractors”) and (2) operators of websites, online services, or mobile applications (i.e., apps).

Regarding software contractors that do business with local or regional boards of education, the State Board of Education (SBE), or the State Department of Education (SDE), the bill:

The bill also voids any (1) contract provision between these parties that conflicts with the above requirements and prohibitions on or after October 1, 2016 or (2) contract between these parties that fails to include the above required provisions.

For operators of websites, online services, or mobile apps, the bill does the following:

The bill also requires school districts to withhold the release of student directory information if the local or regional board of education determines that a request for such information is not related to school purposes.

The bill does not provide any specific enforcement mechanism or penalties; however, existing law provides a civil penalty for each violation.

EFFECTIVE DATE: October 1, 2016, and the provision regarding (1) contracts is applicable to contracts entered into, amended, or renewed on or after that date and (2) directory information takes effect July 1, 2016.

1 — RESTRICTIONS ON SOFTWARE AND INFORMATION STORAGE CONTRACTORS

The bill places a number of restrictions on how software and electronic information services contractors can use student information.

It defines contractors as individuals, businesses, or other entities that (1) provide educational software or services for storing, managing, or retrieving electronic student records and (2) receive student records under a written contract with a local or regional board of education, SBE, or SDE.

Under the bill, such contractors are banned from using (1) student records for any purposes other than those the contract authorizes or (2) personally identifiable information contained in student records for advertising.

Student Records

The bill defines “student records” as any information (1) directly related to a student that boards of education, SDE, or SBE maintains and (2) acquired through a student's use of educational software that a teacher or other public education employee assigned. Student records do not include de-identified student information allowed under the contract that the contractor uses to:

“De-identified student information” means any information that cannot be used to identify an individual student.

Contract Requirements

Under the bill, every contract that a board of education, SDE, or SBE enters into with a contractor, beginning October 1, 2016, must include:

Under the bill “student-generated content” refers to materials a student creates, including essays, research papers, portfolios, creative writing, music or other audio files or photographs, except that it does not include student responses to a standardized assessment.

Notice of Contract Execution

The bill requires boards of education to notify affected students and their parents or guardians within five business days after entering into a contract with a software or information storage contractor. The notice must do the following:

2 — RESTRICTIONS ON WEBSITE, ONLINE SERVICE, AND APP OPERATORS

The bill restricts Internet website, online service, and app operators from using student information.

Operators

The bill defines these entities as operators of websites, online services, or mobile applications that are designed, used, and marketed for school purposes and who collect, maintain or use student information.

“School purposes” are activities that are directed by, or that customarily take place at the direction of, a public school teacher or board of education and include classroom or at-home instruction, administrative activities, and collaboration among students, school personnel, or parents or guardians of students. (It is unclear what “customarily take place at the direction” of a teacher or board of education means in this context.)

“Students” refers to children who live in Connecticut and are enrolled in (1) a preschool program participating in the statewide public school information system (see BACKGROUND) or (2) grades kindergarten to 12 in a public school.

Student Information

The bill defines “student information” as personally identifiable information that:

Prohibitions Applying to Operators

The bill prohibits operators from knowingly:

Exceptions that Permit Disclosure

The bill permits operators to disclose student information if the disclosure is made under the following circumstances:

Requirement to Protect and, Upon Request, Delete Information

Under the bill, an operator must (1) protect student information from unauthorized access, whenever and however stored or maintained, in accordance with current industry standards, and (2) delete a student's information if a student, parent, or guardian or the board of education requests the information be deleted.

Current state consumer protection law has a similar provision that requires anyone who possesses another person's personal information to safeguard, among other things, the data and computer files from misuse by third parties (CGS 42-471). It also requires the data be destroyed or made unusable before it is disposed of. Willful violators may be subject to civil penalties of $500 for each violation, provided the penalty cannot exceed $500,000 for any single event.

Use of Student Information to Improve Operator's Service

The bill permits an operator to use de-identified student information to improve the operator's website, service, or application and to market the effectiveness of the website, service, or application. Under the bill, “de-identified student information” refers to any student information that has been altered to prevent the identification of an individual student. It also permits an operator to use aggregated de-identified student information for improvement and development of websites, services, or applications for school purposes.

Another portion of the bill allows the operator to use student information to maintain, support, evaluate, or diagnose the operator's website, service, or application or for adaptive learning purposes or customized student learning without specifying that the information first be de-identified.

Specified Effects

The bill specifies that all of the above provisions applicable to operators of websites, online services, or apps do not do any of the following:

3 — STUDENT DIRECTORY INFORMATION

Under FERPA, a board of education may disclose directory information if a parent has not made a request to restrict disclosure. The bill defines “directory information” using federal regulations for FERPA (see BACKGROUND).

The bill maintains a local or regional board of education's authority to disclose directory information but prohibits a board from disclosing such information if it determines that the disclosure request is not related to school purposes.

BACKGROUND

Statewide Public Information System

This system is a statewide, standardized electronic database that tracks and reports data on student, teacher, school, and district performance growth. This data is available to local and regional boards of education for evaluating educational performance and growth of teachers and students enrolled in Connecticut public schools (CGS 10-10a).

Disclosure of Directory Information under FERPA

FERPA is the federal law that protects the privacy of student education records, with some exceptions (20 USC 1232g). One exception is that FERPA allows school districts to disclose information they designate as “directory information” without prior parental consent (or student consent if the student is age 18 or older). Once a year, districts must notify parents of the policy and give them the opportunity to restrict the disclosure of directory information. Unless the parent affirmatively requests limiting disclosure, the district can disclose directory information.

Definition of “Directory Information” under FERPA Regulations

“Directory information” means information contained in a student's education record that would generally not be considered harmful or an invasion of privacy if disclosed.

It includes the following student information:

Directory information does not include a student's social security number or student ID number that can be used to gain access to educational records (34 CFR 99.3).

COMMITTEE ACTION

Education Committee

Joint Favorable Substitute

Yea 33, Nay 0 (03/18/2016)
