PA 16-189—sHB 5469
AN ACT CONCERNING STUDENT DATA PRIVACY
SUMMARY: This act restricts how student information, student records, or student-generated content may be used by (1) contractors that provide student data services to boards of education and (2) certain operators of websites, online services, or mobile applications (“apps”).
For contractors, the act establishes requirements for contract content; contract execution notice to parents and guardians; and protection, deletion, and use of student information.
The act requires operators of websites, online services, or apps to maintain reasonable security practices to protect student information and delete student information upon student, parent, guardian, or board of education request. It prohibits, with some exceptions, operators from engaging in targeted advertising, creating student profiles for purposes unrelated to school, or selling or disclosing student information. However, the act allows operators to use some student information and de-identified student information for purposes related to student learning or product operational improvements.
The act also prescribes how contractors and operators must respond to security breaches involving student information, directory information, student records, or student-generated content in their possession.
Additionally, the act establishes a task force to study student data privacy issues.
EFFECTIVE DATE: October 1, 2016, except the provisions about (1) contracts apply to contracts entered into, amended, or renewed on or after October 1, 2016 and (2) the task force take effect upon passage.
§ 1 — DEFINITIONS
The act defines a “contractor” as an operator or consultant that possesses or has access to student information, student records, or student-generated content as a result of a written contract with a local or regional board of education. An “operator” is anyone who (1) operates a website, online service, or app with actual knowledge that such website, service, or app is used for and was designed and marketed for school purposes, to the extent that it is engaged in its operation, and (2) collects, maintains, or uses student information. A “consultant” is a professional who provides non-instructional services, including administrative, planning, analytical, statistical, or research services to a board of education under a contract.
The act defines a “student” as a Connecticut resident who is (1) enrolled in a preschool program participating in the statewide public school information system (see BACKGROUND), (2) enrolled in grades kindergarten through 12 in a public school, (3) receiving special education services under an individualized education program, or (4) otherwise the responsibility of a board of education.
Related Terms Defined
The act defines “school purposes” as purposes that (1) customarily take place at the direction of a teacher or a board of education or (2) aid in the administration of school activities, including (a) classroom instruction, (b) administrative activities, and (c) collaboration among students, school personnel, or students' parents or legal guardians.
“Student information” is personally identifiable information or student material in any media or format that is not publicly available and is any of the following:
1. created or provided by a student or a student's parent or legal guardian by using an operator's website, online service, or app for school purposes;
2. created or provided by an employee or agent of a board of education to an operator for school purposes; or
3. gathered by an operator through its website, online service, or app and identifies a student, including (a) information in the student's records or email account; (b) first or last name; (c) home address or telephone number; (d) date of birth; (e) email address; (f) discipline records; (g) test results; (h) grades; (i) evaluations; (j) criminal, medical, or health records; (k) Social Security number; (l) biometric information; (m) disabilities; (n) socioeconomic information; (o) food purchases; (p) political or religious affiliations; (q) text messages; (r) documents; (s) student identifiers; (t) search activity; (u) photographs or voice recordings; (v) survey responses; or (w) behavioral assessments.
The act defines a “student record” as any information (1) directly related to a student that boards of education, the State Department of Education, or the State Board of Education maintains or (2) acquired through a student's use of educational software that a teacher or other public education employee assigned. It does not include de-identified student information that the contract permits the contractor to use for any of the following purposes:
1. improving educational products for adaptive learning purposes and for customizing student learning,
2. demonstrating the product's effectiveness for marketing purposes, and
3. developing and improving the contractor's products and services.
“De-identified student information” is any student information that has been altered to prevent identification of an individual student.
The act defines “targeted advertising” as presenting an advertisement to a student where the selection of the advertisement is (1) based on student information, student records, or student-generated content or (2) inferred over time from the (a) student's use of the operator's website, online services, or app or (b) retention of the student's online activities or requests over time for the purpose of targeting subsequent advertisements. It does not include any advertising to a student on a website that the student accesses at the time or in response to a student's response or request for information or feedback.
§ 2 — CONTRACTORS
The act establishes requirements for contractors who provide student data services to boards of education, specifically about contract content, notice of contract execution, protection and deletion of student information, and restrictions on use of student information. It applies to contracts entered into, amended, or renewed on or after October 1, 2016.
Required Contract Contents
Beginning October 1, 2016, the act requires boards of education to enter into a written contract with any contractor with whom it shares or provides access to student information, student records, or student-generated content. The contract must state the following:
1. student records, student information, and student-generated content are not the property of, or under the control of, a contractor;
2. the contractor will not use student information, student records, and student-generated content for any purposes except those the contract authorizes;
3. the contractor must take actions designed to ensure security and confidentiality of student information, student records, and student-generated content;
4. the contractor will not retain or have available student information, student records, or student-generated content after completing the contracted services unless a student, parent, or guardian chooses to establish or maintain an electronic account with the contractor to store student-generated content (e.g., essays, research papers, portfolios, creative writing, music, audio files, or photographs, but not standardized assessment responses);
5. the contractor and the board of education must ensure compliance with the federal Family Educational Rights and Privacy Act of 1974 (FERPA) (see BACKGROUND);
6. Connecticut law governs the rights and duties of all parties to the contract; and
7. a court finding of invalidity of any contract provision does not invalidate other contract provisions or applications not affected by the finding.
The contract must also describe the following:
1. how the board of education may request deletion of student information, student records, or student-generated content in the contractor's possession;
2. procedures for a student, parent, or guardian to (a) review personally identifiable information in student information, student records, and student-generated content and (b) correct erroneous information, if any, in the record; and
3. procedures that a contractor will follow to notify the board of education when there has been an unauthorized release, disclosure, or acquisition of student information, student records, or student-generated content.
Under the act, a contractual provision is void if it conflicts with any of the above 10 provisions. Similarly, a contract is void if it lacks any of the above 10 provisions. However, the board of education must give the contractor reasonable notice to amend the contract to include the missing provisions.
Notice of Contract Execution
The act requires boards of education to electronically notify affected students and their parents or guardians within five business days after entering into a contract with a contractor. The notice must (1) state that the contract has been executed and its date of execution; (2) provide a brief description of the contract and its purpose; and (3) state what student information, student records, or student-generated content may be collected under the contract. The act also requires boards of education to post the notice and contract on their websites.
Requirement to Protect and Delete Student Information
Under the act, a contractor must implement and maintain security procedures and practices designed to protect student information from unauthorized access, destruction, use, modification, or disclosure that, based on the data's sensitivity and risk from unauthorized access, do the following:
1. use technologies and methodologies consistent with guidance issued about protected health information under the federal Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) (see BACKGROUND),
2. maintain technical safeguards for student records in a manner consistent with federal HITECH Act regulations on technical safeguards for electronic protected health information, and
3. otherwise meet or exceed industry standards.
Restrictions on Contractors
The act bans contractors from using (1) student information, student records, or student-generated content for any purposes other than those the contract authorizes or (2) personally identifiable information contained in student information, student records, or student-generated content to engage in targeted advertising. The act specifies that all student-generated content is the property of the student or his or her parents or guardians.
§ 3 — OPERATORS
Under the act, operators of Internet websites, online services, and apps must meet several security requirements and abide by various restrictions on the use of student information, records, and student-generated content. However, the act permits operators to disclose and share such data under certain circumstances.
The act requires operators to do the following:
1. implement and maintain security procedures and practices that meet or exceed industry standards and are designed to protect student information, student records, and student-generated content from unauthorized access, destruction, use, modification, or disclosure and
2. delete any student information, student records, or student-generated content within a reasonable amount of time if requested by a student, parent, or guardian or a board of education that has the right to control such student information.
The act prohibits operators from knowingly doing the following:
1. collecting, storing, and using student information, student records, student-generated content, or persistent unique identifiers, except to further school purposes;
2. selling, renting, or trading student information, student records, or student-generated content unless the sale is part of the purchase, merger, or acquisition of an operator by a successor operator, and the successor operator continues to be subject to the act's provisions;
3. disclosing student information, student records, or student-generated content, with some exceptions (see below); or
4. engaging in targeted advertising on (a) the operator's website, online service, or app or (b) any other website, service, or app if the advertising is based on student information, student records, student-generated content, or persistent unique identifiers the operator acquired through the use of the operator's website, service, or mobile app for school purposes.
The act defines “persistent unique identifier” as a unique piece of information that (1) can be used to recognize a user over time and across different websites, online services, or apps and (2) is acquired as a result of a student's use of an operator's website, online service, or app.
The act permits operators to disclose student information, student records, or student-generated content if the disclosure is made under any of the following circumstances:
1. in furtherance of school purposes of the website, online service, or app, as long as the recipient of the information uses it to improve the operability and functionality of the website, service, or app;
2. to ensure compliance with federal or state law or regulations or pursuant to a court order;
3. in response to a judicial order;
4. to protect the safety or integrity of users or others, or the security of the website, online service, or app;
5. to an entity hired by the operator to provide services for the website, online service, or app, as long as the operator contractually (a) prohibits the entity from using the student information, student records, or student-generated content for any purpose other than providing the contracted service to, or on behalf of, the operator; (b) prohibits the entity from disclosing student information, student records, or student-generated content provided by the operator to subsequent third parties; and (c) requires the entity to agree to maintain security procedures and delete any student information at a student's, parent's, or guardian's request; or
6. for a school purpose or other education or employment purpose requested by a student, parent, or guardian, as long as such student information is not used or disclosed for any other purpose.
Permissible Uses Related to Products and Services
The act permits an operator to use student information for adaptive learning purposes or customized student learning, or to do the following:
1. maintain, support, improve, evaluate, or diagnose the operator's website, online service, or app;
2. provide recommendation engines to recommend content or services relating to school purposes or other educational or employment purposes, as long as the recommendation is not determined in whole or in part by payment or other consideration from a third party; or
3. respond to a request for information or feedback from a student, as long as the response is not determined in whole or in part by payment or other consideration from a third party.
The act permits an operator to use de-identified student information or aggregated student information to (1) develop or improve the operator's website, online service, or app or other websites, services, or apps owned by the operator or (2) demonstrate or market the effectiveness of the operator's website, online service, or app. It also permits an operator to share aggregated or de-identified student information to improve and develop websites, online services, or apps designed for school purposes.
The act specifies that the above provisions may not be interpreted to do any of the following:
1. limit a law enforcement agency's ability to obtain student information, student records, or student-generated content when authorized by law or court order;
2. limit a student's, parent's, or guardian's ability to download, export, transfer, or otherwise save or maintain student information, student records, or student-generated content;
3. impose a duty on an “interactive computer service” provider to ensure compliance of third-party “information content providers” (as defined in the federal Communications Decency Act of 1996, see BACKGROUND) with the act's operator prohibitions and requirements;
4. impose a duty on a seller or provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software applications to review or enforce compliance with the act's operator prohibitions and requirements regarding such software apps;
5. limit an Internet service provider from giving a student, parent, guardian or board of education the ability to connect to the Internet;
6. prohibit an operator from advertising other websites, online services, or apps used for school purposes to students' parents or guardians, as long as it does not result from the operator's use of student information, student records, or student-generated content; or
7. regulate websites, online services, or apps designed and marketed for general use by individuals, even if their account credentials are designed and marketed for school purposes.
§ 4 — SECURITY BREACHES
Security Breach Involving a Contractor
Breach of Student Information. The act requires a contractor to notify the board of education without unreasonable delay upon discovering the unauthorized release, disclosure, or acquisition (i.e., “breach”) of student information, directory information, student records, or student-generated content. The contractor must do so within 30 days for a breach of student information (excluding any directory information contained) and within 60 days for a breach of directory information, student records, or student-generated content.
The act defines “directory information” according to federal FERPA regulations (see BACKGROUND).
During the 30- and 60-day periods, the act allows the contractor to (1) determine the breach's nature and scope and the identity of the students whose student information is involved or (2) restore the reasonable integrity of the contractor's data system.
Student, Parent, and Guardian Notice. Upon receiving notice of a security breach from a contractor, the board of education must electronically notify, within 48 hours, the student and parents or guardians of the student whose information, student records, or student-generated content was compromised. The board must also post this notice on its website.
Security Breach Involving an Operator
The act requires an operator, upon discovering a security breach of student information, student records, or student-generated content as a result of a student's use of the operator's website, online service, or app, to notify the student, parents, or guardians about the breach without unreasonable delay. As with the notice requirements for contractors, the operator must do so within 30 days for breaches of student information (excluding any directory information contained) and within 60 days for breaches of directory information, student records, or student-generated content.
During the 30- and 60-day periods, the act allows the operator to (1) determine the breach's nature and scope and the identity of the students whose student information, student records, or student-generated content are involved or (2) restore the reasonable integrity of the data system.
§ 5 — STUDENT DATA PRIVACY TASK FORCE
Purpose and Charge
The act creates a 14-member task force to study student data privacy issues. The study must include an examination of the following topics:
1. when a student's parent or guardian may reasonably or appropriately request the deletion of student information, student records, or student-generated content possessed by a contractor or operator;
2. the means of providing notice to parents and guardians when a student uses an operator's website, online service, or app for instructional purposes in the classroom or as assigned by a teacher;
3. reasonable penalties for violating the act's provisions, such as restricting a contractor or operator from accessing or collecting student information, student records, or student-generated content;
4. other states' strategies that ensure that school employees, contractors, and operators are trained in data security handling, compliance, and best practices;
5. the feasibility of developing a district-wide list of approved websites, online services, and mobile apps;
6. the use of an administrative hearing process to provide legal recourse to students, parents, and guardians aggrieved by violations of this act's provisions;
7. the feasibility of creating an inventory of student information, student records, and student-generated content currently collected under state and federal law;
8. the feasibility of developing a tool kit for use by boards of education to (a) improve student data contracting practices and compliance, including a statewide template for use by districts; (b) increase school employee awareness of student data security best practices, including model training components; (c) develop district-wide lists of approved software applications and websites; and (d) increase the availability and accessibility of student data privacy information for students' parents and guardians and educators; and
9. any other issue involving student data security the task force deems relevant.
Table 1 below lists the task force members and their respective appointing authorities.
Table 1: Student Data Privacy Task Force Membership
● Expert in information technology systems
● Connecticut Education Association representative
● Connecticut high school student
Senate president pro tempore
● Contractor representative
● Information technology systems expert
House majority leader
● Connecticut Parent Teacher Association representative
● American Federation of Teachers representative
Senate majority leader
● Student privacy advocate
● Connecticut Association of Boards of Education representative or member
House minority leader
● Connecticut Association of School Administrators representative
● Connecticut Association of Public School Superintendents representative
Senate minority leader
● Attorney general or his designee
● Education commissioner or her designee
Under the act, all membership appointments must be made by July 9, 2016. The appointing authorities must fill any vacancies that arise.
The act requires the House speaker and Senate president pro tempore to select the task force chairpersons from among its members. The chairpersons must schedule the first task force meeting by August 8, 2016. The administrative staff of the General Law Committee must staff the task force.
The act requires the task force to submit a report on its findings and recommendations to the General Law and Education committees by January 1, 2017. The task force ends on the day it submits this report, or on January 1, 2017, whichever is later.
BACKGROUND
Public School Information System
This system is a statewide, standardized electronic database that tracks and reports data on student, teacher, school, and district performance growth. This data is available to boards of education for evaluating educational performance and growth of teachers and students enrolled in Connecticut public schools (CGS § 10-10a).
Family Educational Rights and Privacy Act (FERPA)
FERPA is the federal law that protects the privacy of student education records, with some exceptions (20 USC § 1232g). One exception is that FERPA allows school districts to disclose information they designate as “directory information” without prior parental consent (or student consent if the student is age 18 or older). Once a year, districts must notify parents of the policy and give them the opportunity to restrict the disclosure of directory information. Unless the parent affirmatively requests limiting disclosure, the district can disclose this information.
Under FERPA regulations, “directory information” is information contained in a student's education record that would generally not be considered harmful or an invasion of privacy if disclosed. It includes, among other things, a student's (1) name, address, and telephone listing; (2) email address; (3) date and place of birth; or (4) grade level and enrollment status. It does not include a student's Social Security number or student ID number that can be used to gain access to educational records (34 C.F.R. § 99.3).
Health Information Technology for Economic and Clinical Health (HITECH) Act
The federal HITECH Act (P.L. 111-5, § 13402(h)(2)) addresses privacy and security concerns associated with electronically transmitting health information through several provisions that strengthen the civil and criminal enforcement of federal HIPAA (Health Insurance Portability and Accountability Act) rules.
Communications Decency Act (CDA) of 1996
This federal law protects online service providers and Internet users from civil actions based on harmful or offensive content posted by third parties (47 U.S.C. § 230). PA 16-189 incorporates two terms from this federal law and their definitions.
The CDA defines “interactive computer service” as any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions (47 U.S.C. § 230(f)(2)).
The CDA defines “information content provider” as any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service (47 U.S.C. § 230(f)(3)).
OLR Tracking: MGS; LH; PF; bs