OLR Bill Analysis
AN ACT MAKING REVISIONS TO THE STUDENT DATA PRIVACY ACT OF 2016.
This bill makes the following changes in the education statutes governing student data privacy:
1. extends the date by which local or regional boards of education must begin entering into written contracts with entities with which they share student data (§ 1);
2. modifies the deadline by which a board of education must electronically notify students and their parents or guardians about a breach of student data security from 48 hours to two business days after learning of the breach (§ 2);
3. requires the State Department of Education to provide guidance to boards of education on how to implement the (a) federal Family Educational Rights and Privacy Act (FERPA), which protects student education records, and (b) state's student data privacy laws (§ 3);
4. adds to the members of the student data privacy task force (see BACKGROUND) an attorney with expertise in Connecticut school law, replacing the Connecticut high school student member (§ 4); and
5. extends the task force reporting deadline by one year, from January 1, 2017 to January 1, 2018 (§ 4).
EFFECTIVE DATE: Upon passage, except the provisions about data security breach notice (§ 2) take effect July 1, 2017.
§ 1 — BOARD OF EDUCATION CONTRACTS WITH STUDENT DATA CONTRACTORS
Under current law, boards of education must enter into written contracts with contractors with whom they share student information, student records, or student-generated content beginning October 1, 2016. The bill postpones this start date to July 1, 2018.
Additionally, the bill specifies that any such contract entered into on and after July 1, 2018, rather than October 1, 2016, is void if it lacks any of the provisions required by law (see BACKGROUND). Existing law requires the board to give the contractor reasonable notice to amend the contract to include the missing provisions, however. It also specifies that a contractual provision is void if it conflicts with any of the provisions required by law beginning on July 1, 2018, rather than October 1, 2016.
Required Contractual Provisions
By law, a contract between a board of education and a contractor with whom it shares or provides access to student data must state the following:
1. student records, student information, and student-generated content are not the property of, or under the control of, a contractor;
2. the contractor will not use student information, student records, and student-generated content for any purposes except those the contract authorizes;
3. the contractor must take actions designed to ensure security and confidentiality of student information, student records, and student-generated content;
4. the contractor will not retain or have available student information, student records, or student-generated content after completing the contracted services unless a student, parent, or guardian chooses to establish or maintain an electronic account with the contractor to store student-generated content (e. g. , essays, research papers, portfolios, creative writing, music, audio files, or photographs, but not standardized assessment responses);
5. the contractor and the board of education must ensure compliance with FERPA;
6. Connecticut law governs the rights and duties of all parties to the contract; and
7. a court finding of invalidity of any contract provision does not invalidate other contract provisions or applications not affected by the finding.
The contract must also describe the following:
1. how the board of education may request deletion of student information, student records, or student-generated content in the contractor's possession;
2. procedures for a student, parent, or guardian to (a) review personally identifiable information in student information, student records, and student-generated content and (b) correct erroneous information, if any, in the record; and
3. procedures that a contractor must follow to notify the board of education when there has been an unauthorized release, disclosure, or acquisition of student information, student records, or student-generated content (CGS § 10-234bb).
Student Data Privacy Task Force
This task force must examine various student data privacy topics, including (1) notice to students and parents when websites or mobile applications are being used for class assignments; (2) strategies other states use to train schools, contractors for student data services, and website operators in data security handling; and (3) reasonable penalties for contractors and operators who violate state student data privacy laws (Public Act 16-189, § 5).
Joint Favorable Substitute