PA 17-200—sHB 7207

Education Committee

AN ACT MAKING REVISIONS TO THE STUDENT DATA PRIVACY ACT OF 2016

SUMMARY: This act makes the following changes in the education statutes governing student data privacy:

1. extends the date by which local or regional boards of education must begin entering into written contracts with entities with which they share student data ( 1);

2. changes the deadline by which a board of education must electronically notify students and their parents or guardians about a breach of student data security from 48 hours to two business days after learning of the breach ( 2);

3. requires the State Department of Education to provide guidance to boards of education on how to implement the (a) federal Family Educational Rights and Privacy Act (FERPA), which protects student education records, and (b) state's student data privacy laws ( 3);

4. requires one of the Senate president pro tempore's appointments to the student data privacy task force to be an attorney with expertise in Connecticut school law, instead of a Connecticut high school student ( 4); and

5. extends the task force reporting deadline and termination date ( 4).

The act also makes technical and conforming changes.

EFFECTIVE DATE: Upon passage, except the provisions about data security breach notice ( 2) take effect July 1, 2017.

1 — BOARD OF EDUCATION CONTRACTS WITH STUDENT DATA CONTRACTORS

Prior law required boards of education to enter into written contracts with contractors with whom they share student information, student records, or student-generated content beginning October 1, 2016. The act postpones this start date to July 1, 2018.

Additionally, the act specifies that any such contract entered into on and after July 1, 2018 rather than October 1, 2016 is void if it lacks any of the provisions required by law. Existing law requires the board to give the contractor reasonable notice to amend the contract to include the missing provisions, however. The act also specifies that a contractual provision is void if it conflicts with any of the provisions required by law, beginning on July 1, 2018, rather than October 1, 2016.

By law, these contracts must include specified provisions on student data security, ownership, and use, among other things.

4 — TASK FORCE DEADLINES

The act extends the student data privacy task force's reporting deadline by one year, from January 1, 2017 to January 1, 2018. Under existing law, the task force must report to the General Law and Education committees on its findings and recommendations.

Also, the act changes the task force's termination date. It must terminate on the date it submits its report to the legislative committees, or on January 1, 2018, whichever is later. Prior law required the termination on the report submission date or by January 1, 2017, whichever was later.

By law, the task force must examine various student data privacy topics, including other states' strategies for training schools and student data services contractors in data security.