OLR Bill Analysis

sHB 5444

AN ACT CONCERNING REVISIONS TO THE STUDENT DATA PRIVACY ACT.

SUMMARY

This bill makes numerous changes in the student data privacy law. The law restricts how website, online service, and mobile application operators and consultants who contract with local and regional boards of education process or access student data. The law requires operators and consultants to use reasonable security practices to safeguard student data.

The bill requires the Commission for Educational Technology (CET) (see BACKGROUND) to develop a student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the student data privacy law.

With respect to the privacy law, the bill also:

1. creates certain exceptions for contractors and operators from requirements on deleting student data at a board of education's, student's, parent's, or guardian's request;

2. creates an exception, under certain conditions, for boards when they have only one or two special education students using a particular application or website;

3. eliminates a requirement that boards electronically notify students and parents of new contracts;

4. requires the State Department of Education (SDE) to add more information to the guidance it is already required to provide school districts;

5. adds the Connecticut Association of Schools' executive director, or her designee, as a member of the student data privacy task force; and

6. makes minor and technical changes.

EFFECTIVE DATE: July 1, 2018, except the provisions regarding the agreement addendum and the task force member are upon passage.

DEFINITIONS

By law, unchanged by the bill, a contractor is an operator or a consultant who possesses, or has access to, student information due to a contract with a board of education. An operator is someone who operates a website, online service, or mobile application with knowledge that it was designed and marketed, and is used, for school purposes. A consultant is a professional who provides non-instructional services to a board of education (CGS 10-234aa).

1 & 2 — TERMS-OF-SERVICE AGREEMENT ADDENDUM

The bill requires CET, which is housed in the Department of Administrative Services (DAS), to develop a uniform student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the privacy law. The addendum must conform to the requirements for a contract described in the law. CET must make the addendum available on its website or in an online registry it maintains for boards, contractors, and operators. The bill also authorizes a board of education and a contractor to include the addendum in any contract executed under this law in order to satisfy the law's requirements.

2 & 3 — DELETING STUDENT DATA, CERTAIN SPECIAL EDUCATION STUDENTS, AND POSTING CONTRACT INFORMATION

Deleting Student Data

Current law requires an operator or contractor to delete student records, student information, and student-generated content (“student information”) in certain situations.

Current law requires an operator to delete any student information within a reasonable amount of time if a student, parent, legal guardian, or board of education that has the right to control the student information requests its deletion. The bill creates an exception to this requirement when (1) state or federal law prohibits the deletion or requires the retention of the information or (2) a copy of the student information is part of a disaster recovery storage system and is generally inaccessible to the public and the operator, provided that a student, parent, legal guardian, or board of education may request deletion of the student information if the operator uses it to repopulate accessible data after a disaster recovery.

The bill also adds this exception to the required provisions on student information deletion that must be in any contract between a board of education and a contractor.

Special Education Student Exception

The bill exempts a board of education from entering into a contract that meets the privacy law's requirements if two or fewer children receiving special education have an individualized education program that requires the use of a website, online service, or mobile application that is unable to comply with the provisions of the law. This exemption only applies under the bill if (1) the website, service, or mobile application complies with the federal Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) (see BACKGROUND) and (2) the board of education has made a reasonable effort to find an equivalent website, service, or application that complies with the law. If such an exception is made, the website, service, or application must still comply with the law's security measures, and the consultant or operator must comply with the non-contractual parts of the law, such as the data security and information deletion provisions and the general prohibition on disclosing, selling, or trading student information.

Posting Contract Information

Current law requires boards of education to electronically notify affected students and their parents or guardians within five business days after entering into a contract with a contractor. The notice must (1) state that the contract has been executed and its date of execution; (2) provide a brief description of the contract and its purpose; and (3) state what student information may be collected under the contract. The bill removes the requirement to electronically notify students and parents. The law, unchanged by the bill, requires boards to post the notice and contract on their websites. Under the bill, each year by September 1, the board must electronically notify the parents, guardians, and students of the website's address.

4 — GUIDANCE FOR SCHOOL DISTRICTS

Existing law requires CET to provide guidance to boards on FERPA and the state privacy law. The bill requires SDE to add information on the terms-of-service agreement addendum to this guidance. It also requires SDE to consult with CET in providing the written guidance, which must include:

1. a plain language explanation of how FERPA and the state student data privacy law are to be implemented,

2. information about the terms-of-service agreement addendum, and

3. how the addendum can be incorporated into contracts executed under the state privacy law.

The bill specifies that the guidance must be in writing.

5 — STUDENT DATA PRIVACY TASK FORCE

By law, there is a task force to study student data privacy issues. The bill adds the Connecticut Association of Schools' executive director, or her designee, as a member.

It also changes the deadline, from January 1, 2018 to January 1, 2019, for the task force's report to be submitted to the General Law and Education committees.

BACKGROUND

CET

The commission, which by statute is the principal educational technology policy advisor for state government, consists of state agency department heads and higher education, business, and municipal representatives (CGS 4d-80).

HIPAA and FERPA

Except under specified circumstances, FERPA (20 USC 1232g) requires schools to obtain written permission from a minor's parent or guardian before disclosing educational records to a third party. HIPAA (P.L. 104-191, as amended from time to time) sets national standards to protect the privacy of health information by defining and limiting the circumstances under which entities may use or disclose it.

COMMITTEE ACTION

Education Committee

Joint Favorable

Yea 35 Nay 0

(03/23/2018)