OLR Bill Analysis
sHB 5444 (as amended by House “A”)*
AN ACT CONCERNING REVISIONS TO THE STUDENT DATA PRIVACY ACT.
This bill makes numerous changes in the student data privacy law. The law restricts how website, online service, and mobile application (i.e., “online service”) operators and consultants who contract with local and regional boards of education process and access student data. The law requires operators and consultants to use reasonable security practices to safeguard student data.
The bill requires the Commission for Educational Technology (CET) (see BACKGROUND) to develop a student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the student data privacy law.
With respect to the privacy law, the bill also:
1. creates certain exceptions for contractors and operators from requirements for deleting student data at a board of education's, student's, parents', or guardian's request;
2. creates an exception, under certain conditions, for boards when they have special education students using a particular online service that is necessary, but unable to meet the contract requirements;
3. eliminates a requirement that boards electronically notify students and parents of new contracts;
4. requires the State Department of Education (SDE) to add more information to the guidance it must already provide school districts;
5. requires boards of education to annually report to CET on using any online service that does not operate under a contract as required by the law and the bill;
6. adds the Connecticut Association of Schools' executive director, or her designee, as a member of the student data privacy task force; and
7. makes minor and technical changes.
EFFECTIVE DATE: July 1, 2018, except the provisions regarding the agreement addendum and the task force member are effective upon passage.
*House Amendment “A” modifies the language for the exception for students receiving special education, adds the requirement that boards report their use of online services that do not operate under the required contract terms, and makes minor and conforming changes.
By law, unchanged by the bill, a contractor is an operator or a consultant who possesses, or has access to, student information due to a contract with a board of education. An operator is someone who operates an online service knowing that it was designed and marketed, and is used, for school purposes. A consultant is a professional who provides non-instructional services to a board of education (CGS § 10-234aa).
§§ 1 & 2 — TERMS-OF-SERVICE AGREEMENT ADDENDUM
The bill requires CET, which is housed in the Department of Administrative Services, to develop a uniform student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the privacy law. The addendum must conform to the requirements for a contract described in the law. CET must make the addendum available on its website or in an online registry it maintains for boards, contractors, and operators. The bill also authorizes a board of education and a contractor to include the addendum in any contract executed under this law to satisfy the law's requirements.
§ 2 — SPECIAL EDUCATION STUDENT EXCEPTION
The bill exempts, under certain circumstances, a board of education from the requirement to enter into a contract that conforms with the privacy law's standards for students who (1) receive special education services or (2) have an accommodation under the Rehabilitation Act of 1973 (commonly referred to as a Section 504 accommodation).
Under the bill, this exemption only applies if the:
1. online service (a) is unique and necessary to implement the student's individualized education program (IEP) or Section 504 plan, (b) is unable to meet the law's contract requirements, and (c) complies with the federal Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) (see BACKGROUND);
2. board can provide evidence it has made a reasonable effort to (a) enter into a contract with the online service and (b) find an equivalent online service that complies with the law; and
3. parent or legal guardian of the student, and, in the case of a student with an IEP, a member of the IEP planning and placement team, sign an agreement that (a) acknowledges that they are aware that the online service is unable to comply with the law and (b) authorizes the use of the service.
If such an exception is made, the online service must still comply with the security measures in the law, such as the data security and information deletion provisions and the general prohibition on disclosing, selling, or trading student information.
Under the bill, if a parent or legal guardian of a student requests the evidence of reasonable attempts to get the online service to agree to a contract or to find an equivalent service, the board must provide it.
§§ 2 & 3 — DELETING STUDENT DATA
Current law requires an operator or contractor to delete student records, student information, and student-generated content (“student information”) in certain situations. It requires an operator to delete any student information within a reasonable amount of time if a student, parent, legal guardian of a student, or board of education who has the right to control the student information requests its deletion.
The bill creates an exception to this requirement when (1) state or federal law prohibits the deletion or requires retention of the information or (2) a copy of the student information is part of a disaster recovery storage system and is generally inaccessible to the public and the operator, provided a student, parent, or legal guardian or board of education may request it to be deleted if the operator uses it to repopulate accessible data after a disaster recovery.
The bill also adds this exception to the provisions on student information deletion that must be in any contract between a board of education and a contractor.
§ 2 — POSTING CONTRACT INFORMATION
Current law requires boards of education to electronically notify affected students and their parents or guardians within five business days after entering into a contract with a contractor. The notice must (1) state that the contract has been executed and its date of execution; (2) provide a brief description of the contract and its purpose; and (3) state what student information may be collected under the contract. The bill removes the requirement to electronically notify students and parents. The law, unchanged by the bill, requires boards to post the notice and contract on their websites. Under the bill, each year by September 1, the board must electronically notify parents, guardians, and students of the website's address.
§ 2 — EXCEPTION FOR RETAINING INFORMATION
Current law requires contracts for online services to include a statement that student information will not be kept by, or available to, the contractor after the contracted services are completed unless a student, parent, or guardian chooses to establish or maintain an account with the contractor. The bill specifies that the information will not be retained after the contract expires, rather than after the services are completed, and that the choice to establish or maintain an account takes place after the contract expires.
§ 4 — GUIDANCE FOR SCHOOL DISTRICTS
Existing law requires CET to provide guidance to boards on FERPA and the state privacy law. The bill requires SDE to add information on the terms-of-service agreement addendum to this guidance. It also requires SDE to consult with CET in providing the written guidance, which must include:
1. a plain language explanation of how FERPA and the state student data privacy law are to be implemented,
2. information about the terms-of-service agreement addendum, and
3. how the addendum can be incorporated into contracts executed under the state privacy law.
§ 5 — STUDENT DATA PRIVACY TASK FORCE
By law, there is a task force to study student data privacy issues. The bill adds the Connecticut Association of Schools' executive director, or her designee, as a member.
It also changes the deadline, from January 1, 2018 to January 1, 2019, for the task force to submit its report to the General Law and Education committees.
§ 6 — REPORTING REQUIREMENT
The bill requires, every year beginning with the school year starting July 1, 2018, each board of education to submit a report to CET concerning the use of online services that do not have a contract that meets the standards required under the law and the bill. The report must indicate whether or not any of these online services are being so used and, if so, include a list of them.
The commission, which by law is the principal educational technology policy advisor for state government, consists of state agency department heads and higher education, business, and municipal representatives (CGS § 4d-80).
HIPAA and FERPA
Except under specified circumstances, FERPA (20 U.S.C. 1232g) requires schools to obtain written permission from a minor's parent or guardian before disclosing educational records to a third party. HIPAA (P.L. 104-191, as amended from time to time) sets national standards to protect the privacy of health information by defining and limiting the circumstances under which entities may use or disclose it.