General Assembly

File No. 445

    February Session, 2018

Substitute House Bill No. 5444

House of Representatives, April 12, 2018

The Committee on Education reported through REP. FLEISCHMANN of the 18th Dist., Chairperson of the Committee on the part of the House, that the substitute bill ought to pass.

AN ACT CONCERNING REVISIONS TO THE STUDENT DATA PRIVACY ACT.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective from passage) The Commission for Educational Technology shall develop a uniform student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to section 10-234bb of the general statutes, as amended by this act. The provisions of such addendum shall conform to the requirements for a contract described in said section. The commission shall make such addendum available on its Internet web site, or in any online registry maintained by the commission for contractors and operators, as those terms are defined in section 10-234aa of the general statutes, and local and regional boards of education.

Sec. 2. Section 10-234bb of the 2018 supplement to the general statutes is repealed and the following is substituted in lieu thereof (Effective July 1, 2018):

(a) On and after July 1, 2018, a local or regional board of education shall enter into a written contract with a contractor any time such local or regional board of education shares or provides access to student information, student records or student-generated content with such contractor. Each such contract shall include, but need not be limited to, the following:

(1) A statement that student information, student records and student-generated content are not the property of or under the control of a contractor;

(2) A description of the means by which the local or regional board of education may request the deletion of any student information, student records or student-generated content in the possession of the contractor that is not (A) otherwise prohibited from deletion or required to be retained under state or federal law, or (B) stored as a copy as part of a disaster recovery storage system and that is (i) inaccessible to the public, and (ii) unable to be used in the normal course of business by the contractor, provided such local or regional board of education may request the deletion of any such student information, student records or student-generated content if such copy has been used by the operator to repopulate accessible data following a disaster recovery;

(3) A statement that the contractor shall not use student information, student records and student-generated content for any purposes other than those authorized pursuant to the contract;

(4) A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in student information, student records or student-generated content and correct erroneous information, if any, in such student record;

(5) A statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, student records and student-generated content;

(6) A description of the procedures that a contractor will follow to notify the local or regional board of education, in accordance with the provisions of section 10-234dd, when there has been an unauthorized release, disclosure or acquisition of student information, student records or student-generated content;

(7) A statement that student information, student records or student-generated content shall not be retained or available to the contractor upon completion of the contracted services unless a student, parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content;

(8) A statement that the contractor and the local or regional board of education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time;

(9) A statement that the laws of the state of Connecticut shall govern the rights and duties of the contractor and the local or regional board of education; and

(10) A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract which can be given effect without the invalid provision or application.

(b) All student-generated content shall be the property of the student or the parent or legal guardian of the student.

(c) A contractor shall implement and maintain security procedures and practices designed to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure that, based on the sensitivity of the data and the risk from unauthorized access, (1) use technologies and methodologies that are consistent with the guidance issued pursuant to section 13402(h)(2) of Public Law 111-5, as amended from time to time, (2) maintain technical safeguards as it relates to the possession of student records in a manner consistent with the provisions of 45 CFR 164.312, as amended from time to time, and (3) otherwise meet or exceed industry standards.

(d) A contractor shall not use (1) student information, student records or student-generated content for any purposes other than those authorized pursuant to the contract, or (2) personally identifiable information contained in student information, student records or student-generated content to engage in targeted advertising.

(e) Any provision of a contract entered into between a contractor and a local or regional board of education on or after July 1, 2018, that conflicts with any provision of this section shall be void.

(f) Any contract entered into on and after July 1, 2018, that does not include a provision required by subsection (a) of this section shall be void, provided the local or regional board of education has given reasonable notice to the contractor and the contractor has failed within a reasonable time to amend the contract to include the provision required by subsection (a) of this section.

(g) (1) Each local and regional board of education shall maintain and update, as necessary, an Internet web site with information relating to all contracts entered into pursuant to this section. Not later than five business days after executing a contract pursuant to this section, a local or regional board of education shall [provide electronic notice to any student and the parent or legal guardian of a student affected by the contract] post notice of such contract on the board's Internet web site. The notice shall [(1)] include the contract and (A) state that the contract has been executed and the date that such contract was executed, [(2)] (B) provide a brief description of the contract and the purpose of the contract, and [(3)] (C) state what student information, student records or student-generated content may be collected as a result of the contract. [The local or regional board of education shall post such notice and the contract on the board's Internet web site.]

(2) On or before September first of each school year, the board of education shall electronically notify students and the parents or legal guardians of students of the address of the Internet web site described in this subsection.

(h) A local or regional board of education and a contractor may include in any contract executed pursuant to this section, the uniform student data privacy terms-of-service agreement addendum, described in section 1 of this act, to satisfy the requirements of this section.

(i) A local or regional board of education shall not be required to enter into a contract pursuant to this section if two or fewer children requiring special education require the use of the same Internet web site, online service or mobile application operated by a consultant or operator pursuant to such children's individualized education program, and such Internet web site, online service or mobile application is unable to comply with the provisions of this section, provided (1) such Internet web site, online service or mobile application complies with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time, and the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended from time to time, and (2) such board of education has made a reasonable effort to find an equivalent Internet web site, online service or mobile application operated by a consultant or operator that complies with the provisions of this section. If such children requiring special education use such Internet web site, online service or mobile application, such consultant or operator shall comply with the provisions of section 10-234cc, as amended by this act, for such use.

Sec. 3. Section 10-234cc of the general statutes is repealed and the following is substituted in lieu thereof (Effective July 1, 2018):

(a) An operator shall (1) implement and maintain security procedures and practices that meet or exceed industry standards and that are designed to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure, and (2) delete any student information, student records or student-generated content within a reasonable amount of time if a student, parent or legal guardian of a student or local or regional board of education who has the right to control such student information requests the deletion of such student information, student records or student-generated content, unless (A) state or federal law prohibits such deletion or otherwise requires the retention of such student information, student records or student-generated content, or (B) a copy of such student information, student records or student-generated content is in the possession of the operator as part of a disaster recovery storage system and is inaccessible to the public and unable to be used in the normal course of business by the operator, provided such student, parent or legal guardian of a student or local or regional board of education may request the deletion of any such student information, student records or student-generated content described in this subparagraph if such copy is used by the operator to repopulate accessible data following a disaster recovery.

(b) An operator shall not knowingly:

(1) Engage in (A) targeted advertising on the operator's Internet web site, online service or mobile application, or (B) targeted advertising on any other Internet web site, online service or mobile application if such advertising is based on any student information, student records, student-generated content or persistent unique identifiers that the operator has acquired because of the use of the operator's Internet web site, online service or mobile application for school purposes;

(2) Collect, store and use student information, student records, student-generated content or persistent unique identifiers for purposes other than the furtherance of school purposes;

(3) Sell, rent or trade student information, student records or student-generated content unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the operator and successor operator continue to be subject to the provisions of this section regarding student information; or

(4) Disclose student information, student records or student-generated content unless the disclosure is made (A) in furtherance of school purposes of the Internet web site, online service or mobile application, provided the recipient of the student information uses such student information to improve the operability and functionality of the Internet web site, online service or mobile application and complies with subsection (a) of this section; (B) to ensure compliance with federal or state law or regulations or pursuant to a court order; (C) in response to a judicial order; (D) to protect the safety or integrity of users or others, or the security of the Internet web site, online service or mobile application; (E) to an entity hired by the operator to provide services for the operator's Internet web site, online service or mobile application, provided the operator contractually (i) prohibits the entity from using student information, student records or student-generated content for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the entity from disclosing student information, student records or student-generated content provided by the operator to subsequent third parties, and (iii) requires the entity to comply with subsection (a) of this section; or (F) for a school purpose or other educational or employment purpose requested by a student or the parent or legal guardian of a student, provided such student information is not used or disclosed for any other purpose.

(c) An operator may use student information (1) to maintain, support, improve, evaluate or diagnose the operator's Internet web site, online service or mobile application, (2) for adaptive learning purposes or customized student learning, (3) to provide recommendation engines to recommend content or services relating to school purposes or other educational or employment purposes, provided such recommendation is not determined in whole or in part by payment or other consideration from a third party, or (4) to respond to a request for information or feedback from a student, provided such response is not determined in whole or in part by payment or other consideration from a third party.

(d) An operator may use de-identified student information or aggregated student information (1) to develop or improve the operator's Internet web site, online service or mobile application, or other Internet web sites, online services or mobile applications owned by the operator, or (2) to demonstrate or market the effectiveness of the operator's Internet web site, online service or mobile application.

(e) An operator may share aggregated student information or de-identified student information for the improvement and development of Internet web sites, online services or mobile applications designed for school purposes.

(f) Nothing in this section shall be construed to (1) limit the ability of a law enforcement agency to obtain student information, student records or student-generated content from an operator as authorized by law or pursuant to a court order, (2) limit the ability of a student or the parent or legal guardian of a student to download, export, transfer or otherwise save or maintain student information, student records or student-generated content, (3) impose a duty upon a provider of an interactive computer service, as defined in 47 USC 230, as amended from time to time, to ensure compliance with this section by third-party information content providers, as defined in 47 USC 230, as amended from time to time, (4) impose a duty upon a seller or provider of an electronic store, gateway, marketplace or other means of purchasing or downloading software applications to review or enforce compliance with this section on such software applications, (5) limit an Internet service provider from providing a student, parent or legal guardian of a student or local or regional board of education with the ability to connect to the Internet, (6) prohibit an operator from advertising other Internet web sites, online services or mobile applications that are used for school purposes to parents or legal guardians of students, provided such advertising does not result from the operator's use of student information, student records or student-generated content, or (7) apply to Internet web sites, online services or mobile applications that are designed and marketed for use by individuals generally, even if the account credentials created for an operator's Internet web site, online service or mobile application may be used to access Internet web sites, online services or mobile applications that are designed and marketed for school purposes.

Sec. 4. Section 10-234ee of the 2018 supplement to the general statutes is repealed and the following is substituted in lieu thereof (Effective July 1, 2018):

The Department of Education, in consultation with the Commission for Educational Technology, shall provide written guidance to local and regional boards of education concerning the implementation of the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time, and the [provisions of] laws relating to student data privacy, set forth in sections 10-234aa to 10-234dd, inclusive, and section 1 of this act. Such written guidance shall include, but need not be limited to, (1) a plain language explanation of how such student data privacy laws are to be implemented, (2) information about the uniform student data privacy terms-of-service agreement addendum, described in section 1 of this act, and (3) how such addendum may be incorporated into contracts executed pursuant to section 10-234bb, as amended by this act.

Sec. 5. Section 5 of public act 16-189, as amended by section 4 of public act 17-200, is repealed and the following is substituted in lieu thereof (Effective from passage):

(a) There is established a task force to study issues relating to student data privacy. Such study shall include, but not be limited to, an examination of (1) when a parent or guardian of a student may reasonably or appropriately request the deletion of student information, student records or student-generated content that is in the possession of a contractor or operator, (2) means of providing notice to parents and guardians of students when a student uses an Internet web site, online service or mobile application of an operator for instructional purposes in a classroom or as part of an assignment by a teacher, (3) reasonable penalties for violations of the provisions of sections 10-234bb to 10-234dd, inclusive, of the general statutes, as amended by this act, such as restricting a contractor or operator from accessing or collecting student information, student records or student-generated content, (4) strategies in effect in other states that ensure that school employees, contractors and operators are trained in data security handling, compliance and best practices, (5) the feasibility of developing a school district-wide list of approved Internet web sites, online services and mobile applications, (6) the use of an administrative hearing process designed to provide legal recourse to students and parents and guardians of students aggrieved by any violation of sections 10-234bb to 10-234dd, inclusive, of the general statutes, as amended by this act, (7) the feasibility of creating an inventory of student information, student records and student-generated content currently collected pursuant to state and federal law, (8) the feasibility of developing a tool kit for use by local and regional boards of education to (A) improve student data contracting practices and compliance, including a state-wide template for use by districts, (B) increase school employee awareness of student data security best practices, including model training components, (C) develop district-wide lists of approved software applications and Internet web sites, and (D) increase the availability and accessibility of information on student data privacy for parents and guardians of students and educators, and (9) any other issue involving student data security that the task force deems relevant.

(b) The task force shall consist of the following members:

(1) Two appointed by the speaker of the House of Representatives, one of whom is an operator, [pursuant to] as defined in section 10-234aa of the general statutes and one of whom is an expert in information technology systems;

(2) Two appointed by the president pro tempore of the Senate, one of whom is a representative or member of the Connecticut Education Association and one of whom is an attorney with expertise in Connecticut school law;

(3) Two appointed by the majority leader of the House of Representatives, one of whom is a representative of a contractor, [pursuant to] as defined in section 10-234aa of the general statutes and one of whom is an expert in information technology systems;

(4) Two appointed by the majority leader of the Senate, one of whom is a representative or member of the Connecticut Parent Teacher Association and one of whom is a representative or member of the American Federation of Teachers;

(5) Two appointed by the minority leader of the House of Representatives, one of whom is a student privacy advocate and one of whom is a representative or member of the Connecticut Association of Boards of Education;

(6) Two appointed by the minority leader of the Senate, one of whom is a representative of the Connecticut Association of School Administrators and one of whom is a representative or member of the Connecticut Association of Public School Superintendents;

(7) The Attorney General, or the Attorney General's designee; [and]

(8) The Commissioner of Education or the commissioner's designee; [.] and

(9) The executive director of the Connecticut Association of Schools, or the executive director's designee.

(c) All appointments to the task force shall be made not later than thirty days after the effective date of this section. Any vacancy shall be filled by the appointing authority.

(d) The speaker of the House of Representatives and the president pro tempore of the Senate shall select the chairpersons of the task force from among the members of the task force. Such chairpersons shall schedule the first meeting of the task force, which shall be held not later than sixty days after the effective date of this section.

(e) The administrative staff of the joint standing committee of the General Assembly having cognizance of matters relating to general law shall serve as administrative staff of the task force.

(f) Not later than January 1, [2018] 2019, the task force shall submit a report on its findings and recommendations to the joint standing committee of the General Assembly having cognizance of matters relating to general law and education, in accordance with the provisions of section 11-4a of the general statutes. The task force shall terminate on the date that it submits such report or January 1, [2018] 2019, whichever is later.

This act shall take effect as follows and shall amend the following sections:

Section      Effective date    Section amended
Section 1    from passage      New section
Sec. 2       July 1, 2018      10-234bb
Sec. 3       July 1, 2018      10-234cc
Sec. 4       July 1, 2018      10-234ee
Sec. 5       from passage      PA 16-189, Sec. 5

Statement of Legislative Commissioners:

In Section 2(a)(2) clause designators (i) and (ii) were added and "is used" was changed to "has been used" for clarity; in Section 2(g)(1), "update the board's Internet web site to post notice of such contract" was changed to "post notice of such contract on the board's Internet web site" for clarity; in Section 3(a)(2)(B), "described in this subparagraph" was added for clarity; in Section 4, "pursuant to" was changed to "set forth in" for accuracy; and in Section 5(b)(1) and (b)(3), "pursuant to" was changed to "[pursuant to] as defined in" for accuracy.

ED

Joint Favorable Subst. -LCO


The following Fiscal Impact Statement and Bill Analysis are prepared for the benefit of the members of the General Assembly, solely for purposes of information, summarization and explanation and do not represent the intent of the General Assembly or either chamber thereof for any purpose. In general, fiscal impacts are based upon a variety of informational sources, including the analyst's professional knowledge. Whenever applicable, agency data is consulted as part of the analysis; however, final products do not necessarily reflect an assessment from any specific department.

OFA Fiscal Note

State Impact: None

Municipal Impact: None

Explanation

The bill makes various procedural, conforming, and technical changes to the student data privacy law, which does not result in a fiscal impact. Additionally, the bill expands, extends, and modifies various requirements to the State Department of Education, the Commission for Educational Technology (within the Department of Administrative Services), and local and regional school districts, which does not result in a fiscal impact as the entities have the staff and expertise necessary.

The Out Years

State Impact: None

Municipal Impact: None

OLR Bill Analysis

sHB 5444

AN ACT CONCERNING REVISIONS TO THE STUDENT DATA PRIVACY ACT.

SUMMARY

This bill makes numerous changes in the student data privacy law. The law restricts how website, online service, and mobile application operators and consultants who contract with local and regional boards of education process or access student data. The law requires operators and consultants to use reasonable security practices to safeguard student data.

The bill requires the Commission for Educational Technology (CET) (see BACKGROUND) to develop a student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the student data privacy law.

With respect to the privacy law, the bill also:

EFFECTIVE DATE: July 1, 2018, except the provisions regarding the agreement addendum and the task force, which are effective upon passage.

DEFINITIONS

By law, unchanged by the bill, a contractor is an operator or a consultant who possesses, or has access to, student information due to a contract with a board of education. An operator is someone who operates a website, online service, or mobile application with knowledge that it was designed and marketed, and is used, for school purposes. A consultant is a professional who provides non-instructional services to a board of education (CGS 10-234aa).

§§ 1 & 2 — TERMS-OF-SERVICE AGREEMENT ADDENDUM

The bill requires CET, which is housed in the Department of Administrative Services (DAS), to develop a uniform student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the privacy law. The addendum must conform to the requirements for a contract described in the law. CET must make the addendum available on its website or in an online registry it maintains for boards, contractors, and operators. The bill also authorizes a board of education and a contractor to include the addendum in any contract executed under this law to satisfy the law's requirements.

§§ 2 & 3 — DELETING STUDENT DATA, CERTAIN SPECIAL EDUCATION STUDENTS, AND POSTING CONTRACT INFORMATION

Deleting Student Data

Current law requires an operator or contractor to delete student records, student information, and student-generated content (“student information”) in certain situations.

Current law requires an operator to delete any student information within a reasonable amount of time if a student, parent, legal guardian of a student, or board of education who has the right to control the student information requests its deletion. The bill creates an exception to this requirement when (1) state or federal law prohibits the deletion or requires the retention of the information or (2) a copy of the student information is part of a disaster recovery storage system and is generally inaccessible to the public and the operator, provided a student, parent, or legal guardian or board of education may request the student information be deleted if the operator uses it to repopulate accessible data after a disaster recovery.

The bill also adds this exception to the required provisions on student information deletion that must be in any contract between a board of education and a contractor.

Special Education Student Exception

The bill exempts a board of education from entering into a contract that meets the privacy law's requirements if two or fewer children receiving special education have an individualized education program that requires the use of a website, online service, or mobile application that is unable to comply with the provisions of the law. This exemption only applies under the bill if (1) the website, service, or mobile application complies with the federal Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) (see BACKGROUND) and (2) the board of education has made a reasonable effort to find an equivalent website, service, or application that complies with the law. If this exception applies, the website, service, or application must still comply with the law's security measures, and the consultant or operator must comply with the non-contractual parts of the law, such as the data security and information deletion provisions and the general prohibition on disclosing, selling, or trading student information.

Posting Contract Information

Current law requires boards of education to electronically notify affected students and their parents or guardians within five business days after entering into a contract with a contractor. The notice must (1) state that the contract has been executed and its date of execution; (2) provide a brief description of the contract and its purpose; and (3) state what student information may be collected under the contract. The bill removes the requirement to electronically notify students and parents. The law, unchanged by the bill, requires boards to post the notice and contract on their websites. Under the bill, each year by September 1, the board must electronically notify the parents, guardians, and students of the website's address.

§ 4 — GUIDANCE FOR SCHOOL DISTRICTS

Existing law requires CET to provide guidance to boards on FERPA and the state privacy law. The bill requires SDE to add information on the terms-of-service agreement addendum to this guidance. It also requires SDE to consult with CET in providing the written guidance, which must include:

The bill specifies that the guidance must be in writing.

§ 5 — STUDENT DATA PRIVACY TASK FORCE

By law, there is a task force to study student data privacy issues. The bill adds the Connecticut Association of Schools' executive director, or her designee, as a member.

It also changes the deadline, from January 1, 2018 to January 1, 2019, for the task force's report to be submitted to the General Law and Education committees.

BACKGROUND

CET

The commission, which by statute is the principal educational technology policy advisor for state government, consists of state agency department heads and higher education, business, and municipal representatives (CGS 4d-80).

HIPAA and FERPA

Except under specified circumstances, FERPA (20 USC 1232g) requires schools to obtain written permission from a minor's parent or guardian before disclosing educational records to a third party. HIPAA (P.L. 104-191, as amended from time to time) sets national standards to protect the privacy of health information by defining and limiting the circumstances under which entities may use or disclose it.

COMMITTEE ACTION

Education Committee

Joint Favorable
Yea    35
Nay    0
(03/23/2018)