PA 18-125—sHB 5444

Education Committee

AN ACT CONCERNING REVISIONS TO THE STUDENT DATA PRIVACY ACT

SUMMARY: This act makes numerous changes in the student data privacy law, which restricts how website, online service, and mobile application (i.e., “online service”) operators and consultants who contract with local and regional boards of education process and access student data. The law requires operators and consultants to use reasonable security practices to safeguard student data.

The act requires the Commission for Educational Technology (CET) (see BACKGROUND) to develop a student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the student data privacy law.

With respect to the privacy law, the act also:

1. creates certain exceptions from requirements for contractors and operators to delete student data at a board of education's, student's, parent's, or guardian's request;

2. creates an exception, under certain conditions, when boards have special education students using a necessary online service that is unable to meet the contract requirements;

3. eliminates a requirement that boards electronically notify students and parents of new contracts;

4. requires the State Department of Education (SDE) to add more information to the guidance it must already provide school districts;

5. requires boards of education to annually report to CET on using any online service that does not operate under a contract as required by the law and the act; and

6. adds the Connecticut Association of Schools' executive director, or her designee, as a member of the student data privacy task force.

The act also makes minor and technical changes.

EFFECTIVE DATE: July 1, 2018, except the provisions regarding the agreement addendum and the task force member are effective upon passage.

DEFINITIONS

By law, unchanged by the act, a contractor is an operator or a consultant who possesses, or has access to, student information due to a contract with a board of education. An operator is someone who operates an online service knowing that it was designed and marketed, and is used, for school purposes. A consultant is a professional who provides non-instructional services to a board of education (CGS 10-234aa).

1 & 2 — TERMS-OF-SERVICE AGREEMENT ADDENDUM

The act requires CET, which is housed in the Department of Administrative Services, to develop a uniform student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the privacy law. The addendum must conform to the requirements for a contract described in the law. CET must make the addendum available on its website or in an online registry it maintains for boards, contractors, and operators. The act also authorizes boards of education and a contractor to include the addendum in any contract executed under this law to satisfy the law's requirements.

2 — SPECIAL EDUCATION STUDENT EXCEPTION

The act exempts, under certain circumstances, a board of education from the student data privacy contract requirements for services to students (1) receiving special education services or (2) who have an accommodation under the Rehabilitation Act of 1973 (commonly referred to as a Section 504 accommodation).

Under the act, this exemption only applies if the:

1. online service (a) is unique and necessary to implement the student's individualized education program (IEP) or Section 504 plan, (b) is unable to meet the law's contract requirements, and (c) complies with the federal Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) (see BACKGROUND);

2. board can provide evidence it has made a reasonable effort to (a) enter into a contract with the online service and (b) find an equivalent online service that complies with the law; and

3. parent or legal guardian of the student, and, in the case of a student with an IEP, a member of the IEP planning and placement team, sign an agreement that (a) acknowledges that they are aware that the online service is unable to comply with the law and (b) authorizes the use of the service.

If such an exception is made, the online service must still comply with the security measures in the law, including the additional requirements added by the act (see below), such as the data security and information deletion provisions and the general prohibition on disclosing, selling, or trading student information.

Under the act, if a parent or legal guardian of a student requests the evidence of reasonable attempts to get the online service to agree to a contract or to find an equivalent service, the board must provide it.

2 & 3 — DELETING STUDENT DATA

Existing law requires an operator or contractor to delete student records, student information, and student-generated content (“student information”) in certain situations. Previously, it required an operator to delete any student information, within a reasonable amount of time, if a student, parent, legal guardian of a student, or board of education who has the right to control the student information requests its deletion.

Under the act, however, an operator or contractor does not have to delete such information if (1) state or federal law prohibits it or requires retention of the information or (2) a copy of the student information is part of a disaster recovery storage system and is generally inaccessible to the public and the operator, provided a student, parent, or legal guardian or board of education may request it to be deleted if the operator uses it to repopulate accessible data after a disaster recovery.

The act also adds this exception to the provisions on student information deletion that must be in any contract between a board of education and a contractor.

2 — CONTRACT NOTIFICATION REQUIREMENT ELIMINATED

The act eliminates a requirement that boards of education electronically notify affected students and their parents or guardians within five business days after entering into a contract with a contractor. By law, boards must post the notice and contract, including information that was previously sent to affected students and parents, on their websites. Under the act, each year by September 1, the board must electronically notify parents, guardians, and students of the website's address.

2 — EXCEPTION FOR RETAINING INFORMATION

Prior law required contracts for online services to include a statement that student information will not be kept by, or available to, the contractor after the contracted services are completed unless a student, parent, or guardian chooses to establish or maintain an account with the contractor. The act specifies that the information will not be retained after the contract expires, rather than after the services are completed, and that the choice to establish or maintain an account takes place after the contract expires.

4 — GUIDANCE FOR SCHOOL DISTRICTS

By law, SDE must provide guidance to boards on FERPA and the state privacy law. The act requires SDE to consult with CET in providing the written guidance, which under the act must include:

1. a plain language explanation of how FERPA and the state student data privacy law are to be implemented,

2. information about the terms-of-service agreement addendum, and

3. how the addendum can be incorporated into contracts executed under the state privacy law.

5 — STUDENT DATA PRIVACY TASK FORCE

By law, there is a task force to study student data privacy issues. The act adds the Connecticut Association of Schools' executive director, or her designee, as a member.

It also changes the deadline, from January 1, 2018, to January 1, 2019, for the task force to submit its report to the Education and General Law committees.

6 — REPORTING REQUIREMENT

Beginning with the school year starting July 1, 2018, the act requires each board of education to annually submit a report to CET concerning the use of online services that do not have a contract that meets the standards required under the law and the act. The report must indicate whether or not any of these online services are being so used, and, if so, a list of them.

BACKGROUND

CET

The commission, which by law is the principal educational technology policy advisor for state government, consists of state agency department heads and higher education, business, and municipal representatives (CGS 4d-80).

HIPAA and FERPA

Except under specified circumstances, FERPA (20 U.S.C. 1232g) requires schools to obtain written permission from a minor's parent or guardian before disclosing educational records to a third party. HIPAA (P.L. 104-191, as amended from time to time) sets national standards to protect the privacy of health information by defining and limiting the circumstances under which entities may use or disclose it.