
SB 819 - This act enacts multiple provisions to protect personal privacy from government intrusion.

FOURTH AMENDMENT PROTECTION ACT: This act creates the Fourth Amendment Protection Act. The act provides that it is the policy of the state of Missouri to refuse material support, participation or assistance, to any federal agency that claims the power or uses any federal law to purport to authorize the collection of electronic data or metadata of any person not based on a warrant that particularly describes the person, place, and thing to be searched or seized. (Section 1.270)

This act prohibits any agency of this state, political subdivision, employee, or corporation or contractor providing services on behalf of the state or a political subdivision from doing the following without a warrant that particularly describes the person, place, and thing to be searched or seized: provide material support, participation or assistance to any federal agency, as described in the act, with the collection of electronic data or metadata of any person; utilize any assets, state funds, or state funds allocated to local entities to engage in any activity that aids a federal agency, agent, or corporation or contractor providing services to the federal government with the collection of electronic data or metadata of any person; provide services or participate or assist in any way with the providing of services to a federal agency, agent, or corporation or contractor providing services to the federal government that is involved in the collection of electronic data or metadata of any person. (Section 1.275)

This act prohibits political subdivisions from receiving state grant funds if the political subdivision adopts a rule, order, ordinance, or policy that violates the prohibition on the collection of electronic data or metadata of any person as provided in the act. (Section 1.280)

Any state agent or employee of the state or political subdivision who knowingly violates the prohibition on the collection of electronic data or metadata of any person will be deemed to have resigned any commission of which he or she possesses. His or her office will be deemed vacant and he or she will be ineligible to hold any office under the laws of Missouri. In addition, any corporation, contractor, or person that violates the prohibition on the collection of electronic data or metadata of any person will be forever ineligible to act on behalf of, or provide services to the state or any political subdivision. (Section 1.280)

EDUCATION DATA: This act establishes limits and procedures for how certain entities may use student data and teacher data.

State agencies and education institutions are limited in the student data they may collect without written consent. The data they may collect includes the following, as described in the act: name, address, email, and family contact information; assessment results from the statewide assessment system; course taking and completion, credits earned, grades, date of birth; attendance; certain medical, health and mental-health records when used for certain purposes; discipline reports and juvenile delinquency or criminal or correctional records when used for certain purposes; remediation data; special education data; certain demographic data; student workforce information; social security numbers if required to comply with state or federal law; income data; and extracurricular activity data. State agencies or education institutions must obtain written consent before collecting other data points. Examples are listed in the act. (Section 160.503)

No funds, regardless of source, can be spent on the construction, enhancement, or expansion of any data system that does not comply with these limitations or that is designed to track students beyond their K-12 or postsecondary education careers, or that compiles personal nonacademic information. (Section 160.1503)

This act prohibits state agencies and education institutions from pursuing or accepting any grant that would require the collecting or reporting of any type of data that violates these prohibitions. (Section 160.1503)

State agencies and education institutions must publicly disclose on their websites the existence and character of any personally identifiable information from education records or teacher records maintained by them. They must annually notify parents, eligible students, and teachers of this website posting. (Section 160.1506)

These entities must annually notify the chairs of the Senate Education Committee, House Elementary and Secondary Education Committee, and the Joint Committee on Education. (Section 160.1506)

The disclosure and notifications must include multiple explanations, including the legal authority authorizing the establishment of a data repository, the principal purpose for which the information is intended to be used, categories of records and individuals maintained in the repository, expected disclosure of records, and policies and practices that must be followed, as described in the act. (Section 160.1506)

State agencies must only use aggregate data in published reports. (Section 160.1506)

School districts and charter schools are prohibited from adopting or administering any state or national student assessment that collects psychological data, as described in the act. (Section 160.1509)

State agencies, school boards, and education institutions offering grades pre-kindergarten through twelve cannot administer any student survey, assessment, analysis, evaluation, or similar instrument that solicits certain personal information about the student or student's family, as described in the act. (Section 160.1512)

Access to student education records in the Department of Elementary and Secondary Education's Missouri Student Information System (MOSIS) must be restricted to the authorized representatives of the Department of Elementary and Secondary Education, state agency, or education institution who require access to it. An authorized representative must be an employee of the Department, state agency, or education institution and be under its direct control. Personally identifiable student or teacher data cannot be disclosed without the written consent of the parents, eligible students, or affected teachers. (Section 160.1515)

The Department of Elementary and Secondary Education must develop and publish criteria for the approval of research-related data requests from state agencies, political subdivisions, local government agencies, the General Assembly, academic researchers, and the public. Written consent is required for the release of personally identifiable student or teacher information to a party conducting studies. Outside parties conducting studies must meet the requirements for contractors, as described in the act. (Section 160.1515)

In addition, state agencies, school boards, and institutions must not disclose personally identifiable information from education records or teacher records without written consent to an outside party, unless the outside party meets the criteria established in the act. (Section 160.1515)

If a security breach or unauthorized disclosure of personally identifiable student or teacher data occurs, the state agency, school board, or education institution responsible for the data must immediately notify the subjects of the breach or disclosure, report it to the Family Policy Compliance Office of the U.S. Department of Education, and investigate the causes and consequences of the breach or disclosure. (Section 160.1518)

Personally identifiable information from education records or teacher records cannot be disclosed to any party for commercial use. Cloud computing service providers that provide services for state agencies, school boards, or education institutions cannot use any information from education records or teacher records for any secondary purpose that would benefit the cloud computing service provider. (Section 160.1521)

Any cloud computing service provider that enters into a service agreement with a state agency, school board, or institution must certify in writing that it will comply with data use requirements and that the state agency, school board, or institution maintains ownership of all teacher and student data. All student or teacher data stored by a cloud computing service provider must be stored within the boundaries of the United States. (Section 160.1521)

Student data cannot be used for predictive modeling, as defined in the act, for detecting behaviors, beliefs, or value systems, or predicting or forecasting student outcomes. (Section 160.1524)

This act prohibits video monitoring in classrooms unless the local school board approves it after public hearings and the written consent of the teacher, eligible students, and the parents of all students in the classroom. (Section 160.1527)

This act prohibits the disclosure of personally identifiable information from education records and teacher records to any non-education government agency, including the Missouri Department of Labor and Industrial Relations, or to any party for the purpose of workforce development or economic planning. Data linkages or sharing of data with other states without expressed permission of the individuals affected are prohibited. (Section 160.1530)

Personally identifiable information from education records or teacher records cannot be disclosed to any government agency or other entity outside Missouri except to an institution attended by a student who has transferred out of state, to an out-of-state program in which a student voluntarily participates and a data transfer is required, or for migrant students for federal reporting purposes. (Section 160.1533)

Personally identifiable information from education records or teacher records cannot be disclosed to any federal agency unless certain conditions are satisfied. First, the disclosure must be required by the U.S. Department of Education as a condition of receiving a federal education grant. Second, the U.S. Department of Education must agree in writing to use the information only to evaluate the program funded by the grant. Third, the U.S. Department of Education must agree in writing that the information must not be used for any research beyond what is needed to evaluate the program, unless the parent or eligible student, or teacher, whose information or data is used, affirmatively consents. Fourth, the U.S. Department of Education must agree in writing to destroy the information or data upon completion of the program evaluation. Fifth, the grant or program must be authorized by federal statute or rule. Additional requirements on the use of data, and procedures in which written consent is required, are described in the act. (Section 160.1536)

State agencies, school boards, and education institutions are prohibited from disclosing student or teacher information to any assessment consortium of which Missouri is a member or any company with which Missouri contracts for development or administration of any assessment. However, these entities may disclose such information if it is transmitted in non-individual record format, it is limited to information directly related to the assessment, and no psychological information is included as part of the test scores. (Section 160.1539)

Education institutions must destroy and remove from their student databases all education records of a student within five years of the student's graduation. An institution may retain records showing the student's data of attendance, diploma or degree earned, and contact information. For any student who withdraws before graduation, the institution must, within one year, destroy and remove all records of the student except those showing dates of attendance. (Section 160.1542)

Each violation of any provision of this act by an organization or entity other than a state agency, a school board, or an institution shall be punishable by a civil penalty of up to one thousand dollars. A second violation involving the education records and privacy of the same student is punishable by a civil penalty of up to five thousand dollars. A subsequent violation by the same organization or entity involving the education records and privacy of the same student is punishable by a civil penalty of up to ten thousand dollars. (Section 160.1545)

The Attorney General is granted authority to enforce compliance with this act by investigation and subsequent commencement of a civil action, to seek civil penalties for violations, and to seek injunctive relief. (Section 160.1545)

This act contains an emergency clause.


