SB 401
Implements provisions relating to student data privacy, and establishes a student data privacy task force to study issues relating to student data privacy
Sponsor:
LR Number:
2067S.01I
Committee:
Last Action:
2/28/2019 - Second Read and Referred S Education Committee
Journal Page:
Title:
Calendar Position:
Effective Date:
August 28, 2019

Current Bill Summary

SB 401 - This act implements provisions related to student data privacy.

CONTRACTOR DUTIES RELATED TO STUDENT DATA

Under this act, on or after August 28, 2019, a local educational agency is required to enter into a written contract with a contractor any time such local educational agency shares or provides access to student information, student records, or student-generated content with such contractor.

The contract shall include certain elements set forth in the act, including a statement that such data is the property of and under the control of the student or the student's parent, and that the contractor shall not use the student data for any purposes other than those authorized under the contract.

A contractor is required to implement and maintain security procedures and practices designed to protect student data from unauthorized access, destruction, use, modification, or disclosure that, based on the sensitivity of the and the risk from unauthorized access uses technologies and methodologies consistent with prior guidance, maintains technical safeguards in relation to the possession of student records, and otherwise meets or exceed industry standards.

This act prohibits contractors from using or transferring student data for any purposes not directly related to improvement of student learning of curricular academic content established by the local educational agency, or personally identifiable information.

Any contract entered into on and after August 28, 2019 that does not include the elements required under the act shall be void, provided the local educational agency has given reasonable notice to the contractor and the contractor has failed to amend the contract to include such provisions.

Not later than five business days after executing a contract, a local educational agency shall provide electronic notice to any student and their parent who is affected by the contract. Such notice shall include elements set forth in the act. (Section 167.2005)

OPERATOR DUTIES RELATED TO STUDENT DATA

An operator of an internet website, online service, or mobile application is required to implement and maintain security procedures and practices that meet or exceed industry standards that are designed to protect student information, records, and student-generated content from unauthorized access, destruction, use, modification, or disclosure, and must delete any student data within a reasonable amount of time if requested.

Such operator is prohibited from engaging in targeted advertising, collecting, storing, or using student data for purposes other than the furtherance of school purposes, selling, renting, or trading student date, or disclosing such data.

An operator may use student information to maintain, support, improve, evaluate or diagnose the operator's website or service, to provide recommendation engines to recommend content or services relating to school purposes, or to respond to a request for information or feedback from a student. Such operator may also use de-identified student information or aggregated student information for purposes set forth in the act.

Aggregated student information or de-identified student information may be shared by an operator only for the improvement and development of internet websites or online services. (Section 167.2010)

BREACH OF STUDENT DATA

Upon the discovery of a breach of security that results in the unauthorized release, disclosure, or acquisition of student information, excluding any directory information contained in such student information, a contractor is required to notify the local educational agency of such breach within 30 days.

Upon the discovery of a breach of security that results in the unauthorized release, disclosure, or acquisition of student information , a contractor is required to notify the local educational agency of such breach within 60 days.

Within the 30 or 60 days, the contractor may conduct an investigation to determine the nature and scope of the breach and the identity of the students affected, or may restore the reasonable integrity of the contractor's data system.

Upon receipt of notice of a breach of security, a local educational agency is required to electronically notify, no later than 48 hours after receipt of such notice, the student and the parents whose student data is involved, and shall post such notice on their website.

Upon the discovery of a breach of security that results in unauthorized release of student data, the operator that is in possession of or maintains the student data shall notify the student or the parent of such student of any breach or security resulting the unauthorized release of student data, excluding any directory information within 30 days, and shall notify the student or parents of such breach that results in the unauthorized release of student data within 60 days.

Within the 30 or 60 days, the operator may conduct an investigation to determine the nature and scope of the breach and the identity of the students affected, or may restore the reasonable integrity of the contractor's data system. (Section 167.2015)

STUDENT DATA PRIVACY TASK FORCE

This act creates a task force to study issues related to student data privacy. The issues to be examined by the task force, and the makeup of the task force are set forth in the act. The Speaker of the House of Representatives and the President Pro Tempore of the Senate shall select the chairs of the task force from among the members of the task force.

Before January 31, 2020, such task force is required to submit a report on its findings and recommendations to the Joint Committee on Education, and shall terminate on the date that it submits such report, or January 31, 2020, whichever is later. (Section 167.2020)

This act is substantially similar to HB 592 (2019) and HCS/SB 206 (2019).

JOSIE BUTLER

Amendments

No Amendments Found.