SB 683 - This act creates provisions relating to data privacy in public elementary and secondary schools.
HOME SCHOOLED STUDENTS (Section 167.032)
The act provides that any identifiable information about home schooled students shall be kept confidential. A public school shall not disclose such information to any external entities without the written consent of the student's parent. Information about persons having charge, control, or custody of a home schooled pupil shall also be kept confidential, and a public school shall not disclose such information without authorization from the student's parent.
CONTRACTS WITH SERVICE PROVIDERS (Section 167.2005)
The act defines a "contractor" as a service provider including a vendor, operator, or consultant who possesses or has access to student information, student records, or student-generated content, as those terms are defined in the act, as the result of a contract with a local educational agency. (Section 167.2000)
Under the act, a local educational agency shall enter into a written contract with a contractor any time the local educational agency shares or provides access to student information. The act outlines certain information that shall be included in the contract, including a statement that student-generated content is the property of the student or the student's parent. A contractor shall implement and maintain security procedures and practices that meet or exceed industry standards for protecting student records from unauthorized access, destruction, use, modification, or disclosure. A contractor shall not use or transfer student information, including personally identifiable information, to engage in targeted advertising without the consent of the student's parent. Any contract that does not include a provision required by the act, or any provision of a contract that conflicts with a provision of the act, shall be void if a local educational agency enters into such contract or provision on or after August 28, 2023.
A local educational agency shall post a notice on its website no more than five business days after executing a contract with a contractor. The act outlines the information that shall be included in the notice, including a list of the types of personally identifiable information to be collected under the contract and the purpose of collecting such information. On or before September first of each school year, a local educational agency shall provide the address of the website to students and parents. A local educational agency shall notify students and parents within three business days if there is any change in the process for accessing contract information between the annual notices.
REQUIREMENTS FOR OPERATORS (Section 167.2010)
The act defines an "operator" as any person who is involved in the operation of a website, online service, or mobile application with the knowledge that such website, service, or application is used for school purposes and was designed and marketed for school purposes. (Section 167.2000)
The act outlines responsibilities for operators, including the requirement to implement and maintain security procedures that meet or exceed industry standards and the requirement to delete any student information upon request by the student's parent or the local educational agency that has stewardship of such student information.
The act describes certain activities that an operator shall not undertake, including engaging in targeted advertising based on any student information or selling, renting, or trading student information without consent from the student's parent.
The act prohibits local educational agencies from making access to instructional curriculum or curriculum resources contingent upon an acceptable use policy that requires parents or students to consent to the collection of personally identifiable information. Local educational agencies shall provide alternate curriculums or curriculum resources when parents or students opt out of technology-based instructional delivery systems.
The act defines "de-identified student information" as any student information that has been altered to prevent the identification of an individual student. (Section 167.2000)
The act outlines the acceptable uses of de-identified student information by operators, including maintaining the operator's website, service, or application or responding to a request for information from the student.
PROCEDURES FOR DATA BREACHES (Section 167.2015)
The act outlines steps that contractors shall take upon the discovery of a breach of security that results in the unauthorized release, disclosure, or access of certain types of student information.
The act defines "student information" as personally identifiable information or material of a student in any medium or format that is not publicly available and is (a) created or provided by a student or parent to an operator in the course of the use of the operator's website, online service, or mobile application for school purposes; (b) created or provided by an employee or agent of a local educational agency to an operator for school purposes; or (c) gathered by an operator through the operation of the operator's website, online service, or mobile application. Student information includes but is not limited to information in the student's records or email account, computer IP address, first or last name, and other information specified in the act. (Section 167.2000)
The act defines "directory information" as information contained in a student's education record that would not generally be considered harmful or an invasion of privacy if disclosed, including a student's name or address but excluding a student's social security number or student ID number. (Section 167.2000)
Without unreasonable delay and within thirty days of the discovery of a security breach that results in the unauthorized release, disclosure, or acquisition of student information other than directory information, a contractor shall notify the local educational agency of the data breach. The contractor may use the thirty-day period to conduct an investigation to determine the nature and scope of the breach and restore the integrity of the contractor's data system.
The act defines "student record" as any information directly related to a student that is maintained by a local educational agency, the State Board of Education, or the Department of Elementary and Secondary Education, or any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local educational agency or acquired from a teacher conducting student observations. (Section 167.2000)
The act defines "student-generated content" as any student materials created by a student, including but not limited to standardized assessment responses, questionnaire and survey responses, and classroom assignment submissions such as student webpages, essays, and research papers. (Section 167.2000)
Without unreasonable delay and within sixty days of the discovery of a breach of security that results in the unauthorized release, disclosure, or acquisition of student records or student-generated content, a contractor shall notify the local educational agency of such breach. The contractor may use the sixty-day period to conduct an investigation or restore the reasonable integrity of the contractor's data system.
Within forty-eight hours of being notified of a breach of security described in the act, a local educational agency shall electronically notify the student and a parent of the student whose student information, student records, or student-generated content is involved in the breach. The local educational agency shall also post a notice regarding the breach on its website.
An operator that is in possession of or maintains student information, student records, or student-generated content as a result of the student's use of the operator's website, online service, or mobile application shall notify the student's parent without unreasonable delay and within thirty days of any security breach that results in the unauthorized release, disclosure, or acquisition of the student's student information, excluding directory information. The operator shall also notify the student's parent without unreasonable delay and within fourteen weeks of any breach that results in the unauthorized release, disclosure, or acquisition of the student's student records or student-generated content. During the thirty-day or fourteen-week period, the operator may conduct an investigation or restore the reasonable integrity of the operator's data system.
DATA PRIVACY RESPONSIBILITIES OF LOCAL EDUCATIONAL AGENCIES (Section 167.2016)
The act establishes the responsibilities of local educational agencies to protect the private data of students and staff.
The act defines "personally identifiable information" or "PII" as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a United States citizen, legal permanent resident, visitor to the United States, or employee or contractor with the Department of Elementary and Secondary Education. (Section 167.2000)
A local educational agency shall not allow a researcher to collect any student PII without first obtaining written consent from the student's parent. A local educational agency shall provide a student the opportunity to opt out of any student PII collection for any purpose other than what is required by state law for reporting purposes. An institutional review board shall approve any collection of student PII for research purposes, and the PII shall be de-identified before the collection takes place.
A local educational agency shall not require any personnel, faculty, or staff to enroll in any digital system that transfers an individual's intellectual property rights to any private corporation. A local educational agency shall not sell or license any personal data of any personnel, faculty, or staff to any third party or make such personal data available for marketing or commercial purposes.
A local educational agency shall notify any personnel, faculty, or staff whose personal data security may be affected by contracts between such agency and any contractor. Such notice shall be provided electronically.
A local educational agency shall protect the personally identifiable information of all personnel, faculty, and other staff members by implementing the same data protections, advertising restrictions, and communications timelines as those required under the provisions of the act relating to the protection of students' PII.
A local educational agency shall provide annual professional development training to all staff members relating to personal data protection, student PII protection, federal and state privacy laws, and best practices for protection of education-related data.
A local educational agency shall not make employment contingent upon a staff member's signing an acceptable use policy that requires the collection of personally identifiable information.
A local educational agency shall implement cyber security practices or technologies to prevent identity theft caused by unauthorized access to the personal data of personnel, faculty, and staff, including but not limited to data that may be stored on or transmitted by personal devices used to access a school's Wi-Fi network.
A local educational agency shall provide the parent or legal guardian of a student the opportunity to review any PII regarding the student upon request and in a timely manner.
A local educational agency shall expunge any PII regarding a student upon request by the student's parent, provided that the student has graduated or disenrolled from the local educational agency at least one year prior to the request. Student transcripts and vaccination records are exempt from this requirement.
Finally, the act requires a local educational agency to adopt a cyber security policy to establish procedures for identifying and mitigating cyber security risks to protect the personally identifiable information of students and staff. The Department of Elementary and Secondary Education shall develop a model policy that includes risk assessments and implementation of appropriate controls to mitigate identified cyber risks. A local educational agency shall adopt the Department's policy with any changes necessary to meet the particular needs of the local educational agency.
This act is similar to HB 2827 (2022), HB 1162 (2021), and HB 2560 (2020).
OLIVIA SHANNON