Connecticut 2015 Regular Session

Connecticut House Bill HB07017 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	General Assembly Substitute Bill No. 7017
2		-	January Session, 2015 _____HB07017ED____033015____
	1	+	General Assembly Raised Bill No. 7017
	2	+	January Session, 2015 LCO No. 5179
	3	+	05179_______ED_
	4	+	Referred to Committee on EDUCATION
	5	+	Introduced by:
	6	+	(ED)
3	7
4	8		General Assembly
5	9
6		-	~~Substitute~~ Bill No. 7017
	10	+	Raised Bill No. 7017
7	11
8	12		January Session, 2015
9	13
10		-	_____HB07017ED____033015____
	14	+	LCO No. 5179
	15	+
	16	+	05179_______ED_
	17	+
	18	+	Referred to Committee on EDUCATION
	19	+
	20	+	Introduced by:
	21	+
	22	+	(ED)
11	23
12	24		AN ACT CONCERNING STUDENT DATA PRIVACY.
13	25
14	26		Be it enacted by the Senate and House of Representatives in General Assembly convened:
15	27
16	28		Section 1. (NEW) (Effective October 1, 2015, and applicable to any agreement entered into on or after said date) (a) For the purposes of this section:
17	29
18		-	(1) "Contractor" means an individual, business or other entity that provides educational software or services for the electronic storage, management or retrieval of student records and receives such student records pursuant to a written ~~contract~~ with a local or regional board of education~~, the State Board of Education or the Department of Education~~;
	30	+	(1) "Contractor" means an individual, business or other entity that provides educational software or services for the electronic storage, management and retrieval of student records and receives such student records pursuant to a written agreement with a local or regional board of education;
19	31
20		-	(2) "~~De-identified~~ student information" means any information that cannot be used to identify an individual student;
	32	+	(2) "Deidentified student information" means any information that cannot be used to identify an individual student;
21	33
22		-	(3) "Student-generated content" includes materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except that it does not include student responses to a standardized assessment; and
	34	+	(3) "Student generated content" includes materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except that it does not include student responses to a standardized assessment; and
23	35
24		-	(4) "Student record" includes any information directly related to a student that is maintained by a local or regional board ~~of education, the State Board of Education or the Department~~ of Education and any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education, ~~the State Board of Education or the Department of Education,~~ except that it does not include ~~de-identified~~ student information ~~allowed under the contract to be~~ used by the contractor to ~~(A)~~ improve educational products for adaptive learning purposes and for customizing student learning, ~~(B)~~ demonstrate the effectiveness of ~~the~~ contractor's products in the marketing of those products, and ~~(C)~~ develop and improve the ~~contractor~~'s products and services.
	36	+	(4) "Student record" includes any information directly related to a student that is maintained by a local or regional board of education and any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education, except that it does not include deidentified student information used by the contractor to improve educational products for adaptive learning purposes and for customizing student learning, to demonstrate the effectiveness of contractor's products in the marketing of those products and to develop and improve the contractors' products and services.
25	37
26		-	(b) Every ~~contract~~ that a local or regional board ~~of education, the State Board of Education or the Department~~ of Education enters into with a contractor shall include, but ~~need~~ not be limited to, the following:
	38	+	(b) Every agreement that a local or regional board of education enters into with a contractor shall include, but is not limited to, the following:
27	39
28		-	(1) A statement that student records continue to be the property of and under the control of the local or regional board of education~~, the State Board of Education or the Department of Education~~;
	40	+	(1) A statement that student records continue to be the property of and under the control of the local or regional board of education;
29	41
30		-	(2) A description of the means by which a student~~, parent or legal guardian of a student~~ may retain possession and control of student-generated content and, if applicable, the means by which a student~~, parent or legal guardian of a student~~ may transfer such student-generated content to an electronic mail account;
	42	+	(2) A description of the means by which a student may retain possession and control of student generated content and, if applicable, the means by which a student may transfer such student generated content to an electronic mail account;
31	43
32	44		(3) A statement that the contractor shall not use student records for any purposes other than those authorized pursuant to the contract;
33	45
34		-	(4) A description of the procedures by which a ~~student,~~ parent or legal guardian of a student may review personally identifiable information ~~contained~~ in the student ~~record~~ and correct erroneous information~~, if any, in such student record~~;
	46	+	(4) A description of the procedures by which a parent or legal guardian of a student who is younger than eighteen years of age and a student who is eighteen years of age or older may review personally identifiable information in the student records and correct erroneous information;
35	47
36		-	(5) A description of the actions the contractor ~~shall~~ take to ensure the security and confidentiality of student records;
	48	+	(5) A description of the actions the contractor will take to ensure the security and confidentiality of student records;
37	49
38		-	(6) A description of the procedures for notifying a ~~student,~~ parent or legal guardian of a student and ~~the local~~ or ~~regional board of education,~~ ~~the State Board of Education~~ or ~~the Department of Education as soon as practical, but not later than forty-eight hours after the contractor becomes aware of or suspects that~~ any ~~student record under the control of the contractor has been subject to unauthorized access or suspected unauthorized access;~~
	50	+	(6) A description of the procedures for notifying a parent or legal guardian of a student who is younger than eighteen years of age and a student who is eighteen years of age or older in an instance where an unauthorized person or entity accesses student records in any manner;
39	51
40		-	(7) A statement that student records shall not be retained or available to the contractor upon completion of the contracted services unless a student~~, parent or legal guardian of a student~~ chooses to establish or maintain an electronic account with the ~~contractor~~ for the purpose of storing student-generated content; and
	52	+	(7) A statement that student records shall not be retained or available to the contractor upon completion of the contracted services unless a student chooses to establish or maintain an electronic account with the contract for the purpose of storing student generated content; and
41	53
42		-	(8) A statement that the contractor and the local or regional board ~~of education, the State Board of Education or the Department~~ of Education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g.
	54	+	(8) A statement that the contractor and the local or regional board of education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, (FERPA).
43	55
44		-	(c) A contractor shall not use (1) student records for any purposes other than those authorized pursuant to the ~~contract~~, or (2) personally identifiable information ~~contained~~ in student records to engage in advertising.
	56	+	(c) A contractor shall not use (1) student records for any purposes other than those authorized pursuant to the agreement, and (2) personally identifiable information in student records to engage in targeted advertising.
45	57
46		-	(d) Any ~~contract that~~ conflicts with the provisions of this section shall be void.
	58	+	(d) Any agreement which conflicts with the provisions of this section shall be void.
47	59
48	60		Sec. 2. (NEW) (Effective October 1, 2015) (a) For the purposes of this section:
49	61
50	62		(1) "Operator" means an operator of an Internet web site, online service, online application or mobile application that is designed, used and marketed for elementary and secondary school purposes;
51	63
52		-	(2) "Elementary and secondary school purposes" means activities that ~~are directed by or that~~ customarily occur at the direction of an elementary or secondary ~~school~~ teacher or a local or regional board of education, including, but not limited to, instruction in the classroom or at home, administrative activities and collaboration ~~among~~ students, school personnel or parents ~~or legal guardians of students~~;
	64	+	(2) "Elementary and secondary school purposes" means activities that customarily occur at the direction of an elementary or secondary teacher or a local or regional board of education, including, but not limited to, instruction in the classroom or at home, administrative activities and collaboration between students, school personnel or parents;
53	65
54		-	(3) "Covered information" means personally identifiable information, in any media or format, that (A) is created or provided by a student, parent or legal guardian of a student in the course of the student, parent or legal guardian using the operator's ~~Internet web~~ site, service or application for elementary and secondary school purposes, (B) is created or provided by an employee or agent of a local or regional board of education ~~and provided~~ to an operator ~~for elementary and secondary school purposes~~, or (C) is gathered by an operator through the operation of the operator's Internet web site, service or application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home address, telephone number, ~~date of birth,~~ electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, ~~photographs~~ or voice recordings; and
	66	+	(3) "Covered information" means personally identifiable information, in any media or format, that (A) is created or provided by a student or a parent or legal guardian of a student who is younger than eighteen years of age to an operator in the course of the student, parent or legal guardian using the operator's site, service or application for elementary and secondary school purposes, (B) is created or provided by an employee or agent of a local or regional board of education to an operator, or (C) is gathered by an operator through the operation of the operator's Internet web site, service or application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home address, telephone number, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, photos or voice recordings; and
55	67
56		-	(4) "~~De-identified~~ student covered information" means any information that cannot be used to identify an individual student.
	68	+	(4) "Deidentified student covered information" means any information that cannot be used to identify an individual student.
57	69
58	70		(b) An operator shall not:
59	71
60		-	(1) Engage in advertising on the operator's Internet web site, service or application, or advertising on any other ~~Internet web~~ site, service or application when ~~such~~ advertising ~~uses~~ any covered information that the operator acquired in the ~~course~~ of ~~a student, parent or legal guardian using~~ the operator's Internet web site, service or application;
	72	+	(1) Engage in targeted advertising on the operator's Internet web site, service or application, or target advertising on any other site, service or application when the targeting of the advertising is based upon any information, including covered information, that the operator acquired because of the use of the operator's Internet web site, service or application;
61	73
62		-	(2) Use ~~covered~~ information created or gathered by the operator's ~~Internet web~~ site, service or application to create a profile of a student, except in furtherance of elementary and secondary school purposes;
	74	+	(2) Use information created or gathered by the operator's site, service or application to create a profile about a minor student except in furtherance of elementary and secondary school purposes;
63	75
64		-	(3) Sell covered information, ~~unless the sale~~ is part of the purchase, merger or acquisition of an operator by ~~a successor~~ operator ~~and~~ the operator and successor operator continue to be subject to the provisions of this section regarding covered information; and
	76	+	(3) Sell a minor student's information, including covered information, except if selling is part of the purchase, merger or acquisition of an operator by another operator, provided the operator and successor operator continue to be subject to the provisions of this section regarding covered information; and
65	77
66		-	(4) Disclose covered information, unless the disclosure is made: (A) In furtherance of the elementary and secondary school purposes of the ~~Internet web~~ site, service or application, provided the recipient of the covered information uses such covered information to improve the operability and functionality of the Internet web site, service or application within the student's classroom or school and complies with subsection (d) of this section; (B) to ensure compliance with federal and state law; (C) in response to judicial process; (D) to protect the safety of users or others, or ~~the~~ security of the Internet web site, service or application; or (E) to ~~an entity hired by the operator to provide services for the operator's Internet web site,~~ service ~~or application~~, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator to subsequent third parties, and (iii) requires the service provider to protect confidential information from unauthorized access in accordance with current industry standards.
	78	+	(4) Disclose covered information, unless the disclosure is made: (A) In furtherance of the elementary and secondary school purposes of the site, service or application, provided the recipient of the covered information uses such covered information to improve the operability and functionality of the Internet web site, service or application within the student's classroom or school and complies with subsection (d) of this section; (B) to ensure compliance with federal and state law; (C) in response to judicial process; (D) to protect the safety of users or others or security of the Internet web site, service or application; or (E) to a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider protect confidential information from unauthorized access in accordance with current industry standards.
67	79
68	80		(c) No provision in subsection (b) of this section shall be construed to prohibit the use of covered information by the operator to maintain, develop, support or improve the operator's Internet web site, service or application.
69	81
70		-	(d) An operator shall (1) protect ~~covered~~ information from unauthorized access, whenever and however stored or maintained, in accordance with current industry standards, and (2) delete a student's covered information if ~~a student, parent or legal guardian of a student or~~ the local or regional board of education requests deletion of such covered information.
	82	+	(d) An operator shall (1) protect confidential information from unauthorized access, whenever and however stored or maintained, in accordance with current industry standards, and (2) delete a student's covered information if the local or regional board of education requests deletion of such covered information that is under the control of such board of education.
71	83
72		-	(e) An operator may (1) use ~~de-identified~~ student covered information to improve the operator's Internet web site, service or application and to demonstrate or market the effectiveness of the operator's Internet web site, service or application, and (2) ~~use~~ aggregated ~~de-identified~~ student covered information for improvement and development of Internet web sites, services or applications for elementary and secondary school purposes.
	84	+	(e) An operator may (1) use deidentified student covered information to improve the operator's Internet web site, service or application and to demonstrate or market the effectiveness of the operator's Internet web site, service or application, and (2) share aggregated deidentified student covered information for improvement and development of Internet web sites, services or applications for elementary and secondary school purposes.
73	85
74		-	Sec. 3. (NEW) (Effective October 1, 2015) (a) For the purposes of this section, "directory information" has the same meaning as provided in 34 CFR 99.3, as amended from time to time.
75		-
76		-	(b) Upon determination by a local or regional board of education that a request for directory information is related to school purposes, the local or regional board of education may disclose directory information to any person requesting such directory information. If the local or regional board of education determines that a request for directory information is not related to school purposes, the local or regional board of education shall not disclose such directory information.
	86	+	Sec. 3. (NEW) (Effective October 1, 2015) Upon determination that there is good cause, a local or regional board of education may disclose directory information, as defined in the regulations implementing the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, (FERPA), as from time to time amended, at 34 CFR 99.3, to any person requesting such directory information.
77	87
78	88
79	89
80	90
81	91		This act shall take effect as follows and shall amend the following sections:
82	92		Section 1 October 1, 2015, and applicable to any agreement entered into on or after said date New section
83	93		Sec. 2 October 1, 2015 New section
84	94		Sec. 3 October 1, 2015 New section
85	95
86	96		This act shall take effect as follows and shall amend the following sections:
87	97
88	98		Section 1
89	99
90	100		October 1, 2015, and applicable to any agreement entered into on or after said date
91	101
92	102		New section
93	103
94	104		Sec. 2
95	105
96	106		October 1, 2015
97	107
98	108		New section
99	109
100	110		Sec. 3
101	111
102	112		October 1, 2015
103	113
104	114		New section
105	115
106		-	Statement of ~~Legislative Commissioners~~:
	116	+	Statement of Purpose:
107	117
108		-	~~In Section 1(b)(4), "contained" was inserted before "in~~ the ~~student record" for clarity and ", if any, in such~~ student record" was inserted after "erroneous information" for clarity; in Section 1(b)(8), ", the State Board of Education or the Department of Education" was inserted after "regional board of education" for consistency and accuracy; in Section 1(c), "contained" was inserted before "in student records" for clarity; in Section 2(a)(2), "school" was inserted before "teacher" for clarity; in Section 2(b)(1), "is based upon" was changed to "uses" for clarity; and in Section 2(b)(3) "except if" was changed to "unless" and "provided" was changed to "and" for clarity and accuracy.
	118	+	To protect the privacy of student information.
109	119
110		-
111		-
112		-	ED Joint Favorable Subst.
113		-
114		-	ED
115		-
116		-	Joint Favorable Subst.
	120	+	[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]