General Assembly Substitute Bill No. 5469 February Session, 2016 *_____HB05469ED____032116____*

AN ACT CONCERNING STUDENT DATA PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2016, and applicable to contracts entered into, amended or renewed on or after said date) (a) For the purposes of this section:
(1) "Contractor" means an individual, business or other entity that provides educational software or services for the electronic storage, management or retrieval of student records and receives such student records pursuant to a written contract with a local or regional board of education, the State Board of Education or the Department of Education;
(2) "De-identified student information" means any information that cannot be used to identify an individual student;
(3) "Student-generated content" means any student materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except "student-generated content" does not include student responses to a standardized assessment; and
(4) "Student record" means any information directly related to a student that is maintained by a local or regional board of education, the State Board of Education or the Department of Education and any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education, the State Board of Education or the Department of Education, except "student record" does not include de-identified student information allowed under the contract to be used by the contractor to (A) improve educational products for adaptive learning purposes and customize student learning, (B) demonstrate the effectiveness of the contractor's products in
the marketing of such products, and (C) develop and improve the contractor's products and services.

(b) On and after October 1, 2016, every contract that a local or regional board of education, the State Board of Education or the Department of Education enters into with a contractor shall include, but need not be limited to, the following:
(1) A statement that student records and student-generated content are not the property of or under the control of a contractor;
(2) A description of the means by which a student, parent or legal guardian of a student may retain possession and control of student-generated content and, if applicable, the means by which a student, parent or legal guardian of a student may transfer such student-generated content to an electronic mail account;
(3) A statement that the contractor shall not use student records for any purposes other than those authorized pursuant to the contract;
(4) A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in the student record and correct erroneous information, if any, in such student record;
(5) A description of the actions the contractor shall take to ensure the security and confidentiality of student records;
(6) A description of the procedures for notifying a student, parent or legal guardian of a student and the local or regional board of education, the State Board of Education or the Department of Education as soon as practical, but not later than forty-eight hours after the contractor becomes aware of or suspects that any student record under the control of the contractor has been subject to unauthorized access or suspected unauthorized access;
(7) A statement that student records shall not be retained or available to the contractor upon completion of the contracted services unless a student, parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor
for the purpose of storing student-generated content;
(8) A statement that the contractor and the local or regional board of education, the State Board of Education or the Department of Education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g;
(9) A statement that the laws of the state of Connecticut shall govern the rights and duties of the contractor and the local or regional board of education, the State Board of Education or the Department of Education; and
(10) A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract which can be given effect without the invalid provision or application.

(c) A contractor shall not use (1) student records for any purposes other than those authorized pursuant to the contract, or (2) personally identifiable information contained in student records to engage in advertising.

(d) Any provision of a contract entered into between a contractor and a local or regional board of education, the State Board of Education or the Department of Education on or after October 1, 2016, that conflicts with any provision of this section shall be void.

(e) Any contract entered into on and after October 1, 2016, that does not include a provision required by subsection (b) of this section shall be void, provided the local or regional board of education, the State Board of Education or the Department of Education has given reasonable notice to the contractor and the contractor has failed within a reasonable time to amend the contract to include the provision required by subsection (b) of this section.

(f) Not later than five business days after executing a contract pursuant to this section, a local or regional board of education shall provide notice to any student and the parent or legal guardian of a student affected by the contract.
The notice shall (1) state that the contract has been executed and the date that such contract was executed, (2) provide a brief description of the contract and the purpose of the contract, (3) state what student-generated content or student records may be collected as a result of the contract, and (4) state that the parent or legal guardian of a student affected by the contract may choose to not have such student participate in the execution of the contract.

Sec. 2. (NEW) (Effective October 1, 2016) (a) For the purposes of this section:
(1) "Operator" means any person who (A) operates an Internet web site, online service or mobile application with actual knowledge that such Internet web site, online service or mobile application is used for school purposes and was designed and marketed for school purposes, and (B) collects, maintains or uses student information;
(2) "School purposes" means purposes that customarily take place at the direction of a teacher or a local or regional board of education, or aid in the administration of school activities, including, but not limited to, instruction in the classroom, administrative activities and collaboration among students, school personnel or parents or legal guardians of students;
(3) "Student information" means personally identifiable information regarding a student that is (A) created or provided by a student or the parent or legal guardian of a student, to the operator in the course of the student, parent or legal guardian using the operator's Internet web site, online service or mobile application for school purposes, (B) created or provided by an employee or agent of a local or regional board of education to an operator for school purposes, or (C) gathered by an operator through the operation of the operator's Internet web site, online service or mobile application and identifies a student, including, but not limited to, information in the student's records or electronic mail account, first or last name, home
address, telephone number, date of birth, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious affiliations, text messages, documents, student identifiers, search activity, photographs, voice recordings, survey responses or behavioral assessments;
(4) "Student" means a child who is a resident of the state and enrolled in (A) a preschool program participating in the state-wide public school information system, pursuant to section 10-10a of the general statutes, or (B) grades kindergarten to twelve, inclusive, in a public school;
(5) "De-identified student information" means any student information that has been altered to prevent the identification of an individual student; and
(6) "Targeted advertising" means presenting an advertisement to a student where the selection of the advertisement is based on student information or inferred from the usage of the operator's Internet web site, online service or mobile application by such student.

(b) An operator shall (1) implement and maintain reasonable security procedures and practices, in accordance with current industry standards, to protect student information from unauthorized access, destruction, use, modification or disclosure, and (2) delete any student information if a student, parent or legal guardian of a student or local or regional board of education requests the deletion of such student information.
(c) An operator shall not knowingly:
(1) Engage in targeted advertising on the operator's Internet web site, online service or mobile application, or on any other Internet web site, online service or mobile application;
(2) Use student information to create a profile of a student for purposes other than the furtherance of school purposes;
(3) Sell student information, unless the sale is part of the purchase, merger or acquisition of an operator by a successor operator and the operator and successor operator continue to be subject to the provisions of this section regarding student information; or
(4) Disclose student information, unless the disclosure is made (A) in furtherance of school purposes of the Internet web site, online service or mobile application, provided the recipient of the student information uses such student information to improve the operability and functionality of the Internet web site, online service or mobile application and complies with subsection (b) of this section; (B) to ensure compliance with federal or state law; (C) in response to a judicial order; (D) to protect the safety of users or others, or the security of the Internet web site, online service or mobile application; or (E) to an entity hired by the operator to provide services for the operator's Internet web site, online service or mobile application, provided the operator contractually (i) prohibits the entity from using student information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the entity from disclosing student information provided by the operator to subsequent third parties, and (iii) requires the entity to comply with subsection (b) of this section.

(d) An operator may use student information (1) to maintain, support, evaluate or diagnose the operator's Internet web site, online service or mobile application, or (2) for adaptive learning purposes or customized student learning.
(e) An operator may use de-identified student information (1) to develop or improve the operator's Internet web site, online service or mobile application, or other Internet web sites, online services or mobile applications owned by the operator, or (2) to demonstrate or market the effectiveness of the operator's Internet web site, online service or mobile application.

(f) An operator may share aggregated de-identified student information for the improvement and development of Internet web sites, online services or mobile applications designed for school purposes.

(g) Nothing in this section shall be construed to (1) limit the ability of a law enforcement agency to obtain student information from an operator as authorized by law or pursuant to a court order, (2) limit the ability of a student or the parent or legal guardian of a student to download, transfer or otherwise save or maintain student information, (3) impose a duty upon a provider of an interactive computer service, as defined in 47 USC 230, as amended from time to time, to ensure compliance with this section by third-party information content providers, as defined in 47 USC 230, as amended from time to time, (4) impose a duty upon a seller or provider of online services or mobile applications to ensure compliance with this section with regard to such online services or mobile applications, (5) limit an Internet service provider from providing a student, parent or legal guardian of a student or local or regional board of education with the ability to connect to the Internet, (6) prohibit an operator from advertising other Internet web sites, online services or mobile applications that are used for school purposes to parents or legal guardians of students, provided such advertising does not result from the operator's use of student information, or (7) apply to Internet web sites, online services or mobile applications that are designed and marketed for use by individuals generally, even if the account
credentials created for an operator's Internet web site, online service or mobile application may be used to access Internet web sites, online services or mobile applications that are designed and marketed for use by individuals generally.

Sec. 3. (NEW) (Effective July 1, 2016) (a) For the purposes of this section, "directory information" has the same meaning as provided in 34 CFR 99.3, as amended from time to time.

(b) Upon determination by a local or regional board of education that a request for directory information is related to school purposes, the local or regional board of education may disclose directory information to any person requesting such directory information. If the local or regional board of education determines that a request for directory information is not related to school purposes, the local or regional board of education shall not disclose such directory information.

This act shall take effect as follows and shall amend the following sections:

Section 1 | October 1, 2016, and applicable to contracts entered into, amended or renewed on or after said date | New section
Sec. 2 | October 1, 2016 | New section
Sec. 3 | July 1, 2016 | New section

Statement of Legislative Commissioners:
In Sections 1(b) and 1(e), references to "October 1, 2016" were added for consistency and clarity, in Section 2(c)(4)(C), "process" was changed to "order" for accuracy and in Section 2(g)(6) "the operator's" was added before "use" for clarity.

ED Joint Favorable Subst.