TX
Texas Senate Bill SB928

Texas 2023 - 88th Regular

Texas Senate Bill SB928 Compare Versions

OldNewDifferences
11 By: Parker S.B. No. 928
22
33
44 A BILL TO BE ENTITLED
55 AN ACT
66 relating to the protection of personally identifiable student
77 information and the use of covered information by an operator or
88 educational entity; authorizing a civil and administrative
99 penalty.
1010 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1111 SECTION 1. Section 32.151, Education Code, is amended by
1212 amending Subdivision (1) and adding Subdivisions (1-a), (1-b),
1313 (1-c), (1-d), (1-e), (1-f), and (5-a) to read as follows:
1414 (1) "Aggregate student information" means student
1515 information collected by an educational entity that:
1616 (A) is totaled and reported at the group, cohort,
1717 school, school district, region, or state level, as determined by
1818 the educational entity;
1919 (B) does not reveal personally identifiable
2020 student information; and
2121 (C) cannot reasonably be used to identify,
2222 contact, single out, or infer information about a student or a
2323 device used by a student.
2424 (1-a) "Biometric identifier" means any measurement of
2525 the human body or its movement that is used to attempt to uniquely
2626 identify or authenticate the identity of an individual, including a
2727 blood sample, hair sample, skin sample, body scan, retina or iris
2828 scan, fingerprint, voiceprint, or record of hand or face geometry.
2929 (1-b) "Coordinating board" means the Texas Higher
3030 Education Coordinating Board.
3131 (1-c) "Covered information" means personally
3232 identifiable information or information that is linked to
3333 personally identifiable information, in any media or format, that
3434 is not publicly available and is:
3535 (A) created by or provided to an operator or
3636 educational entity by a student or the student's parent in the
3737 course of the student's or parent's use of the operator's or
3838 entity's website, online service, online application, or mobile
3939 application for a school purpose;
4040 (B) created by or provided to an operator or
4141 educational entity by an employee of a school district or school
4242 campus for a school purpose; or
4343 (C) gathered by an operator or educational entity
4444 through the operation of the operator's or entity's website, online
4545 service, online application, or mobile application for a school
4646 purpose and personally identifies a student, including the
4747 student's educational record, electronic mail, first and last name,
4848 home address, telephone number, electronic mail address,
4949 information that allows physical or online contact, discipline
5050 records, test results, special education data, juvenile
5151 delinquency records, grades, evaluations, criminal records,
5252 medical records, health records, social security number, biometric
5353 identifier information, disabilities, socioeconomic information,
5454 food purchases, political affiliations, religious information,
5555 text messages, student identifiers, search activity, photograph,
5656 voice recordings, or geolocation information.
5757 (1-d) "Data breach" means an incident in which student
5858 information that is sensitive, protected, or confidential, as
5959 provided by state or federal law, is stolen or is copied,
6060 transmitted, viewed, or used by a person unauthorized to engage in
6161 that action.
6262 (1-e) "Educational entity" includes school districts,
6363 open-enrollment charter schools, regional education service
6464 centers, institutions of higher education, and other local
6565 education agencies.
6666 (1-f) "Information privacy officer" means the
6767 information privacy officer designated by the commissioner under
6868 Section 32.1512.
6969 (5-a) "Student" means a person who is enrolled at a
7070 public primary or secondary school.
7171 SECTION 2. Subchapter D, Chapter 32, Education Code, is
7272 amended by adding Sections 32.1511, 32.1512, 32.1513, 32.1514,
7373 32.1515, 32.1516, 32.1517, 32.1518, 32.1521, 32.1531, 32.1551,
7474 32.1552, 32.1561, 32.1562, 32.1563, 32.158, 32.159, and 32.160 to
7575 read as follows:
7676 Sec. 32.1511. OWNERSHIP OF COVERED INFORMATION AND WORK
7777 PRODUCT. (a) A student retains ownership over the student's own:
7878 (1) covered information; and
7979 (2) work or intellectual product, regardless of
8080 whether the product was created for academic credit.
8181 (b) A student may download, export, transfer, or otherwise
8282 save or maintain any document, covered information, or other data
8383 created by the student that is held or maintained by an educational
8484 entity.
8585 Sec. 32.1512. INFORMATION PRIVACY OFFICER; DUTIES. (a)
8686 The commissioner shall designate an agency employee to serve as an
8787 information privacy officer to oversee privacy and security
8888 policies regarding student information.
8989 (b) The information privacy officer shall:
9090 (1) ensure that the agency handles covered information
9191 maintained by the agency in a manner that complies with this
9292 subchapter, the Family Educational Rights and Privacy Act of 1974
9393 (20 U.S.C. Section 1232g), and any other federal or state
9494 information privacy or security law;
9595 (2) establish and publish in a form that is easily
9696 accessible policies necessary to ensure that the use of technology
9797 sustains, enhances, and does not erode privacy protections related
9898 to the use, collection, and disclosure of covered information;
9999 (3) develop and provide to each educational entity a
100100 model student information privacy and security plan;
101101 (4) evaluate legislative and regulatory proposals
102102 involving the use, collection, and disclosure of covered
103103 information by educational entities;
104104 (5) conduct privacy impact assessments, including an
105105 assessment of the type of covered information collected and the
106106 number of students affected, for:
107107 (A) legislative proposals affecting educational
108108 entities; and
109109 (B) agency and coordinating board rules and
110110 program initiatives;
111111 (6) consult and coordinate with representatives of the
112112 state, agency, and coordinating board and other appropriate persons
113113 regarding the use of covered information and the implementation of
114114 this subchapter;
115115 (7) establish and operate a privacy incident response
116116 program to ensure that each incident related to covered information
117117 involving the agency is properly reported, investigated, and
118118 mitigated;
119119 (8) establish a model process and policy for a student
120120 or the student's parent to file a complaint regarding:
121121 (A) a violation of student information privacy;
122122 or
123123 (B) an inability to access, review, or correct
124124 information contained in the student's educational record; and
125125 (9) provide training, guidance, technical assistance,
126126 and outreach to build a culture of student information protection
127127 and student data security among educational entities and third
128128 parties who contract with those entities.
129129 (c) Not later than February 1 of each year, the information
130130 privacy officer shall prepare and submit a written report to the
131131 standing committees of each house of the legislature with primary
132132 jurisdiction over primary, secondary, and higher education
133133 regarding actions taken by the agency related to student
134134 information privacy, including complaints regarding privacy
135135 violations, internal controls, and other related matters.
136136 Sec. 32.1513. GENERAL INVESTIGATIVE POWER OF INFORMATION
137137 PRIVACY OFFICER. (a) The information privacy officer may
138138 investigate an operator or educational entity as necessary to
139139 enforce this subchapter and protect covered information gathered
140140 from students in this state.
141141 (b) On request of the information privacy officer, an
142142 operator, educational entity, or a third party who contracts with
143143 an operator or educational entity shall make all applicable records
144144 and materials available to the officer as necessary to enable the
145145 officer to determine compliance with this subchapter.
146146 (c) The information privacy officer shall:
147147 (1) limit the scope of the investigation and any
148148 accompanying report to those matters that are necessary to the
149149 administration of this subchapter; and
150150 (2) in matters related to compliance with federal law,
151151 refer the matter to the appropriate federal agency and cooperate
152152 with an investigation by the federal agency.
153153 Sec. 32.1514. AGENCY COMPREHENSIVE STUDENT INFORMATION
154154 INVENTORY. The agency shall, to the maximum extent possible,
155155 develop, maintain, and post on the agency's Internet website a
156156 comprehensive student information inventory that accounts for all
157157 covered information assets created by, collected by, under the
158158 control or direction of, or maintained by the agency, including
159159 student information that:
160160 (1) is required to be reported by law;
161161 (2) has been proposed for inclusion in the agency's
162162 student information system with a statement regarding the reason
163163 for the proposed inclusion; and
164164 (3) is collected or maintained by the agency for no
165165 current purpose or reason.
166166 Sec. 32.1515. INFORMATION SECURITY POLICIES AND
167167 PROCEDURES. (a) Subject to the approval of the information privacy
168168 officer, each educational entity shall adopt and implement
169169 reasonable information security policies and procedures in
170170 accordance with this subchapter to protect students' educational
171171 records and covered information from unauthorized access,
172172 destruction, use, modification, or disclosure.
173173 (b) An educational entity must take into account the
174174 entity's specific needs and priorities in adopting policies and
175175 procedures under Subsection (a).
176176 Sec. 32.1516. STUDENT INFORMATION MANAGER. (a) Each
177177 educational entity shall designate an individual to act as a
178178 student information manager. The student information manager
179179 shall:
180180 (1) create, maintain, and submit to the information
181181 privacy officer an information governance plan addressing the
182182 protection of existing and future student information and records;
183183 and
184184 (2) establish a review process for all covered
185185 information requests for the purpose of external research or
186186 evaluation.
187187 (b) Not later than December 1 of each year, the student
188188 information manager shall submit a report to the agency's
189189 information privacy officer. The report must include:
190190 (1) proposed changes to the educational entity's
191191 information security policies and procedures adopted under Section
192192 32.1515; and
193193 (2) any data breaches or attempted data breaches
194194 detected by the educational entity.
195195 Sec. 32.1517. CONTRACT PROVISIONS. A contract between an
196196 educational entity and an operator must include the following
197197 provisions:
198198 (1) requirements and restrictions related to the
199199 collection, use, storage, and sharing of covered information by the
200200 operator that are necessary for the educational entity to ensure
201201 the operator's compliance with this subchapter and other law;
202202 (2) a description of the person or type of person,
203203 including an affiliate or subcontractor of the operator, with whom
204204 the operator may share covered information;
205205 (3) when and how to delete covered information
206206 received by the operator;
207207 (4) a prohibition on the secondary use of covered
208208 information by the operator, except when used for a legitimate
209209 school or research purpose or as described by Sections 32.153 and
210210 32.154;
211211 (5) an agreement by the operator that the educational
212212 entity or the educational entity's designee may audit the operator
213213 to verify compliance with the contract;
214214 (6) requirements for the operator or a subcontractor
215215 of the operator to establish security measures to prevent, detect,
216216 or mitigate a data breach; and
217217 (7) requirements for the operator or a subcontractor
218218 of the operator to notify the educational entity of a suspected data
219219 breach.
220220 Sec. 32.1518. NOTICE OF INFORMATION DISCLOSURE. (a) Not
221221 less than annually, an educational entity that collects covered
222222 information shall provide to each parent of a student whose covered
223223 information is collected a notice of information disclosure form
224224 stating in plain language the conditions under which the student's
225225 covered information may be disclosed. The educational entity shall
226226 provide the form as a stand-alone document.
227227 (b) The notice of information disclosure form must:
228228 (1) list the covered information that the educational
229229 entity collects and the rationale for collecting the information,
230230 including whether the information is required by law to be
231231 collected;
232232 (2) state that a student's covered information
233233 collected by the educational entity may not be shared without the
234234 written consent of the student's parent;
235235 (3) list each operator or other third party with
236236 access to or control of covered information maintained by the
237237 educational entity;
238238 (4) outline the rights and responsibilities of the
239239 educational entity under this subchapter; and
240240 (5) contain an acknowledgment section that:
241241 (A) states that the intended recipient of the
242242 notice actually received the notice and understands its contents;
243243 (B) allows for the recipient to record the
244244 recipient's objection to the collection of any covered information
245245 relating to the parent's student that is not required by law to be
246246 collected; and
247247 (C) includes a signature line.
248248 (c) Each parent who receives a notice of information
249249 disclosure form under Subsection (a) shall sign the acknowledgement
250250 section described by Subsection (b)(5) and return the form to the
251251 educational entity as soon as possible.
252252 (d) An educational entity shall:
253253 (1) annually update its notice of information
254254 disclosure form; and
255255 (2) maintain a written or electronic record of each
256256 signed acknowledgment form received under this section.
257257 Sec. 32.1521. PROHIBITED USE OF COVERED INFORMATION AND
258258 COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY EDUCATIONAL
259259 ENTITY. (a) Except as otherwise provided by this subchapter, an
260260 educational entity may not release or otherwise disclose a
261261 student's covered information in exchange for a good, product,
262262 application, service, or any other thing of measurable value.
263263 (b) An educational entity may not use or release covered
264264 information for the purpose of targeted advertising unless the
265265 release of the data is essential for a school purpose, including the
266266 use of adaptive educational software or other strictly tailored
267267 educational endeavor with the sole purpose of providing a tailored
268268 educational experience to the student.
269269 (c) An educational entity may not collect a student's
270270 biometric identifier information unless required by law.
271271 Sec. 32.1531. ALLOWED DISCLOSURE OF COVERED INFORMATION BY
272272 EDUCATIONAL ENTITY. (a) An educational entity may disclose
273273 covered information if the disclosure is:
274274 (1) authorized in writing by the student's parent;
275275 (2) determined by the entity to be necessary because
276276 of an imminent health or safety emergency;
277277 (3) ordered by a court of competent jurisdiction; or
278278 (4) authorized or required by a provision of federal
279279 or state law.
280280 (b) The educational entity must comply with the
281281 requirements of federal and state law to protect any student
282282 information disclosed under this section.
283283 (c) This subchapter may not be construed to prohibit or
284284 otherwise limit the ability of an educational entity to report or
285285 make available aggregate student information or other collective
286286 information for reasonable use.
287287 Sec. 32.1551. NOTIFICATION OF DATA BREACH AFFECTING
288288 OPERATOR. (a) Not later than 24 hours after an operator becomes
289289 aware of a data breach, the operator shall notify the applicable
290290 educational entity with whom the operator has contracted of the
291291 breach and take action to determine the scope of student
292292 information affected by the breach.
293293 (b) The operator shall update the educational entity as soon
294294 as the full scope of the data breach is assessed and take all
295295 reasonable steps to notify all persons affected by the breach.
296296 Sec. 32.1552. NOTIFICATION OF DATA BREACH AFFECTING
297297 EDUCATIONAL ENTITY. (a) Not later than 24 hours after an
298298 educational entity becomes aware of a data breach, the educational
299299 entity shall notify the information privacy officer of the
300300 suspected or confirmed breach.
301301 (b) Not later than the third business day after the date a
302302 data breach is verified, an educational entity shall notify the
303303 parent of each student affected by the breach.
304304 Sec. 32.1561. INSPECTION OF INFORMATION CONTAINED IN
305305 STUDENT'S EDUCATIONAL RECORD. (a) On request of a student's
306306 parent, an educational entity or operator shall allow the student's
307307 parent to inspect the covered information and other information
308308 contained in the student's educational record maintained by the
309309 entity or operator.
310310 (b) The educational entity or operator shall provide the
311311 information requested under Subsection (a) in a timely manner and,
312312 if possible, in an electronic format.
313313 (c) An educational entity or operator is not required to
314314 provide information requested under Subsection (a) if:
315315 (1) the information cannot reasonably be made
316316 available to the requesting individual; or
317317 (2) the reproduction of the requested information
318318 would be unduly burdensome.
319319 Sec. 32.1562. CORRECTION OF INFORMATION CONTAINED IN
320320 STUDENT'S EDUCATIONAL RECORD. (a) After reviewing information
321321 requested under Section 32.1561, a student's parent may request
322322 that the educational entity or operator make corrections to address
323323 inaccurate or incomplete data in the student's educational record
324324 maintained by the entity or operator.
325325 (b) On request by a student's parent, an educational entity
326326 or operator shall expunge from the student's educational record
327327 covered information related to:
328328 (1) an unsubstantiated accusation made against the
329329 student; or
330330 (2) alleged conduct committed by the student if:
331331 (A) prosecution of the student's case was refused
332332 for lack of prosecutorial merit or insufficient evidence and no
333333 formal proceedings, deferred adjudication, or deferred prosecution
334334 were initiated; or
335335 (B) the court or jury found the student not
336336 guilty or made a finding the student did not engage in delinquent
337337 conduct or conduct indicating a need for supervision and the case
338338 was dismissed with prejudice.
339339 (c) Not later than the 90th day after the date an
340340 educational entity or operator receives a request under Subsection
341341 (a) or (b), the educational entity or operator shall make changes to
342342 the student's educational record as necessary and confirm the
343343 changes with the student's parent.
344344 Sec. 32.1563. RULES; FORMS. (a) The commissioner shall
345345 adopt rules as necessary to implement this subchapter.
346346 (b) The commissioner shall develop forms as necessary to
347347 implement this subchapter, including model forms for:
348348 (1) providing the notice of information disclosure
349349 required by Section 32.1518; and
350350 (2) obtaining written parental consent for the
351351 disclosure of covered information as required by Section 32.1531.
352352 Sec. 32.158. CIVIL PENALTY. (a) An operator that violates
353353 this subchapter or a rule adopted under this subchapter is liable
354354 for a civil penalty if the violation resulted in a negligent data
355355 breach.
356356 (b) In determining the amount of a civil penalty to impose
357357 under this section, the court shall include:
358358 (1) the cost of identity protection for each person
359359 affected by the data breach or compromise;
360360 (2) legal fees and costs incurred by each person
361361 affected by the data breach or compromise; and
362362 (3) any other penalty that the court deems reasonable
363363 or appropriate.
364364 Sec. 32.159. ADMINISTRATIVE PENALTY. (a) The commissioner
365365 may assess an administrative penalty for a violation of this
366366 subchapter in an amount of not less than $1,000 or more than $5,000.
367367 (b) The aggregate amount of penalties that the commissioner
368368 may assess against a person under this section during a calendar
369369 year may not exceed $1,000,000.
370370 Sec. 32.160. CRIMINAL LIABILITY NOT AFFECTED. This
371371 subchapter may not be construed to limit or otherwise affect a
372372 person's criminal liability under other law.
373373 SECTION 3. The heading to Section 32.152, Education Code,
374374 is amended to read as follows:
375375 Sec. 32.152. PROHIBITED USE OF COVERED INFORMATION AND
376376 COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY OPERATOR.
377377 SECTION 4. Section 32.152, Education Code, is amended by
378378 amending Subsection (a) to read as follows:
379379 (a) An operator may not knowingly:
380380 (1) engage in targeted advertising on any website,
381381 online service, online application, or mobile application if the
382382 target of the advertising is based on any information, including
383383 covered information and persistent unique identifiers, that the
384384 operator has acquired through the use of the operator's website,
385385 online service, online application, or mobile application for a
386386 school purpose;
387387 (2) use information, including persistent unique
388388 identifiers, created or gathered by the operator's website, online
389389 service, online application, or mobile application, to create a
390390 profile about a student unless the profile is created for a school
391391 purpose; [or]
392392 (3) except as provided by Subsection (c), sell or rent
393393 any student's covered information;
394394 (4) exchange a student's covered information for any
395395 good, service, or application;
396396 (5) disclose covered information except as provided
397397 under this subchapter; or
398398 (6) unless required by law, collect a student's
399399 biometric identifier information.
400400 SECTION 5. The heading to Section 32.153, Education Code,
401401 is amended to read as follows:
402402 Sec. 32.153. ALLOWED DISCLOSURE OF COVERED INFORMATION BY
403403 OPERATOR.
404404 SECTION 6. Section 32.153, Education Code, is amended by
405405 amending Subsection (a) and adding Subsection (f) to read as
406406 follows:
407407 (a) An operator may use or disclose covered information
408408 under the following circumstances:
409409 (1) to further a school purpose of the website, online
410410 service, online application, or mobile application and the
411411 recipient of the covered information disclosed under this
412412 subsection does not further disclose the information unless the
413413 disclosure is to allow or improve operability and functionality of
414414 the operator's website, online service, online application, or
415415 mobile application;
416416 (2) to ensure legal and regulatory compliance;
417417 (3) to protect against liability;
418418 (4) to respond to or participate in the judicial
419419 process, including to comply with an investigation by law
420420 enforcement as authorized by law or a court order;
421421 (5) to protect:
422422 (A) the safety or integrity of users of the
423423 website, online service, online application, or mobile
424424 application; or
425425 (B) the security of the website, online service,
426426 online application, or mobile application;
427427 (6) for a school, education, or employment purpose
428428 requested by the student or the student's parent and the
429429 information is not used or disclosed for any other purpose;
430430 (7) to use the covered information for:
431431 (A) a legitimate research purpose; or
432432 (B) a school purpose or postsecondary
433433 educational purpose; [or]
434434 (8) for a request by the agency or the school district
435435 for a school purpose;
436436 (9) to market an educational application or product to
437437 a student's parent, if the operator did not use covered information
438438 shared or collected by or on behalf of an educational entity to
439439 develop the application or product;
440440 (10) to allow a recommendation engine on the
441441 operator's website, online service, online application, or mobile
442442 application to recommend to a student's parent content or services
443443 related to learning or employment, if the recommendation is not
444444 motivated by payment or other consideration from another party; or
445445 (11) to respond to the request of a student's parent
446446 for information or feedback, if the content of the response is not
447447 motivated by payment or other consideration from another party.
448448 (f) Notwithstanding any other law, an operator shall use a
449449 student's covered information received under a contract with an
450450 educational entity strictly for the purpose provided under the
451451 contract unless the student's parent affirmatively chooses to
452452 disclose the student's information for a secondary purpose.
453453 SECTION 7. The heading to Section 32.154, Education Code,
454454 is amended to read as follows:
455455 Sec. 32.154. ALLOWED USE OF COVERED INFORMATION BY
456456 OPERATOR.
457457 SECTION 8. The heading to Section 32.155, Education Code,
458458 is amended to read as follows:
459459 Sec. 32.155. PROTECTION OF COVERED INFORMATION BY OPERATOR.
460460 SECTION 9. Sections 32.155(c), (d), and (e), Education
461461 Code, are amended to read as follows:
462462 (c) In addition to including the unique identifier in
463463 releasing information as provided by Subsection (b), an operator
464464 may include any other data field identified by the agency or by an
465465 educational entity [a school district, open-enrollment charter
466466 school, regional education service center, or other local education
467467 agency] as necessary for the information being released to be
468468 useful.
469469 (d) An educational entity [A school district,
470470 open-enrollment charter school, regional education service center,
471471 or other local education agency] may include additional data fields
472472 in an agreement with an operator or the amendment of an agreement
473473 with an operator under this section. An operator may agree to
474474 include the additional data fields requested by an educational
475475 entity [a school district, open-enrollment charter school,
476476 regional education service center, or other local education agency]
477477 but may not require that additional data fields be included.
478478 (e) An educational entity [A school district,
479479 open-enrollment charter school, regional education service center,
480480 or other local education agency] may require an operator that
481481 contracts directly with the entity to adhere to a state-required
482482 student data sharing agreement that includes the use of an
483483 established unique identifier standard for all operators as
484484 prescribed by the agency.
485485 SECTION 10. The heading to Section 32.156, Education Code,
486486 is amended to read as follows:
487487 Sec. 32.156. DELETION OF COVERED INFORMATION BY OPERATOR.
488488 SECTION 11. This Act takes effect September 1, 2023.