Texas 2023 - 88th Regular

Texas Senate Bill SB928 Latest Draft

Bill / Introduced Version Filed 02/15/2023

                            By: Parker S.B. No. 928


 A BILL TO BE ENTITLED
 AN ACT
 relating to the protection of personally identifiable student
 information and the use of covered information by an operator or
 educational entity; authorizing a civil and administrative
 penalty.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  Section 32.151, Education Code, is amended by
 amending Subdivision (1) and adding Subdivisions (1-a), (1-b),
 (1-c), (1-d), (1-e), (1-f), and (5-a) to read as follows:
 (1)  "Aggregate student information" means student
 information collected by an educational entity that:
 (A)  is totaled and reported at the group, cohort,
 school, school district, region, or state level, as determined by
 the educational entity;
 (B)  does not reveal personally identifiable
 student information; and
 (C)  cannot reasonably be used to identify,
 contact, single out, or infer information about a student or a
 device used by a student.
 (1-a)  "Biometric identifier" means any measurement of
 the human body or its movement that is used to attempt to uniquely
 identify or authenticate the identity of an individual, including a
 blood sample, hair sample, skin sample, body scan, retina or iris
 scan, fingerprint, voiceprint, or record of hand or face geometry.
 (1-b)  "Coordinating board" means the Texas Higher
 Education Coordinating Board.
 (1-c)  "Covered information" means personally
 identifiable information or information that is linked to
 personally identifiable information, in any media or format, that
 is not publicly available and is:
 (A)  created by or provided to an operator or
 educational entity by a student or the student's parent in the
 course of the student's or parent's use of the operator's or
 entity's website, online service, online application, or mobile
 application for a school purpose;
 (B)  created by or provided to an operator or
 educational entity by an employee of a school district or school
 campus for a school purpose; or
 (C)  gathered by an operator or educational entity
 through the operation of the operator's or entity's website, online
 service, online application, or mobile application for a school
 purpose and personally identifies a student, including the
 student's educational record, electronic mail, first and last name,
 home address, telephone number, electronic mail address,
 information that allows physical or online contact, discipline
 records, test results, special education data, juvenile
 delinquency records, grades, evaluations, criminal records,
 medical records, health records, social security number, biometric
 identifier information, disabilities, socioeconomic information,
 food purchases, political affiliations, religious information,
 text messages, student identifiers, search activity, photograph,
 voice recordings, or geolocation information.
 (1-d)  "Data breach" means an incident in which student
 information that is sensitive, protected, or confidential, as
 provided by state or federal law, is stolen or is copied,
 transmitted, viewed, or used by a person unauthorized to engage in
 that action.
 (1-e)  "Educational entity" includes school districts,
 open-enrollment charter schools, regional education service
 centers, institutions of higher education, and other local
 education agencies.
 (1-f)  "Information privacy officer" means the
 information privacy officer designated by the commissioner under
 Section 32.1512.
 (5-a)  "Student" means a person who is enrolled at a
 public primary or secondary school.
 SECTION 2.  Subchapter D, Chapter 32, Education Code, is
 amended by adding Sections 32.1511, 32.1512, 32.1513, 32.1514,
 32.1515, 32.1516, 32.1517, 32.1518, 32.1521, 32.1531, 32.1551,
 32.1552, 32.1561, 32.1562, 32.1563, 32.158, 32.159, and 32.160 to
 read as follows:
 Sec. 32.1511.  OWNERSHIP OF COVERED INFORMATION AND WORK
 PRODUCT. (a) A student retains ownership over the student's own:
 (1)  covered information; and
 (2)  work or intellectual product, regardless of
 whether the product was created for academic credit.
 (b)  A student may download, export, transfer, or otherwise
 save or maintain any document, covered information, or other data
 created by the student that is held or maintained by an educational
 entity.
 Sec. 32.1512.  INFORMATION PRIVACY OFFICER; DUTIES. (a)
 The commissioner shall designate an agency employee to serve as an
 information privacy officer to oversee privacy and security
 policies regarding student information.
 (b)  The information privacy officer shall:
 (1)  ensure that the agency handles covered information
 maintained by the agency in a manner that complies with this
 subchapter, the Family Educational Rights and Privacy Act of 1974
 (20 U.S.C. Section 1232g), and any other federal or state
 information privacy or security law;
 (2)  establish and publish in a form that is easily
 accessible policies necessary to ensure that the use of technology
 sustains, enhances, and does not erode privacy protections related
 to the use, collection, and disclosure of covered information;
 (3)  develop and provide to each educational entity a
 model student information privacy and security plan;
 (4)  evaluate legislative and regulatory proposals
 involving the use, collection, and disclosure of covered
 information by educational entities;
 (5)  conduct privacy impact assessments, including an
 assessment of the type of covered information collected and the
 number of students affected, for:
 (A)  legislative proposals affecting educational
 entities; and
 (B)  agency and coordinating board rules and
 program initiatives;
 (6)  consult and coordinate with representatives of the
 state, agency, and coordinating board and other appropriate persons
 regarding the use of covered information and the implementation of
 this subchapter;
 (7)  establish and operate a privacy incident response
 program to ensure that each incident related to covered information
 involving the agency is properly reported, investigated, and
 mitigated;
 (8)  establish a model process and policy for a student
 or the student's parent to file a complaint regarding:
 (A)  a violation of student information privacy;
 or
 (B)  an inability to access, review, or correct
 information contained in the student's educational record; and
 (9)  provide training, guidance, technical assistance,
 and outreach to build a culture of student information protection
 and student data security among educational entities and third
 parties who contract with those entities.
 (c)  Not later than February 1 of each year, the information
 privacy officer shall prepare and submit a written report to the
 standing committees of each house of the legislature with primary
 jurisdiction over primary, secondary, and higher education
 regarding actions taken by the agency related to student
 information privacy, including complaints regarding privacy
 violations, internal controls, and other related matters.
 Sec. 32.1513.  GENERAL INVESTIGATIVE POWER OF INFORMATION
 PRIVACY OFFICER. (a) The information privacy officer may
 investigate an operator or educational entity as necessary to
 enforce this subchapter and protect covered information gathered
 from students in this state.
 (b)  On request of the information privacy officer, an
 operator, educational entity, or a third party who contracts with
 an operator or educational entity shall make all applicable records
 and materials available to the officer as necessary to enable the
 officer to determine compliance with this subchapter.
 (c)  The information privacy officer shall:
 (1)  limit the scope of the investigation and any
 accompanying report to those matters that are necessary to the
 administration of this subchapter; and
 (2)  in matters related to compliance with federal law,
 refer the matter to the appropriate federal agency and cooperate
 with an investigation by the federal agency.
 Sec. 32.1514.  AGENCY COMPREHENSIVE STUDENT INFORMATION
 INVENTORY. The agency shall, to the maximum extent possible,
 develop, maintain, and post on the agency's Internet website a
 comprehensive student information inventory that accounts for all
 covered information assets created by, collected by, under the
 control or direction of, or maintained by the agency, including
 student information that:
 (1)  is required to be reported by law;
 (2)  has been proposed for inclusion in the agency's
 student information system with a statement regarding the reason
 for the proposed inclusion; and
 (3)  is collected or maintained by the agency for no
 current purpose or reason.
 Sec. 32.1515.  INFORMATION SECURITY POLICIES AND
 PROCEDURES. (a) Subject to the approval of the information privacy
 officer, each educational entity shall adopt and implement
 reasonable information security policies and procedures in
 accordance with this subchapter to protect students' educational
 records and covered information from unauthorized access,
 destruction, use, modification, or disclosure.
 (b)  An educational entity must take into account the
 entity's specific needs and priorities in adopting policies and
 procedures under Subsection (a).
 Sec. 32.1516.  STUDENT INFORMATION MANAGER. (a) Each
 educational entity shall designate an individual to act as a
 student information manager. The student information manager
 shall:
 (1)  create, maintain, and submit to the information
 privacy officer an information governance plan addressing the
 protection of existing and future student information and records;
 and
 (2)  establish a review process for all covered
 information requests for the purpose of external research or
 evaluation.
 (b)  Not later than December 1 of each year, the student
 information manager shall submit a report to the agency's
 information privacy officer. The report must include:
 (1)  proposed changes to the educational entity's
 information security policies and procedures adopted under Section
 32.1515; and
 (2)  any data breaches or attempted data breaches
 detected by the educational entity.
 Sec. 32.1517.  CONTRACT PROVISIONS. A contract between an
 educational entity and an operator must include the following
 provisions:
 (1)  requirements and restrictions related to the
 collection, use, storage, and sharing of covered information by the
 operator that are necessary for the educational entity to ensure
 the operator's compliance with this subchapter and other law;
 (2)  a description of the person or type of person,
 including an affiliate or subcontractor of the operator, with whom
 the operator may share covered information;
 (3)  when and how to delete covered information
 received by the operator;
 (4)  a prohibition on the secondary use of covered
 information by the operator, except when used for a legitimate
 school or research purpose or as described by Sections 32.153 and
 32.154;
 (5)  an agreement by the operator that the educational
 entity or the educational entity's designee may audit the operator
 to verify compliance with the contract;
 (6)  requirements for the operator or a subcontractor
 of the operator to establish security measures to prevent, detect,
 or mitigate a data breach; and
 (7)  requirements for the operator or a subcontractor
 of the operator to notify the educational entity of a suspected data
 breach.
 Sec. 32.1518.  NOTICE OF INFORMATION DISCLOSURE. (a) Not
 less than annually, an educational entity that collects covered
 information shall provide to each parent of a student whose covered
 information is collected a notice of information disclosure form
 stating in plain language the conditions under which the student's
 covered information may be disclosed. The educational entity shall
 provide the form as a stand-alone document.
 (b)  The notice of information disclosure form must:
 (1)  list the covered information that the educational
 entity collects and the rationale for collecting the information,
 including whether the information is required by law to be
 collected;
 (2)  state that a student's covered information
 collected by the educational entity may not be shared without the
 written consent of the student's parent;
 (3)  list each operator or other third party with
 access to or control of covered information maintained by the
 educational entity;
 (4)  outline the rights and responsibilities of the
 educational entity under this subchapter; and
 (5)  contain an acknowledgment section that:
 (A)  states that the intended recipient of the
 notice actually received the notice and understands its contents;
 (B)  allows for the recipient to record the
 recipient's objection to the collection of any covered information
 relating to the parent's student that is not required by law to be
 collected; and
 (C)  includes a signature line.
 (c)  Each parent who receives a notice of information
 disclosure form under Subsection (a) shall sign the acknowledgement
 section described by Subsection (b)(5) and return the form to the
 educational entity as soon as possible.
 (d)  An educational entity shall:
 (1)  annually update its notice of information
 disclosure form; and
 (2)  maintain a written or electronic record of each
 signed acknowledgment form received under this section.
 Sec. 32.1521.  PROHIBITED USE OF COVERED INFORMATION AND
 COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY EDUCATIONAL
 ENTITY. (a) Except as otherwise provided by this subchapter, an
 educational entity may not release or otherwise disclose a
 student's covered information in exchange for a good, product,
 application, service, or any other thing of measurable value.
 (b)  An educational entity may not use or release covered
 information for the purpose of targeted advertising unless the
 release of the data is essential for a school purpose, including the
 use of adaptive educational software or other strictly tailored
 educational endeavor with the sole purpose of providing a tailored
 educational experience to the student.
 (c)  An educational entity may not collect a student's
 biometric identifier information unless required by law.
 Sec. 32.1531.  ALLOWED DISCLOSURE OF COVERED INFORMATION BY
 EDUCATIONAL ENTITY. (a) An educational entity may disclose
 covered information if the disclosure is:
 (1)  authorized in writing by the student's parent;
 (2)  determined by the entity to be necessary because
 of an imminent health or safety emergency;
 (3)  ordered by a court of competent jurisdiction; or
 (4)  authorized or required by a provision of federal
 or state law.
 (b)  The educational entity must comply with the
 requirements of federal and state law to protect any student
 information disclosed under this section.
 (c)  This subchapter may not be construed to prohibit or
 otherwise limit the ability of an educational entity to report or
 make available aggregate student information or other collective
 information for reasonable use.
 Sec. 32.1551.  NOTIFICATION OF DATA BREACH AFFECTING
 OPERATOR. (a) Not later than 24 hours after an operator becomes
 aware of a data breach, the operator shall notify the applicable
 educational entity with whom the operator has contracted of the
 breach and take action to determine the scope of student
 information affected by the breach.
 (b)  The operator shall update the educational entity as soon
 as the full scope of the data breach is assessed and take all
 reasonable steps to notify all persons affected by the breach.
 Sec. 32.1552.  NOTIFICATION OF DATA BREACH AFFECTING
 EDUCATIONAL ENTITY. (a) Not later than 24 hours after an
 educational entity becomes aware of a data breach, the educational
 entity shall notify the information privacy officer of the
 suspected or confirmed breach.
 (b)  Not later than the third business day after the date a
 data breach is verified, an educational entity shall notify the
 parent of each student affected by the breach.
 Sec. 32.1561.  INSPECTION OF INFORMATION CONTAINED IN
 STUDENT'S EDUCATIONAL RECORD. (a) On request of a student's
 parent, an educational entity or operator shall allow the student's
 parent to inspect the covered information and other information
 contained in the student's educational record maintained by the
 entity or operator.
 (b)  The educational entity or operator shall provide the
 information requested under Subsection (a) in a timely manner and,
 if possible, in an electronic format.
 (c)  An educational entity or operator is not required to
 provide information requested under Subsection (a) if:
 (1)  the information cannot reasonably be made
 available to the requesting individual; or
 (2)  the reproduction of the requested information
 would be unduly burdensome.
 Sec. 32.1562.  CORRECTION OF INFORMATION CONTAINED IN
 STUDENT'S EDUCATIONAL RECORD. (a) After reviewing information
 requested under Section 32.1561, a student's parent may request
 that the educational entity or operator make corrections to address
 inaccurate or incomplete data in the student's educational record
 maintained by the entity or operator.
 (b)  On request by a student's parent, an educational entity
 or operator shall expunge from the student's educational record
 covered information related to:
 (1)  an unsubstantiated accusation made against the
 student; or
 (2)  alleged conduct committed by the student if:
 (A)  prosecution of the student's case was refused
 for lack of prosecutorial merit or insufficient evidence and no
 formal proceedings, deferred adjudication, or deferred prosecution
 were initiated; or
 (B)  the court or jury found the student not
 guilty or made a finding the student did not engage in delinquent
 conduct or conduct indicating a need for supervision and the case
 was dismissed with prejudice.
 (c)  Not later than the 90th day after the date an
 educational entity or operator receives a request under Subsection
 (a) or (b), the educational entity or operator shall make changes to
 the student's educational record as necessary and confirm the
 changes with the student's parent.
 Sec. 32.1563.  RULES; FORMS. (a) The commissioner shall
 adopt rules as necessary to implement this subchapter.
 (b)  The commissioner shall develop forms as necessary to
 implement this subchapter, including model forms for:
 (1)  providing the notice of information disclosure
 required by Section 32.1518; and
 (2)  obtaining written parental consent for the
 disclosure of covered information as required by Section 32.1531.
 Sec. 32.158.  CIVIL PENALTY. (a) An operator that violates
 this subchapter or a rule adopted under this subchapter is liable
 for a civil penalty if the violation resulted in a negligent data
 breach.
 (b)  In determining the amount of a civil penalty to impose
 under this section, the court shall include:
 (1)  the cost of identity protection for each person
 affected by the data breach or compromise;
 (2)  legal fees and costs incurred by each person
 affected by the data breach or compromise; and
 (3)  any other penalty that the court deems reasonable
 or appropriate.
 Sec. 32.159.  ADMINISTRATIVE PENALTY. (a) The commissioner
 may assess an administrative penalty for a violation of this
 subchapter in an amount of not less than $1,000 or more than $5,000.
 (b)  The aggregate amount of penalties that the commissioner
 may assess against a person under this section during a calendar
 year may not exceed $1,000,000.
 Sec. 32.160.  CRIMINAL LIABILITY NOT AFFECTED. This
 subchapter may not be construed to limit or otherwise affect a
 person's criminal liability under other law.
 SECTION 3.  The heading to Section 32.152, Education Code,
 is amended to read as follows:
 Sec. 32.152.  PROHIBITED USE OF COVERED INFORMATION AND
 COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY OPERATOR.
 SECTION 4.  Section 32.152, Education Code, is amended by
 amending Subsection (a) to read as follows:
 (a)  An operator may not knowingly:
 (1)  engage in targeted advertising on any website,
 online service, online application, or mobile application if the
 target of the advertising is based on any information, including
 covered information and persistent unique identifiers, that the
 operator has acquired through the use of the operator's website,
 online service, online application, or mobile application for a
 school purpose;
 (2)  use information, including persistent unique
 identifiers, created or gathered by the operator's website, online
 service, online application, or mobile application, to create a
 profile about a student unless the profile is created for a school
 purpose; [or]
 (3)  except as provided by Subsection (c), sell or rent
 any student's covered information;
 (4)  exchange a student's covered information for any
 good, service, or application;
 (5)  disclose covered information except as provided
 under this subchapter; or
 (6)  unless required by law, collect a student's
 biometric identifier information.
 SECTION 5.  The heading to Section 32.153, Education Code,
 is amended to read as follows:
 Sec. 32.153.  ALLOWED DISCLOSURE OF COVERED INFORMATION BY
 OPERATOR.
 SECTION 6.  Section 32.153, Education Code, is amended by
 amending Subsection (a) and adding Subsection (f) to read as
 follows:
 (a)  An operator may use or disclose covered information
 under the following circumstances:
 (1)  to further a school purpose of the website, online
 service, online application, or mobile application and the
 recipient of the covered information disclosed under this
 subsection does not further disclose the information unless the
 disclosure is to allow or improve operability and functionality of
 the operator's website, online service, online application, or
 mobile application;
 (2)  to ensure legal and regulatory compliance;
 (3)  to protect against liability;
 (4)  to respond to or participate in the judicial
 process, including to comply with an investigation by law
 enforcement as authorized by law or a court order;
 (5)  to protect:
 (A)  the safety or integrity of users of the
 website, online service, online application, or mobile
 application; or
 (B)  the security of the website, online service,
 online application, or mobile application;
 (6)  for a school, education, or employment purpose
 requested by the student or the student's parent and the
 information is not used or disclosed for any other purpose;
 (7)  to use the covered information for:
 (A)  a legitimate research purpose; or
 (B)  a school purpose or postsecondary
 educational purpose; [or]
 (8)  for a request by the agency or the school district
 for a school purpose;
 (9)  to market an educational application or product to
 a student's parent, if the operator did not use covered information
 shared or collected by or on behalf of an educational entity to
 develop the application or product;
 (10)  to allow a recommendation engine on the
 operator's website, online service, online application, or mobile
 application to recommend to a student's parent content or services
 related to learning or employment, if the recommendation is not
 motivated by payment or other consideration from another party; or
 (11)  to respond to the request of a student's parent
 for information or feedback, if the content of the response is not
 motivated by payment or other consideration from another party.
 (f)  Notwithstanding any other law, an operator shall use a
 student's covered information received under a contract with an
 educational entity strictly for the purpose provided under the
 contract unless the student's parent affirmatively chooses to
 disclose the student's information for a secondary purpose.
 SECTION 7.  The heading to Section 32.154, Education Code,
 is amended to read as follows:
 Sec. 32.154.  ALLOWED USE OF COVERED INFORMATION BY
 OPERATOR.
 SECTION 8.  The heading to Section 32.155, Education Code,
 is amended to read as follows:
 Sec. 32.155.  PROTECTION OF COVERED INFORMATION BY OPERATOR.
 SECTION 9.  Sections 32.155(c), (d), and (e), Education
 Code, are amended to read as follows:
 (c)  In addition to including the unique identifier in
 releasing information as provided by Subsection (b), an operator
 may include any other data field identified by the agency or by an
 educational entity [a school district, open-enrollment charter
 school, regional education service center, or other local education
 agency] as necessary for the information being released to be
 useful.
 (d)  An educational entity [A school district,
 open-enrollment charter school, regional education service center,
 or other local education agency] may include additional data fields
 in an agreement with an operator or the amendment of an agreement
 with an operator under this section. An operator may agree to
 include the additional data fields requested by an educational
 entity [a school district, open-enrollment charter school,
 regional education service center, or other local education agency]
 but may not require that additional data fields be included.
 (e)  An educational entity [A school district,
 open-enrollment charter school, regional education service center,
 or other local education agency] may require an operator that
 contracts directly with the entity to adhere to a state-required
 student data sharing agreement that includes the use of an
 established unique identifier standard for all operators as
 prescribed by the agency.
 SECTION 10.  The heading to Section 32.156, Education Code,
 is amended to read as follows:
 Sec. 32.156.  DELETION OF COVERED INFORMATION BY OPERATOR.
 SECTION 11.  This Act takes effect September 1, 2023.