Connecticut governor signs student privacy act into law

Robinson+Cole Data Privacy + Security Insider
Contact

On June 9, 2016, Governor Dannel Malloy, who continues to show his commitment to data privacy, signed An Act Concerning Student Data Privacy into law, effective October 1, 2016.

The law requires any local or regional board of education in Connecticut to enter into a written contract with any operator of an internet website, online service or mobile application that is used for school purposes, and will have access to student information, records or student-generated content.

The contractual provisions are specifically enumerated and require the contractor to have appropriate security measures in place to protect the student data, that it will be in compliance with FERPA, that it does not own the student information, that students and parents will have access to the data held by the contractor, procedures to follow in the event of an unauthorized access, use or disclosure of the student information, that the information will be returned or destroyed at the end of the contract and that the information cannot be used by the contractor for any other purpose than to provide the contracted services.

The new law further requires the local or regional board of education to provide electronic notice to any student and the parent of a student notice of the contract entered into within five days after signing the contract.

The operators of the internet website, online service or mobile application must implement appropriate security measures that “meet or exceed industry standards”, delete any student information if requested by a student, parent or the local or regional board of education.

Further, the operator is prohibited from:

  • using, selling or collecting any student information it has access to for targeted advertising to the student or the student’s parent
  • collecting, storing or using student information other than for school purposes
  • selling, renting or trading student information
  • disclosing student information except in limited circumstances

Finally, in the event of a security breach that results in the unauthorized release, disclosure or acquisition of student information that does not include student directory information, the operator must provide notification to the local or regional board of education “without unreasonable delay, but not more than thirty days after such discovery” and must also notify the student and the student’s parents.

If the unauthorized access, use or disclosure includes student directory information, the operator must notify the local or regional board of education and the student and the student’s parents within 60 days of discovery.

The law also creates a task force to “study issues relating to student data privacy” which is to be convened no later than October 31, 2016.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide