Governor Signs Student Data Privacy Law

by Shipman & Goodwin LLP

On June 9, 2016, Governor Malloy signed into law Public Act 16-189, “An Act Concerning Student Data Privacy” (the “Act”), which ushers in sweeping changes to the protection and use of student data. As schools increasingly turn to software, web-based learning, mobile apps, cloud computing and other electronic methods to improve student outcomes and the educational experience, the Act sets forth minimum privacy and contractual standards for all parties involved in the creation, use, or handling of student data. Unless otherwise noted, the Act’s requirements are effective October 1, 2016.

Shipman & Goodwin LLP’s School Law Practice Group and Privacy and Data Protection Group have collaborated to prepare this Alert to inform local and regional boards of education of the new requirements and to address what we anticipate will be commonly asked questions.

Requirements for Boards of Education: Contracting and Notice

Contracting. The most significant feature of the law for boards of education is the adoption of new standards for contracts between a board and a contractor, who, by statutory definition, is “an operator or consultant that is in possession of or has access to student information, student records or student-generated content as a result of a contract with a local or regional board of education.” Under the Act, every contract that a board of education enters into with a contractor,[1] beginning October 1, 2016, must include the following elements:

  • a statement that student records,[2] student information,[3] and student-generated content (collectively, “student data”) are not the property of, or under the control of, a software or electronic service contractor;
  • a description of the means by which a local or regional board of education may request the deletion of student information, student records, or student-related content in the possession of the contractor;
  • a statement that the contractor will not use student information, student records, or student-generated content for any purposes other than those authorized pursuant to the contract;
  • a description of the procedures by which a student, parent, or guardian may (a) review personally identifiable information in student records, student information, or student-generated content and (b) correct erroneous information, if any;
  • a statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, student records, and student-generated content;
  • a description of the procedures that a contractor will follow for notifying a local or regional board of education when there has been an unauthorized release, disclosure, or acquisition of student information, student records, or student-generated content;
  • a statement that the student information, student records, or student-generated content shall not be retained or available to the contractor upon completion of the contracted services unless a student, or parent or legal guardian of a student, chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content;
  • a statement that the contractor and the local or regional board of education will ensure compliance with the federal Family Educational Rights and Privacy Act of 1974 (FERPA);
  • a statement that Connecticut law governs the rights and duties of all parties to the contract; and
  • a statement that a court finding of invalidity for any contract provision does not invalidate other contract provisions or applications that are not affected by the finding.

The Act voids any contract entered into on and after October 1, 2016 that fails to include the above requirements, and voids any contractual provision that conflicts with such requirements.

Notice of Contract to Students and Parents.  Within five (5) business days of executing a contract with a contractor, the local or regional board of education must provide electronic notice to any student and the parent or legal guardian of a student affected by the contract, and it must post such notice on its website. Each notice shall:

  • provide the date that the contract was executed;
  • provide a brief description of the contract and its purpose; and
  • explain what student information, student records, or student-generated content may be collected as a result of the contract.

48-hour Notice of Breach of Security. Upon receipt of notice of a breach of security by a contractor, a board of education must, within forty-eight (48) hours, notify the students and the parents or guardians of the students whose student information, student records, or student-generated content was involved in such breach. The local or regional board of education must also post notice of the breach on its website.

Requirements for Contractors: Restrictions and Data Breaches

In addition to the contractual requirements discussed in the above section, the Act also imposes requirements upon contractors with respect to their use of student information and obligations in the event of a data breach.  While the Act does not specify that these restrictions must be in the contract, a board may wish to include these provisions to ensure the contractor is appropriately notified of its legal obligations.

Restrictions on Use. The Act specifies that all student-generated content remains the property of the student or the student’s parent or legal guardian.  It specifies that contractors must implement and maintain security procedures and practices designed to protect student information, student records, and student-generated content from unauthorized access, destruction, use, modification, or disclosure in a manner consistent with federal law and industry standards.

Further, the Act prohibits contractors from using student records for any purposes other than those the contract authorizes.  The Act also prohibits contractors from using personally identifiable information contained in student records for targeted advertising.

Data Breaches

30-Day notification period in event of unauthorized release of student information

Upon the discovery of a breach of security that results in the unauthorized release of student information (excluding directory information),[5] a contractor must notify the board of education of such breach without unreasonable delay, and in no case later than thirty (30) days from discovery of the breach. During that 30-day period, the contractor may (1) conduct an investigation to determine the scope of the unauthorized release and the identity of the students whose information was compromised or (2) restore the integrity of the contractor’s data system.

60-Day notification period in event of unauthorized release of directory information, student records, or student-generated content

Upon the discovery of a breach of security that results in the unauthorized release of directory information, student records, or student-generated content, the contractor must notify the board of education without unreasonable delay and in no case later than sixty (60) days from discovery of the breach. During the 60-day period, the contractor may (1) conduct an investigation to determine the scope of the unauthorized release and the identity of the students whose information was compromised, or (2) restore the reasonable integrity of the contractor’s data system.

We expect that some boards of education may desire to contract for more prompt notice of a breach of security.

Requirements for Website, Online Service and Mobile App Operators

The Act imposes restrictions on operators of certain websites, online services and mobile apps[6] similar to those placed on contractors. See “Restrictions on Use” above. In addition, the Act prohibits operators from:

  • engaging in targeted advertising using student data that the operator acquired because of use of the operator’s web site, online service, or mobile application for school purposes;[7]
  • storing or collecting student information, student records, or student-generated content for anything other than school purposes; and
  • selling or trading student data to third parties under most circumstances.

However, operators may use de-identified[8] student information for a variety of purposes such as maintaining the operator’s website, providing user recommendations and feedback, responding to a user request for information, marketing the operator’s application, and developing other websites or applications.

Action Items

In most instances, these significant additions to Connecticut law will require boards of education to modify their contracting processes and to adopt or revise policies and procedures to address the Act’s requirements.  Specifically, boards of education should consider the following action items:

  • Conduct an in-district inventory of all internet websites, online services, and mobile applications teachers in the district are using in conjunction with the education of students;
  • Prepare a draft contract and student/parent notice of contracts that will be posted on the district’s website and sent electronically to students/parents;
  • Review Requests for Proposal (RFP) documents and templates to ensure that the documents requested from potential vendors contain information on the privacy topics addressed in the Act, so that the board of education can incorporate privacy concerns in its decision-making process;
  • Consider implementing a data privacy screening tool for potential vendors, which may or may not be included as part of a RFP.  The screening tool can provide some assurances to boards of education that vendors are aware of the requirements and have taken action to comply with them;
  • Review and consider revision to the board’s Student Records Policy to ensure compliance with the Act and relevant provisions of FERPA;
  • Develop a preferred description of the actions the board of education will expect a contractor to take to ensure student record security and confidentiality, including administrative, physical and technical standards; and
  • Prepare a procedure to govern who is responsible for receiving notice of data breaches and how the district will respond to such notification.

The School Law Practice Group is in the process of revising our Model Student Records Policy and Administrative Regulations, and drafting sample contracts and notices in relation to the Act.

Notes

The Act defines “contractors” as “an operator or consultant that is in possession of or has access to student information, student records or student-generated content as a result of a contract with a local or regional board of education.”

It defines an “operator” as “any person who (A) operates an Internet web site, online service or mobile application with actual knowledge that such Internet web site, online service or mobile application is used for school purposes and was designed and marketed for school purposes, to the extent it is engaged in the operation of such Internet web site, online service or mobile application, and (B) collects, maintains or uses student information.”

It defines “consultant” as “a professional who provides noninstructional services, including, but not limited to, administrative, planning, analysis, statistical or research services, to a local or regional board of education.”

The Act defines “student information” as “personally identifiable information or material of a student in any media or format that is not publicly available and is any of the following: (A) created or provided by a student or the parent or guardian of a student, to the operator in the course of the student, parent or legal guardian using the operator’s Internet web site, online service or mobile application for school purposes, (B) created or provided by an employee or agent of a local or regional board of education to an operator for school purposes, or (C) gathered by an operator through the operation of the operator’s Internet web site, online service or mobile application and identifies a student, including, but not limited to, information in the student’s records or electronic mail account, first or last name, home address, telephone number, date of birth, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, text messages, documents, student identifiers, search activity, photographs, voice recordings, survey responses, or behavioral assessments.”

The Act defines “student records” as “any information that is maintained by a local or regional board of education, the State Board of Education or the Department of Education or any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education except ‘student record’ does not include de-identified student information allowed under the contract to be used by a contractor to (A) improve educational products for adaptive learning purposes and customize student learning, (B) demonstrate the effectiveness of the contractor’s products in marketing of such products, and (C) develop and improve the contractor’s products and services.”

The Act defines “student-generated content” as “any student materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except ‘student-generated content’ does not include student responses to a standardized assessment.”

The Act defines “directory information” in accordance with 34 CFR 99.3 as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” The regulation gives as examples “the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status; dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.” For more information see the full text of the regulation.

The Act applies these requirements only to operators of those websites, online services, or mobile applications that are designed, used, and marketed for school purposes and who collect, maintain or use student information.

The Act defines “school purposes” as “activities directed by, or customarily take place at the direction of, a public school teacher or board of education and include classroom or at-home instruction, administrative activities, and collaboration among students, school personnel, or parents or guardians of students.”

The Act defines “de-identified student information” as “any student information that has been altered to prevent the identification of an individual student.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Shipman & Goodwin LLP | Attorney Advertising