BUILDING A TRUSTED ENVIRONMENT MAY 2015 A Snapshot of State Laws on Student Data Use, Privacy and Security

Jul 08, 2020


ABOUT EXCELINED

Founded by former Florida Governor Jeb Bush, the Foundation for Excellence in Education is igniting a movement of reform, state by state, to transform education for the 21st century economy by working with lawmakers, policymakers, educators and parents to advance education reform across America. Learn more at ExcelinEd.org.

FACEBOOK.COM/EXCELINED | EXCELINED.ORG | @EXCELINED

ABOUT EDUCATIONCOUNSEL

EducationCounsel is a mission-based education consulting firm that combines experience in policy, strategy, law, and advocacy to drive significant improvements in the U.S. education system. We work at the local, state, and national levels to develop and put into motion policy initiatives that close achievement gaps and lead to improved education outcomes from pre-K through college. EducationCounsel is an affiliate of Nelson Mullins Riley & Scarborough. In collaboration with former U.S. Secretary of Education Richard W. Riley, EducationCounsel was established by Arthur L. Coleman and Scott R. Palmer.

EDUCATIONCOUNSEL.COM | @EDCOUNSELDC

All content and graphics are licensed CC BY-NC / Attribution-NonCommercial by the Foundation for Excellence in Education. This license lets others use and build upon this work for non-commercial uses, but only with proper attribution to the original source. Those wishing to use content or graphics must acknowledge and link to the original report or infographic with credit to the Foundation for Excellence in Education and the paper’s authors.


FOREWORD

Every week we see stories about the potential of virtual courses, digital content, formative assessments or early warning systems alongside stories expressing concern about metadata, data mining, data collection or cybersecurity. In this day and age, student data is necessary for an effective education system. Data empowers parents and students as they map out their educational journey, supports high-quality teaching, drives personalized learning and underpins both teacher and school accountability.

However, there is also a growing tension between how to support these beneficial uses of data and the need for privacy protections. New models of education depend on sophisticated Internet-based technologies that use data to personalize student learning in ways federal laws could not foresee when lawmakers drafted policies decades ago. Today, there are rising concerns about who has access to sensitive student data and the limitations of what those entities can do with it. From state policymakers to teachers and parents, everyone is contemplating how best to collect, store, utilize and protect student data.

Building a Trusted Environment: a Snapshot of State Laws on Student Data Use, Privacy and Security can serve as a resource for policymakers and advocacy organizations as they examine the wide variety of state-specific student data privacy practices from around the country and work to find the right balance in their state. It is clear this policy area requires a carefully balanced approach to empower parents, teachers, school leaders, policymakers and innovators in the private sector.

To address these challenges, the Foundation for Excellence in Education (ExcelinEd) is providing support to states as they modernize outdated laws and respond to the concerns of parents by advancing comprehensive, balanced student data privacy protections.

In 2014, 22 states enacted legislation on the topic of student data privacy, debating more than 110 bills. In the first half of 2015 alone, lawmakers in 45 states have already introduced more than 170 bills addressing the issue.


In 2014, we developed a framework of fundamental student data privacy principles with which states can consider the complex issues, laws and regulations surrounding student data privacy. ExcelinEd’s student data privacy principles are:

1. Value of Data: Student educational data is crucial for improving student outcomes and fostering an environment of personalized learning that will benefit every student.
2. Openness: Schools should communicate clearly with parents about how student data is collected, stored, used and shared.
3. Limited Collection: Schools should not collect any information beyond what is necessary for student learning and student success.
4. Limited Use: Students and parents need to trust that student data is protected and used solely for the purpose of improving student learning.
5. Accurate and Accessible: Schools must ensure that student data is accurate, up to date, and readily available to parents and students.
6. Security: Schools and states should clarify who is responsible for ensuring student data is protected and secure, and implement policies, systems, and procedures as necessary to ensure security.
7. Accountability: Schools and State Education Agencies (SEAs) should conduct compliance audits, perform related oversight and provide remedies to parents for privacy, security breaches or other misuse of student data.

From these principles, ExcelinEd also developed the Student Data Privacy, Accessibility and Transparency Act. The model legislation provides protections to ensure student data is used responsibly, by addressing data collected by government, data collected by vendors and parental access to their child’s data. Components of the legislation include:

• Designating a state Chief Privacy Officer to oversee privacy policy issues and be a point of contact for schools and parents;
• Requiring a state student data inventory, governance and security plan;
• Limiting data collection and reporting;
• Creating restrictions on outside providers’ use of student data; and
• Strengthening parental rights and establishing a process for complaints.

Data about students must be protected, but it is also critical to inform instruction and help parents, educators and policymakers understand and improve our schools. We hope that this detailed report provides you valuable information as we collectively work to ensure parents can trust that sensitive student educational data is private, secure and being used solely to help students succeed.

Sincerely,

Patricia Levesque
CEO, Foundation for Excellence in Education


OVERVIEW

As schools and districts increasingly turn to technology- and data-driven strategies for improving schools and educational outcomes, legal protections regarding student privacy are essential foundations. Federal law, including but not limited to the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA), provides baseline requirements nationwide—and many states have added their own unique requirements through state statute.1 Focusing exclusively on state statutes, this document provides a snapshot of student data use, privacy and security policies within state statutes as of March 2015 in the following areas:

• Legislative Intent
• Definition of Student Data
• Chief Privacy Officer
• Data Storage and Security
• Data Sharing Between the State Education Agency (SEA) and Local Education Agencies (LEA)
• Collectible Data
• Use of Data by Third Parties
• Student and Parental Rights and Complaint Process

The analysis includes an overview of statutes as well as a few illustrative provisions.2 This document attempts to include a diverse group of state practices to represent different contexts and multiple strategies for achieving common state policy goals related to student data use, privacy and security. The snapshot follows the framework of sections in the Foundation for Excellence in Education’s (ExcelinEd) model legislation, the Student Data Privacy, Accessibility, and Transparency Act.

1 This document assumes state compliance with FERPA, COPPA, HIPAA, and other federal privacy laws and focuses instead on how state statutes build on federal requirements.

2 These statistics are limited in scope to generally applicable student data definitions and provisions within the state's K-12 education system. Specific populations of students, including children of military families and students with special needs, are commonly addressed in state statutes, but not included in this review.


Some states have captured policy decisions related to student data use, privacy and security in administrative regulations, state board rules or other state policy guidance, but this document is not intended to include an overview of those areas. This information is provided for policy planning purposes only and is not legal advice. Conclusions are based on EducationCounsel's and ExcelinEd’s analysis and best efforts to identify trends and common elements within different state laws as of March 2015. Other possibilities for categorizing and organizing state laws exist, and reasonable minds may differ on how best to distinguish among state laws. Please consult with local counsel for any state- or district-specific questions.

[Map: State Student Data Privacy Laws. Legend: active on student data privacy in 2014; inactive on student data privacy in 2014.]

Note: This document contains both footnotes and endnotes. Footnotes include information relevant to the main text, such as the states included in the totals and limitations in the scope of different inquiries. Endnotes provide specific citations to state statutes highlighted as illustrations. We note that this is a frequently changing area of law, with changes to state statutes likely in the near future. Indeed, as reflected in the map, 22 state legislatures considered or passed new laws on student data privacy in 2014.


LEGISLATIVE INTENT

Section 2 of Student Data Privacy, Accessibility and Transparency Act

Grounding state data use, privacy and security statutes with a clear, positive purpose can be a useful foundation for other state laws, regulations and policies.

• Nebraska law explicitly declares that the sharing of student data, records and information among local education agencies (LEAs), educational service units, learning communities and the state education agency (SEA) is vital to advancing education in this state.i Whenever applicable, law permits the sharing of such student data, records and information—and each LEA, educational service unit and learning community must provide information as requested by the SEA unless otherwise prohibited by law.

• West Virginia law notes that sound data collection, reporting and analysis are critical to building an education system capable of ensuring that all West Virginia students are adequately prepared for college and the global workforce.ii Elementary schools, middle schools, secondary schools and higher education institutions can improve instructional and educational decision making by using data that are collected and made available to them. The law also specifically states that education policymaking benefits from partnerships between SEAs and entities with expertise in education research. It is beneficial for West Virginia to establish systems and processes that permit qualified researchers to assist with state evaluation and research functions in a manner that is consistent with privacy protection laws.


DEFINITION OF STUDENT DATA

Section 3 of Student Data Privacy, Accessibility and Transparency Act

Twenty-nine states3 include some specific definition of student data and/or other related terms within state statute. As a condition for receiving federal funds, states must comply with the definitions of student data, student record and other key terms contained in FERPA, COPPA, HIPAA and other federal laws. Some states rely exclusively on these definitions (either explicitly or implicitly in state law), but these 29 states have added detail to this definition to clarify and enhance state policy.

• Colorado law includes definitions of student data, education records and personally identifiable information:

o "Student data" includes: state-administered assessment results, including participation information; courses taken and completed, credits earned and other transcript information; course grades and grade point average; grade level and expected graduation year; degree, diploma and credential attainment, or other school exit information; attendance and mobility information between and within Colorado LEAs; special education data and discipline reports limited to objective information that is sufficient to produce the federal Title IV annual incident report; date of birth, full name, gender, race and ethnicity; and program participation information required by state or federal law.

o "Education records" and "directory information" are defined exactly as FERPA defines them, with "education records" also including individualized education programs.

o "Personally identifiable data" means a dataset that is linked to a specific student or parent that would allow a reasonable person in the school community without knowledge of the relevant circumstances to identify the student or parent with reasonable certainty.iii

• Kansas law includes definitions of student data, personally identifiable student data, aggregate data, biometric data and directory information:iv

o "Student data" includes the following information in a student’s educational record: state and national assessment results, including information on untested students; course taking and completion, credits earned and other transcript information; course grades and grade point average; date of birth, grade level and expected date of graduation; degree, diploma, credential attainment and other school exit information, such as general education development and drop-out data; attendance and mobility; data required to calculate the federal four-year adjusted cohort graduation rate, including sufficient exit and drop-out information; remediation information; special education data; demographic data and program participation information; and any other information included in a student’s educational record.

o "Personally identifiable student data" are student data that, alone or in combination, are linked or linkable to a specific student and would allow a reasonable person to identify the student with reasonable certainty.

o "Biometric data" are one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual, such as fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics and handwriting.

o "Directory information" includes a student’s name, address, telephone listing, participation in officially recognized activities and sports, weight and height if the student is a member of an athletic team, and degrees, honors or awards received.

3 Arizona, California, Colorado, Connecticut, Florida, Georgia, Idaho, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Nevada, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Rhode Island, South Dakota, Tennessee, Utah, Virginia, West Virginia and Wisconsin.


CHIEF PRIVACY OFFICER

Section 4 of Student Data Privacy, Accessibility and Transparency Act

Only three states4 require a chief privacy officer in state law explicitly tasked with monitoring student privacy. A handful of other states have created new bodies or vested existing bodies to oversee state data privacy activities.v Because of the many moving parts within state educational data use, privacy and security policy, these three states have created a new central position with primary responsibility for ensuring all federal and state privacy and security requirements are followed.

• New York law requires a chief privacy officer and tasks the officer with the protection of student data privacy, including the following responsibilities:

o Promoting the implementation of sound information practices for privacy and security of student data or teacher or principal data;

o Assisting the commissioner of education in handling instances of data breaches and in due process proceedings regarding any alleged breaches of student data or teacher or principal data;

o Providing assistance to LEAs on minimum standards and best practices associated with privacy and the security of student data or teacher or principal data;

o Formulating a procedure within the SEA whereby parents, students, teachers, superintendents, school board members, principals and other persons or deemed appropriate can request information pertaining to student data or teacher or principal data in a timely and efficient manner; and more.vi

• Virginia law requires the Department of Education to designate a chief data security officer to assist school divisions, upon request, with the development and implementation of their own data security plans and to develop best practice recommendations regarding the use, retention and protection of student data.vii

• West Virginia law requires the state superintendent to appoint a data governance manager to have primary responsibility for the state's privacy policy, including:

o Assuring that the use of technologies sustains, and does not erode, privacy protections relating to the use, collection and disclosure of student data;

o Assuring that student data contained in the student data system is handled in full compliance with state and federal privacy laws;

o Evaluating legislative and regulatory proposals involving collection, use and disclosure of student data by the SEA;

o Conducting a privacy impact assessment on proposed rules of the state board and department in general and on the privacy of student data, including the type of personal information collected and the number of students affected;

o Coordinating with state legal counsel and other legal organizations' officers to ensure that programs, policies and procedures involving civil rights, civil liberties and privacy considerations are addressed in an integrated and comprehensive manner;

o Preparing an annual report to the Legislature on SEA activities that affect privacy, including complaints of privacy violations, internal controls and other matters;

o Establishing SEA-wide policies necessary for implementing Fair Information Practice Principles to enhance privacy protections;

o Working with the Office of Data Management and Analysis, the general counsel and other officials in engaging with stakeholders about the quality, usefulness, openness and privacy of data;

o Establishing and operating an SEA-wide Privacy Incident Response Program to ensure that incidents are properly reported, investigated and mitigated, as appropriate;

o Establishing and operating a process for parents to file complaints of privacy violations;

o Establishing and operating a process to collect and respond to complaints of privacy violations and provide redress, as appropriate; and

o Providing training, education and outreach to build a culture of privacy across the department and transparency to the public.viii

To carry out these duties, the data governance manager is required to have access to all records, reports, audits, reviews, documents, papers, recommendations and other materials available to the SEA that relate to programs and operations with respect to his or her responsibilities.ix He or she also must make investigations and reports relating to the administration of SEA programs and operations as necessary or desirable.x

4 New York, Virginia, and West Virginia.


DATA STORAGE AND SECURITY

Section 5 of Student Data Privacy, Accessibility and Transparency Act

Twenty-five states5 outline some data storage and security process within state statute, although states differ in their approach. Some states identify a specific position or office as being responsible for data security and storage, while others include specific provisions for how data storage, security and destruction policies should be designed. (And some do both.) Many of the specifics related to storing, maintaining and (when appropriate) destroying student data are necessarily left to local contracts and local policy, guided by state baselines.

• Colorado's state board is responsible for developing a detailed data security plan that includes data retention and disposition policies, including specific criteria for identifying when and how the data will be destroyed.xi

o Colorado law has special requirements for agreements or contracts involving the disclosure of student data for research conducted on behalf of the SEA to develop, validate, or administer predictive tests; to administer student aid programs; or to improve instruction.xii Such agreements must include a provision to destroy all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and to specify the time period in which the information must be destroyed.xiii

• Kansas law requires student data to be destroyed when no longer necessary for the purposes of the data-sharing agreement or upon expiration of the data-sharing agreement, whichever occurs first.xiv A service provider engaged to perform a function of instruction may retain student transcripts as required by applicable laws and rules and regulations.xv Destruction must comply with the NIST SP 800-88 standards of data destruction.xvi

• Tennessee law makes the state board responsible for creating, publishing and making publicly available a data inventory and dictionary or index of data elements along with the purpose or reason for inclusion in the data system.xvii The state board is also required to develop a detailed security plan that includes data retention and disposition policies.xviii The Tennessee Department of Education is required to provide a model student records policy for LEAs that requires LEAs to ensure student data is provided only to authorized individuals.xix

• Utah’s SEA is responsible for creating and maintaining a robust, comprehensive data collection system that collects longitudinal student transcript data from LEAs and other unique student identifiers.xx And, using existing information collected and stored in the state data system, the state board is responsible for creating the Utah Student Record Store, where an authorized LEA user can access data in a Student Achievement Backpack relevant to the user's LEA or school or can request student records to be transferred from one LEA to another.xxi The state board is also responsible for ensuring that student data stored or transmitted to or from the Utah Student Record Store is secure and confidential.xxii If a security breach occurs that leads to the release of the student’s personally identifiable student data, the responsible education entity (e.g., state board, LEA, school or other agent) must notify the parents or guardians of affected students.xxiii

5 Arizona, California, Colorado, Delaware, Georgia, Idaho, Illinois, Kentucky, Maryland, Massachusetts, Mississippi, Missouri, New Jersey, New Mexico, New York, North Dakota, Ohio, Oklahoma, Pennsylvania, South Dakota, Tennessee, Utah, Washington, West Virginia and Wyoming.


DATA SHARING BETWEEN THE SEA AND LEA

Section 5 of Student Data Privacy, Accessibility and Transparency Act

Most states do not restrict the information that can be shared between the state education agency (SEA) and local education agencies (LEAs), with a few notable exceptions, including Louisiana and New Hampshire. Indeed, many state educational systems rely on sharing educational data between the SEA and LEAs, and some have included statutory guidelines for such exchanges.

• Arizona law requires LEAs to share student-level data with the SEA to receive funds for the cost of educating students, but not more often than once every twenty school days.xxiv

• In Connecticut, local and regional boards of education must collect and submit data on student, teacher and school and district performance growth to the SEA; this information must be made available to all local and regional boards of education.xxv All school districts must participate in the statewide public school information system, and report all necessary information required, provided the SEA provides for technical assistance and training of school staff in the use of the system.xxvi When a student enrolls in a school in a new LEA, the student's former LEA is responsible for transferring the student's education records to the new school district no later than ten days after the notification receipt is delivered.xxvii

• Maryland requires LEAs and state agencies to make every effort to comply with the data requirements and implementation schedule for the Maryland Longitudinal Data System as set forth by the governing board, and transfer student-level and transcript-level data and workforce data to the Maryland Longitudinal Data System in accordance with the data security and safeguarding plan.xxviii


COLLECTIBLE DATA Section 6 of Student Data Privacy, Accessibility and Transparency Act

Twenty-three states6 provide a comprehensive list of which student data can and cannot be collected, separate from the definition of student data. One area of recent activity involves biometric data, to which at least fifteen states 7 now include a specific reference in their student data privacy statutes.8 As reflected in the model legislation, states should take care to consider all potential ramifications of addressing biometric data in state law and take care to distinguish biometric data that may be necessary for an educational purpose (e.g., identification for an online state assessment) from that that should not be collected. Another area of recent activity relates to students' personal social media accounts. Some states, including Oregon and Rhode Island, have specifically prohibited requiring or requesting access to a personal social media account through the student's username and password. • Illinois provides a comprehensive list of the data required to be collected for the

state longitudinal data system. The system includes, but is not limited to, the following elements: o A unique statewide student identifier that connects multiple years of student

data across key databases; o Student-level enrollment, demographic and program participation information; o The ability to match individual students' elementary and secondary test records

from year to year to measure academic growth; o A teacher and administrator identifier system with the ability to match students

to early learning, elementary and secondary teachers and elementary and secondary administrators;

o Student-level transcript information, including information on courses completed and grades earned, from middle and high schools;

o Student-level college readiness test scores; o Student-level graduation and dropout data; and o The ability to match early learning through secondary student unit records with

institution of higher learning student unit record systems.xxix

6 California, Colorado, Connecticut, Florida, Hawaii, Idaho, Illinois, Kansas, Louisiana, Missouri, Montana, New Hampshire, New Jersey, New York, North Carolina, Ohio, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah and West Virginia. 7 California, Colorado, Florida, Idaho, Kansas, Kentucky, Louisiana, Missouri, New Hampshire, New York, Ohio, Oklahoma, Tennessee, Virginia and West Virginia. 8 Biometric data are complex and implicate a wide range of state policies, both old and new. This tally represents our best attempt at capturing those states that have specifically referenced biometric data in the context of K-12 data use, privacy and security policies.


• In Missouri, the SEA is required to notify the governor, the president pro tempore of the Senate, the speaker of the House of Representatives and the Joint Committee on Education annually of any new student data being proposed for inclusion in the state student data system, as well as any changes to existing data collections required for any reason.xxx


USE OF DATA BY THIRD PARTIES

Section 7 of Student Data Privacy, Accessibility and Transparency Act

Twenty-three states9 address the use of school or student data by non-public third parties, including vendors, within state statute. Seventeen states10 include some requirements for contracts with third parties in state statute. Many states and LEAs rely on third parties to help them create, maintain and evaluate their data systems. Though these relationships are always defined by contract, some states have included mandatory ground rules for the use of data by third parties in their state statutes.

• California law prohibits third party operators of sites, services and applications used for K-12 school purposes from using, sharing, disclosing or compiling the personal information of students for any purpose other than the K-12 school purpose.xxxi All contracts between an LEA and a third party provider must include:

o A statement that the pupil records continue to be the property of and under the control of the LEA;

o A description of the actions the third party will take to ensure the security and confidentiality of pupil records; and

o A description of how the LEA and the third party will jointly ensure compliance with FERPA.xxxii

• Idaho law requires its state board to monitor any contracts governing databases, online services, assessments, or instructional supports (that include student data and are outsourced to private vendors) to ensure the following components are included:

o Express provisions that safeguard privacy and security;

o Specific restrictions on secondary uses of student data;

o Data destruction plans, including a time frame for data destruction; and

o Penalties for noncompliance.xxxiii

• Louisiana law allows student information, including personally identifiable information and cumulative records, to be transferred to computers operated and maintained by a private entity contracting with an LEA for an educational purpose, as long as the contract includes specific requirements regarding the protection of student information, including:

9 Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Idaho, Kentucky, Louisiana, Maryland, Mississippi, Missouri, New Hampshire, New York, North Carolina, Ohio, Oklahoma, Rhode Island, Tennessee, Texas, Utah, West Virginia and Wisconsin.

10 Arizona, California, Colorado, Idaho, Kentucky, Louisiana, Maryland, Mississippi, Missouri, New York, North Carolina, Oklahoma, Rhode Island, Tennessee, Utah, West Virginia and Wisconsin.


o Guidelines for authorizing access to computer systems on which student information is stored;

o Privacy compliance standards;

o Privacy and security audits performed under the direction of the local superintendent;

o Breach planning, notification and remediation procedures;

o Information storage, retention and disposition policies; and

o Disposal of all information from the servers of the contractor upon termination of the contract.xxxiv

• Rhode Island law specifically requires that any cloud computing service providers for a Rhode Island-based educational institution must process all student data for the sole purpose of providing the cloud computing service to the educational institution and shall not process such data for any commercial purposes, including, but not limited to, advertising purposes that benefit the cloud computing service provider.xxxv Each cloud computing service must certify within its contract that it will comply with this requirement.xxxvi


STUDENT AND PARENTAL RIGHTS AND COMPLAINT PROCESS

Section 8 of Student Data Privacy, Accessibility and Transparency Act

Eight states11 specifically address in state statute a complaint process for students and parents to address privacy violations or data breaches or designate an individual or entity to design the complaint process. Two states12 include a "Bill of Rights" relating to educational data in their state law. These states have created additional protections within state law for students and parents beyond those required by federal law.

• California requires LEAs to notify parents in writing of their rights when their student first enrolls in school and again at the beginning of each school year.xxxvii The notice is intended to alert the parents of the information available to them about their child, including the right of the parent to access student records, the procedures for challenging the content of student records, and the right of the parent to file a complaint with the United States Department of Education (USED) concerning an alleged failure by the LEA to comply with federal law.xxxviii

• Florida outlines the rights of students and parents explicitly with respect to education records created, maintained or used by public educational institutions and agencies. Florida outlines a number of principles governing the use of student records:

o Students and their parents have the right to access their education records, including the right to inspect and review those records;

o Students and their parents have the right to challenge the content of education records in order to ensure that the records are not inaccurate, misleading or otherwise a violation of privacy or other rights;

o Students and their parents have the right of privacy with respect to such records and reports; and

o Students and their parents must receive annual notice of their rights with respect to education records.xxxix

• New York law outlines a complaint process for students and parents to address privacy violations or data breaches in the parents' bill of rights for data privacy and security. The parents' bill of rights states that:

o A student's personally identifiable information cannot be sold or released for any commercial purposes;

11 Arizona, California, Florida, Illinois, Kentucky, New York, Rhode Island and West Virginia.

12 New York and Rhode Island.


o Parents have the right to inspect and review the complete contents of their child's education record, including any student data stored or maintained by an LEA;

o Safeguards based on industry standards and best practices—including but not limited to, encryption, firewalls and password protection—must be in place when data is stored or transferred;

o A complete list of all student data elements collected by the state is available for public review; and

o Parents have the right to make complaints about possible breaches of student data and have them addressed by appropriate authorities.xl

• Rhode Island law contains the Educational Records Bill of Rights that gives the parent, legal guardian or eligible student the following enumerated rights:

o To personally inspect and review records in existence at the time of the request that are required to be kept by law or regulation of the student within 10 days of making a request to the school's principal or other designated authority;

o To a reasonable explanation and interpretation of the records;

o To copies of the records (with limitations on the costs for copies);

o To have the records preserved as long as a request to inspect is outstanding;

o To request in writing an amendment and/or expungement of the records if the parent or eligible student believes that the information contained in these records is inaccurate, misleading or in violation of the student's right to privacy;

o To place a statement in the record commenting on any contested information; and

o To have the records kept confidential and not released to any other individual, agency or organization without prior written consent of the parent, legal guardian or eligible student, except to the extent that the release of the records is authorized by FERPA or other applicable law or court process.xli

Any person who experiences a violation of these rights has the right to appeal. If a decision is rendered against the school system, the relevant records must be corrected by the school system in accordance with the decision.xlii

• West Virginia's data governance manager (described above) is responsible for establishing and operating a process for parents to file complaints of privacy violations.xliii


ENDNOTES

i Neb. Code § 79-2, 104
ii W.V. Educ. Code § 18B-1D-10
iii Colo. Educ. Code § 22-2-309
iv K.S.A. § 72-6216
v For example, Arizona state law does not require a single chief privacy officer but has created a data governance commission within the SEA consisting of a number of chief technology managers. Ariz. Educ. Code § 15-249-01. California has a statewide Chief Information Officer responsible for a number of duties, including establishing and enforcing state information technology strategic plans and working in conjunction with agency and department chief information officers and information security officers. The Officer is not specifically tasked with overseeing student data privacy and security issues, though his/her broad portfolio likely touches on these issues. Cal. Educ. Code § 11545
vi N.Y. Educ. Code § 2-D
vii Va. Code § 22.1-20.2
viii W.V. Educ. Code § 18-2-5h
ix Id.
x Id.
xi Colo. Educ. Code § 22-2-309
xii Id.
xiii Id.
xiv K.S.A. § 72-6217
xv Id.
xvi Id.
xvii Tenn. Code § 49-1-703
xviii Id.
xix Tenn. Code § 49-1-704
xx Utah Educ. Code § 53A-1-413
xxi Id.
xxii Id.
xxiii Utah Educ. Code § 53A-13-301
xxiv Ariz. Educ. Code § 15-1042
xxv Conn. Educ. Code § 10-10a
xxvi Id.
xxvii Conn. Educ. Code § 10-220h
xxviii Md. Educ. Code § 24-707
xxix Ill. Educ. Code § 105-13-15
xxx § 161.096.1 RSMo
xxxi Cal. Bus. & Prof. Code § 22584
xxxii Id.
xxxiii Idaho Educ. Code § 33-133
xxxiv La. Revised Statutes § 17-3913
xxxv R.I. Gen. Laws § 16-104-1
xxxvi Id.
xxxvii Cal. Educ. Code § 49063
xxxviii Id.
xxxix Fla. Educ. Code § 1002.22
xl N.Y. Educ. Code § 2-D
xli R.I. Gen. Laws § 16-71-3
xlii R.I. Gen. Laws § 16-71-4
xliii W.V. Educ. Code § 18-2-5h
