Student data privacy has been a hot legislative topic in recent years and more changes are now on the way. On June 7, 2018 Governor Malloy signed into law Public Act 18-125: An Act Concerning Revisions to the Student Privacy Act, an Act that makes significant changes to several key aspects of Connecticut’s student data privacy law.
As you may recall, back in 2016 the General Assembly enacted a comprehensive student data privacy law that required website, online service and mobile app operators along with board of education consultants to implement certain student data security requirements. Amongst other requirements, the law: 1. Required boards of education and the operators and consultants that it provided with student information, student records or student-generated content to enter into contracts with certain mandated student data privacy terms; 2. Required covered operators and consultants to implement and maintain various student data security provisions and permit the deletion of student data upon request, and; 3. Prohibited covered operators from engaging in targeted advertising based on student data, selling, renting or trading student data or otherwise using student data for improper purposes.
Notably the law, in its initial form, also required boards of education to provide electronic notice to affected students and parents whenever it entered into a contract involving the transmission of student data. A copy of such notice and the executed contract was required to be posted on the board’s website, and additionally the law mandated that boards electronically notify affected students and parents of student data security breaches within forty-eight hours of notice of such a breach from an operator or consultant and post a copy of the notice on the board’s website.
Last year with the passage of Public Act 17-200, the General Assembly pushed back several key provisions of the initial student data privacy act to July 1, 2018 (even though those initial deadlines had already passed), and changed the student/parent electronic notice timeframe from forty-eight hours to two business days, but otherwise kept the basic framework of the law in place.
Changes to the Law
Public Act 18-125 makes a number of important changes to Connecticut’s Student Data Privacy Act, but perhaps the most important aspect of the new law is that it does not push back the Student Data Privacy Act’s existing deadlines. In effect this means that effective July 1, 2018, Connecticut boards of education (and charter schools, which are generally subject to the law pursuant to Conn. Gen. Stat. § 10-66dd(b)(1)) must comply with all provisions of the amended Student Data Privacy Act’s provisions.
In terms of specifics, the newly amended Student Data Privacy Act now requires the following:
- By July 1, 2018 boards of education shall enter into a written contract with a contractor (either an operator or consultant) anytime the board shares or provides access to student information, student-records or student-generated content with a contractor. The contract must include either ten legally mandated terms set forth in the Act, or incorporate into any such contract a yet to be developed model “terms-of-service addendum” from the Connecticut Commission for Educational Technology.
- By July 1, 2018 boards of education must maintain and update an internet website (not necessarily the same website as the board’s normal website) with information relating to all student data privacy contracts the board enters into. Required information includes a copy of the contract, a statement as to whether the contract has been entered into and the date of execution, a brief description of the contract and its purpose and a statement as to the student data that may be collected as a result of the contract.
While Public Act 18-125 maintains many of the internet posting features of the initial Student Data Privacy Act, the new law eliminates the requirement that affected students and parents be sent individual electronic notice of student data contracts that a board enters into. In its place, Public Act 18-125 now requires that on or before September first of each school year boards of education must electronically notify students and parents of the website to be used by the board for posting of student data contracts and related information as described above.
In addition, Public Act 18-125 will now excuse website, online service and mobile app operators from being required to delete student data upon request if deletion of such data would violate state or federal law, and also exempts operators from being required to delete student data that is only in the possession of an operator as part of a disaster recovery storage system that is inaccessible to the public and unable to be used by the operator in the normal course of business.
Finally, the amended Student Data Privacy Act will now exempt boards of education in specified circumstances from being mandated to enter into a contract for use of a website, online service or mobile app if the website, service or app is unique and necessary to implement a child’s IEP or Section 504 plan. In order for the exemption to apply, the operator or consultant must comply with FERPA and HIPPA privacy provisions and must abide by and maintain the student data restrictions and protections of the Student Data Privacy Act. Additionally, the board must provide evidence that it made reasonable efforts to enter into a contract with the operator or consultant and made reasonable efforts to find an equivalent website, online service, or mobile app hosted by a consultant or operator that does comply with the contracting requirements of the Act. Lastly, in order for the exemption to apply, the student’s parent or guardian and a member of the student’s planning and placement team must sign an agreement allowing the non-compliant website, online service or mobile app to be used.
July 1st is rapidly approaching so it’s important that your board (or charter school) take the necessary steps to comply with the newly-amended Student Data Privacy Act.