H.B. 169

This document includes House Committee Amendments incorporated into the bill on Fri, Mar 7, 2014 at 11:54 AM by lerror. -->              1     

STUDENT PRIVACY ACT

             2     
2014 GENERAL SESSION

             3     
STATE OF UTAH

             4     
Chief Sponsor: Jacob L. Anderegg

             5     
Senate Sponsor: ____________

             6     
             7      LONG TITLE
             8      General Description:
             9          This bill creates the Student Privacy Act and addresses the release of public school
             10      student information.
             11      Highlighted Provisions:
             12          This bill:
             13          .    defines terms;
             14          .    requires certain people to protect student privacy;
             15          .    allows a student or the student's parent to authorize the collection and release of
             16      certain student data;
             17          .    prohibits an education entity from releasing a student's personally identifiable
             18      information under certain circumstances;
             19          .    allows an education entity to release a student's personally identifiable information
             20      under certain circumstances;
             21          .    prohibits a school district from eliciting certain information from students;
             22          .    provides what kinds of student data may be collected and under what circumstances;
             23          .    requires an education entity to provide a student data disclosure to parents and
             24      students at the beginning of each school year or at the time a student enrolls with the
             25      education entity;
             26          .    establishes requirements for the State Board of Education related to the collection,
             27      usage, and storage of student data;


             28          .    requires the State Board of Education to designate a student privacy coordinator to
             29      oversee the protection of student data;
             30          .    requires an education entity or third party contractor to collect, use, and store data in
             31      accordance with certain security measures;
             32          .    establishes penalties; and
             33          .    makes technical changes.
             34      Money Appropriated in this Bill:
             35          None
             36      Other Special Clauses:
             37          None
             38      Utah Code Sections Affected:
             39      AMENDS:
             40           53A-13-301 , as last amended by Laws of Utah 2011, Chapter 401
             41           53A-13-302 , as last amended by Laws of Utah 2013, Chapter 335
             42      ENACTS:
             43           53A-13-300.5 , Utah Code Annotated 1953
             44           53A-13-303 , Utah Code Annotated 1953
             45           53A-13-304 , Utah Code Annotated 1953
             46           53A-13-305 , Utah Code Annotated 1953
             47     
             48      Be it enacted by the Legislature of the state of Utah:
             49          Section 1. Section 53A-13-300.5 is enacted to read:
             50     
Part 13. Student Privacy Act

             51          53A-13-300.5. Definitions.
             52          As used in this part:
             53          (1) "Adult student" means a student who is at least 18 years old.
             54          (2) "Aggregate data" means data collected or reported at the group, cohort, school,
             55      school district, or state level that:
             56          (a) does not include personally identifiable information; and
             57          (b) at the level collected, includes at least 100 individuals in the level.
             58          (3) (a) "Allowable student data" means student data that an education entity may


             59      collect and include in a student's educational record without student authorization.
             60          (b) "Allowable student data" includes:
             61          (i) name;
             62          (ii) date of birth;
             63          (iii) gender;
             64          (iv) parent or guardian information;
             65          (v) contact information;
             66          (vi) a public student identification number;
             67          (vii) state and national assessment results, excluding information on untested public
             68      school students;
             69          (viii) courses taken and completed, credits earned, and other transcript information;
             70          (ix) course grades and grade point average;
             71          (x) grade level and expected graduation date or graduation cohort;
             72          (xi) degree, diploma, credential attainment, and other school exit information;
             73          (xii) attendance and mobility; and
             74          (xiii) drop-out data.
             75          (4) "Board" means the State Board of Education.
             76          (5) "Education entity" means:
             77          (a) the board;
             78          (b) a local school board or charter school governing board;
             79          (c) a school district;
             80          (d) a public school; or
             81          (e) the Utah Schools for the Deaf and the Blind.
             82          (6) "Higher education entity" means:
             83          (a) an institution of higher education described in Subsection 53B-2-101 (1); or
             84          (b) the State Board of Regents established in Section 53B-1-103 .
             85          (7) (a) "Optional student data" means student data that an education entity may not
             86      collect except in accordance with Section 53A-13-303 .
             87          (b) "Optional student data" includes:
             88          (i) discipline reports;
             89          (ii) remediation efforts;


             90          (iii) special education data;
             91          (iv) demographic data; and
             92          (v) program participation information.
             93          (8) "Out-of-state educational agency" means an education agency or institution located
             94      outside the state.
             95          (9) "Parent" means a student's parent or legal guardian.
             96          (10) (a) "Personally identifiable information" means information that identifies an
             97      individual.
             98          (b) "Personally identifiable information" includes:
             99          (i) a student's first or last name;
             100          (ii) a name of a student's family member;
             101          (iii) a student's or student's family's home or physical address;
             102          (iv) a student's email address or online contact information;
             103          (v) a student's telephone number;
             104          (vi) a student's Social Security number;
             105          (vii) a student's biometric identifier;
             106          (viii) a student's health or disability data;
             107          (ix) a student's student identification number;
             108          (x) a student's social media login or alias;
             109          (xi) a student's persistent identifier, if the identifier is associated with personally
             110      identifiable information, including:
             111          (A) a customer number held in a cookie; or
             112          (B) a processor serial number;
             113          (xii) a combination of a student's last name or photograph of the student with other
             114      information that together permits a person to contact the student online;
             115          (xiii) information about a student or a student's family that a person collects online and
             116      combines with other personally identifiable information; and
             117          (xiv) other information that, alone or in combination, is linked or linkable to a specific
             118      student that would allow a reasonable person in the school community, who does not have
             119      personal knowledge of the relevant circumstances, to identify the student with reasonable
             120      certainty.


             121          (11) (a) "Prohibited student data" means student data that may not be collected by an
             122      education entity.
             123          (b) "Prohibited student data" includes a student's:
             124          (i) juvenile delinquency records;
             125          (ii) criminal records;
             126          (iii) medical and health records;
             127          (iv) Social Security number; and
             128          (v) biometric information.
             129          (12) (a) "Student data" means student data collected or reported at the individual
             130      student level and may be included in a student's educational record.
             131          (b) "Student data" includes:
             132          (i) allowable student data;
             133          (ii) optional student data; and
             134          (iii) prohibited student data.
             135          (13) "Student authorization" means the authorization of:
             136          (a) the student's parent, if the student is less than 18 years old; or
             137          (b) the student, if the student is an adult student.
             138          (14) "Student data system" means the State Board of Education's system for collecting,
             139      storing, and using student data.
             140          (15) "Student privacy coordinator" means the State Office of Education student privacy
             141      coordinator designated by the board under Section 53A-13-305 .
             142          (16) "Third party contractor" means a person, other than an education entity, that
             143      receives student data from an education entity pursuant to a contract or written agreement.
             144          Section 2. Section 53A-13-301 is amended to read:
             145           53A-13-301. Application of state law to the administration and operation of
             146      public schools -- Student information confidentiality standards -- Local school board and
             147      charter school governing board policies.
             148          (1) An [employee, student aide, volunteer, or other agent of the state's public education
             149      system] education entity and an employee, student aide, volunteer, third party contractor, or
             150      other agent of an education entity shall protect the privacy of [students, their parents, and their
             151      families] a student, the student's parents, and the student's family, and support parental


             152      involvement in the education of their children through compliance with the protections
             153      provided for family and student privacy under [Section 53A-13-302 and the Federal Family
             154      Educational Rights and Privacy Act and related provisions under 20 U.S.C. 1232g and 1232h,]
             155      this part in the administration and operation of all public school programs, regardless of the
             156      source of funding.
             157          (2) (a) A student owns the student's personally identifiable information.
             158          (b) A parent of a student or an adult student has the discretion to authorize:
             159          (i) collection of the student's optional student data; and
             160          (ii) sharing or accessing of the student's optional student data.
             161          (c) When a student leaves the state's public education system, the student's parent or
             162      the student, if the student is an adult student, may require an education entity to expunge all of
             163      the student's student data.
             164          (3) Except as provided in Subsection (4), an education entity may not release a
             165      student's personally identifiable information without student authorization.
             166          (4) Subject to the requirements of this section, an education entity may release a
             167      student's personally identifiable information without student authorization to:
             168          (a) another education entity;
             169          (b) a higher education entity, upon request of the student's parent, or the student, if the
             170      student is an adult student;
             171          (c) a third party contractor, consultant, or other party to whom the education entity has
             172      outsourced services or functions for the following purposes:
             173          (i) to conduct a study or perform research; or
             174          (ii) to perform a service or function for which the education entity would otherwise use
             175      employees; or
             176          (d) an out-of-state educational agency if:
             177          (i) the student seeks or intends to enroll, or if the student is already enrolled, at the
             178      out-of-state educational agency; and
             179          (ii) the release of personally identifiable information is for purposes related to the
             180      student's enrollment or transfer.
             181          (5) An education entity may release aggregate student data to a person.
             182          [(2)] (6) A local school board or charter school governing board shall enact policies


             183      governing the protection of family and student privacy as required by this section.
             184          [(3)] (7) (a) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking
             185      Act, the State Board of Education shall makes rules to establish standards for public education
             186      employees, student aides, and volunteers in public schools regarding the confidentiality of
             187      student information and student records.
             188          (b) The rules described in Subsection [(3)] (7)(a) shall provide that a local school board
             189      or charter school governing board may adopt policies related to public school student
             190      confidentiality to address the specific needs or priorities of the school district or charter school.
             191          [(4)] (8) The State Board of Education shall:
             192          (a) develop resource materials for purposes of training employees, student aides, and
             193      volunteers of a school district or charter school regarding the confidentiality of student
             194      information and student records; and
             195          (b) provide the materials described in Subsection [(4)] (8)(a) to each school district and
             196      charter school.
             197          Section 3. Section 53A-13-302 is amended to read:
             198           53A-13-302. Activities prohibited -- Qualifications -- Training on
             199      implementation.
             200          (1) Policies adopted by a school district under [Section 53A-13-301 ] this part shall
             201      include prohibitions on the administration to a student of any psychological or psychiatric
             202      examination, test, or treatment, or any survey, analysis, or evaluation [without the prior written
             203      consent of the student's parent or legal guardian,] in which the purpose or evident intended
             204      effect is to cause the student to reveal information, whether the information is personally
             205      identifiable or not, concerning the student's or any family member's:
             206          (a) political affiliations or, except as provided under Section 53A-13-101.1 or rules of
             207      the State Board of Education, political philosophies;
             208          (b) mental or psychological problems;
             209          (c) sexual behavior, orientation, or attitudes;
             210          (d) illegal, anti-social, self-incriminating, or demeaning behavior;
             211          (e) critical appraisals of individuals with whom the student or family member has close
             212      family relationships;
             213          (f) religious affiliations or beliefs;


             214          (g) legally recognized privileged and analogous relationships, such as those with
             215      lawyers, medical personnel, or ministers; and
             216          (h) income, except as required by law.
             217          [(2) Prior written consent under Subsection (1) is required in all grades, kindergarten
             218      through grade 12.]
             219          [(3) Except as provided in Section 53A-11a-203 , the prohibitions under Subsection (1)
             220      shall also apply within the curriculum and other school activities unless prior written consent of
             221      the student's parent or legal guardian has been obtained.]
             222          [(4) Written parental consent is valid only if a parent or legal guardian has been first
             223      given written notice, including notice that a copy of the educational or student survey questions
             224      to be asked of the student in obtaining the desired information is made available at the school,
             225      and a reasonable opportunity to obtain written information concerning:]
             226          [(a) records or information, including information about relationships, that may be
             227      examined or requested;]
             228          [(b) the means by which the records or information shall be examined or reviewed;]
             229          [(c) the means by which the information is to be obtained;]
             230          [(d) the purposes for which the records or information are needed;]
             231          [(e) the entities or persons, regardless of affiliation, who will have access to the
             232      personally identifiable information; and]
             233          [(f) a method by which a parent of a student can grant permission to access or examine
             234      the personally identifiable information.]
             235          [(5) (a) Except in response to a situation which a school employee reasonably believes
             236      to be an emergency, or as authorized under Title 62A, Chapter 4a, Part 4, Child Abuse or
             237      Neglect Reporting Requirements, or by order of a court, disclosure to a parent or legal guardian
             238      must be given at least two weeks before information protected under this section is sought.]
             239          [(b) Following disclosure, a parent or guardian may waive the two week minimum
             240      notification period.]
             241          [(c) Unless otherwise agreed to by a student's parent or legal guardian and the person
             242      requesting written consent, the authorization is valid only for the activity for which it was
             243      granted.]
             244          [(d) A written withdrawal of authorization submitted to the school principal by the


             245      authorizing parent or guardian terminates the authorization.]
             246          [(e) A general consent used to approve admission to school or involvement in special
             247      education, remedial education, or a school activity does not constitute written consent under
             248      this section.]
             249          [(6)] (2) (a) This section does not limit the ability of a student under Section
             250      53A-13-101.3 to spontaneously express sentiments or opinions [otherwise protected against
             251      disclosure under this section].
             252          (b) (i) If a school employee or agent believes that a situation exists which presents a
             253      serious threat to the well-being of a student, that employee or agent shall notify the student's
             254      parent or guardian without delay.
             255          (ii) If, however, the matter has been reported to the Division of Child and Family
             256      Services within the Department of Human Services, it is the responsibility of the division to
             257      notify the student's parent or guardian of any possible investigation, prior to the student's return
             258      home from school.
             259          (iii) The division may be exempted from the notification requirements described in
             260      [this] Subsection [(6)] (2)(b)(ii) only if it determines that the student would be endangered by
             261      notification of his parent or guardian, or if that notification is otherwise prohibited by state or
             262      federal law.
             263          [(7)] (3) Local school boards shall provide inservice for teachers and administrators
             264      within their respective school districts on the implementation of this section.
             265          [(8)] (4) The board shall provide procedures for disciplinary action for violations of
             266      this section.
             267          Section 4. Section 53A-13-303 is enacted to read:
             268          53A-13-303. Requirements for collection of student data -- Student data
             269      disclosure.
             270          (1) An education entity may collect allowable student data if the education entity
             271      provides a student data disclosure that complies with Subsection (4) to:
             272          (a) the student, if the student is an adult student; and
             273          (b) the student's parent.
             274          (2) An education entity may collect optional student data if the education entity:
             275          (a) provides a student data disclosure that complies with Subsection (4) to:


             276          (i) the student, if the student is an adult student; and
             277          (ii) the student's parent; and
             278          (b) obtains student authorization to collect the optional student data.
             279          (3) An education entity may not collect prohibited student data.
             280          (4) An education entity that collects student data shall prepare a written student data
             281      disclosure for distribution to parents and adult students:
             282          (a) (i) at the beginning of each school year; or
             283          (ii) at the time the student enrolls with the education entity; and
             284          (b) that includes a description of:
             285          (i) the allowable student data that the education entity collects;
             286          (ii) the optional student data that the education entity collects;
             287          (iii) the prohibited student data that the education entity may not collect;
             288          (iv) how the allowable and optional student data will be collected and used, shared, or
             289      accessed;
             290          (v) the consequences of authorizing the collection of allowable or optional student
             291      data;
             292          (vi) how the student data is stored and any security measures used to protect the student
             293      data; and
             294          (vii) the parent's and adult student's rights related to the student's student data,
             295      including the information described in Subsection 53A-13-301 (2).
             296          (5) The board shall develop a model student data disclosure in accordance with
             297      Subsection (4).
             298          Section 5. Section 53A-13-304 is enacted to read:
             299          53A-13-304. Security requirements related to the collection, usage, and storage of
             300      student data -- Board duties H. [ . ] -- Third party contractor requirements. .H
             301          The board shall:
             302          (1) maintain, secure, and safeguard all student data with an equivalent PCI DSS, third
             303      party verified compliant certification;
             304          (2) create, publish, annually update, and make publicly available, a data inventory and
             305      dictionary or index of data elements with definitions of student data fields currently in the
             306      student data system, including:


             307          (a) student data required to be reported by state or federal law;
             308          (b) student data that has been proposed for inclusion in the student data system with a
             309      statement regarding the purpose or reason for collecting the student data; and
             310          (c) student data collected or maintained with no current purpose or reason;
             311          (3) develop, publish, and make publicly available policies and procedures to comply
             312      with this part and other relevant privacy laws, including ensuring that a contract entered into
             313      between an education entity and a third party contractor, which allows the third party contractor
             314      to have access to student data, includes:
             315          (a) provisions requiring specific restrictions on the use of student data;
             316          (b) specific dates governing the destruction of student data given to a third party
             317      contractor;
             318          (c) provisions that prohibit a third party contractor from using the student data for a
             319      secondary use, including sales, marketing, or advertising; and
             320          (d) provisions limiting a third party contractor's use of student data strictly for the
             321      purpose of providing services to the education entity;
             322          (4) develop a detailed security plan for education entities that includes:
             323          (a) guidelines for authorizing sharing and access to student data, including guidelines
             324      for authentication of authorized access;
             325          (b) guidelines for administrative safeguards providing for the security of electronic and
             326      physical student data, including provisions related to data encryption;
             327          (c) guidelines for education entity employees to better ensure the safety and security of
             328      student data;
             329          (d) privacy compliance standards;
             330          (e) privacy and annual security audits;
             331          (f) breach planning, notification, and procedures; and
             332          (g) data retention and disposition policies;
             333          (5) develop a model governance policy for education entities regarding the collection,
             334      access, security, and use of student data; and
             335          (6) ensure that the following entities adopt the model governance policy described in
             336      Subsection (5):
             337          (a) local school boards;


             338          (b) charter schools; and
             339          (c) the Utah Schools for the Deaf and the Blind.
             339a           H. (7) (a) A third party contractor shall maintain, secure, and safeguard all student
             339b      data with an equivalent PCI DSS, third party verified compliant certification.
             339c          (b) A third party contractor shall:
             339d          (i) use student data received under a contract with an education entity strictly for the
             339e      purpose of providing the contracted services to the education entity; and
             339f          (ii) may not use student data received under a contract with an education entity for a
             339g      use not described in the contract. .H
             340          Section 6. Section 53A-13-305 is enacted to read:
             341          53A-13-305. Student privacy coordinator -- Reports of violations of student
             342      privacy laws -- Penalties.
             343          (1) (a) The board shall designate a State Office of Education student privacy
             344      coordinator.
             345          (b) The student privacy coordinator shall:
             346          (i) oversee the administration of student privacy laws, including the requirements of
             347      this part;
             348          (ii) review complaints of:
             349          (A) an unauthorized release of student data;
             350          (B) an unauthorized collection of student data; or
             351          (C) an unauthorized use of student data;
             352          (iii) report any violations of this part to:
             353          (A) the board;
             354          (B) the applicable education entity; and
             355          (C) the Education Interim Committee; and
             356          (iv) work with the board to develop a model student data disclosure described in
             357      Subsection 53A-13-303 (4).
             358          (2) (a) A third party contractor that knowingly or recklessly permits unauthorized
             359      release or use of student data:
             360          (i) may not enter into a future contract with the board or another education entity; and
             361          (ii) may be required by the board to pay a civil penalty of $25,000.
             362          (b) The board may assess the civil penalty described in Subsection (2)(a)(ii) in
             363      accordance with Title 63G, Chapter 4, Administrative Procedures Act.
             364          (c) The board may bring an action in the district court of the county in which the office
             365      of the board is located, if necessary, to enforce payment of the civil penalty described in
             366      Subsection (2)(a)(ii).
             367          (3) (a) A parent or adult student may bring an action in a court of competent
             368      jurisdiction for damages caused by violation of this part by an education entity or a third party


             369      contractor.
             370          (b) If the court finds that an education entity or third party contractor has violated this
             371      part, the court shall award to the parent or adult student:
             372          (i) damages;
             373          (ii) costs; and
             374          (iii) reasonable attorney fees.




Legislative Review Note
    as of 2-26-14 11:13 AM


Office of Legislative Research and General Counsel


[Bill Documents][Bills Directory]