H.B. 169
This document includes House Committee Amendments incorporated into the bill on Fri, Mar 7, 2014 at 11:54 AM by lerror. --> 1
2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill creates the Student Privacy Act and addresses the release of public school
10 student information.
11 Highlighted Provisions:
12 This bill:
13 . defines terms;
14 . requires certain people to protect student privacy;
15 . allows a student or the student's parent to authorize the collection and release of
16 certain student data;
17 . prohibits an education entity from releasing a student's personally identifiable
18 information under certain circumstances;
19 . allows an education entity to release a student's personally identifiable information
20 under certain circumstances;
21 . prohibits a school district from eliciting certain information from students;
22 . provides what kinds of student data may be collected and under what circumstances;
23 . requires an education entity to provide a student data disclosure to parents and
24 students at the beginning of each school year or at the time a student enrolls with the
25 education entity;
26 . establishes requirements for the State Board of Education related to the collection,
27 usage, and storage of student data;
28 . requires the State Board of Education to designate a student privacy coordinator to
29 oversee the protection of student data;
30 . requires an education entity or third party contractor to collect, use, and store data in
31 accordance with certain security measures;
32 . establishes penalties; and
33 . makes technical changes.
34 Money Appropriated in this Bill:
35 None
36 Other Special Clauses:
37 None
38 Utah Code Sections Affected:
39 AMENDS:
40 53A-13-301 , as last amended by Laws of Utah 2011, Chapter 401
41 53A-13-302 , as last amended by Laws of Utah 2013, Chapter 335
42 ENACTS:
43 53A-13-300.5 , Utah Code Annotated 1953
44 53A-13-303 , Utah Code Annotated 1953
45 53A-13-304 , Utah Code Annotated 1953
46 53A-13-305 , Utah Code Annotated 1953
47
48 Be it enacted by the Legislature of the state of Utah:
49 Section 1. Section 53A-13-300.5 is enacted to read:
50
51 53A-13-300.5. Definitions.
52 As used in this part:
53 (1) "Adult student" means a student who is at least 18 years old.
54 (2) "Aggregate data" means data collected or reported at the group, cohort, school,
55 school district, or state level that:
56 (a) does not include personally identifiable information; and
57 (b) at the level collected, includes at least 100 individuals in the level.
58 (3) (a) "Allowable student data" means student data that an education entity may
59 collect and include in a student's educational record without student authorization.
60 (b) "Allowable student data" includes:
61 (i) name;
62 (ii) date of birth;
63 (iii) gender;
64 (iv) parent or guardian information;
65 (v) contact information;
66 (vi) a public student identification number;
67 (vii) state and national assessment results, excluding information on untested public
68 school students;
69 (viii) courses taken and completed, credits earned, and other transcript information;
70 (ix) course grades and grade point average;
71 (x) grade level and expected graduation date or graduation cohort;
72 (xi) degree, diploma, credential attainment, and other school exit information;
73 (xii) attendance and mobility; and
74 (xiii) drop-out data.
75 (4) "Board" means the State Board of Education.
76 (5) "Education entity" means:
77 (a) the board;
78 (b) a local school board or charter school governing board;
79 (c) a school district;
80 (d) a public school; or
81 (e) the Utah Schools for the Deaf and the Blind.
82 (6) "Higher education entity" means:
83 (a) an institution of higher education described in Subsection 53B-2-101 (1); or
84 (b) the State Board of Regents established in Section 53B-1-103 .
85 (7) (a) "Optional student data" means student data that an education entity may not
86 collect except in accordance with Section 53A-13-303 .
87 (b) "Optional student data" includes:
88 (i) discipline reports;
89 (ii) remediation efforts;
90 (iii) special education data;
91 (iv) demographic data; and
92 (v) program participation information.
93 (8) "Out-of-state educational agency" means an education agency or institution located
94 outside the state.
95 (9) "Parent" means a student's parent or legal guardian.
96 (10) (a) "Personally identifiable information" means information that identifies an
97 individual.
98 (b) "Personally identifiable information" includes:
99 (i) a student's first or last name;
100 (ii) a name of a student's family member;
101 (iii) a student's or student's family's home or physical address;
102 (iv) a student's email address or online contact information;
103 (v) a student's telephone number;
104 (vi) a student's Social Security number;
105 (vii) a student's biometric identifier;
106 (viii) a student's health or disability data;
107 (ix) a student's student identification number;
108 (x) a student's social media login or alias;
109 (xi) a student's persistent identifier, if the identifier is associated with personally
110 identifiable information, including:
111 (A) a customer number held in a cookie; or
112 (B) a processor serial number;
113 (xii) a combination of a student's last name or photograph of the student with other
114 information that together permits a person to contact the student online;
115 (xiii) information about a student or a student's family that a person collects online and
116 combines with other personally identifiable information; and
117 (xiv) other information that, alone or in combination, is linked or linkable to a specific
118 student that would allow a reasonable person in the school community, who does not have
119 personal knowledge of the relevant circumstances, to identify the student with reasonable
120 certainty.
121 (11) (a) "Prohibited student data" means student data that may not be collected by an
122 education entity.
123 (b) "Prohibited student data" includes a student's:
124 (i) juvenile delinquency records;
125 (ii) criminal records;
126 (iii) medical and health records;
127 (iv) Social Security number; and
128 (v) biometric information.
129 (12) (a) "Student data" means student data collected or reported at the individual
130 student level and may be included in a student's educational record.
131 (b) "Student data" includes:
132 (i) allowable student data;
133 (ii) optional student data; and
134 (iii) prohibited student data.
135 (13) "Student authorization" means the authorization of:
136 (a) the student's parent, if the student is less than 18 years old; or
137 (b) the student, if the student is an adult student.
138 (14) "Student data system" means the State Board of Education's system for collecting,
139 storing, and using student data.
140 (15) "Student privacy coordinator" means the State Office of Education student privacy
141 coordinator designated by the board under Section 53A-13-305 .
142 (16) "Third party contractor" means a person, other than an education entity, that
143 receives student data from an education entity pursuant to a contract or written agreement.
144 Section 2. Section 53A-13-301 is amended to read:
145 53A-13-301. Application of state law to the administration and operation of
146 public schools -- Student information confidentiality standards -- Local school board and
147 charter school governing board policies.
148 (1) An [
149
150 other agent of an education entity shall protect the privacy of [
151
152 involvement in the education of their children through compliance with the protections
153 provided for family and student privacy under [
154
155 this part in the administration and operation of all public school programs, regardless of the
156 source of funding.
157 (2) (a) A student owns the student's personally identifiable information.
158 (b) A parent of a student or an adult student has the discretion to authorize:
159 (i) collection of the student's optional student data; and
160 (ii) sharing or accessing of the student's optional student data.
161 (c) When a student leaves the state's public education system, the student's parent or
162 the student, if the student is an adult student, may require an education entity to expunge all of
163 the student's student data.
164 (3) Except as provided in Subsection (4), an education entity may not release a
165 student's personally identifiable information without student authorization.
166 (4) Subject to the requirements of this section, an education entity may release a
167 student's personally identifiable information without student authorization to:
168 (a) another education entity;
169 (b) a higher education entity, upon request of the student's parent, or the student, if the
170 student is an adult student;
171 (c) a third party contractor, consultant, or other party to whom the education entity has
172 outsourced services or functions for the following purposes:
173 (i) to conduct a study or perform research; or
174 (ii) to perform a service or function for which the education entity would otherwise use
175 employees; or
176 (d) an out-of-state educational agency if:
177 (i) the student seeks or intends to enroll, or if the student is already enrolled, at the
178 out-of-state educational agency; and
179 (ii) the release of personally identifiable information is for purposes related to the
180 student's enrollment or transfer.
181 (5) An education entity may release aggregate student data to a person.
182 [
183 governing the protection of family and student privacy as required by this section.
184 [
185 Act, the State Board of Education shall makes rules to establish standards for public education
186 employees, student aides, and volunteers in public schools regarding the confidentiality of
187 student information and student records.
188 (b) The rules described in Subsection [
189 or charter school governing board may adopt policies related to public school student
190 confidentiality to address the specific needs or priorities of the school district or charter school.
191 [
192 (a) develop resource materials for purposes of training employees, student aides, and
193 volunteers of a school district or charter school regarding the confidentiality of student
194 information and student records; and
195 (b) provide the materials described in Subsection [
196 charter school.
197 Section 3. Section 53A-13-302 is amended to read:
198 53A-13-302. Activities prohibited -- Qualifications -- Training on
199 implementation.
200 (1) Policies adopted by a school district under [
201 include prohibitions on the administration to a student of any psychological or psychiatric
202 examination, test, or treatment, or any survey, analysis, or evaluation [
203
204 effect is to cause the student to reveal information, whether the information is personally
205 identifiable or not, concerning the student's or any family member's:
206 (a) political affiliations or, except as provided under Section 53A-13-101.1 or rules of
207 the State Board of Education, political philosophies;
208 (b) mental or psychological problems;
209 (c) sexual behavior, orientation, or attitudes;
210 (d) illegal, anti-social, self-incriminating, or demeaning behavior;
211 (e) critical appraisals of individuals with whom the student or family member has close
212 family relationships;
213 (f) religious affiliations or beliefs;
214 (g) legally recognized privileged and analogous relationships, such as those with
215 lawyers, medical personnel, or ministers; and
216 (h) income, except as required by law.
217 [
218
219 [
220
221
222 [
223
224
225
226 [
227
228 [
229 [
230 [
231 [
232
233 [
234
235 [
236
237
238
239 [
240
241 [
242
243
244 [
245
246 [
247
248
249 [
250 53A-13-101.3 to spontaneously express sentiments or opinions [
251
252 (b) (i) If a school employee or agent believes that a situation exists which presents a
253 serious threat to the well-being of a student, that employee or agent shall notify the student's
254 parent or guardian without delay.
255 (ii) If, however, the matter has been reported to the Division of Child and Family
256 Services within the Department of Human Services, it is the responsibility of the division to
257 notify the student's parent or guardian of any possible investigation, prior to the student's return
258 home from school.
259 (iii) The division may be exempted from the notification requirements described in
260 [
261 notification of his parent or guardian, or if that notification is otherwise prohibited by state or
262 federal law.
263 [
264 within their respective school districts on the implementation of this section.
265 [
266 this section.
267 Section 4. Section 53A-13-303 is enacted to read:
268 53A-13-303. Requirements for collection of student data -- Student data
269 disclosure.
270 (1) An education entity may collect allowable student data if the education entity
271 provides a student data disclosure that complies with Subsection (4) to:
272 (a) the student, if the student is an adult student; and
273 (b) the student's parent.
274 (2) An education entity may collect optional student data if the education entity:
275 (a) provides a student data disclosure that complies with Subsection (4) to:
276 (i) the student, if the student is an adult student; and
277 (ii) the student's parent; and
278 (b) obtains student authorization to collect the optional student data.
279 (3) An education entity may not collect prohibited student data.
280 (4) An education entity that collects student data shall prepare a written student data
281 disclosure for distribution to parents and adult students:
282 (a) (i) at the beginning of each school year; or
283 (ii) at the time the student enrolls with the education entity; and
284 (b) that includes a description of:
285 (i) the allowable student data that the education entity collects;
286 (ii) the optional student data that the education entity collects;
287 (iii) the prohibited student data that the education entity may not collect;
288 (iv) how the allowable and optional student data will be collected and used, shared, or
289 accessed;
290 (v) the consequences of authorizing the collection of allowable or optional student
291 data;
292 (vi) how the student data is stored and any security measures used to protect the student
293 data; and
294 (vii) the parent's and adult student's rights related to the student's student data,
295 including the information described in Subsection 53A-13-301 (2).
296 (5) The board shall develop a model student data disclosure in accordance with
297 Subsection (4).
298 Section 5. Section 53A-13-304 is enacted to read:
299 53A-13-304. Security requirements related to the collection, usage, and storage of
300 student data -- Board duties H. [
301 The board shall:
302 (1) maintain, secure, and safeguard all student data with an equivalent PCI DSS, third
303 party verified compliant certification;
304 (2) create, publish, annually update, and make publicly available, a data inventory and
305 dictionary or index of data elements with definitions of student data fields currently in the
306 student data system, including:
307 (a) student data required to be reported by state or federal law;
308 (b) student data that has been proposed for inclusion in the student data system with a
309 statement regarding the purpose or reason for collecting the student data; and
310 (c) student data collected or maintained with no current purpose or reason;
311 (3) develop, publish, and make publicly available policies and procedures to comply
312 with this part and other relevant privacy laws, including ensuring that a contract entered into
313 between an education entity and a third party contractor, which allows the third party contractor
314 to have access to student data, includes:
315 (a) provisions requiring specific restrictions on the use of student data;
316 (b) specific dates governing the destruction of student data given to a third party
317 contractor;
318 (c) provisions that prohibit a third party contractor from using the student data for a
319 secondary use, including sales, marketing, or advertising; and
320 (d) provisions limiting a third party contractor's use of student data strictly for the
321 purpose of providing services to the education entity;
322 (4) develop a detailed security plan for education entities that includes:
323 (a) guidelines for authorizing sharing and access to student data, including guidelines
324 for authentication of authorized access;
325 (b) guidelines for administrative safeguards providing for the security of electronic and
326 physical student data, including provisions related to data encryption;
327 (c) guidelines for education entity employees to better ensure the safety and security of
328 student data;
329 (d) privacy compliance standards;
330 (e) privacy and annual security audits;
331 (f) breach planning, notification, and procedures; and
332 (g) data retention and disposition policies;
333 (5) develop a model governance policy for education entities regarding the collection,
334 access, security, and use of student data; and
335 (6) ensure that the following entities adopt the model governance policy described in
336 Subsection (5):
337 (a) local school boards;
338 (b) charter schools; and
339 (c) the Utah Schools for the Deaf and the Blind.
339a H. (7) (a) A third party contractor shall maintain, secure, and safeguard all student
339b data with an equivalent PCI DSS, third party verified compliant certification.
339c (b) A third party contractor shall:
339d (i) use student data received under a contract with an education entity strictly for the
339e purpose of providing the contracted services to the education entity; and
339f (ii) may not use student data received under a contract with an education entity for a
339g use not described in the contract. .H
340 Section 6. Section 53A-13-305 is enacted to read:
341 53A-13-305. Student privacy coordinator -- Reports of violations of student
342 privacy laws -- Penalties.
343 (1) (a) The board shall designate a State Office of Education student privacy
344 coordinator.
345 (b) The student privacy coordinator shall:
346 (i) oversee the administration of student privacy laws, including the requirements of
347 this part;
348 (ii) review complaints of:
349 (A) an unauthorized release of student data;
350 (B) an unauthorized collection of student data; or
351 (C) an unauthorized use of student data;
352 (iii) report any violations of this part to:
353 (A) the board;
354 (B) the applicable education entity; and
355 (C) the Education Interim Committee; and
356 (iv) work with the board to develop a model student data disclosure described in
357 Subsection 53A-13-303 (4).
358 (2) (a) A third party contractor that knowingly or recklessly permits unauthorized
359 release or use of student data:
360 (i) may not enter into a future contract with the board or another education entity; and
361 (ii) may be required by the board to pay a civil penalty of $25,000.
362 (b) The board may assess the civil penalty described in Subsection (2)(a)(ii) in
363 accordance with Title 63G, Chapter 4, Administrative Procedures Act.
364 (c) The board may bring an action in the district court of the county in which the office
365 of the board is located, if necessary, to enforce payment of the civil penalty described in
366 Subsection (2)(a)(ii).
367 (3) (a) A parent or adult student may bring an action in a court of competent
368 jurisdiction for damages caused by violation of this part by an education entity or a third party
369 contractor.
370 (b) If the court finds that an education entity or third party contractor has violated this
371 part, the court shall award to the parent or adult student:
372 (i) damages;
373 (ii) costs; and
374 (iii) reasonable attorney fees.
Legislative Review Note
as of 2-26-14 11:13 AM