The bill adds to the existing laws pertaining to student data security by adopting additional duties that the state board of education (state board), department of education (department), and school districts, boards of cooperative services, and charter schools (LEPs) must comply with to increase the transparency and security of the student personally identifiable information (student PII) that the department and the LEPs collect and maintain. The bill imposes duties on the commercial entities that provide school services by formal contract with the department or an LEP (contract providers) and the commercial entities that an LEP or employees of an LEP choose to use without entering into a formal, negotiated contract (on-demand providers).
Applicability of bill. For provider contracts and research agreements that the department enters into or renews on or after the effective date of the bill, the department must ensure that the contract or agreement includes the restrictions and requirements pertaining to student PII and must terminate the contract or agreement if the contract provider or researcher commits a material breach of the contract involving the misuse or unauthorized release of student PII. For provider contracts that an LEP enters into or renews on or after the effective date of the bill, the LEP must ensure that the contract includes the restrictions and requirements pertaining to student PII and, if the contract provider commits a material breach of the contract involving the misuse or unauthorized release of student PII, must either terminate the contract or hold a public meeting to discuss the nature of the material breach and decide whether to terminate the contract.
State board duties. Under existing law, the state board has several duties with regard to the student PII that the department collects from LEPs. These duties include explaining the types of student PII the department collects and creating policies to protect the collected student PII. The bill does not substantively change the duties of the state board, except to require the state board to ensure that an organization that conducts research for the department is subject to the same requirements and restrictions imposed on contract providers.
Department duties. Under existing law, the department has several duties with regard to the student PII that the department collects from LEPs. The bill adds to these duties by requiring the department, before it releases student PII to a person or entity that is conducting research, to enter into an agreement with the researcher that includes the same requirements and restrictions that are included in a contract with a contract provider. The department also must maintain on its website a detailed list of the vendors, researchers, researcher organizations, and government agencies with which it has agreements for the release of student PII.
The bill requires the department to create a sample student information privacy and protection policy and sample school service provider contract language that LEPs may choose to use. The department must make training materials and, upon request, training services, available to LEPs for training employees with regard to student information security and privacy.
Each LEP must adopt a student information privacy and protection policy, make copies available to parents upon request, and post the policy on its website.
Contract provider duties. Each contract provider must provide clear information concerning the student PII it collects and how it uses and shares the student PII. The contract provider must provide the information to the department and each LEP (public education entity) with which it contracts and post the information on its website. Each contract provider must help an LEP access and correct any factually inaccurate student PII that the contract provider holds. A contract provider may collect and use student PII only for the purposes authorized by the contract and must obtain parental consent to use a student's data in a manner that is inconsistent with the contract.
A contract provider cannot sell student PII; use or share student PII for use in targeted advertising; or use student PII to create a profile, except for purposes authorized by the contracting public education entity or with parental consent. A contract provider may use student PII for specified purposes. A contract provider may share student PII with a subcontractor, and a subcontractor may share with a subsequent subcontractor, only if the subcontractor or subsequent subcontractor is, by contract, subject to the restrictions and limitations imposed on the contract provider. If a subcontractor commits a material breach that involves the misuse or unauthorized release of student PII, the public education entity must terminate the contract with the contract provider unless the contract provider terminates the contract with the subcontractor.
Each contract provider must maintain a comprehensive information security program and must destroy student PII at the request of a contracting public education entity, unless the student's parent consents to retaining the student PII or the student has transferred to another public education entity that requests retention of the student PII. Each contract provider must destroy all student PII in accordance with the terms of the contract.
The bill describes some ways in which a contract provider may use student PII that are exceptions to the restrictions in the bill.
Parents' rights. The bill recognizes a parent's right to inspect and review his or her child's student PII; to request a paper or electronic copy of his or her child's student PII; and to request corrections to factually inaccurate student PII that an LEP maintains.
The governing board of each LEP must adopt a policy for hearing complaints from parents concerning the LEP's compliance with the bill.