on June 27, 2016
Colorado is the latest state to revisit, and expand upon, its laws pertaining
to the use and protection of student data. Colorado Governor John Hickenlooper
recently signed into law House Bill 16-1423 (the “Bill”), designed to increase
the transparency and security of personal information about students enrolled
in Colorado’s public education system (K-12). Described by its sponsors and the
media as “nation-leading” with respect to the extremely broad scope of the
definition of “student personally identifiable information”, the Bill imposes
additional, detailed requirements on the Colorado Department of Education, the
Colorado Charter School Institute, school districts, public schools, and other
local education providers (each, a “Public Education Entity”) and on commercial
software providers (including education application providers) with respect to
the collection, use, and security of student data. In this blog post, we focus
only on the duties of commercial software or education application providers.
What software providers are covered by the Bill?
The Bill primarily covers commercial software providers that enter into a
negotiated agreement for school services with a Public Education Entity
(“School Service Contract Providers”). A school service is “any Internet
website, online service, online application, or mobile application that is
(i) designed and marketed primarily for use in a preschool, elementary school,
or secondary school, (ii) is used at the direction of teachers or other
employees of a local education provider, AND (iii) which collects, maintains,
or uses student personally identifiable information.” A “school service” is
not a website, online service or application, or mobile app designed and
marketed for use by individuals or entities generally, even if it is also
marketed to a U.S. preschool, elementary school or secondary school; the key
question for covered entities will therefore be whether the software or
application is “designed and primarily marketed” for such use.
What type of information is protected by the Bill?
The Bill covers “student
personally identifiable information,” which is very broadly defined as “information
that, alone or in combination, personally identifies an individual student or
the student’s parent or family, and that is collected, maintained, generated,
or inferred by a public education entity, either directly or through a school
service, or by a school service contract provider or school service on-demand
provider.”
What does a “School Service Contract Provider” have to do to comply with the Bill?
Data Use Obligations/Restrictions:
· Collect, use, and share student personally identifiable information (PII)
only (i) for the purposes authorized in the contracts with the Public Education
Entities, or (ii) with the consent of the student (if the student is at least
18 or legally emancipated) or the student’s parent. The consent of the student
or the student’s parent is required before using student PII in a manner that
is materially inconsistent with the provider’s privacy policy or the contract
with the applicable Public Education Entity.
· Not sell student personally identifiable information, except in the event of
a purchase, merger, or other type of acquisition of the provider or any assets
of the provider by another entity, provided that the successor continues to be
subject to all of the requirements of the Bill with respect to the acquired
student PII.
· Not use or share student PII for targeted advertising (defined as “selecting
and sending advertisements to a student based on information obtained or
inferred over time from the student’s online behavior, use of applications, or
personally identifiable information”), with certain exceptions set forth in
the Bill.
· Not use student PII to create a personal profile of a student, except (i) for
supporting purposes authorized by the contracting Public Education Entity or
(ii) with the consent of the student (if the student is at least 18 or legally
emancipated) or the student’s parent.
The Bill contains a list of exceptions to the use and disclosure restrictions
described above (e.g., legal or regulatory compliance purposes and user safety)
and a list of permitted uses of student PII (e.g., to use adaptive learning or
design personalized or customized education, or to maintain, develop, support,
improve, or diagnose a provider’s website, online service, online application,
or mobile application).
Data Transparency:
· Provide to each contracting Public Education Entity (and update to maintain
accuracy) clear information, understandable by a layperson, describing (i) all
of the student PII collected, including aggregated information, (ii) the
learning purpose underlying the collection, and (iii) how the student PII is
used and shared. Notice is also required before making material changes to the
provider’s applicable privacy policy.
· If requested, facilitate access to and correction of any factually inaccurate
student PII held by the provider.
· Upon discovering misuse or unauthorized release of student PII held by the
provider, subcontractors, or subsequent subcontractors, notify the applicable
Public Education Entity as soon as possible, regardless of whether the misuse
or unauthorized release is a result of a material breach of the agreement with
the entity.
· Disclose student PII to a subcontractor (and a subcontractor may share with a
subsequent subcontractor) only if the provider contractually requires the
subcontractor (and the subcontractor requires the subsequent subcontractor) to
comply with specific requirements of the Bill.
Data Security/Destruction:
· Maintain a comprehensive information security program (including appropriate
administrative, technological, and physical safeguards) reasonably designed to
protect the security, privacy, confidentiality, and integrity of student PII.
· Subject to certain exceptions, during and after termination of the agreement
with a Public Education Entity, destroy (defined as “removing student
personally identifiable information so that it is permanently irretrievable in
the normal course of business”) student PII within the time period set forth in
the Bill and notify the applicable entity of the destruction date.
Although the effective date is August 10, 2016, if you are a
“Contract Provider” or an “On-Demand Provider” under the Bill, this is the time
to begin thinking about what kind of changes you may need to make in your
processes and procedures and to put in place an implementation plan to be
compliant with the Bill by its effective date.