On June 9, 2016, Governor Malloy signed into law Public Act 16-189, “An Act Concerning Student Data Privacy” (the “Act”), which ushers in sweeping changes to the protection and use of student data. As schools increasingly turn to software, web-based learning, mobile apps, cloud computing and other electronic methods to improve student outcomes and the educational experience, the Act sets forth minimum privacy and contractual standards for all parties involved in the creation, use, or handling of student data. Unless otherwise noted, the Act’s requirements are effective October 1, 2016.

Shipman & Goodwin LLP’s School Law Practice Group and Privacy and Data Protection Group have collaborated to prepare this Alert to inform local and regional boards of education of the new requirements and to address what we anticipate will be commonly asked questions.
Requirements for Boards of Education: Contracting and Notice
Contracting. The most significant feature of the law for boards of education is the adoption of new standards for contracts between a board and a contractor, who, by statutory definition, is “an operator or consultant that is in possession of or has access to student information, student records or student-generated content as a result of a contract with a local or regional board of education.”  Under the Act, every contract that a board of education enters into with a contractor,1 beginning October 1, 2016, must include the following elements:
  • a statement that student records,2 student information,3 and student-generated content (collectively, “student data”) are not the property of, or under the control of, a software or electronic service contractor;
  • a description of the means by which a local or regional board of education may request the deletion of student information, student records, or student-related content in the possession of the contractor;
  • a statement that the contractor will not use student information, student records, or student-generated content for any purposes other than those authorized pursuant to the contract;
  • a description of the procedures by which a student, parent, or guardian may (a) review personally identifiable information in student records, student information, or student-generated content and (b) correct erroneous information, if any;
  • a statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, student records, and student-generated content;
  • a description of the procedures that a contractor will follow for notifying a local or regional board of education when there has been an unauthorized release, disclosure, or acquisition of student information, student records, or student-generated content;
  • a statement that the student information, student records, or student-generated content shall not be retained or available to the contractor upon completion of the contracted services unless a student, or parent or legal guardian of a student, chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content;
  • a statement that the contractor and the local or regional board of education will ensure compliance with the federal Family Educational Rights and Privacy Act of 1974 (FERPA);
  • a statement that Connecticut law governs the rights and duties of all parties to the contract; and
  • a statement that a court finding of invalidity for any contract provision does not invalidate other contract provisions or applications that are not affected by the finding.
The Act voids any contract entered into on and after October 1, 2016 that fails to include the above requirements, and voids any contractual provision that conflicts with such requirements.
Notice of Contract to Students and Parents.  Within five (5) business days of executing a contract with a contractor, the local or regional board of education must provide electronic notice to any student and the parent or legal guardian of a student affected by the contract, and it must post such notice on its website. Each notice shall:
  • provide the date that the contract was executed;
  • provide a brief description of the contract and its purpose; and
  • explain what student information, student records, or student-generated content may be collected as a result of the contract.
48-hour Notice of Breach of Security. Upon receipt of notice of a breach of security by a contractor, a board of education must, within forty-eight (48) hours, notify the students and the parents or guardians of the students whose student information, student records, or student-generated content was involved in such breach. The local or regional board of education must also post notice of the breach on its website.
Requirements for Contractors: Restrictions and Data Breaches
In addition to the contractual requirements discussed in the above section, the Act also imposes requirements upon contractors with respect to their use of student information and obligations in the event of a data breach.  While the Act does not specify that these restrictions must be in the contract, a board may wish to include these provisions to ensure the contractor is appropriately notified of its legal obligations.
Restrictions on Use. The Act specifies that all student-generated content remains the property of the student or the student’s parent or legal guardian.  It specifies that contractors must implement and maintain security procedures and practices designed to protect student information, student records, and student-generated content from unauthorized access, destruction, use, modification, or disclosure in a manner consistent with federal law and industry standards.
Further, the Act prohibits contractors from using student records for any purposes other than those the contract authorizes.  The Act also prohibits contractors from using personally identifiable information contained in student records for targeted advertising.
Data Breaches
30-Day notification period in event of unauthorized release of student information
Upon the discovery of a breach of security that results in the unauthorized release of student information (excluding directory information),5 a contractor must notify the board of education of such breach without unreasonable delay, and in no case later than thirty (30) days from discovery of the breach. During that 30-day period, the contractor may (1) conduct an investigation to determine the scope of the unauthorized release and the identity of the students whose information was compromised or (2) restore the integrity of the contractor’s data system.
60-Day notification period in event of unauthorized release of directory information, student records, or student-generated content
Upon the discovery of a breach of security that results in the unauthorized release of directory information, student records, or student-generated content, the contractor must notify the board of education without unreasonable delay and in no case later than sixty (60) days from discovery of the breach. During the 60-day period, the contractor may (1) conduct an investigation to determine the scope of the unauthorized release and the identity of the students whose information was compromised or restore the integrity of the contractor’s data system, or (2) restore the reasonable integrity of the contractor’s data system.
We expect that some boards of education may desire to contract for more prompt notice of a breach of security.
Requirements for Website, Online Service and Mobile App Operators
The Act imposes restrictions on operators of certain websites, online services and mobile apps6 similar to those placed on contractors. See “Restrictions on Use” above. In addition, the Act prohibits operators from:
  • engaging in targeted advertising using student data that the operator acquired because of use of the operator’s web site, online service, or mobile application for school purposes;7
  • storing or collecting student information, student records, or student-generated content for anything other than school purposes; and
  • selling or trading student data to third parties under most circumstances.
However, operators may use de-identified8 student information for a variety of purposes such as maintaining their websites, providing user recommendations and feedback, responding to a user request for information, marketing their applications, and developing other websites or applications.
Action Items
In most instances, these significant additions to Connecticut law will require boards of education to modify their contracting processes and to adopt or revise policies and procedures to address the Act’s requirements.  Specifically, boards of education should consider the following action items:
  • Conduct an in-district inventory of all internet websites, online services, and mobile applications teachers in the district are using in conjunction with the education of students;
  • Prepare a draft contract and student/parent notice of contracts that will be posted on the district’s website and sent electronically to students/parents;
  • Review Requests for Proposal (RFP) documents and templates to ensure that the documents requested from potential vendors contain information on the privacy topics addressed in the Act, so that the board of education can incorporate privacy concerns in its decision-making process;
  • Consider implementing a data privacy screening tool for potential vendors, which may or may not be included as part of an RFP. The screening tool can provide some assurances to boards of education that vendors are aware of the requirements and have taken action to comply with them;
  • Review and consider revision to the board’s Student Records Policy to ensure compliance with the Act and relevant provisions of FERPA;
  • Develop a preferred description of the actions the board of education will expect a contractor to take to ensure student record security and confidentiality, including administrative, physical and technical standards; and
  • Prepare a procedure to govern who is responsible for receiving notice of data breaches and how the district will respond to such notification.
The School Law Practice Group is in the process of revising our Model Student Records Policy and Administrative Regulations, and drafting sample contracts and notices in relation to the Act. For further information or to discuss how these issues may impact you or your constituents, please contact Ben FrazziniKendrick (860-251-5182 or bfrazzinikendrick@goodwin.com); William J. Roberts (860-251-5051 or wroberts@goodwin.com); or Gwen J. Zittoun (860-251-5523 or gzittoun@goodwin.com).

The Act defines “contractors” as “an operator or consultant that is in possession of or has access to student information, student records or student-generated content as a result of a contract with a local or regional board of education.”
It defines an “operator” as “any person who (A) operates an Internet web site, online service or mobile application with actual knowledge that such Internet web site, online service or mobile application is used for school purposes and was designed and marketed for school purposes, to the extent it is engaged in the operation of such Internet web site, online service or mobile application, and (B) collects, maintains or uses student information.”
It defines “consultant” as “a professional who provides noninstructional services, including, but not limited to, administrative, planning, analysis, statistical or research services, to a local or regional board of education.”
The Act defines “student information” as “personally identifiable information or material of a student in any media or format that is not publicly available and is any of the following: (A) created or provided by a student or the parent or guardian of a student, to the operator in the course of the student, parent or legal guardian using the operator’s Internet web site, online service or mobile application for school purposes, (B) created or provided by an employee or agent of a local or regional board of education to an operator for school purposes, or (C) gathered by an operator through the operation of the operator’s Internet web site, online service or mobile application and identifies a student, including, but not limited to, information in the student’s records or electronic mail account, first or last name, home address, telephone number, date of birth, electronic mail address, discipline records, test results, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, text messages, documents, student identifiers, search activity, photographs, voice recordings, survey responses, or behavioral assessments.”
The Act defines “student records” as “any information that is maintained by a local or regional board of education, the State Board of Education or the Department of Education or any information acquired from a student through the use of educational software assigned to the student by a teacher or employee of a local or regional board of education except ‘student record’ does not include de-identified student information allowed under the contract to be used by a contractor to (A) improve educational products for adaptive learning purposes and customize student learning, (B) demonstrate the effectiveness of the contractor’s products in marketing of such products, and (C) develop and improve the contractor’s products and services.”
The Act defines “student-generated content” as “any student materials created by a student including, but not limited to, essays, research papers, portfolios, creative writing, music or other audio files or photographs, except ‘student-generated content’ does not include student responses to a standardized assessment.”
The Act defines “directory information” in accordance with 34 CFR 99.3 as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” Examples include “the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status; dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.” For more information, see the full text of the regulation.
The Act applies these requirements only to operators of those websites, online services, or mobile applications that are designed, used, and marketed for school purposes and who collect, maintain or use student information.
The Act defines “school purposes” as “activities directed by, or customarily take place at the direction of, a public school teacher or board of education and include classroom or at-home instruction, administrative activities, and collaboration among students, school personnel, or parents or guardians of students.”
The Act defines “de-identified student information” as “any student information that has been altered to prevent the identification of an individual student.”