Bill Text - HB1612 (2018)

Relative to data security in schools.


Revision: Nov. 13, 2017, 11:54 a.m.

HB 1612 - AS INTRODUCED

 

 

2018 SESSION

18-2480

06/05

 

HOUSE BILL 1612

 

AN ACT relative to data security in schools.

 

SPONSORS: Rep. Cordelli, Carr. 4; Rep. T. Wolf, Hills. 7; Rep. Kurk, Hills. 2; Rep. Ladd, Graf. 4; Rep. V. Sullivan, Hills. 16; Rep. Ferreira, Hills. 28; Rep. Seidel, Hills. 28

 

COMMITTEE: Education

 

-----------------------------------------------------------------

 

ANALYSIS

 

This bill requires each local education agency to:

 

I.  Create and make publicly available an index of data elements containing definitions of certain individual student personally-identifiable data fields.

 

II.  Develop a data security plan.

 

III.  Make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act.

 

IV.  Requires school districts that use digital badges to obtain the written consent of a student's parent or legal guardian.

 

V.  Modifies certain requirements for contracting with operators of Internet websites.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

18-2480

06/05

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Eighteen

 

AN ACT relative to data security in schools.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Paragraph; Student Information Protection and Privacy; Definition; Directory Information.  Amend RSA 189:65 by inserting after paragraph III the following new paragraph:

III-a.  "Directory information" means name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.  

2 Student and Teacher Information Protection; Data Inventory Security Plan.  Amend RSA 189:66 to read as follows:

189:66  Data Inventory and Policies Publication.

I.  The department and each local education agency shall create, maintain, and make publicly available an annually-updated index of data elements containing definitions of individual student personally-identifiable data fields or fields identified in RSA 189:68 currently in the SLDS or any other database maintained by the department[,] or local education agency, or added or proposed to be added thereto, including:

(a)  Any individual student personally-identifiable data required to be reported by state or federal law.

(b)  Any individual student personally-identifiable data which has been proposed for inclusion in the SLDS with a statement explaining the purpose or reason for the proposed collection.

(c)  Any individual student personally-identifiable data that the department collects or maintains.

(d)  Any data identified in RSA 189:68.

II.  The department shall develop a detailed data security plan to present to the state board, the legislative oversight committee established in RSA 193-C:7, and the commissioner of the department of information technology.  Each local education agency shall develop a detailed data security plan to present to the school board.  The plan shall include:

(a)  Privacy compliance standards.

(b)  Privacy and security audits.

(c)  Breach planning, notification, and procedures.

(d)  Data retention and disposition policies.

III.  The security plan shall:

(a)  Require notification as soon as practicable to:

(1)  Any teacher or student whose personally identifiable information could reasonably be assumed to have been part of any data security breach, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the integrity of the data system; and

(2)  The governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee established in RSA 193-C:7, and commissioner of the department of information technology.

(b)  Require the department to issue an annual data security breach report to the governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee established in RSA 193-C:7, and commissioner of the department of information technology.  The breach report shall also be posted to the department's public Internet website and shall not include any information that itself would pose a security threat to a database or data system.  The report shall include:

(1)  The name of the organization reporting the breach.

(2)  Any types of personal information that were or are reasonably believed to have been the subject of a breach.

(3)  The date, estimated date, or date range of the breach.

(4)  A general description of the breach incident.

(5)  The estimated number of students and teachers affected by the breach, if any.

(6)  Information about what the reporting organization has done to protect individuals whose information has been breached.

IV.  The department and each local education agency shall make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g, et seq., and applicable state law including:

(a)  The right to inspect and review the student's education records within 14 days after the day the school receives a request for access.

(b)  The right to request amendment of a student's education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student's privacy rights under FERPA.

(c)  The right to provide written consent before the school discloses student personally identifiable data, including directory information, from the student's education records, provided in applicable state and federal law.

(d)  The right to file a complaint with the Family Policy Compliance Office in the United States Department of Education concerning alleged failures to comply with the requirements of FERPA.

3  Student and Teacher Information Protection; Student Online Personal Information.  Amend RSA 189:68-a to read as follows:

189:68-a  Student Online Personal Information.  

I.  For the purposes of this section:

(a)  "Operator'' means the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.

(b)  "Covered information'' means personally identifiable information or materials, in any media or format that meets any of the following:

(1)  Is created or provided by a student, or the student's parent or legal guardian, to an operator in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K-12 school purposes.

(2)  Is created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator.

(3)  Is gathered by an operator through the operation of a site, service, or application described in subparagraph (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student's educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.

(c)  "K-12 school purposes'' means purposes that customarily take place at the direction of the K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, student assessment, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.

(d)  "Online service'' includes cloud computing services, which shall comply with this section if they otherwise meet the definition of an operator.

(e)  "Digital badges" mean digital credentials or indicators that convey an array of skills, interests, competencies, and achievements.

II.(a)  No operator shall knowingly engage in any of the following activities with respect to their site, service, or application:

(1)  Targeted advertising on the operator's site, service, or application, or targeted advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application.

(2)  Use of information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a K-12 student.

(3)  Sale, lease, rent, trade, or otherwise make available a student's information, including covered information.  This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.

(4)  Disclosing protected information unless the disclosure is made to respond to or participate in judicial process.

(5)  Observing services to detect, characterize, or quantify behaviors, including but not limited to, question response times.

(b)  An operator shall:

(1)  Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.

(2)  Delete a student's covered information if the school or district requests deletion of data under the control of the school or district or upon termination of the contract.

(c)  Nothing in this section shall prohibit an operator from using de-identified student covered information as follows:

(1)  Within the operator's site, service, or application or other sites, services, or applications owned by the operator to improve educational products.

(2)  To demonstrate the effectiveness of the operator's products or services, including in its marketing.

(d)  Nothing in this section shall prohibit an operator from sharing aggregated de-identified student covered information for the development and improvement of educational sites, services, or applications.

II-a.  No school shall enter into a contract with an operator or implement the use of digital badges without the approval of the school board.

II-b.  Any school district that uses digital badges for students shall adopt a policy for notifying a parent or legal guardian of such use and shall require the written consent of the parent or legal guardian for the student's participation.

III.  This section shall not apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications.

IV.  This section shall not limit Internet service providers from providing Internet connectivity to schools or students and their families.

V.  This section shall not be construed to prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.

VI.  This section shall not be construed to impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software.

VII.  This section shall not be construed to impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. section 230, to review or enforce compliance with this section by third-party content providers.

VIII.  This section shall not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.

IX.  The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

4  Effective Date.  This act shall take effect 60 days after its passage.

HB 1612 - AS INTRODUCED

 

 

2018 SESSION

18-2480

06/05

 

HOUSE BILL 1612

 

AN ACT relative to data security in schools.

 

SPONSORS: Rep. Cordelli, Carr. 4; Rep. T. Wolf, Hills. 7; Rep. Kurk, Hills. 2; Rep. Ladd, Graf. 4; Rep. V. Sullivan, Hills. 16; Rep. Ferreira, Hills. 28; Rep. Seidel, Hills. 28

 

COMMITTEE: Education

 

-----------------------------------------------------------------

 

ANALYSIS

 

This bill requires each local education agency to:

 

I.  Create and make publicly available an index of data elements containing definitions of certain individual student personally-identifiable data fields.

 

II.  Develop a data security plan.

 

III.  Make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act.

 

IV.  Requires school districts that use digital badges to obtain the written consent of a student's parent or legal guardian.

 

V.  Modifies certain requirements for contracting with operators of Internet websites.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

18-2480

06/05

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Eighteen

 

AN ACT relative to data security in schools.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Paragraph; Student Information Protection and Privacy; Definition; Directory Information.  Amend RSA 189:65 by inserting after paragraph III the following new paragraph:

III-a.  "Directory information" means name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.  

2 Student and Teacher Information Protection; Data Inventory Security Plan.  Amend RSA 189:66 to read as follows:

189:66  Data Inventory and Policies Publication.

I.  The department and each local education agency shall create, maintain, and make publicly available an annually-updated index of data elements containing definitions of individual student personally-identifiable data fields or fields identified in RSA 189:68 currently in the SLDS or any other database maintained by the department[,] or local education agency, or added or proposed to be added thereto, including:

(a)  Any individual student personally-identifiable data required to be reported by state or federal law.

(b)  Any individual student personally-identifiable data which has been proposed for inclusion in the SLDS with a statement explaining the purpose or reason for the proposed collection.

(c)  Any individual student personally-identifiable data that the department collects or maintains.

(d)  Any data identified in RSA 189:68.

II.  The department shall develop a detailed data security plan to present to the state board, the legislative oversight committee established in RSA 193-C:7, and the commissioner of the department of information technology.  Each local education agency shall develop a detailed data security plan to present to the school board.  The plan shall include:

(a)  Privacy compliance standards.

(b)  Privacy and security audits.

(c)  Breach planning, notification, and procedures.

(d)  Data retention and disposition policies.

III.  The security plan shall:

(a)  Require notification as soon as practicable to:

(1)  Any teacher or student whose personally identifiable information could reasonably be assumed to have been part of any data security breach, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the integrity of the data system; and

(2)  The governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee established in RSA 193-C:7, and commissioner of the department of information technology.

(b)  Require the department to issue an annual data security breach report to the governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee established in RSA 193-C:7, and commissioner of the department of information technology.  The breach report shall also be posted to the department's public Internet website and shall not include any information that itself would pose a security threat to a database or data system.  The report shall include:

(1)  The name of the organization reporting the breach.

(2)  Any types of personal information that were or are reasonably believed to have been the subject of a breach.

(3)  The date, estimated date, or date range of the breach.

(4)  A general description of the breach incident.

(5)  The estimated number of students and teachers affected by the breach, if any.

(6)  Information about what the reporting organization has done to protect individuals whose information has been breached.

IV.  The department and each local education agency shall make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g, et seq., and applicable state law including:

(a)  The right to inspect and review the student's education records within 14 days after the day the school receives a request for access.

(b)  The right to request amendment of a student's education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student's privacy rights under FERPA.

(c)  The right to provide written consent before the school discloses student personally identifiable data, including directory information, from the student's education records, provided in applicable state and federal law.

(d)  The right to file a complaint with the Family Policy Compliance Office in the United States Department of Education concerning alleged failures to comply with the requirements of FERPA.

3  Student and Teacher Information Protection; Student Online Personal Information.  Amend RSA 189:68-a to read as follows:

189:68-a  Student Online Personal Information.  

I.  For the purposes of this section:

(a)  "Operator'' means the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.

(b)  "Covered information'' means personally identifiable information or materials, in any media or format that meets any of the following:

(1)  Is created or provided by a student, or the student's parent or legal guardian, to an operator in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K-12 school purposes.

(2)  Is created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator.

(3)  Is gathered by an operator through the operation of a site, service, or application described in subparagraph (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student's educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.

(c)  "K-12 school purposes'' means purposes that customarily take place at the direction of the K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, student assessment, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school.

(d)  "Online service'' includes cloud computing services, which shall comply with this section if they otherwise meet the definition of an operator.

(e)  "Digital badges" mean digital credentials or indicators that convey an array of skills, interests, competencies, and achievements.

II.(a)  No operator shall knowingly engage in any of the following activities with respect to their site, service, or application:

(1)  Targeted advertising on the operator's site, service, or application, or targeted advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application.

(2)  Use of information, including persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a K-12 student.

(3)  Sale, lease, rent, trade, or otherwise make available a student's information, including covered information.  This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.

(4)  Disclosing protected information unless the disclosure is made to respond to or participate in judicial process.

(5)  Observing services to detect, characterize, or quantify behaviors, including but not limited to, question response times.

(b)  An operator shall:

(1)  Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.

(2)  Delete a student's covered information if the school or district requests deletion of data under the control of the school or district or upon termination of the contract.

(c)  Nothing in this section shall prohibit an operator from using de-identified student covered information as follows:

(1)  Within the operator's site, service, or application or other sites, services, or applications owned by the operator to improve educational products.

(2)  To demonstrate the effectiveness of the operator's products or services, including in its marketing.

(d)  Nothing in this section shall prohibit an operator from sharing aggregated de-identified student covered information for the development and improvement of educational sites, services, or applications.

II-a.  No school shall enter into a contract with an operator or implement the use of digital badges without the approval of the school board.

II-b.  Any school district that uses digital badges for students shall adopt a policy for notifying a parent or legal guardian of such use and shall require the written consent of the parent or legal guardian for the student's participation.

III.  This section shall not apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications.

IV.  This section shall not limit Internet service providers from providing Internet connectivity to schools or students and their families.

V.  This section shall not be construed to prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section.

VI.  This section shall not be construed to impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software.

VII.  This section shall not be construed to impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. section 230, to review or enforce compliance with this section by third-party content providers.

VIII.  This section shall not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.

IX.  The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

4  Effective Date.  This act shall take effect 60 days after its passage.