On June 9, 2016, Governor Dannel Malloy, who continues to show his commitment to data privacy, signed An Act Concerning Student Data Privacy into law, effective October 1, 2016.
The law requires any local or regional board of education in Connecticut to enter into a written contract with any operator of an internet website, online service or mobile application that is used for school purposes and that will have access to student information, records or student-generated content.
The contractual provisions are specifically enumerated. They require the contractor to have appropriate security measures in place to protect the student data, and they provide that the contractor will be in compliance with FERPA, that it does not own the student information, that students and parents will have access to the data held by the contractor, that there are procedures to follow in the event of an unauthorized access, use or disclosure of the student information, that the information will be returned or destroyed at the end of the contract, and that the contractor cannot use the information for any purpose other than to provide the contracted services.
The new law further requires the local or regional board of education to provide electronic notice of the contract to any student and the parent of a student within five days after signing the contract.
The operators of the internet website, online service or mobile application must implement appropriate security measures that “meet or exceed industry standards” and must delete any student information if requested by a student, parent or the local or regional board of education.
Further, the operator is prohibited from:
- using, selling or collecting any student information it has access to for targeted advertising to the student or the student’s parent
- collecting, storing or using student information other than for school purposes
- selling, renting or trading student information
- disclosing student information except in limited circumstances
Finally, in the event of a security breach that results in the unauthorized release, disclosure or acquisition of student information that does not include student directory information, the operator must provide notification to the local or regional board of education “without unreasonable delay, but not more than thirty days after such discovery” and must also notify the student and the student’s parents.
If the unauthorized access, use or disclosure includes student directory information, the operator must notify the local or regional board of education and the student and the student’s parents within 60 days of discovery.
The law also creates a task force to “study issues relating to student data privacy” which is to be convened no later than October 31, 2016.