Tuesday, July 15, 2014

North Carolina Has a New Education Privacy Law

A new education privacy bill was signed into law earlier this month, and became effective immediately.  Formally titled "An Act to Ensure the Privacy and Security of Student Educational Records," (Senate Bill 815, Session Law 2014-50) contains a number of privacy-related provisions.  This post summarizes some of the key aspects of the Act.

Prohibited Information
The new statute prohibits schools from collecting or storing the following categories of data:
  • biometric information
  • political affiliation
  • religion
  • voting history 
The term "biometric information" does not appear to be defined by the Act nor in the larger Article or Chapter.  I assume it covers fingerprints, retina scans, and DNA records.  (It is not perfectly clear to me where the line is drawn, however, between "biometric information" and other identifying information.)

Restrictions on Information Disclosure

The Act also prohibits schools from sharing "personally identifiable student data," which includes, but is not limited to, the following:
  • A student's name
  • The name of the student's parent or other family member
  • An address of the student or student's family
  • A personal identifier, such as the student's Social Security number or unique student identifier
  • Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name
  • Other information that, alone or in combination, would allow a reasonable person to identify the student with reasonable certainty
  • Other information requested by a person who the Department of Public Instruction or local school administrative unit reasonably believes knows the identity of the student to whom the education record relates
However, "personally identifiable student information" does not include "directory information" if the local board of education has provided parents with notice of an opportunity to opt out of the disclosure of that information [consistent with the Family Educational Rights and Privacy Act ("FERPA," 20 U.S.C. § 1232g)].

image dcJohn / foter.com
Parental Rights and Notices

The Act requires local school boards to provide parents, on an annual basis, with information about how state and federal privacy laws and regulations apply to school records and student data, including parental rights and opt-out opportunities relating to disclosure of directory information (as provided under FERPA) and surveys (covered by the Protection of Pupil Rights Amendment, 20 U.S.C. § 1232h).

New Rules and Procedures

The statute requires the State Board of Education to create more clearly defined rules and procedures for the safeguarding and use of student data.  Among other things, the statute requires the State Board of Education to develop a detailed data security plan that includes the following:
  • Guidelines for authorizing access to the student data system and to individual student data, including guidelines for authentication of authorized access
  • Privacy compliance standards
  • Privacy and security audits
  • Breach planning, notification, and procedures
  • Data retention and disposition policies
  • Data security policies, including electronic, physical, and administrative safeguards such as data encryption and training of employees
Covered Schools

The statute adds language to Article 29 of Chapter 115C of the General Statutes, which applies to public elementary and secondary schools.  Therefore, private schools, colleges, and universities appear to be unaffected.  

Widespread Support

The bill arose from a recommendation by the Joint Legislative Oversight Committee on Information Technology, and was unanimously approved  by both houses of the General Assembly.  

More Information

You can read the full text of the new statute here.

Tuesday, July 1, 2014

What's going on with mugshot publication in North Carolina?

Publishing mugshots has become big business, and is now attracting legislative scrutiny.  Critics point out that an innocent person can be arrested and photographed before the charges are dropped, only to find his or her mugshot in the local press or on the internet.  The mugshot might be seen by a potential employer, customer, girlfriend's dad, etc., resulting in reputational and financial loss.  In the most egregious cases, internet mugshot publishers charge a fee to remove an innocent person's mugshot from their website.

A number of states have enacted laws to curb perceived abuses relating to publication of mugshots, and North Carolina's General Assembly is currently considering similar legislation.

Rep. Tim Moffitt (Buncombe County) introduced a bill to prevent any mugshots for misdemeanor charges (not felonies) from being published unless and until the accused person is convicted.  Moffitt explained that "publishing pictures for all the world to see of people arrested for charges that may not be sustained just serves no public purpose.  It’s not journalism and it's not fair – it’s sensationalism to drive web traffic that plays to the worst part of our natures."  Moffitt's bill would create the following new statutory language:
G.S. 15A‑502 is amended by adding a new subsection to read: "(f) A photograph of a person charged with the commission of a misdemeanor or felony taken by a law enforcement officer or agency pursuant to this section is confidential and exempt from disclosure as a public record under Chapter 132 of the General Statutes, except that the photograph may be disclosed to the public if (i) the person is charged with a felony or (ii) the officer or agency determines that release of the photograph is reasonably necessary to secure the public's safety. Any photograph exempt from disclosure under this subsection shall become public upon conviction of the person charged.
Last week, the bill was rewritten and placed in Senate Bill 734.  The new language would require the Administrative Office of the Courts and the Department of Public Safety to study this issue and report back to the General Assembly before the end of 2014.  The revised language reads as follows:
The Administrative Office of the Courts and the Department of Public Safety shall study whether or not photographs of individuals charged with a crime should be a public record, including the admissibility of such photographs, posting on the Internet of such photographs prior to conviction, and any other matters related to the use of photographs of charged individuals. The Administrative Office of the Courts and the Department of Public Safety shall report, with recommendations, to the Joint Legislative Oversight Committee on Justice and Public Safety on or before December 31, 2014.
Similar bills in each house would be more limited, focusing on the mug shot publishers who charge to remove images.  It's unclear at this point which, if any, of the bills will be enacted.

Some commentators have little confidence any legislative action will have much effect.  Mugshot publishers have already proven adept at avoiding similar state laws.