Prohibited Information
The new statute prohibits schools from collecting or storing the following categories of data:
- biometric information
- political affiliation
- religion
- voting history
Restrictions on Information Disclosure
The Act also prohibits schools from sharing "personally identifiable student data," which includes, but is not limited to, the following:
- A student's name
- The name of the student's parent or other family member
- An address of the student or student's family
- A personal identifier, such as the student's Social Security number or unique student identifier
- Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name
- Other information that, alone or in combination, would allow a reasonable person to identify the student with reasonable certainty
- Other information requested by a person who the Department of Public Instruction or local school administrative unit reasonably believes knows the identity of the student to whom the education record relates
image dcJohn / foter.com |
The Act requires local school boards to provide parents, on an annual basis, with information about how state and federal privacy laws and regulations apply to school records and student data, including parental rights and opt-out opportunities relating to disclosure of directory information (as provided under FERPA) and surveys (covered by the Protection of Pupil Rights Amendment, 20 U.S.C. § 1232h).
New Rules and Procedures
The statute requires the State Board of Education to create more clearly defined rules and procedures for the safeguarding and use of student data. Among other things, the statute requires the State Board of Education to develop a detailed data security plan that includes the following:
- Guidelines for authorizing access to the student data system and to individual student data, including guidelines for authentication of authorized access
- Privacy compliance standards
- Privacy and security audits
- Breach planning, notification, and procedures
- Data retention and disposition policies
- Data security policies, including electronic, physical, and administrative safeguards such as data encryption and training of employees
The statute adds language to Article 29 of Chapter 115C of the General Statutes, which applies to public elementary and secondary schools. Therefore, private schools, colleges, and universities appear to be unaffected.
Widespread Support
The bill arose from a recommendation by the Joint Legislative Oversight Committee on Information Technology, and was unanimously approved by both houses of the General Assembly.
More Information
You can read the full text of the new statute here.