Prohibits the release of personally identifiable student information where parental consent is not provided.
TITLE OF BILL: An act to amend the education law, in relation to the release of personally identifiable student information
PURPOSE OR GENERAL IDEA OF BILL:
This bill would protect student privacy by prohibiting the release of personally identifiable information about individual students to third parties unless there is parental consent, or a student who is 18 or older consents, or unless certain exceptions apply.
SUMMARY OF SPECIFIC PROVISIONS:
Section one of the bill creates a new section 3212-b of the Education Law entitled "Release of personally identifiable student information." Subdivision one defines several terms as they are defined in the federal regulations that relate to privacy of student records (34 C.F.R. 99.3, the FERPA regulations), as well as defining other terms. Subdivision 2 prohibits the release of personally identifiable student information to third parties without parental consent (or student consent, if the student is 18 or older), unless one of the exceptions set out in subdivision 2 applies.
Subdivision 3 of new section 3212-b requires that detailed records be kept of all non-consensual disclosures made under subdivision 2, i.e., disclosures made under one of the exceptions set out in new section 3212-b(2)(a) through (f). Subdivision 4 sets out notice requirements for non-consensual disclosures made pursuant to new section 3212-b(2)(d), relating to disclosure for research studies, or new section 3212-b(2)(e), relating to state or federal audits or other evaluations under state or federal law. Subdivision 5 addresses the content of notification and consent forms.
Subdivision 6 of new section 3212-b provides for audits by the State Comptroller and subdivision 8 authorizes the State Attorney General to enforce compliance with the requirements of new section 3212-b. Other subdivisions provide sanctions for violation, require data systems to meet FTC data privacy and safeguarding standards, and provide that the new section does not limit administrative use of school records, based on a showing of appropriate need, by school employees, school boards or other government entities or employees.
New York and several other states have recently agreed to share confidential student information with corporate entities related to the Gates Foundation and the News Corporation (owned by Rupert Murdoch). The shared data will include children's personal information, including name, address, test scores, disciplinary and attendance records, race, ethnicity, disabilities, and other highly sensitive information. The data will be used for a variety of purposes and will be made available to commercial vendors to help them develop and market their learning products. Neither parents nor students have any ability to opt out of having this sensitive personal data shared with corporate entities, one of which is a subsidiary of the News Corporation. It is critical that there be safeguards on the release of sensitive and personal information about students, and that parental or student consent should be part of any process of releasing personally identifiable student information to third parties. This legislation would establish procedures and standards that provide for consent and appropriate safeguards.
PRIOR LEGISLATIVE HISTORY:
None to the state.
This act shall take effect on July 1, 2013.
STATE OF NEW YORK
4284
2013-2014 Regular Sessions
IN SENATE
March 19, 2013
Introduced by Sen. GRISANTI -- read twice and ordered printed, and when printed to be committed to the Committee on Education
AN ACT to amend the education law, in relation to the release of personally identifiable student information
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The education law is amended by adding a new section 3212-b to read as follows:
S 3212-B. RELEASE OF PERSONALLY IDENTIFIABLE STUDENT INFORMATION.
1. DEFINITIONS. AS USED IN THIS SECTION:
(A) "DIRECTORY INFORMATION" SHALL MEAN, BUT NOT BE LIMITED TO, THE STUDENT'S NAME; ADDRESS; TELEPHONE LISTING; ELECTRONIC MAIL ADDRESS; PHOTOGRAPH; DATE AND PLACE OF BIRTH; MAJOR FIELD OF STUDY; GRADE LEVEL; ENROLLMENT STATUS (UNDERGRADUATE OR GRADUATE, FULL-TIME OR PART-TIME); DATES OF ATTENDANCE; PARTICIPATION IN OFFICIALLY RECOGNIZED ACTIVITIES AND SPORTS; WEIGHT AND HEIGHT OF MEMBERS OF ATHLETIC TEAMS; DEGREES, HONORS, AND AWARDS RECEIVED; THE MOST RECENT EDUCATIONAL AGENCY OR INSTITUTION ATTENDED; STUDENT ID NUMBER, USER ID, OR OTHER UNIQUE PERSONAL IDENTIFIER USED BY A STUDENT FOR PURPOSES OF ACCESSING OR COMMUNICATING IN ELECTRONIC SYSTEMS, BUT ONLY IF THE IDENTIFIER CANNOT BE USED TO GAIN ACCESS TO EDUCATION RECORDS EXCEPT WHEN USED IN CONJUNCTION WITH ONE OR MORE FACTORS THAT AUTHENTICATE THE USER'S IDENTITY, SUCH AS A PERSONAL IDENTIFICATION NUMBER (PIN), PASSWORD OR OTHER FACTOR KNOWN OR POSSESSED ONLY BY THE AUTHORIZED USER; AND A STUDENT ID NUMBER OR OTHER UNIQUE PERSONAL IDENTIFIER THAT IS DISPLAYED ON A STUDENT ID BADGE, BUT ONLY IF THE IDENTIFIER CANNOT BE USED TO GAIN ACCESS TO EDUCATION RECORDS EXCEPT WHEN USED IN CONJUNCTION WITH ONE OR MORE FACTORS THAT AUTHENTICATE THE USER'S IDENTITY, SUCH AS A PIN, PASSWORD, OR OTHER FACTOR KNOWN OR POSSESSED ONLY BY THE AUTHORIZED USER.
(B) "PERSONALLY IDENTIFIABLE STUDENT INFORMATION" SHALL MEAN, BUT NOT LIMITED TO, THE STUDENT'S NAME; THE NAME OF THE STUDENT'S PARENT OR OTHER FAMILY MEMBERS; THE ADDRESS OF THE STUDENT OR STUDENT'S FAMILY; A PERSONAL IDENTIFIER, SUCH AS THE STUDENT'S SOCIAL SECURITY NUMBER, STUDENT NUMBER, OR BIOMETRIC RECORD; OTHER INDIRECT IDENTIFIERS, SUCH AS THE STUDENT'S DATE OF BIRTH, PLACE OF BIRTH, AND MOTHER'S MAIDEN NAME; OTHER INFORMATION THAT, ALONE OR IN COMBINATION, IS LINKED OR LIKABLE TO A SPECIFIC STUDENT THAT WOULD ALLOW A REASONABLE PERSON IN THE SCHOOL COMMUNITY, WHO DOES NOT HAVE PERSONAL KNOWLEDGE OF THE RELEVANT CIRCUMSTANCES, TO IDENTIFY THE STUDENT WITH REASONABLE CERTAINTY; OR INFORMATION REQUESTED BY A PERSON WHO THE EDUCATIONAL AGENCY OR INSTITUTION REASONABLY BELIEVES KNOWS THE IDENTITY OF THE STUDENT TO WHOM THE EDUCATION RECORD RELATES.
(C) "BIOMETRIC RECORD", AS USED IN THE DEFINITION OF "PERSONALLY IDENTIFIABLY STUDENT INFORMATION", SHALL MEAN A RECORD OF ONE OR MORE MEASURABLE BIOLOGICAL OR BEHAVIORAL CHARACTERISTICS THAT CAN BE USED FOR AUTOMATED RECOGNITION OF AN INDIVIDUAL, INCLUDING FINGERPRINTS, RETINA AND IRIS PATTERNS, VOICEPRINTS, DNA SEQUENCE, FACIAL CHARACTERISTICS, AND HANDWRITING.
(D) "STUDENT" SHALL MEAN ANY PERSON WITH RESPECT TO WHOM AN EDUCATIONAL AGENCY OR INSTITUTION MAINTAINS EDUCATION RECORDS OR PERSONALLY IDENTIFIABLE INFORMATION, BUT DOES NOT INCLUDE A PERSON WHO HAS NOT BEEN IN ATTENDANCE AT SUCH AGENCY OR INSTITUTION.
(E) "SCHOOL" SHALL MEAN ANY PUBLIC OR PRIVATE ELEMENTARY OR SECONDARY SCHOOL OR COLLEGE AS DEFINED IN SECTION TWO OF THIS CHAPTER.
2. NEITHER THE DEPARTMENT, DISTRICT BOARDS OF EDUCATION, NOR SCHOOLS SHALL DISCLOSE ANY PERSONALLY IDENTIFIABLE STUDENT INFORMATION TO ANY THIRD PARTY WITHOUT PARENTAL CONSENT, OR IN THE CASE OF STUDENTS EIGHTEEN YEARS OF AGE OR OLDER THE CONSENT OF THE STUDENT, EXCEPT WHERE:
(A) DISCLOSURE IS REQUIRED BY LAW; OR
(B) DISCLOSURE IS PURSUANT TO A COURT ORDER OR SUBPOENA; OR
(C) DISCLOSURE IS TO A THIRD PARTY PURSUANT TO A CONTRACT WHEREBY THE ENTITY IS PERFORMING ADMINISTRATIVE, TECHNICAL OR TRANSACTIONAL FUNCTIONS THAT WOULD EITHER BE PERFORMED BY EMPLOYEES OF THE STATE DEPARTMENT OF EDUCATION, DISTRICT BOARD OF EDUCATION OR SCHOOL, PROVIDED THAT SAID CONTRACTOR:
(1) AGREES NOT TO DISCLOSE OR USE THE PERSONALLY IDENTIFIABLE STUDENT INFORMATION FOR ANY OTHER PURPOSES;
(2) MAINTAINS REASONABLE ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PERSONALLY IDENTIFIABLE STUDENT INFORMATION; AND
(3) INDEMNIFIES THE DEPARTMENT, DISTRICT BOARD OF EDUCATION OR SCHOOL FOR ANY DAMAGES DUE TO A VIOLATION OF THIS SECTION; OR
(D) DISCLOSURE IS TO A THIRD PARTY FOR THE PURPOSE OF A RESEARCH STUDY CARRIED OUT BY OR ON THE BEHALF OF THE DEPARTMENT, DISTRICT BOARD OF EDUCATION OR SCHOOL; OR
(E) DISCLOSURE IS FOR THE PURPOSE OF A STATE OR FEDERAL AUDIT OR EVALUATION BY ENTITIES AUTHORIZED UNDER STATE OR FEDERAL LAW; OR
(F) DISCLOSURE IS NECESSARY DUE TO A HEALTH OR SAFETY EMERGENCY.
3. DETAILED RECORDS OF ALL NON-CONSENSUAL DISCLOSURES PURSUANT TO SUBDIVISION TWO OF THIS SECTION SHALL BE INCLUDED IN THE CORRESPONDING STUDENT'S EDUCATIONAL RECORDS.
4. WHERE THE DEPARTMENT, DISTRICT BOARD OF EDUCATION OR SCHOOL MAKES A DISCLOSURE PURSUANT TO PARAGRAPH (D) OF SUBDIVISION TWO OF THIS SECTION AND PURSUANT TO PARAGRAPH (E) OF SUBDIVISION TWO OF THIS SECTION WHERE PRACTICABLE, IT SHALL POST ON ITS WEBSITE, SEND HOME VIA MAIL AND MAKE OTHERWISE PUBLICLY AVAILABLE:
(A) THE PARTICULAR TYPE OR TYPES OF PERSONALLY IDENTIFIABLE STUDENT INFORMATION ARE TO BE DISCLOSED;
(B) THE ENTITY TO WHICH THE DISCLOSURE IS TO BE MADE;
(C) THE PURPOSE OF THE STUDY, AUDIT OR EVALUATION AND WHY THE DISCLOSURE IS NECESSARY FOR ITS COMPLETION;
(D) THE SPECIFIC TIME FRAME DURING WHICH THE PERSONALLY IDENTIFIABLE STUDENT INFORMATION WILL BE UTILIZED AND THEN SECURELY DESTROYED;
(E) THE ENTITY'S ASSURANCE OF COMPLIANCE WITH ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS, INCLUDING ALL THE FEDERAL AND STATE DATA PRIVACY AND DATA SAFEGUARDING RULES THE DEPARTMENT, DISTRICT BOARD OF EDUCATION AND SCHOOLS ARE SUBJECT TO, TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PERSONALLY IDENTIFIABLE STUDENT INFORMATION; AND
(F) THE ENTITY'S INDEMNIFICATION OF THE DEPARTMENT, DISTRICT BOARD OF EDUCATION OR SCHOOL FOR ANY VIOLATION OF THIS SECTION.
5. NOTIFICATION AND CONSENT FORMS SHALL INCLUDE:
(A) THE SCOPE, PURPOSE AND ALLOWABLE USES OF THE PERSONALLY IDENTIFIABLE STUDENT INFORMATION;
(B) THE RISK OF DATA BREACHES AND THE REASONABLE ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS USED TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PERSONALLY IDENTIFIABLE STUDENT INFORMATION; AND
(C) INFORMATION REGARDING WHO IS LEGALLY AND FINANCIALLY RESPONSIBLE SHOULD THERE BE A VIOLATION OF THIS SECTION.
6. THE STATE COMPTROLLER SHALL CARRY OUT REGULAR AUDITS TO ENSURE PROPER PROCEDURES HAVE BEEN USED; RELEVANT NOTIFICATIONS AND CONSENT FORMS ARE COMPLETED; AND SECURITY AND PRIVACY PROTECTIONS MEASURES USED IN THE STORAGE, TRANSMISSION AND USAGE OF PERSONALLY IDENTIFIABLE STUDENT INFORMATION ARE EFFECTIVE AND ACCURATELY DESCRIBED IN THE NOTIFICATION DOCUMENTS.
7. ANY ORGANIZATION OR COMPANY FOUND IN VIOLATION OF ANY OF THE PROVISIONS OF THIS SECTION SHALL BE PROHIBITED FROM OBTAINING PERSONALLY IDENTIFIABLE STUDENT INFORMATION FOR A PERIOD OF NO LESS THAN FIVE YEARS.
8. THE NEW YORK STATE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO OVERSEE AND ENFORCE COMPLIANCE WITH THIS SECTION AND TO IMPOSE APPROPRIATE PENALTIES ON THOSE FOUND IN VIOLATION OF ANY OF ITS PROVISIONS.
9. ANY DATA SYSTEMS MAINTAINED BY THE STATE OR DISTRICT OR THEIR REPRESENTATIVES SHALL, TO THE MAXIMUM EXTENT PRACTICABLE, CONFORM WITH THE FEDERAL TRADE COMMISSION'S DATA PRIVACY AND DATA SAFEGUARDING RULES.
10. NOTHING IN THIS SECTION SHALL LIMIT THE ADMINISTRATIVE USE OF SCHOOL RECORDS BY A PERSON ACTING EXCLUSIVELY IN THE PERSON'S CAPACITY AS AN EMPLOYEE OF A SCHOOL, A BOARD OF EDUCATION OR OF THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT OR THE FEDERAL GOVERNMENT THAT DEMONSTRATES AN APPROPRIATE NEED FOR THE INFORMATION.
S 2. This act shall take effect July 1, 2013 and shall apply to school years beginning with the 2013-2014 academic year.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD09672-03-3