HB 5444 & Recent Changes to the Law (June 2018)
In June 2018 Governor Malloy signed into law HB 5444, which amends the state’s student data privacy statute, enacted in 2016.
Changes to the Law
For reference, see the General Assembly page regarding the bill. That page provides the full text of the bill as well as a bill analysis (i.e., executive summary). Most pertinent to school leaders are the following changes:
- Calls on the Connecticut Commission for Educational Technology (CET) to create a student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to the student data privacy law. This is essentially an updated version of the Student Data Privacy Pledge (http://bit.ly/CTSDPP). CET is preparing this for district use for contracts entered into or renewed on or after July 1.
- Creates a disaster recovery exception for deleting student data.
- Creates an exception for software used for special education needs.
- Removes the electronic notification requirement (but districts still need to maintain Web listings of software).
- Requires reporting to CET on the use of software that does not comply with the law. CET is currently developing an automated approach to this requirement.
Public Act 16-189
On October 1st, 2016, Connecticut Public Act 16-189 Concerning Student Data Privacy came into effect. The Act sets forth minimum standards that boards of education, contractors, and 3rd party online services who work with or have access to student data must follow with regard to the protection of student data and the privacy of students. School district requirements in the Act include:
- Contracting Requirements for Boards of Education to adopt new standards in contract language when working with an operator, consultant, and/or 3rd party vendor who is in possession of or has access to student information.
- Electronic Notification must be sent to parents/guardians within 5 days of the board of education executing a contract with a 3rd party vendor who may have access to, collect, and/or store student information. The notification must include the date the contract was executed, a description of the contract and its purpose, and disclosure of what types of student information or student-generated content may be collected. The district must also post this information on its website. The Act places similar restrictions on operators of websites, online services, and mobile apps.
- Data Breach - 3rd Party Contractors/Consultants/Operators must notify Boards of Education within 30 days in the event of unauthorized release of student information and within 60 days in the event of unauthorized release of directory information, student records, or student-generated content. The board of education must notify the parents/guardians/students whose student information, student records, or student-generated content was involved in a data breach upon receiving notice of the data breach or security breach by a contractor. The board of education must also post notice of the breach on its website.
See Shipman & Goodwin’s Overview of Law for additional information and a more detailed summary of these requirements.
- Privacy Information from the office of Educational Technology
- Security Questions to Ask of an Online Service Provider
- EdSurge Product Index: A general edtech software review portal, with some privacy and security information
- Common Sense Media: improves the lives of kids and families by providing independent reviews, age ratings, & other information about all types of media.