Colorado Gov. John Hickenlooper will have the final say on a bill designed to create more privacy protections around student data.
H.B. 16-1423, or the “Student Data Transparency and Privacy Act” — introduced by state Reps. Alec Garnett and Paul Lundeen, and state Sen. Owen Hill — made it to Hickenlooper’s desk Monday after clearing its final legislative hurdles last week.
The legislation is aimed at changing how the state’s Department of Education and local school districts manage the personally identifiable information of students in Colorado, restricting how outside entities use student data and ensuring that policies governing the information are as transparent as possible.
“The General Assembly recognizes that, with the increasing use of technology in education, it is imperative that information that identifies individual students and their families is vigilantly protected from misappropriation,” lawmakers wrote in a legislative declaration attached to the bill. “The General Assembly also finds, however, that there are many positive ways in which a student’s personally identifiable information may be used to improve the quality of the education the student receives.”
Accordingly, legislators tried to strike a balance between those competing interests with the bill.
The legislation would create a new definition of student personally identifiable information, also known as PII, in state law as “information that, alone or in combination, personally identifies any individual student or the student’s parent or family, and that is collected, maintained, generated or inferred by a public education entity.”
The bill then lays out restrictions, which would take effect Aug. 10, on how companies contracting with school districts or the education department can use student PII.
The legislation would bar anyone from selling, using or sharing student data “for purposes of targeted advertising to students” or creating a “personal profile” for an individual student without the student’s or guardian’s consent. However, the bill contains exceptions for companies to use the data for certain legal or public safety purposes, and doesn’t restrict them from using PII to “design personalized or customized education” methods, maintaining or improving their websites or mobile apps, or providing an evaluation of a school’s services.
But the bill also includes a number of data retention restrictions, requiring contractors to “maintain a comprehensive information security program” and destroy any PII if a school district asks them to within a reasonable amount of time. If a company violates any of these terms, then the bill gives the state and districts recourse to reconsider their contract with the vendor.
The legislation would mandate that all school districts put in place a “student information and privacy protection policy” containing the bill’s provisions by Dec. 31, 2017, and would direct the state’s education department to prepare a draft policy for districts by March 1.
Districts would also be required post information on their websites that is “understandable by a layperson” explaining how they share student PII. Companies that do business with schools and the education department would also be held to the same standard.
Additionally, the bill would give parents and guardians access to all PII maintained by school districts, letting them request the data or ask for corrections to it.
Though the legislation is complex, it hasn’t experienced much legislative resistance. The House and Senate passed it unanimously when it reached the floors of the respective chambers, though its ultimate fiscal impact is unclear.
In an analysis of the bill, Josh Abram of the Colorado Legislative Council wrote that the preparation of draft privacy policies for districts would “increase workload” for the education department, though it “does not require additional appropriations to implement the bill.” He expects school districts will bear the brunt of the work, as they would be forced to tailor those policies and “communicate policies to vendors, staff, parents and students.”
Hickenlooper has 30 days to act on the legislation. If he does nothing, it’ll become law without his signature.
Contact the reporter who wrote this story at email@example.com, or follow him on Twitter at @AlexKomaSNG.