CT Student Data Privacy Act

COVID-19: COMMISSIONER OF EDUCATION RELAXES PORTION OF STUDENT DATA PRIVACY LAW DURING SCHOOL CLOSURE

March 24, 2020 

As we previously reported, on March 21, 2020, Governor Lamont issued Executive Order 7I, Protection of Public Health and Safety During COVID-19 Pandemic and Response - Municipal Operations and Availability of Assistance and Healthcare, which permitted the Commissioner of Education (“Commissioner”) to temporarily waive any requirements included in Connecticut’s student data privacy laws, Conn. Gen. Stat. §§ 10-234aa through 10-234dd, during school closures resulting from the pandemic. Please refer to our March 22, 2020 post detailing various requirements of Connecticut’s student data privacy law. On March 23, 2020, the Commissioner issued a Memorandum to all superintendents identifying “temporary flexibilities” in the student data privacy laws and providing guidance to schools in their use of internet-based tools during the school closure as relating to data privacy.

The Commissioner’s temporary waiver is strictly limited to the contracting requirements identified in Conn. Gen. Stat. § 10-234bb.  As the Commissioner explained, “effective immediately, and for the duration of the cancellation of in-school classes, districts may bypass the process of crafting individual contracts for new technology solutions that fall under the data privacy statute.” Instead of entering into individual contracts, districts may use any of the educational technology offered by companies that have signed Connecticut’s Student Data Privacy Pledge, available on the Connecticut Educational Software Hub. In signing the Pledge, providers agree that they will comply with Connecticut’s student data privacy protections. A list of the pledged products can also be found here. Please note that the following platforms can also be used because they have negotiated contract terms directly with the Connecticut Commission for Educational Technology: Apple, Google, Code.org, and Khan Academy.

School districts must be aware that all other aspects of Connecticut’s student data privacy laws still apply; this includes but is not limited to the requirements for and prohibitions on the use of student data by operators, under Conn. Gen. Stat. § 10-234cc; and the breach notification requirements for schools and operators, under Conn. Gen. Stat. § 10-234dd.  Moreover, schools are still permitted to use the internet-based educational technology for which they already have contracts in accordance with Connecticut law, or technology that does not fall under the law’s contracting requirements.  School districts are also still permitted to enter into contracts with these providers, or in the alternative, may request that vendors sign onto the Student Data Privacy Pledge, as suggested in the Commissioner’s Memorandum.

Schools are cautioned that additional laws may be implicated through the use of internet-based services for students, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”). Schools are permitted to provide third parties with personally identifiable information (“PII”) of students under FERPA with parent consent or if an applicable exception applies. The “school official” exception will permit the school to release PII to an online education provider, without parent consent, as long as the online provider: (1) “performs an institutional service or function for which the school or district would otherwise use its own employees”; (2) “has been determined to meet the criteria set forth in the school’s or district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records”; (3) “is under the direct control of the school or district with regard to the use and maintenance of education records”; and (4) “uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA).” See 34 C.F.R. § 99.31. Importantly, by signing the Student Data Privacy Pledge, vendors agree that they will comply with FERPA in their use of and access to student data. As such, the required elements of the school official exception are likely met for these online providers.  The Student Privacy Policy Office of the U.S. Department of Education recently issued “FERPA and Virtual Learning Related Resources,” which reviews school district obligations under FERPA and other federal laws in connection with distance learning.

The intent of the Governor’s Executive Order and the Commissioner’s subsequent Memorandum are to assist schools in the provision of distance learning during these unprecedented times, while still protecting student data. Schools should always exercise caution in releasing student data to third parties. Even though Connecticut’s student data privacy contracting requirements have been temporarily relaxed, schools should continue to make student privacy a top priority in their provision of distance learning during school closures

                                                                                                                                                                     

CT Student Data Privacy Information-Overview: In alignment with the Connecticut State Department of Education (CSDE), Stamford Public Schools treats data confidentiality and the privacy of student educational records very seriously. It complies with all federal laws including Family Educational Rights and Privacy Act (FERPA), state statutes, and guidelines to protect confidential data. This page is designed to provide additional resources to families, community members, and schools to explain the implications of new legislation going into effect October 1, 2016.

These links provide information about your rights as a parent, and the District's responsibilities as it pertains to data privacy:

US Department of Education FERPA Page

Children’s Online Privacy Protection Act (COPPA)

Connecticut Public Act 16-189 "An Act Concerning Student Data Privacy"

SPS Reviewed Digital Resources

 

Student Data Privacy 101: Ferpa for Parents