The recognized trend in data privacy is that those collecting or storing personally identifying information (“PII”) are required to safeguard and protect that information. The requirement to safeguard and protect data extends to any organization, regardless of industry.
One of the less-regulated industries that has lately been receiving a lot of attention is educational institutions. As technology continues to move into virtually all aspects of education, so too has the collection, use, and storage of student PII (“SPII”).
This activity has not gone unnoticed by state legislatures. Thirty-five states have adopted student privacy laws in the past two years. The latest state to do so — Colorado — recently passed what is viewed as one of the strictest student privacy laws in the country. So what does the Colorado law require and what should those involved with education in Colorado know about the requirements of the law?
Colorado’s Student Data Transparency and Security Act
The new Colorado Student Data Transparency and Security Act (“SDTSA”) was developed to address concerns over what happens to the vast amounts of personal information gathered and maintained throughout the educational process. The drafters recognized that students today are increasingly defined by the digital information they create as they progress through school, and that there was a need to protect these vast stores of information from misuse. This understanding pushed the legislature to go further than merely requiring notice and consent before SPII could be collected and for such SPII to be destroyed after a period of time. Legislators also recognized a need to allow access to this information for certain legal or public safety purposes. This information was seen as key to designing personalized or customized education methods, maintaining or improving educational websites and software, and providing an evaluation of a school’s services. The result is an attempted balance between data protection and use of student data, one that Colorado hopes will be a model for other student privacy acts across the country.
Student Personally Identifiable Information
One of the keystones of the SDTSA is the definition provided for protected Student Personally Identifiable Information (“SPII”). The SDTSA defines SPII as “information that, alone or in combination, personally identifies an individual student or student’s parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on demand provider.”
Of note, not only does this definition encompass information that can directly identify a student or their family, but also information that, when cross-referenced with other information — even information outside of SPII — could lead to the identification of a student or student’s family. This expansive definition, which greatly increases the scope of information that must be protected, flowed from the drafters’ desire to vigilantly protect SPII from misappropriation.
Requirements and restrictions
Key to the structure of the Colorado law is consistent protection across the educational system and all entities interacting with that system. Schools are not only required to adopt and publish a student information privacy and protection policy, they must also ensure that any companies doing business with the school and having access to the SPII (and any subcontractors working with those companies) adhere to that same privacy and protection policies. Where schools must identify every entity with which they share SPII (as well as those with whom they no longer disclose information because of privacy concerns), so too must the Department of Education. And, schools, the Department of Education, and any entities working with them, must identify what SPII they collect, the purpose for the collection, and how the SPII will be used or shared — ensuring compliance and protection across the entire educational ecosystem.
The SDTSA also imposes strict SPII requirements on all entities doing business with schools or the Department of Education, requiring them to maintain comprehensive information security programs (utilizing appropriate administrative, technological, and physical safeguards) and report any misuse or unauthorized release of SPII.
The SDTSA includes requirements for entities providing services to educational institutions. Specifically, the act prohibits entities receiving SPII from collecting, using, or sharing that information unless authorized by contract or where students or their parents’ consent. Entities receiving SPII are also generally prohibited from selling SPII. And they cannot sell advertising that individually targets students or create a personal profile of a student other than for limited purposes. Entities receiving SPII from an educational institution must also destroy (not just delete) SPII if a school district asks them to do so. If an entity fails to comply with these restrictions, the SDTSA allows the state and schools to terminate contracts with those companies.
Although the legislation passed both the Colorado House of Representatives and Senate with unanimous votes and was signed into law by the Governor without issue, the legislation has not been without any concern. Some have complained that the broad definition of SPII may decrease the number of companies willing to work with Colorado school districts or the educational system. Wary of costs associated with SDTSA requirements or with violating SDTSA provisions, companies may forego working with the Colorado educational system, resulting in decreased educational opportunities for Colorado students.
But increased scrutiny over data protection now stretches across nearly every area of commerce. At this point, any company in the business of collecting, storing, or transferring PII is already on high alert over data privacy concerns. For that reason, it seems unlikely that a company looking to work with the Colorado educational system would forego that opportunity because they were required to protect PII.
Having passed both houses of the Colorado legislature and signed into law, the SDTSA is due to take effect on August 10, 2016. School districts will have until December 2017 to complete their privacy plans/policies and small rural districts will have until the middle of 2018.
For more information, please contact one of the lawyers in the firm's Cybersecurity group.