The Connecticut General Assembly will soon be acting on House Bill #7017, An Act Concerning Student Data Privacy.
However, as of now this critically important legislation is little more than an empty shell and it falls far short of what is needed to ensure that Connecticut law properly protects the state’s children by instituting appropriate safeguards on data collected by the state and school districts about students.
Although few parents are presently aware of the problems, as a result of federal action, the Common Core testing frenzy and the ever increasing desire to collect and warehouse massive amounts of data on everybody and everything, the notion of protecting student data at the federal, state and local level has been severely undermined.
Today student data is not properly protected.
In response to these developments, states all across the country have passed new laws aimed at putting appropriate safeguards in place on student data.
This year alone, 41 states have or are considering legislation that would increase the level of protection on student data.
The Connecticut’s General Assembly’s opportunity to step forward and protect Connecticut’s children rests with House Bill #7017, but significant changes would be needed if the legislation is to have a significant impact.
Jennifer Jacobsen, a long time educator, mother of three, a founding member of Connecticut Unites for Student Privacy and a member of the Connecticut Parental Rights Coalition has been a leading voice in the effort to ensure that Connecticut improves its laws on student data privacy.
In a recent letter Jennifer Jacobsen highlighted the steps needed to update loopholes with the Family Educational Rights and Privacy Act (FERPA), to institute appropriate provisions for dealing with online and third party vendors who contract with the state and schools that collect student data, and changes needed to ensure proper procedures for regulating Connecticut’s “state longitudinal data system,” known as P20-WIN, so that there is transparency, accessibility and protection in place.
The proposed law needs to include the following provisions;
- Clarification that All student records are the property, and are under the control of, the parent or legal guardian of the child, and may be held in trust by the local board of education. The local board of education shall safeguard the privacy of student records, and shall protect student records from all unlawful release to third parties, in accordance with state and federal statutes and regulations.
- A requirement that, upon request, the local board of education shall provide immediately to the student, parent, or legal guardian, a copy of any student record, or data of any kind, that is in the possession and/or control of the local board of education and its agents and the state longitudinal data.
- Adding language ensuring that certain data elements cannot be disclosed to third-parties without parental consent including; (a) Juvenile court delinquency records; (b) Criminal records; (c) Student biometric information; and (d) Student medical Records.
In addition, tougher provisions are needed to limit the likelihood of a data breach and ensure that proper steps are taken if and when a breach of data security occurs. As Jacobsen notes, the legislature should add that:
The State Department of Education and its agents, and the local board of education and its agents, shall notify the student and parent or legal guardian of a student of any unauthorized access, or suspected unauthorized access, to any student record or data of any kind that is collected, maintained, or in the possession and control of the State Department of Education and its agents, the local board of education and its agents, and any other authorized third party.
Each unauthorized release of, or breached access to, any student record or data of any kind that is collected, maintained, or in the possession and control of the State Department of Education and its agents, the local board of education and its agents, and any other authorized third party, shall be considered a separate violation, punishable by (add appropriate penalties- fines, denied access to data systems, etc).
Upon notification of an unauthorized release or breach, or suspected unauthorized release or breach, of student records or data of any kind, the State Department of Education and its agents, the local board of education and its agents, and any authorized third party, immediately shall ensure that all necessary corrections are made to prevent further release or breach, and shall repair and rectify all harm caused by the unauthorized release or breach.
These additions are necessary to update Connecticut’s law on protecting student data. As Jacobsen explains,
“These proposed changes and additions allow third party vendors and state agencies the opportunity to ensure their proper handling of the data they collect with ultimate responsibility to safeguard the students behind the data while still having access to de-identified data for research or product development purposes.
These recommendations also permit parents the access they need to ensure the accuracy of the data collected on their children and assures them that the state has taken every measure possible to protect their children’s information with serious consequences for those who would either intentionally or unintentionally misuse that information.”
The Connecticut General Assembly should add these provisions, Connecticut’s parents and students deserve nothing less.