PUPIL PRIVACY PROTECTIONS

Senate Bill 33 (passed by the Senate as S-3)

Sponsor:  Sen. Phil Pavlov

House Committee:  Education

Senate Committee:  Education

Complete to 1-27-16

SUMMARY:

Senate Bill 33 would add Section 1136 to the Revised School Code to ensure that statewide agencies and schools are strictly limited in disclosing pupil information; that if they do so, they disclose as much to the pupil and parent or guardian; and specify that certain information does not fall under this prohibition.

Key terms (as defined in the Code of Federal Rules, 34 CFR 99.3)

Education records applies to records that are (1) directly related to the student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution.  Certain records are excepted from this designation.

Personally identifiable information includes, but is not limited to, the student's name, address, social security number, student number or date of birth, the name or address of the student's family members, or other information linkable to a specific student.

Rules for Michigan Department of Education and CEPI

In order to protect pupil privacy, the bill would require the State Board of Education and State Budget Director to ensure that the Michigan Department of Education (MDE) and the Center for Educational Performance and Information (CEPI), respectively, comply with all of the following:

·         Not sell any information that is part of a pupil's education records.

·         Post a notice listing the information they collect for a pupil's education records on their websites within 30 days after the effective date of this bill. The notice must at least include an inventory of all pupil data elements collected by the MDE and CEPI and a description of each pupil data element.

·         Post notice if they propose to add any pupil data elements to those collected, and their rationale for doing so, at least 30 days before initiating the collection.

·         Not disclose any information concerning a pupil that is collected by the MDE or CEPI except in accordance with a policy adopted and made publicly available by the State Board or State Budget Director, as applicable, that clearly states the criteria for the disclosure of the information.

·         Ensure that any contract it has with a vendor, allowing the vendor access to education records, expressly require the vendor to protect the privacy of education records and provide express penalties for noncompliance.  

·         Upon written request by the pupil's parent or guardian, notify the parent or guardian of any disclosure of protected information to any unauthorized party.  In other words, disclosure to anyone other than the following is a violation:  the school district, intermediate school district (ISD), public school academy (charter school), authorizing body, preschool, or postsecondary institution in which the pupil is currently or was formerly enrolled, or the pupil's parent or legal guardian.  Protected information, the disclosure of which would be a violation, includes any personally identifiable information concerning a pupil that is collected or created by the MDE or CEPI as part of the pupil's education records. If such a violation occurs, the MDE or CEPI must notify the parent or guardian all of the following:

o   The specific data fields that were disclosed;

o   The name and contact information of each person, agency, or organization to which the information has been disclosed; and

o   The reason for the disclosure.

·         Disclose the above listed information about any violation to the parent or guardian within 30 days of receiving the written request, and without charge to the parent or guardian. If the MDE or CEPI considers it necessary to produce redacted copies of the pupil's education records in order to protect another pupil's information, the parent or guardian will not be charged for the cost of making those copies.

            Rules for Schools

The board of a school district or ISD or board of directors of a charter school must ensure that its schools comply with all of the following, and the governing board of an authorizing body shall ensure that the authorizing body complies with all of the following:

·         Not sell or otherwise provide a for-profit business entity with any personally identifiable information that is part of a pupil's education records.

o   The above prohibition also applies to an educational management organization (EMO), except that, if the pupil is enrolled in a charter school and the charter school has a management contract with an EMO, the EMO may receive this information.

o   This prohibition does not apply to information provided for standardized testing or participating in educational support services with a contracted entity.

·         Disclose to the pupil's parent or guardian the personally identifiable information collected or gathered by the school district, IDS, charter school or authorizing body as part of the pupil's education records, upon written request by the parent or guardian.

·         Upon written request by the pupil's parent or guardian, notify the parent or guardian of any disclosure of personally identifiable information to any person, agency, or organization, except in the instances listed in allowable disclosures, below. If such a violation occurs, the MDE or CEPI must notify the parent or guardian all of the following:

o   The specific information that was disclosed;

o   The name and contact information of each person, agency, or organization to which the information has been disclosed; and

o   The legitimate reason that the person, agency, or organization had in obtaining the information.

·         Disclose the above listed information about any violation to the parent or guardian within 30 days of receiving the written request, and without charge to the parent or guardian. If the school district, ISD, charter school, or authorizing body considers it necessary to produce redacted copies of the pupil's education records in order to protect another pupil's information, the parent or guardian will not be charged for the cost of making those copies.

Allowable disclosures

The prohibition on a school disclosing personally identifiable information to a person, agency or organization does not apply when the school is providing information to the following:

·         MDE or CEPI;

·         The pupil's parent or guardian;

·         Its authorizing body or EMO with which it has a management agreement, in the case of a charter school;

·         Its respective ISD, in the case of a school district;

·         The school district in which the pupil is enrolled, from its respective ISD;

·         The charter school in which the student is enrolled, from its authorizing body;

·         A person, agency, or organization with written consent from the pupil's parent or guardian or, if the pupil is at least age 18, the pupil;

·         A person, agency, or organization seeking or receiving records in compliance with an order, subpoena, or ex parte order issued by a court of competent jurisdiction; or

·         As necessary for standardized testing.

In addition to ensuring that the MDE and CEPI comply with the rules listed above, the State Board and the State Budget Director, respectively, must ensure that those entities comply with all other applicable privacy law.

Senate Bill 33 would take effect 90 days after enactment.

MCL 380.1 to 380.1852

FISCAL IMPACT:

Senate Bill 33 would create additional administrative costs related to the protection and transparency of student data elements for the State as well as school districts, public school academies, and intermediate school districts. 

The bill could add to the administrative and staffing costs for MDE and CEPI by requiring them to post all current and future student data online with descriptions, to review current and future contracts covering student data and ensure compliance with the statute, and to create a formalized request process for parents and legal guardians concerning their children's education data and respond within 30 days of the request.  While CEPI already fulfills such requests under federal requirements, there is no formalized process or required response time, so the addition of both could require that additional resources be dedicated to responding to requests.

The bill could also increase administrative costs for districts, intermediate districts, and public school academies in having to review current and future contracts covering student data to ensure compliance with the statute and creating a formal request process for parents and legal guardians concerning their children's education data with a 30-day response time.

 

                                                                                        Legislative Analyst:   Jennifer McInerney

                                                                                                Fiscal Analyst:   Bethany Wicksall

                                                                                                                           Samuel Christensen

■ This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.