STUDENT DATA; PRIVACY                                                                                S.B. 33:

                                                                                              ANALYSIS AS ENACTED

 

 

 

 

Senate Bill 33 (as enacted)                                                                PUBLIC ACT 367 of 2016

Sponsor:  Senator Phil Pavlov

Senate Committee:  Education

House Committee:  Education

 

Date Completed:  2-8-17

 

RATIONALE

 

Educators, students, parents, and those in government require data in order to improve education programs and outcomes. Data allow educators to personalize academic programs, give parents tools to hold schools accountable for performance, and ensure that states allocate appropriate funding for effective programs. The privacy of student education records is protected by the Federal Family Educational Rights and Privacy Act (FERPA) and its regulations. This Act grants parents of pupils and students 18 and older (referred to by FERPA as "eligible students") certain rights with respect to education records. Some have expressed concern, however, that the protections under FERPA do not sufficiently protect the privacy of education records. To address this concern, it was suggested that heighted disclosure requirements and privacy protections for pupil education records be included in the Revised School Code.

 

CONTENT

 

The bill amends the Revised School Code to do the following:

 

 --    Require the Superintendent of Public Instruction and the State Budget Director to ensure that the Department of Education and the Center for Educational Performance and Information (CEPI), respectively, comply with requirements pertaining to the collection, sale, or transmission of information collected for a pupil's education records.

 --    Require the Superintendent of Public Instruction and the State Budget Director to ensure that the Department of Education and CEPI, respectively, comply with all other applicable privacy law.

 --    Require the board of a school district, board of directors of a public school academy (PSA), or governing board of an authorizing body, to ensure that the school district, intermediate school district (ISD), PSA, or authorizing body complies with various requirements pertaining to the sale of pupil education records and parental notification and disclosure.

 --    Require a school district, ISD, PSA, or authorizing body to develop a list of common uses for which a pupil's directory information may be disclosed and to develop an opt-out form that lists those instances.

 --    Allow a parent, legal guardian, emancipated minor, or pupil at least 18 years old to exclude the pupil's directory information from various uses by signing the opt-out form.

 

The bill will take effect on March 22, 2017.

 

Definitions

 

The bill contains the definitions described below.

 

"Authorizing body" means that term as defined in Part 6A (Public School Academies), 6C (Urban High School Academies), or 6E (Schools of Excellence), or Section 1311b of the Code, as applicable.

(The term refers to various entities that issue a contract authorizing a PSA, an urban high school academy, or a school of excellence.)

 

"Directory information" means that term as defined in 34 CFR 99.3: information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. This information includes, for example, the student's name, address, e-mail address, date and place of birth, enrollment status, and dates of attendance.

 

"Educational management organization" means that term as defined in Section 503c, 523c, or 553c of the Code, as applicable: an entity that enters into a management agreement with a PSA, an urban high school academy, or a school of excellence. "Management agreement" means that term as defined in Section 503c, 523c, or 553c, as applicable: an agreement to provide comprehensive educational, administrative, management, or instructional services or staff to a PSA, an urban high school academy, or a school of excellence.

 

"Education records" means that term as defined in 34 CFR 99.3: those records that are directly related to a student, and are maintained by an educational agency or institution or by a party acting for the agency or institution. The term does not include, for example, records that are kept in the sole possession of the maker used only as a memory aid, records of an education agency or institution law enforcement unit, or records relating to an individual employed at the educational agency or institution kept in the normal course of business, unless the individual is employed as a result of his or her status as a student.

 

Duties of the Superintendent of Public Instruction or CEPI

 

The bill requires the Superintendent of Public Instruction and the State Budget Director to ensure that the Department of Education and CEPI, respectively, comply with the following:

 

 --    The Department or CEPI may not sell any information that is part of a pupil's education record.

 --    Within 30 days after the bill's effective date, the Department and CEPI must post on their respective websites a notice of the information they collect for a pupil's education record, including an inventory and description of all pupil data elements.

 --    At least 30 days before initiating the collection of any additional pupil data elements, the Department or CEPI must post on its website a notice of the additional data elements it is proposing to collect and an explanation of the reasons for the proposal.

 --    The Department or CEPI may not disclose any information concerning a pupil that it collects or creates except in accordance with a policy adopted and made publicly available by the Superintendent of Public Instruction or State Budget Director, as applicable, that clearly states the criteria for disclosure.

 --    The Department or CEPI must ensure that any contract with a vendor that allows access to education records expressly requires the vendor to protect the privacy of education records and provides express penalties for noncompliance.

 

In addition, if the Department or CEPI provides any personally identifiable information concerning a pupil that it collected or created as part of the pupil's education records to any person other than the school district, ISD, PSA or its authorizing body, preschool, or postsecondary institution in which the pupil is currently or was formerly enrolled, or the pupil's parent or legal guardian, the Department or CEPI must, if the pupil is under 18 years of age or claimed as a dependent on a parent's or legal guardian's Federal income tax return, disclose to the parent or legal guardian upon his or her written request, within 30 days and without charge, a) the specific data fields disclosed, b) the name and contact information of each person, agency, or organization to which the information was disclosed, and c) the reason for the disclosure. If the Department or CEPI considers it necessary to make redacted copies of all or part of a pupil's education record in order to protect the personally identifiable information of another pupil, it may not charge the parent or legal guardian for the costs of making the copies.

 

The Superintendent of Public Instruction and State Budget Director also must ensure that the Department and CEPI, respectively, comply with all other applicable privacy law.

 

Duties of a School District, ISD, PSA, or Authorizing Body

 

The bill requires the board of a school district or ISD, board of directors of a PSA, or governing board of an authorizing body, to ensure that the school district, ISD, PSA, or authorizing body complies with all of the following provisions.

 

A school district, ISD, PSA, educational management organization, or authorizing body may not sell or otherwise provide to a for-profit business entity any personally identifiable information that is part of a pupil's education record. This restriction does not apply to any of the following situations: a) for a pupil enrolled in a PSA, if the PSA has a management agreement with an educational management organization, the PSA providing the information to that educational management organization; b) providing the information as necessary for standardized testing that measures the pupil's academic progress and achievement; or c) providing the information as necessary to a person that is providing educational or educational support services to the pupil under a contract with the school district, ISD, PSA, or educational management organization.

 

Upon written request by a pupil's parent or legal guardian, a school district, ISD, PSA, or authorizing body must disclose to that person, within 30 days and without charge, any personally identifiable information concerning the pupil that those entities collected or created as part of the pupil's education records. Subject to certain exemptions, upon written request, if a school district, ISD, PSA, or authorizing body provides any personally identifiable information to any person, agency, or organization, then the school district, ISD, PSA, or authorizing body must disclose to the parent or legal guardian, within 30 days and without charge, all of the following: a) the specific information disclosed, b) the name and contact information of each person, agency, or organization to which the information was disclosed, and c) the reason that the person, agency, or organization had in obtaining the information. This requirement does not apply to a school district, ISD, PSA, or authorizing body providing the information to the Department, CEPI, or the pupil's parent or legal guardian. The requirement also does not apply to any of the following:

 

 --    A PSA providing the information to its authorizing body or an educational management organization with which it has a management agreement.

 --    A school district or PSA providing the information to its ISD or another ISD providing services to the school district or PSA, or its pupils, under a written agreement.

 --    An ISD providing the information to a school district or PSA in which the student is enrolled or for which the ISD is providing services.

 --    An authorizing body providing the information to a PSA in which the student is enrolled.

 --    Providing the information to a person, agency, or organization with written consent from the pupil's parent or legal guardian or, if the pupil is at least age 18, the pupil.

 --    Providing the information to a person, agency, or organization seeking or receiving records in accordance with an order, subpoena, or ex parte order issued by a court of competent jurisdiction.

 --    Providing the information as necessary for standardized testing that measures the pupil's academic progress and achievement.

 --    A school district, ISD, PSA, or authorizing body providing information that is covered by the opt-out form (described below), unless the pupil's parent or legal guardian, or the pupil, as applicable, has signed and submitted the opt-out form.

 

If an educational management organization receives information that is part of a pupil's education records from any source as permitted, the educational management organization may not sell or provide the information to any other person except as provided in the bill.

 

Opt-Out Form

 

For the bill's purposes, each school district, ISD, PSA, or authorizing body must do all of the following:

 

 --    Develop a list of uses for which the school district, ISD, PSA, or authorizing body commonly would disclose a pupil's directory information.

 --    Develop an opt-out form that lists all of those uses or instances and allows a parent or legal guardian to elect not to have his or her directory information disclosed for one or more of these uses.

 --    Present the opt-out form to each pupil's parent or legal guardian within the first 30 days of the school year, and at other times upon request.

 --    If an opt-out form is signed and submitted to the school district, ISD, PSA, or authorizing body, exclude the pupil's directory information in any of the uses that have been opted out of in the form.

 

If a pupil is at least age 18 or is an emancipated minor, the pupil may act on his or her own behalf under the opt-out provisions.

 

MCL 380.11136

 

BACKGROUND

 

The Family Educational Rights and Privacy Act and the regulations promulgated under it apply to any educational agency or institution that receives funds from any program administered by the U.S. Department of Education. As mentioned above, FERPA grants parents of pupils under 18 and eligible students certain rights with respect to education records. Under FERPA, a pupil's parent or an eligible student may inspect and review the student's education records maintained by a school within 45 days of his or her written request, and may request that a school correct inaccurate or misleading records. Generally, FERPA requires schools to have written permission from a parent or eligible student in order to release any information from a student's education record, with certain exceptions. Schools may disclose education records without consent to various parties, for example: a) school officials with legitimate educational interest; b) other schools to which a student is transferring; c) specified officials for evaluation purposes; d) appropriate parties in connection with financial aid; e) accrediting organizations; f) organizations conducting studies for the school; and g) appropriate officials in cases of health and safety emergencies or in connection with the juvenile justice system.^[1] A school also may disclose education records in order to comply with a judicial order or subpoena.

 

In addition, FERPA allows a school to disclose, without consent, so-called "directory information" (defined above). This information can include the student's name, address, phone number, e-mail address, photograph, date and place of birth, major field of study, height and weight, awards, and when the student attended the school.^[2] The school must inform parents and eligible students about the types of information the school has designated as directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information without prior consent.^[3]

 

ARGUMENTS

 

(Please note:  The arguments contained in this analysis originate from sources outside the Senate Fiscal Agency.  The Senate Fiscal Agency neither supports nor opposes legislation.)

 

Supporting Argument

A significant amount of data and information pertaining to students is collected in public schools. These data include, for example, course grades, test scores, demographic information, programs, and attendance. Some of the data contain personally identifiable information. It is possible that the data could be sold or transmitted to for-profit businesses, such as retailers or health-related companies, or the release of personal information could lead to identity theft. The bill allows parents to see what information is collected by the Department or CEPI and gives the public 30 days' notice if the Department or CEPI wishes to collect additional student data. The bill also prohibits the sale of student data to a for-profit business entity, and provides a mechanism for a

parent to learn when information contained in his or her child's education records is disclosed to other parties and to opt out of those disclosures.

 

                                                                                    Legislative Analyst:  Jeff Mann

 

FISCAL IMPACT

 

The bill will result in a number of additional expenses for the Department of Education and the Center for Educational Performance and Information, since both the Department and CEPI collect pupil information. First, the Department and CEPI will need to spend resources to list the current pupil information that is collected and post it on the webpage within 30 days. The Department and CEPI then will need to spend resources on reviewing existing contracts to ensure that they are in compliance with the statute. Finally, the Department and CEPI will need to develop a formal process that allows parents and legal guardians to request information concerning their pupil's record and respond to the request within 30 days. Currently, CEPI receives these requests under Federal requirements; however, there is no formal process and no time line for a response. The 30-day response time and the possible increase in the volume of requests will result in additional costs. At this time, the total administrative costs are unknown.

 

The bill also will result in additional expenses for ISDs, school districts, and PSAs, which will have to ensure that current contracts and practices are in compliance with the statute. They also will have to have a formal process for parents and legal guardians to request their pupil's information, and respond within 30 days, as well as develop an opt-out form. At this time, the total administrative costs for local units are unknown.

 

                                                                                        Fiscal Analyst:  Cory Savino

This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.