First Regular Session Seventieth General Assembly STATE OF COLORADO INTRODUCED LLS NO. 15-0236.01 Jane Ritter x4342 HOUSE BILL 15-1199 HOUSE SPONSORSHIP Everett, Carver, Joshi, Klingenschmitt, Saine, Humphrey, Lundeen, Neville P., Nordberg, Buck, Van Winkle, Windholz SENATE SPONSORSHIP Marble, Grantham, Lambert, Woods, Holbert, Neville T. House Committees Senate Committees Education A BILL FOR AN ACT Concerning the creation of the "Student and Teacher Data Privacy and Security Act". Bill Summary (Note: This summary applies to this bill as introduced and does not reflect any amendments that may be subsequently adopted. If this bill passes third reading in the house of introduction, a bill summary that applies to the reengrossed version of this bill will be available at http://www.leg.state.co.us/billsummaries.) The bill creates the "Student and Teacher Data Privacy and Security Act" (act). The bill classifies types of student and teacher data that may be collected by an education institution or state agency without the written consent of affected parents, eligible students, or teachers (affected parties). The types of information that require written consent from affected parties are established. An education institution is prohibited from using moneys from any source to construct, enhance, or expand a data system that is not in compliance with the provisions of the bill. Parameters for transparency of data collection and storage for education institutions and state agencies are established, including disclosure on web sites about the existence and character of any personally identifiable information maintained, procedures to be followed in the case of a security breach or unauthorized disclosure, and the principal purpose or purposes of the data collection. The bill establishes limitations on the administration of certain types of assessments, the collection of sensitive information about a student or his or her family, and the disclosure of personally identifiable information to third-party contractors, including those requesting the information for research and studies. If an entity performing an audit or evaluation of an education program requests disclosure of personally identifiable information, the disclosure must be to an authorized representative only. The bill establishes requirements for third-party contractors before they may enter into a contract with an education institution or state agency for the maintenance or use of education or teacher data, including protocols to be followed in the case of a suspected or actual security breach or unauthorized disclosure of personally identifiable information. The bill establishes a minimum protocol for an education institution or state agency to follow in the case of a security breach or unauthorized disclosure of personally identifiable information. The commercial use of any education or teacher data for commercial use, including use by a cloud-computing service provider performing services to an education institution or state agency, is prohibited. The use of any education or teacher data for predictive modeling is prohibited, as is any interagency disclosure. Video monitoring of classrooms for any purpose is prohibited, except for teacher evaluation purposes, and in those instances, prior written consent must be obtained from all affected parties. Any disclosure of personally identifiable information contained in education or teacher records may not be made to any entity outside the state, except in limited circumstances. Disclosure of personally identifiable information to the United States department of education for the purposes of obtaining a federal grant is limited to specific situations required by law. Education institutions are required to destroy and remove from student databases certain education records associated with a student within 5 years of the student's graduation or withdrawal from the institution; except that education institutions shall retain adequate records to demonstrate that a student has completed graduation requirements. Penalties for violations of the bill are established, including a fine of up to $1,000 for a first offense, up to $5,000 for a second offense, and up to $10,000 for any subsequent offenses. Be it enacted by the General Assembly of the State of Colorado: SECTION 1. In Colorado Revised Statutes, add article 15 to title 22 as follows: ARTICLE 15 Student and Teacher Data Privacy and Security Act 22-15-101. Short title. This article is known and may be cited as the "Student and Teacher Data Privacy and Security Act". 22-15-102. Definitions. As used in this article, unless the context otherwise requires: (1) "Affective computing" means systems and devices that attempt to or can recognize, interpret, process, or simulate aspects of human feelings or emotions. (2) "Biometric record" means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual, including fingerprints, palm screening, retina and iris patterns, voice prints, facial characteristics, handwriting, and DNA sequences, including newborn screening information. The term "biometric record" also includes photographs, video recordings, behavioral or psychometric surveys, and observations. (3) "Cloud-computing service" means a service that enables on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage, applications, and services. A cloud-computing service provides students, teachers, or staff members account-based productivity applications, such as e-mail, document storage, and document editing, that can be rapidly provisioned and released with minimal management effort or cloud-computing service provider interaction. A cloud-computing service has the characteristics of on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. (4) "Cloud-computing service provider" means an entity other than an education institution that operates a cloud-computing service. (5) "Department" means the department of education created and existing pursuant to section 24-1-115, C.R.S. (6) "Disclosure" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (7) "Education institution" or "institution" means any public or private early childhood learning center, elementary or secondary school, school district board of education, or board of cooperative services. (8) "Education program" means a program of instruction administered by an education institution. (9) "Education record" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (10) "Eligible student" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (11) "Interpersonal resources" or "interpersonal skills" means noncognitive, emotional, and psychological characteristics, attributes, and skills used to manage relationships and interactions between or among individuals. (12) "Intrapersonal resources" or "intrapersonal skills" means noncognitive, emotional, and psychological characteristics, attributes, and skills used to manage emotions and attitudes within an individual. (13) "Parent" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (14) "Party" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (15) "Personally identifiable information" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (16) "Predictive modeling" means the use of educational data-mining methods to make predictions about future behaviors or performance. (17) "Process" or "processing" means to use, access, manipulate, scan, modify, transform, disclose, store, transmit, transfer, retain, aggregate, or dispose of student or teacher data. (18) "Psychological resources" means noncognitive, emotional characteristics, attributes, and skills, including mindsets, learning strategies, and effortful control, used by an individual to address or manage life situations. (19) "Record" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (20) "State agency" means the Colorado department of education, the state board of education, the Colorado division of early care and learning, Colorado student financial assistance agencies, the Colorado professional teaching standards commission, any regional education service agency, or any other state education entity. (21) "Student" has the same meaning as set forth in the federal "Family Education Rights and Privacy Act", 20 U.S.C. sec. 1232g, and its implementing regulations, 34 CFR 99.3. (22) "Student database" means any data system, including regional, interstate, or federal data warehouse organizations under contract to or with a memorandum of understanding with the department, to track Colorado student data. (23) "Teacher records" applies to teachers, paraprofessionals, principals, and other administrators and includes any of the following: (a) Social security number; (b) Name, address, e-mail address, and telephone numbers; (c) Date of birth; (d) Compensation information and performance evaluations; (e) Resume information; and (f) Any other information that, alone or in combination, is linked or linkable to a specific staff member and would allow a reasonable person in the school community who would otherwise not have personal knowledge of relevant circumstances to identify the staff member with reasonable certainty. (24) "Track" means to collect and maintain records of a student's activities once he or she exits the educational system, including but not limited to his or her entrance into and progression through the workforce or military. (25) "Workforce information" means information related to unemployment insurance, wage records, unemployment benefit claims, or employment and earnings data from workforce data sources, such as state wage records or the federal employment data exchange system. (26) "Written consent" means consent given in writing within six months before the data collection or data disclosure to which consent is being given. "Written consent" must reference a specific data collection or data disclosure and be dated and signed on the same day. 22-15-103. Data collection - limitations. (1) The collection of student data by any state agency or education institution without written consent of parents or eligible students is limited to the following information: (a) Name, address, e-mail address, telephone number, and family contact information; (b) State and national assessment results; (c) A summary of courses taken and completed and credits earned; (d) Course grades and grade point average; (e) Date of birth, grade level, and expected graduation date and graduation cohort; (f) Degree, diploma, or credential attainment; (g) Enrollment verification, attendance, and transfers; (h) Immunization records required by state law, records needed or created by a school-based health professional for administering prescription drugs or otherwise treating a student at school, records needed or created by a school-based counselor when a student seeks counseling while at school, or records required by the federal "Individuals with Disabilities Education Act", 20 U.S.C. sec. 1400 et seq.; (i) Discipline reports limited to objective information about disciplinary incidents; (j) Juvenile delinquency or other criminal or correctional records if necessary to meet the educational needs of the student or to ensure staff or student safety; (k) Remediation data; (l) Special education data, limited to data required by the federal "Individuals with Disabilities Education Act", 20 U.S.C. sec. 1400 et seq.; (m) Demographic data limited to that required by the federal "Elementary and Secondary Education Act of 1965", 20 U.S.C. sec. 6301 et seq., including race, economic status, disability status, and English proficiency status; (n) Student workforce information, limited to information related to work-study programs in which the student participated for academic credit; (o) Student or family social security numbers only if needed to comply with state or federal law; (p) Student or family income data, limited to data required by law to determine eligibility to participate in or receive financial assistance from an education institution; and (q) Information about extracurricular activities, limited to activities that are school-sponsored or engaged in for academic credit. (2) Unless expressly mandated by federal law, a state agency or education institution shall obtain written consent from parents or eligible students prior to collecting any data not set forth in subsection (1) of this section, including but not limited to: (a) Medical, health, and mental health records, except as provided for in paragraph (h) of subsection (1) of this section; (b) Student or family workforce information, except as provided for in paragraph (n) of subsection (1) of this section; (c) Student biometric records; (d) Any data collected through affective computing, including analysis of facial expressions, EEG brain wave patterns, skin conductance, galvanic skin response, heart rate variability, pulse, blood volume, posture, and eye tracking; (e) Any data, including that resulting from state or national assessments, that measure psychological resources, mindsets, learning strategies, effortful control, attributes, dispositions, social skills, attitudes, or intrapersonal resources; (f) Any data collected through predictive modeling; and (g) Information related to student or family religious affiliation. (3) Moneys, including but not limited to federal "Race to the Top" and "American Reinvestment and Recovery Act of 2009" grants, shall not be used for construction, enhancement, or expansion of any data system that does not comply with the limitations set forth in this section, that is designed to track students beyond K-12 or postsecondary education careers, or that compiles personal, nonacademic information on students beyond what is necessary for either administrative functions directly related to the student's education or the evaluation of academic programs and student progress. (4) A state agency or education institution shall not pursue or accept any federal or private grant that requires collecting or reporting any type of data in violation of subsection (2) of this section. 22-15-104. Transparency of data systems. (1) Each state agency and education institution shall publicly and conspicuously disclose on its web site the existence and character of any personally identifiable information related to education or teacher records maintained, directly or through contracts with outside entities, by the state agency or education institution. Each education institution shall annually notify parents, eligible students, and teachers of the web site posting. Each state agency shall provide electronic notification of the web site posting to the education committees of the senate and house of representatives, or any successor committees. (2) The disclosure and notification required pursuant to subsection (1) of this section must include, at a minimum, the following information: (a) The legal authority that authorizes the establishment and existence of the data repository; (b) The principal purpose or purposes for which the data is intended to be used; (c) The categories of individuals on whom records are maintained in the data repository; (d) The categories of records maintained in the data repository; (e) Each expected disclosure of the records contained in the data repository, including the categories of recipients and the purpose of such disclosure; (f) The policies and practices of the state agency or education institution and any vendor or third party regarding storage, ability to retrieve, access controls, retention, and disposal of the records; (g) The title and business address of the official responsible for the data repository and the name and business address of any contractor or third party maintaining the data repository for or on behalf of the state agency or education institution; (h) The procedures by which a parent, eligible student, or teacher can be notified at his or her request if the data repository contains a record pertaining to him or her; and (i) The procedures by which a parent, eligible student, or teacher can be notified at his or her request concerning how to access any record pertaining to him or her that is contained in the data repository and how he or she can contest its content. (3) Upon request, a parent or eligible student must be provided with a written copy of his or her education records that are held in a data repository. He or she has the right to correct such education records in a manner that is consistent with the requirements of state and federal law. (4) Each state agency and education institution shall notify the governor, the general assembly, and the state board of education of any: (a) New student data proposed for inclusion in any state-maintained databases, data systems, or records; and (b) Changes to existing data collections that are required for any reason, including changes to federal reporting requirements made by the United States department of education. (5) A state agency or education institution and any subdivision or local agency shall use only aggregate data in published reports. 22-15-105. Adopting or administering assessments - limitations. An education institution shall not adopt or administer any district, state, or national student assessment that collects any type of psychological data, including but not limited to assessment of noncognitive skills or attributes, psychological resources, mindsets, learning strategies, effortful control, attitudes, dispositions, social skills, or other interpersonal or intrapersonal resources. 22-15-106. Collection of sensitive information - limitations. (1) An education institution or state agency shall not administer any student survey, assessment, analysis, evaluation, or similar instrument that solicits information about a student or a student's family concerning any of the following: (a) Political or religious affiliations or beliefs; (b) Mental or psychological attitudes or problems, psychological resources, mindsets, learning strategies, effortful control, attributes, dispositions, social skills, attitudes, or intrapersonal resources; (c) Sexual behavior or attitudes; (d) Illegal, antisocial, self-incriminating, or demeaning behavior; (e) Critical appraisals of another individual with whom a student has a close family relationship; (f) Legally recognized privileged or analogous relationships, such as those with an attorney, physician, or clergy; (g) Personal or family gun ownership; or (h) Income or income-related information except information required by law to determine eligibility to participate in or receive financial assistance for an education program. 22-15-107. Disclosure of personally identifiable information to third parties - limitations. (1) Except as otherwise provided in this article, access to education records is restricted to authorized representatives of the education institution or state agency who require access to the information to perform an assigned duty. A person may not be designated as an authorized representative unless he or he is on the staff and under the direct control of the designating education institution or state agency. (2) Except as otherwise provided in this article, personally identifiable information contained in an education or teacher record must not be disclosed without written consent of the affected parent, eligible student, or teacher. (3) Vendors or third parties shall not redistribute, share, or sell education or teacher records. 22-15-108. Research and studies. (1) The department shall develop and publish criteria for the approval of research-related data requests from state and local government agencies, the general assembly, academic researchers, and the public. (2) (a) Except as provided in paragraph (b) of this subsection (2), personally identifiable information contained in an education or teacher record may not be released to a third-party contractor conducting a study for or on behalf of a state agency or education institution without written consent of the affected parent, eligible student, or teacher. (b) Provided that the third-party contractor conducting a study meets all the requirements for contractors set forth in section 22-15-110, personally identifiable information contained in an education or teacher record may be released to the contractor that is conducting a study for or on behalf of a state agency or education institution without written consent of the affected parent, eligible student, or teacher in the following situations: (I) To develop, validate, or administer assessments; or (II) To administer student financial assistance programs. 22-15-109. Audits, evaluations, and compliance. In conducting an audit or evaluation of an education program, or a compliance or enforcement activity in connection with legal requirements related to state- or district-supported education programs, education and teacher records must be released only to an authorized representative of an education institution or state agency if the audit, evaluation, or compliance or enforcement activity involves access to personally identifiable information. An individual must not be designated as an authorized representative unless he or she is on the staff and under the direct control of the designating education institution or state agency. 22-15-110. Outsourcing. (1) An education institution or state agency shall not disclose personally identifiable information contained in education or teacher records to an outside contractor with which the education institution or state agency has outsourced institutional services or functions without written consent of affected parents, eligible students, or teachers unless the outside contractor: (a) Performs an institutional service or function for which the education institution or state agency would otherwise use its own employees; (b) Is under the direct control of the education institution or state agency with respect to the use and maintenance of education or teacher records; (c) Limits internal access to education or teacher records to those individuals who require access to those records for completion of the contract; (d) Does not use the education or teacher records for any purpose other than those explicitly authorized in the contract; (e) Does not disclose any personally identifiable information contained in education or teacher records to any other party: (I) Without written consent of the affected parent, eligible student, or teacher; or (II) Unless the disclosure is required by law or court order and the contractor provides a notice of the disclosure to the education institution or state agency that initially provided the information. Notice must occur no later than the time the information is disclosed, unless providing said notice is expressly prohibited by law or court order. (f) Maintains reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the personally identifiable information in its custody; (g) Uses encryption technologies to protect data from unauthorized disclosure while in motion or in its custody. The technology or methodology must be of the type specified by the secretary of the United States department of health and human services in guidance issued pursuant to Pub.L. 111-5, section 13402 (h) (2); (h) Has sufficient administrative and technical procedures in place to continuously monitor the security of personally identifiable information contained in education and teacher records in its custody; (i) Conducts a security audit annually and provides the results of the audit to each education institution and state agency from which it has obtained education or teacher records; (j) Prior to the initial receipt of education and teacher records, provides the education institution or state agency with a breach remediation plan that is acceptable to the education institution or state agency; (k) Reports immediately all suspected security breaches to the education institution or state agency that provided the education or teacher records; (l) Reports immediately all actual security breaches to the education institution, state agency, and affected individuals; (m) In the event of a security breach or unauthorized disclosure of personally identifiable information contained in education or teacher records, pays all costs and liabilities incurred by the education institution or state agency that are related to the security breach or unauthorized disclosure, including but not limited to the costs of responding to inquiries, notifying affected individuals, mitigating the effects of the breach or disclosure, and investigating the cause or consequences of the breach or disclosure; and (n) Destroys or returns to the education institution or state agency all personally identifiable information in its custody upon request and at the termination of the contract. 22-15-111. Security breach or unauthorized disclosure - required actions. (1) In the event of a security breach or unauthorized disclosure of personally identifiable information contained in education or teacher records, whether by an education institution, state agency, or third-party contractor, the education institution, state agency, or third-party contractor shall: (a) Immediately notify the individuals affected by the breach or disclosure; (b) Report the breach or disclosure to the family policy compliance office of the United States department of education; and (c) Investigate the causes and consequences of the breach or disclosure. 22-15-112. Prohibitions on commercial use. (1) Personally identifiable information contained in education or teacher records must not be disclosed to any entity for commercial use, including but not limited to marketing products or services, compilation of lists for sale or rental, development of products or services, or creation of individual, household, or group profiles. (2) A cloud-computing service provider that performs services for an education institution or state agency is prohibited from using information from education or teacher records for any secondary purpose that might benefit the cloud-computing service provider or any other third party, including but not limited to on-line behavioral advertising, creating or correcting an individual or household profile primarily for the cloud-computing service provider's benefit, selling the data for any commercial purpose, or any other similar commercial for-profit activity. However, a cloud-computing service provider may process or monitor student data solely to provide such service to an education institution or state agency and to maintain the integrity of said service. (3) A cloud-computing service provider that enters into an agreement to provide cloud-computing services to an education institution or state agency shall certify in writing that it will comply with the terms and conditions set forth in section 22-15-110 and that the education institution or state agency maintains ownership of all education and teacher records. (4) Any education or teacher records stored by a cloud-computing service provider must be stored within the United States. 22-15-113. Predictive modeling prohibited. Student data must not be used for predictive modeling to detect behaviors, beliefs, or value systems or for predicting or forecasting student outcomes. 22-15-114. Video monitoring - prohibition. Video monitoring of classrooms for any purpose is prohibited, including for teacher evaluations, without the approval of the school district board of education after public hearings and written consent of the teacher, all eligible students, and parents of all students in the classroom. 22-15-115. Interagency disclosure prohibited. Personally identifiable information contained in education or teacher records must not be disclosed to a noneducation government agency, including but not limited to any entity that intends to use or disclose the information or data for the purpose of workforce development or economic planning. 22-15-116. Interstate disclosure - limitations. (1) Except as otherwise provided in this article, personally identifiable information contained in education and teacher records must not be disclosed to any entity outside the state; except that disclosure may be made: (a) To an out-of-state institution attended by a student who transferred from Colorado; (b) To an out-of-state program in which a student voluntarily participates and for which such a data transfer is a condition or requirement of participation; or (c) When a student is classified as a migrant for federal reporting purposes. 22-15-117. Disclosure to federal government - limitations. (1) Personally identifiable information contained in education or teacher records must not be disclosed to any federal agency unless: (a) Such disclosure is required by the United States department of education as a condition of receiving a federal education grant; (b) The United States department of education agrees in writing to use the information from the education or teacher records only to evaluate the program or programs funded by a federal grant; (c) The United States department of education agrees in writing that the information will not be used for any research beyond that related to the evaluation of the program or programs funded by the federal grant, unless the parent, eligible student, or teacher whose information will be used provides written consent; (d) The United States department of education agrees in writing to destroy the information upon completion of the evaluation of the program or programs for which the information was compiled; and (e) The federal grant or program in connection with the information required is one explicitly authorized by federal law or rule. (2) If the United States department of education requires, as a condition of making a federal education grant, that the grant recipient disclose education or teacher records under circumstances that do not comply with subsection (1) of this section, the grant recipient shall obtain written consent from the parents of every student, eligible students, or teachers whose information will be disclosed. (3) If the United States department of education demands personally identifiable information contained in education or teacher records without the written consent of affected parents, eligible students, or teachers, the grant recipient shall provide written notification to said parents, eligible students, and teachers of the following: (a) That the grant recipient has been required to disclose the personally identifiable information contained in the education or teacher records to the United States department of education; (b) That neither the grant recipient nor any other entity within the state of Colorado will have control over the use of or further disclosure of that personally identifiable information; and (c) The contact information, including the name, telephone number, and e-mail address, of the United States department of education official demanding the disclosure of information. 22-15-118. Disclosure to assessment consortium or company. (1) An education institution or state agency shall not disclose education or teacher records to any assessment consortium of which the state is a member or to a company with which the state contracts for the development or administration of any assessment unless: (a) The records are transmitted in aggregated record format; (b) The records are limited to information directly related to the assessment, such as a student's grade level and test scores; and (c) The test scores included do not contain any psychological information of any kind. 22-15-119. Destruction of data. An education institution shall destroy and remove from its student database all education records associated with a student within five years of the student's graduation or withdrawal from the education institution; except that an education institution shall retain adequate records to demonstrate attendance, courses passed, diploma or degree received, and contact information in case it becomes necessary to show that a student has completed graduation requirements. 22-15-120. Enforcement and penalties. (1) A violation of any provision of this article by an organization or entity other than an education institution or state agency is punishable by a fine of no more than one thousand dollars. A second violation by the same organization or entity involving the education or teacher records of the same student or teacher is punishable by a fine of no more than five thousand dollars. Any subsequent violation by the same organization or entity involving the education or teacher records of the same student or teacher is punishable by a fine of no more than ten thousand dollars. Each violation involving a different individual education or teacher record is considered a separate violation for purposes of this subsection (1). (2) Nothing in this article may be construed as creating a private right of action against an education institution or state agency. SECTION 2. Effective date - applicability. This act takes effect July 1, 2015, and applies to academic years beginning with the 2015-16 academic year. SECTION 3. Safety clause. The general assembly hereby finds, determines, and declares that this act is necessary for the immediate preservation of the public peace, health, and safety.