First Regular Session
Seventieth General Assembly
STATE OF COLORADO
INTRODUCED

LLS NO. 15-0269.01 Jane Ritter x4342
HOUSE BILL 15-1108

HOUSE SPONSORSHIP
Lundeen, Carver, Everett, Humphrey, Joshi, Klingenschmitt, Landgraf, Neville P., Nordberg, Ransom, Roupe, Szabo, Tate

SENATE SPONSORSHIP
Woods,

House Committees Senate Committees
Education Appropriations

A BILL FOR AN ACT
Concerning protections for student data.

Bill Summary

(Note: This summary applies to this bill as introduced and does not reflect any amendments that may be subsequently adopted. If this bill passes third reading in the house of introduction, a bill summary that applies to the reengrossed version of this bill will be available at http://www.leg.state.co.us/billsummaries.)

The bill expands on the protections currently existing in law regarding protection of student data. Prior to conducting any survey, assessment, analysis, or evaluation that would include the collection of specified personal information, a school or school district shall obtain the written consent of a minimum of 85% of the students' parents or legal guardians.

Additional protections and requirements for data collected or released include assurances that:
The data collected are accurate and, where necessary, kept up to date, and that the school district shall take every reasonable step to ensure that inaccurate or incomplete data are rectified or deleted;
The data collected will be kept in a form that permits identification of a data subject for no longer than is necessary for the stated purposes for which the data were collected;
The data collected will be adequate, relevant, and not excessive in relation to the stated purposes for which the data are collected;
Appropriate safeguards are in place for personal data that will be stored for longer periods of time for historical, statistical, or scientific use; and
The data will be adequately protected from threat of exposure or loss.
The bill allows a student who is 18 years of age or older to have all data related to him or her not included in his or her academic achievement record to be destroyed. A student's parent or legal guardian may, at any time, provide written notification to a school district that prohibits the school district from including any data related to the student to be provided, separately or in the aggregate, to any other vendor or entity outside the school district.

Be it enacted by the General Assembly of the State of Colorado:

SECTION 1. Legislative declaration.

(1) The general assembly finds and declares that:
(a) The United States constitution protects all United States citizens against searches and seizures of private information;
(b) The United States constitution applies to minors as well as adults, and attendance in a public school is insufficient grounds to waive all constitutional rights to privacy;
(c) Assessment questions and answers, coupled with various technological advancements, including word choice, phrases used, handwriting analysis, pressure mouse, retina tracking, facial expressions, body language, and viewpoints expressed through answers, have the potential to be processed using technology to mine for "meta data";
(d) "Meta data" has been and can be used to profile students according to personal preferences and cultural, racial, religious, political, economic, social, and psychological tendencies, as well as several hundred potential other data points. Such profiling virtually amounts to a search into the thought processes and private life of an individual in violation of the fourth and fifth amendments of the United States constitution, much like a legal interrogation or discovery process; and
(e) Profiling in order to predict behavior and the gathering of profile type information to be used to affect the life and opportunities of American citizens has been long suspect, discouraged, and, in many cases, illegal.

(2) The general assembly additionally finds that:
(a) School attendance is mandated by law;
(b) Participation by minors in standardized assessments in school settings is also mandated by law; and
(c) The school entity stands in locus parenti for the purpose of education but does not have legal custody over the students and, therefore, cannot lawfully waive students' constitutional rights to privacy.

SECTION 2. In Colorado Revised Statutes, 22-1-123, amend (5) (a) introductory portion, (5) (c), (6), and (8); and add (14) as follows:

22-1-123. Protection of student data - parental or legal guardian consent for surveys.

(5) (a) A school district shall comply with 20 U.S.C. sec. 1232h. A school or school district employee who requires participation in a survey, assessment, analysis, or evaluation in a public school's curriculum or other official school activity shall obtain the written consent of a student's parent or legal guardian a minimum of eighty-five percent of the students' parents or legal guardians before giving the student students any survey, assessment, analysis, or evaluation intended to reveal information, whether the information is personally identifiable or not, concerning the student or the student's parent's or legal guardian's students or the students' parents' or legal guardians':

(c) Written consent for the collection of data pursuant to this subsection (5) is valid only if the school district has given gives a parent or legal guardian written notice of the survey, assessment, analysis, or evaluation; has made makes a copy of the document available for viewing at convenient locations and times the student's school or school district office during normal business hours; and has given gives the parent or legal guardian at least two weeks, after receipt of the written notice, to obtain written information concerning:
(I) Records or information that may be examined and requested in the survey, analysis, or evaluation;
(II) The means by which the records or information shall will be examined, reviewed, or disseminated;
(III) The means by which the information is to will be obtained;
(IV) The purposes for which the records or information is needed and assurances that the data collected will not be further processed in a way that is incompatible with those purposes;
(V) The entities or persons, regardless of affiliation, who will have access to the information; and
(VI) A method by which a parent or legal guardian of a student can grant or deny permission to access or examine the records or information;
(VII) Assurances that the data collected are accurate and, where necessary, kept up to date, and that the school district shall take every reasonable step to ensure that inaccurate or incomplete data are rectified or deleted;
(VIII) Assurances that the data collected will be kept in a form that permits identification of a data subject for no longer than is necessary for the stated purposes for which the data were collected;
(IX) Assurances that the data collected will be adequate, relevant, and not excessive in relation to the stated purposes for which the data are collected;
(X) Assurances that appropriate safeguards are in place for personal data that will be stored for longer periods of time for historical, statistical, or scientific use; and
(XI) Assurances that the data collected will be protected from threat of exposure or loss, consistent with section 22-2-309.

(6) If a school district sends a consent form to a parent or legal guardian requesting written consent for the school district to release personally identifiable information in education records other than directory information concerning that parent's or legal guardian's child, in education records other than directory information, such consent shall be the written consent is valid under this section only if the consent form contains notice to the parent or legal guardian regarding:
(a) The specific records to be released;
(b) The specific reasons for such for the release A clear and specific statement of the purposes for which the data released will be used;
(c) The specific identity of any person, agency, or organization requesting such the information and the intended uses of the information for each entity;
(d) The method or manner by which the records will be released, and including assurances that the data will not be further processed in any way incompatible with the stated purposes for which the data have been released;
(e) The right to review or to receive a copy of the relevant records to be released;
(f) Assurances that the data released will be adequate, relevant, and not excessive in relation to the stated purposes for which the data are released; and
(g) Assurances that appropriate safeguards are in place for personal data that will be stored for longer periods of time for historical, statistical, or scientific use.

(8) Any right accorded to a parent or legal guardian pursuant to this section shall transfer transfers to the relevant student when that student attains the age of eighteen years. At such time, the student may request, in writing, that the school district immediately destroy all data related to his or her record, except any information contained on his or her academic achievement record.

(14) A student's parent or legal guardian may, at any time, provide written notification to a school district that prohibits the school district from including any data related to the student to be provided, separately or in the aggregate, to any other vendor or entity outside the school district.

SECTION 3. Act subject to petition - effective date. This act takes effect at 12:01 a.m. on the day following the expiration of the ninety-day period after final adjournment of the general assembly (August 5, 2015, if adjournment sine die is on May 6, 2015); except that, if a referendum petition is filed pursuant to section 1 (3) of article V of the state constitution against this act or an item, section, or part of this act within such period, then the act, item, section, or part will not take effect unless approved by the people at the general election to be held in November 2016 and, in such case, will take effect on the date of the official declaration of the vote thereon by the governor.