Sec. 3. Protecting student privacy
1,136 words·~5 min read·
/bill/114/hr/2092/ih/section-3A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
An operator may not knowingly— engage in or permit targeted advertising on a school service; collect, generate, use, or disclose any covered information for purposes of targeted advertising; sell covered information to a third party; collect, generate, or use covered information (including using covered information to create a personal profile of a student) other than for K-12 purposes; or disclose covered information, unless the disclosure is made— pursuant to lawful process or to ensure legal and regulatory compliance with Federal or State law; in accordance with subsection (c), pursuant to a request for disclosure— in the case of information about a student, from the student’s parent; or in the case of information about a student’s parent or another user of the school service, from the parent or such other user, as the case may be; in accordance with subsection (c), pursuant to a request for disclosure from a student who is or has been enrolled in a secondary school or from the student’s parent for the exclusive purpose of— providing or authenticating the student’s transcript, standardized test scores, letters of recommendation, or other information required by an institution of higher education for an application for admission or by a potential employer for an application for employment; or providing information relating to— admission to an institution of higher education; or a scholarship or financial aid for attendance at an institution of higher education; to protect the safety of users or others or the security of the school service; to an educational agency or institution, as permitted by Federal and State law; or to a third-party service provider of the operator, and the operator contractually— prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator; prohibits the service provider from disclosing to subsequent third parties any covered information disclosed by the operator to the service provider; and requires the service provider to establish, implement, and maintain reasonable security procedures as described in subsection (b)(1).
An operator shall— establish, implement, and maintain reasonable security procedures appropriate to the nature of covered information to protect the confidentiality, security, and integrity of covered information; delete a student’s covered information (except for information that is required to be maintained by Federal or State law) within a reasonable time, not to exceed 45 days, after receiving— a request from an educational agency or institution serving the student; or a request (either directly or through the educational agency or institution) from the student’s parent, except in the case of information that is included in the student’s education records (as defined in section 444 of the General Education Provisions Act ( 20 U.S.C. 1232g )), such as the student’s test scores or grades, or that is directed by the educational agency or institution to be maintained for educational or administrative purposes; disclose publicly and to each educational agency or institution to which the operator provides a school service, in contracts or privacy policies in a manner that is clear and easy to understand, the types of covered information collected or generated (if any), the purposes for which the covered information is used or disclosed to third parties, and the identity of any such party; facilitate access to and correction of covered information, either directly or through an educational agency or institution— in the case of information about a student, by the student’s parent; or in the case of information about a parent or another user of the school service, by the parent or such other user, as the case may be; implement policies and procedures for responding to data breaches involving unauthorized acquisition of or access to personally identifiable information that occur on a school service, in compliance with any obligations imposed by Federal or State law; notify the Commission and, as appropriate, students, parents, educational agencies or institutions, or officials of such agencies or institutions (including teachers) of each data breach involving unauthorized acquisition of or access to personally identifiable information that occurs on a school service, in compliance with any obligations imposed by Federal or State law; and delete any covered information maintained by a school service (except for information that is required to be maintained by Federal or State law)— except as provided in subparagraph (B), within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the educational agency or institution, unless the information is required to be maintained at the direction of the educational agency or institution or the student’s parent; or if the operator continues providing the service in whole or in part to a student after ceasing to provide the service to the educational agency or institution, within a reasonable time, not to exceed one year, after the operator ceases to provide the service to the student, unless the information is required to be maintained at the direction of the student’s parent.
An operator may disclose covered information under subparagraph
(B)or
(C)of subsection (a)(5) only after the operator— receives from the student, the student’s parent, or other user of the school service, as the case may be (in this subsection referred to as the requesting party ), an affirmative express request (whether made directly or through an educational agency or institution serving the student) to disclose information specified in the request; provides to the requesting party, in a manner that is clear and easy to understand, a description of the types of covered information that will be disclosed to a third party, any fees collected by the operator to cover administrative costs, and the purposes for which the covered information will be disclosed to and used by the third party; ensures that the third party agrees, in writing or an electronic equivalent— not to use any covered information received pursuant to the request for any purpose other than fulfilling the purpose for which the request was made; not to disclose to subsequent third parties any covered information received pursuant to the request; and to establish, implement, and maintain reasonable security procedures as described in subsection (b)(1); and provides a readily available mechanism for the requesting party to revoke the request. The prohibitions of this section on sale and disclosure of covered information do not apply to the merger of an operator with another entity or the acquisition of the operator by another entity (including any subsequent merger or acquisition), provided that the operator or successor entity continues to be subject to the provisions of this section with respect to covered information acquired before the merger or acquisition. This section shall continue to apply, after a student is no longer enrolled in an elementary school or secondary school, to covered information relating to the student that was collected or generated while the student was enrolled.
Connectionstraces to 1
Traces to 1 document
Citation graph
cites case law
Sec. 3
Protecting student privacy
Cites 1Cited by 0 across 0 sources