HOUSE DOCKET, NO. 3725        FILED ON: 2/19/2021

HOUSE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 127

 

The Commonwealth of Massachusetts

_________________

PRESENTED BY:

Kate Lipper-Garabedian and Jeffrey N. Roy

_________________

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act relative to student and educator data privacy.

_______________

PETITION OF:

 

Name:

District/Address:

Date Added:

Kate Lipper-Garabedian

32nd Middlesex

2/19/2021

Jeffrey N. Roy

10th Norfolk

2/19/2021

Brian W. Murray

10th Worcester

2/24/2021

Jack Patrick Lewis

7th Middlesex

2/24/2021

Lindsay N. Sabadosa

1st Hampshire

2/24/2021

Carmine Lawrence Gentile

13th Middlesex

2/25/2021

Tommy Vitolo

15th Norfolk

2/25/2021

Steven S. Howitt

4th Bristol

2/26/2021

Tram T. Nguyen

18th Essex

2/26/2021

Josh S. Cutler

6th Plymouth

2/26/2021

Alice Hanlon Peisch

14th Norfolk

3/3/2021

Steven Ultrino

33rd Middlesex

3/6/2021

Bradley H. Jones, Jr.

20th Middlesex

3/10/2021

Tami L. Gouveia

14th Middlesex

7/7/2021


HOUSE DOCKET, NO. 3725        FILED ON: 2/19/2021

HOUSE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 127

By Representatives Lipper-Garabedian of Melrose and Roy of Franklin, a petition (accompanied by bill, House, No. 127) of Kate Lipper-Garabedian, Jeffrey N. Roy and others relative to student and educator data privacy.  Advanced Information Technology, the Internet and Cybersecurity.

 

The Commonwealth of Massachusetts

 

_______________

In the One Hundred and Ninety-Second General Court
(2021-2022)

_______________

 

An Act relative to student and educator data privacy.

 

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
 

Chapter 71 of the General Laws, as appearing in the 2018 Official Edition, is hereby amended by inserting after section 34H the following four sections:--

Section 34I.  As used in sections 34I through 34L, the following words shall, unless the context clearly requires otherwise, have the following meanings:

“Aggregated data,” data collected and reported at the group, cohort, school, school district, region or state level that is aggregated using protocols that are both intended and reasonably likely to preserve the anonymity of each individual.

“Board”, the board of elementary and secondary education.

“Commissioner”, the commissioner of the department of elementary and secondary education.

"Covered information",  information or material that, alone or in combination, is linked or linkable to a specific student, teacher, principal, or administrator that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the individual with reasonable certainty and is: (i) created by or provided to an operator by a student, or the student's parent or legal guardian, in the course of the student's, parent's or legal guardian's use of the operator's site, service or application for K–12 school purposes; (ii) created by or provided to an operator by an employee or agent of a school district or K-12 school for K-12 school purposes; (iii) gathered by an operator through the operation of its site, service or application for K-12 school purposes and personally identifies a student, including, but not limited to, information in the student's educational record or electronic mail, including student-generated work; first and last name; home address and geolocation information; telephone number; electronic mail address or other information that allows physical or online contact; discipline records; test results, grades, and student evaluations; special education data; juvenile dependency records; criminal records; medical records and health records; social security number; student identifiers; biometric information; socioeconomic information; food purchases; political and religious affiliations; text messages; student identifiers; search activity and online behavior or usage of applications when linked or linkable to a student; photographs; voice recordings and persistent unique identifers; or (iv) gathered by an operator through the operation of its site, service or application in connection with performance evaluations conducted pursuant to section 38 of this chapter and personally identifies a teacher, principal or administrator.

“De-identified data”, records and information from which all personally identifiable information has been removed or obscured such that the remaining information does not reasonably identify a specific individual, including, but not limited to, any information that alone or in combination is linkable to a specific individual.             

“Department”, the department of elementary and secondary education.

“Destroy”, action taken in the normal course of business that is intended, and what a reasonable person would believe in the context of the information’s medium, to make such information permanently irretrievable

“District” or “school district”, the school department of a city or town, regional school district, vocational or agricultural school, independent vocational school or charter school.

“Educational entity”, a state educational agency, school district, K-12 school or subdivision thereof, education collaborative as defined in section 4E of chapter 40, approved public or private day and residential school providing special education services to publicly funded eligible students pursuant to chapter 71B or institutional K-12 school program overseen by a state agency including the department of youth services, the department of mental health or the department of public health as well as employees acting under the authority or on behalf of an educational entity.

"K-12 school", a school that offers any of grades kindergarten to 12 and that is operated by a school district; provided that, a K-12 school shall include any preschool or prekindergarten program or course of instruction provided by a school district.

"K-12 school purposes", uses that are directed by or that customarily take place at the direction of a school district, K-12 school or teacher or that aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities and collaboration between students, school personnel or parents, or are otherwise for the use and benefit of the K-12 school; provided that, K-12 school purposes shall include comparable purposes in the administration of any preschool or prekindergarten program or course of instruction provided by a school district.

"Operator", a person or entity operating in accordance with an agreement with an educational entity to provide an Internet website, online service, online application, or mobile application for K-12 school purposes or at the direction of an educational entity or an employee of an educational entity; provided, however, that this definition shall not apply to the department, school district, K-12 school, or other educational entity.

“Persistent unique identifier”, an identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers or similar technology; customer number, unique pseudonym or user alias; telephone number or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device; provided that, for the purposes of this definition “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.

"Targeted advertising", presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications or covered information. It does not include advertising to a student at an online location based upon that student's current visit to that location or in response to that student’s request for information or feedback without the retention of that student's online activities or requests over time for the purpose of targeting subsequent advertisements.

Section 34J. (a) An operator shall not engage in any of the following activities with respect to its site, service or application:

     (1) Engage in targeted advertising on the operator's site, service or application, or targeted advertising on any other site, service or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service or application for K-12 school purposes.

     (2) Use covered information, including persistent unique identifiers, created or gathered by the operator's site, service or application, to amass a profile about a student or a teacher, principal, or administrator except in furtherance of K–12 school purposes

     (3) Sell or rent a student's information, including covered information. This subsection shall not apply to the purchase, merger, or other type of acquisition of an operator by another entity, if the operator or successor entity complies with sections 34I through 34L of this chapter, or to national assessment providers if the national assessment provider secures the express written consent of the parent or student if 18 years old, given in response to clear and conspicuous notice solely to provide access to employment, educational scholarships or financial aid or postsecondary educational opportunities.

     (4) Disclose covered information; provided that, an operator may disclose covered information of a student, so long as subparagraphs (1) through (3), inclusive, of subsection (a) are not violated, under the following circumstances:

(i) If provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information;

(ii) For research purposes with the approval of the relevant educational entity and in compliance with and subject to the restrictions of state and federal law; provided that, the operator shall share research results with the educational entity in advance of any public dissemination; or

(iii) To an educational entity, including a K-12 school and school district, for K–12 school purposes, as permitted by state or federal law.

(b) An operator shall: (1) implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure and in compliance with regulations promulgated by the board pursuant to section 34L of this chapter; and (2) immediately return or destroy covered information if requested by the educational entity or when covered information is no longer required for K-12 school purposes or other lawful purpose, such as complying with a judicial order or law enforcement request.

(c) Subject to the provisions of this section, an operator may use de-identified data to maintain, develop, support, improve, or diagnose the operator's site, service, or application. Subject to the provisions of this section, an operator may use aggregated or de-identified student information to demonstrate the effectiveness of the operator’s products or services, including marketing or within the operator’s site, service, or application or other sites, services, or applications owned by the operator to improve educational purposes.

(d) Nothing in this section shall be construed to: (i) limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction; (ii) limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes; (iii) apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator's site, service, or application may be used to access those general audience sites, services, or applications; (iv) limit service providers from providing Internet connectivity to schools or students and their families; (v) prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section; (vi) impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this section on those applications or software; or (vii) prohibit students from downloading, exporting, transferring, saving, or maintaining their own data or documents.

(f) An aggrieved student or educational entity may institute a civil action against an operator for damages or to restrain a violation of this section and may recover: (i) up to $10,000 for each request that violates this section; (ii) up to $10,000 for each adverse action, which violates this section, or actual damages, whichever amount is higher; (iii) punitive damages if a court determines that a violation was willful; and (iv) reasonable attorneys’ fees and other litigation costs reasonably incurred.

(g) The commissioner may bar an operator that improperly discloses covered information from receiving access to student and educator evaluation records of any educational entity in the Commonwealth for a period no less than five years.

Section 34K. (a) Any contract or agreement that is entered between an educational entity and an operator, as defined in section 34I, pursuant to which the operator sells, leases, provides, operates, or maintains a service that grants access to covered information, or creates any covered information, including, but not limited to (i) any cloud-based services for the digital storage, management and retrieval of pupil records; or (ii) any digital software that authorizes an operator to access and acquire student records, shall contain:

(1) a statement that covered information and student records continue to be the property and under the control of the educational entity;

(2) a prohibition against the operator using covered information for commercial or advertising purposes or for any purpose other than K-12 school purposes;

(3) a description of the procedures by which a parent, legal guardian, or eligible student may review the student’s records and correct erroneous information, in accordance with state and federal law;

(4) a requirement that only persons, whether they are employees of the operator or other persons, such as employees of subcontractors, with a legitimate need to access covered information to support professional roles consistent with the terms of the contract or agreement and federal and state law shall have access to it, with either the identification of said persons or an agreement to identify said persons upon request;

(6) a description of the reasonable administrative, technical and physical safeguards including with respect to encryption technology to protect covered information while in motion or in the operator’s custody that the operator will employ to protect the security, confidentiality and integrity of covered information in its custody; provided, however, compliance with this requirement shall not, in itself, absolve the operator of liability in the event of an unauthorized disclosure of covered information;

(7) a description of the procedures for notifying any and all affected parties in the event of an unauthorized disclosure of covered information or any breach of security resulting in an unauthorized release of covered information; provided that, the procedures shall comply with chapter 444 of the acts of 2018 and implementing regulations;

(8) a certification that covered information shall be returned or destroyed by the operator upon completion of the terms of the contract; and

(9) a description of how the educational entity and the operator will jointly ensure the compliance with applicable federal and state law, including, but not limited to 20 U.S.C. section 1232g, 15 U.S.C. section 6501 et. seq. and sections 34A through 34L, inclusive, of this chapter.

(b) Any contract that fails to comply with the requirements of this section shall be voidable and all covered information and student records in possession of the third party shall be returned to the educational entity or, if the return of such information is not technologically feasible, destroyed.

Section 34L. (a) The board shall promulgate regulations that establish data security and privacy responsibilities of the department and educational entities as well as minimum required security standards for operators, including for use in department and educational entity contracts and agreements with operators, and shall approve the department’s data privacy and security policy and security plan for the state data system. The regulations further shall establish the process through which the commissioner, pursuant to subsection (g) of section 34J, may bar an operator from receiving the student and educator evaluation data of any educational entity in the Commonwealth for a period no less than five years. In carrying out these responsibilities, the board shall consult with the executive office of technology services and security and seek the input of security and experts, including those from security, cyber-security and fields in addition to education that have experience with personal data protection.

(b) The commissioner shall appoint a chief privacy officer with experience in data privacy and security.  The chief privacy officer shall oversee the development and implementation, subject to the board’s approval, of a department data privacy and security policy and a detailed security plan for the state data system in consultation with the executive office of technology services and security. The chief privacy officer further shall develop a model school district data privacy and security policy as well as a model operator contract or contracts in consultation with the executive office of technology services and security; otherwise support and supervise implementation of sections 34I through 34L, inclusive, of this chapter and the regulations issued by the board pursuant to subsection (a); develop and provide a program of training and technical assistance to K-12 schools, school districts and other educational entities including through the issuance of guidance and recommendations to assist with compliance with federal and state law pertaining to personally identifiable information including, but not limited to, 20 U.S.C. 1232g, sections 34A through 34L, inclusive, of chapter 71 of the General Laws, chapter 66A of the General Laws and chapter 444 of the acts of 2018; develop and oversee a program of oversight, support and accountability for the department and educational entities responsible for implementing policies pursuant to sections 34I through 34L of this chapter; and assist the commissioner with enforcement responsibilities regarding operators that violate any provision of sections 34I through 34K, inclusive, of this chapter.

(c) The department shall make publicly available a list of categories of covered information collected by the department including, but not limited to, covered information required to be collected or reported by state or federal law. The list shall contain the source of the information, the reason for the collection of the information and the use of the information collected.

(d) In accordance with the regulations of the board promulgated pursuant to subsection (a), each district shall develop a detailed privacy and security policy for the protection of covered information that includes security breach planning, notice and procedures; provided that, a district may adopt any model policy developed by the chief privacy officer of the department and approved by the board to comply with this requirement. Each district shall designate an individual to act as a student data manager to oversee said policy.

(e)Each district shall make publicly available on its website a list of categories of student personally identifiable information collected at the school district, school, or classroom level. The list shall contain the source of the information, the reason for collection of the information and the use of the information. Each district further shall make publicly available on its website a list of the operators with which the district has a contract or agreement that involves the creation, provision or gathering of covered information and a list of operators with which the district had a contract or agreement that involved the creation, provision or gathering of covered information in the last ten years.