SB 989
Enacts multiple provisions to protect the privacy of student data
Sponsor:
LR Number: 4680S.04I
Committee:
Last Action: 2/10/2016 - Hearing Conducted S Education Committee
Journal Page:
Title:
Calendar Position:
Effective Date: August 28, 2016

Current Bill Summary

SB 989 - This act enacts multiple provisions to protect the privacy of student data.

State agencies, as defined in the act, are limited in the student data they may collect without written consent. The data they may collect without the written consent of parents for any student under the age of eighteen or any eligible student is limited to certain types of data, as described in the act.

State agencies are prohibited from collecting any of the following information from parents, eligible students, or through data sharing agreements with any other entity: certain medical and health information; certain student or family workforce information; student biometric records; certain data collected via affective computing; data collected from predictive modeling; and information about student or family religious affiliation. (Section 160.1503)

No funds, regardless of source, can be spent on the construction, enhancement, or expansion of any data system that does not comply with these limitations or that is designed to track students beyond their K-12 or postsecondary education careers, or that compiles personal nonacademic information. (Section 160.1503)

This act prohibits state agencies from pursuing or accepting any grant that would require the collecting or reporting of any type of data that violates these prohibitions. (Section 160.1503)

This act prohibits the Department of Elementary and Secondary Education and the State Board of Education from developing or approving policies that require the disclosure of student or family income data, including completion of federal financial aid applications, as a condition of attendance or graduation from any education program. (Section 160.1503)

By June 30 annually, state agencies shall publicly disclose on their websites the existence and character of any personally identifiable information from education records maintained by them, and shall notify the chairs of the Senate Education Committee, House Elementary and Secondary Education Committee, and the Joint Committee on Education of such information. They must annually notify parents, eligible students, and teachers of this website posting.

The disclosure and notifications must include multiple explanations, including the legal authority authorizing the establishment of a data repository, the principal purpose for which the information is intended to be used, categories of records and individuals maintained in the repository, expected disclosure of records, policies and practices that must be followed, the title and business address of the individual responsible for the data repository, and the procedures whereby parents or eligible students may be notified of records pertaining to them in the repository, as described in the act.

State agencies must only use aggregate data in published reports. (Section 160.1506)

School districts and charter schools are prohibited from adopting or administering any state or national student assessment that collects psychological or behavioral data, as described in the act. (Section 160.1509)

State agencies, school boards, and education institutions offering grades pre-kindergarten through twelve cannot administer any student survey, assessment, analysis, evaluation, or similar instrument that solicits certain personal information about the student or student's family, as described in the act. (Section 160.1512)

Access to student education records in the Department of Elementary and Secondary Education's Missouri Student Information System (MOSIS) must be restricted to the authorized representatives of the Department of Elementary and Secondary Education, any state agency, or education institution who require access to it. An authorized representative must be an employee of the Department, state agency, or education institution and be under its direct control. Personally identifiable student or teacher data cannot be disclosed without the written consent of the parents or eligible students. (Section 160.1515)

Written consent is required for the release of personally identifiable student or teacher information to a party conducting studies. Outside parties conducting studies must meet the requirements for contractors, as described in the act. In addition, state agencies, school boards, and institutions must not disclose personally identifiable information from education records without written consent to an outside party, unless the outside party meets the criteria established in the act. (Section 160.1515)

If a security breach or unauthorized disclosure of personally identifiable student data occurs, the state agency responsible for the data must immediately notify any individual whose personally identifiable student data may have been affected of the breach or disclosure, report it to the Family Policy Compliance Office of the U.S. Department of Education, and investigate the causes and consequences of the breach or disclosure. (Section 160.1518)

Personally identifiable information in any state agency's education records cannot be disclosed to any party for commercial use. Cloud computing service providers that provide services for a state agency are prohibited from using information from education records, or information relating to a student or created by a student through the use of a cloud computing service, for any purpose other than providing the cloud computing service for education purposes and maintaining the integrity of the service. Examples of prohibited purposes for processing of information are listed in the act.

Any cloud computing service provider that enters into a service agreement with a state agency must certify in writing that it will comply with data use requirements and that the state agency maintains ownership of all student data. The agreement must also provide that the cloud computing service provider will be responsible for all damages associated with a data breach. All student data stored by a cloud computing service provider must be stored within the boundaries of the United States. (Section 160.1521)

Student data cannot be used for predictive modeling, as defined in the act, for detecting behaviors, beliefs, or value systems, or predicting or forecasting student outcomes. (Section 160.1524)

This act prohibits video monitoring in classrooms unless the local school board approves it after public hearings and the written consent of the teacher, eligible students, and the parents of all students in the classroom. (Section 160.1527)

This act prohibits the disclosure of personally identifiable information from education records to any non-education government agency, including the Missouri Department of Labor and Industrial Relations, or to any party for the purpose of workforce development or economic planning. Data linkages or sharing of data with other states without expressed permission of the individuals affected are prohibited. (Section 160.1530)

Personally identifiable information from education records cannot be disclosed to any government agency or other entity outside Missouri except to an institution attended by a student who has transferred out of state, to an out-of-state program in which a student voluntarily participates and a data transfer is required, or for migrant students for federal reporting purposes. (Section 160.1533)

Personally identifiable information from education records cannot be disclosed to any federal agency unless certain conditions are satisfied as described in the act. (Section 160.1536)

State agencies, school boards, and education institutions are prohibited from disclosing student or teacher information to any assessment consortium of which Missouri is a member or any company with which Missouri contracts for development or administration of any assessment. However, these entities may disclose such information if it is transmitted in non-individual record format, it is limited to information directly related to the assessment, and no psychological or behavioral information is included as part of the test scores. (Section 160.1539)

Education institutions must destroy and remove from their student databases all education records of a student within five years of the student's graduation or withdrawal from the district. An institution may retain records showing the student's dates of attendance, diploma or degree earned, and contact information. For any student who withdraws before graduation, the institution must, within one year, destroy and remove all records of the student except those showing dates of attendance. Destruction must comply with the standards of data destruction identified in the National Institute of Standards and Technology (NIST) Special Publication 800-88. (Section 160.1542)

Each violation of any provision of this act by an organization or entity other than a state agency, a school board, or an institution shall be punishable by civil penalties as described in the act. (Section 160.1545)

The Attorney General is granted authority to enforce compliance with this act by investigation and subsequent commencement of a civil action, to seek civil penalties for violations, and to seek injunctive relief. (Section 160.1545)

This act is substantially similar to SB 530 (2015) and HB 1240 (2015), and is similar to SCS/SB 819 (2014).

JOSHUA NORBERG
