SB 530 - This act enacts multiple provisions to protect the privacy of student data. Consistent with Article I, Section 15 of the Missouri Constitution, the people shall be secure in their electronic communications and data and no access to electronic data or communication will be allowed without describing the data or communication to be accessed as nearly as may be.
EDUCATION DATA: This act establishes limits and procedures for how certain entities may use student data.
State agencies are limited in the student data they may collect without written consent. The term "state agency" is defined to include the state departments of education and state education boards. The data they may collect without the written consent of parents for any student under the age of eighteen or any eligible student includes the following, as described in the act: the student's identification number for the Missouri student information system (MoSIS); assessment results from the statewide assessment system; course taking and completion, credits earned, grades, grade point average, date of birth; attendance; certain medical, health and mental-health records when used for certain purposes; discipline reports and juvenile delinquency or criminal or correctional records when used for certain purposes; remediation data; special education data; certain demographic data; student workforce information; social security numbers if needed by an institution of higher education to comply with state or federal law; income data; and extracurricular activity data.
State agencies are prohibited from collecting any of the following information from parents, eligible students, or through data sharing agreements with any other entity: certain medical and health information; certain student or family workforce information; student biometric records; certain data collected via affective computing; data collected from predictive modeling; and information about student or family religious affiliation. (Section 160.1503)
No funds, regardless of source, can be spent on the construction, enhancement, or expansion of any data system that does not comply with these limitations or that is designed to track students beyond their K-12 or postsecondary education careers, or that compiles personal nonacademic information. (Section 160.1503)
This act prohibits state agencies from pursuing or accepting any grant that would require the collecting or reporting of any type of data that violates these prohibitions. (Section 160.1503)
By June 30 annually, state agencies must publicly disclose on their websites the existence and character of any personally identifiable information from education records maintained by them. They must annually notify parents, eligible students, and teachers of this website posting. (Section 160.1506)
State agencies must annually notify, by June 30, the chairs of the Senate Education Committee, House Elementary and Secondary Education Committee, and the Joint Committee on Education. (Section 160.1506)
The disclosure and notifications must include multiple explanations, including the legal authority authorizing the establishment of a data repository, the principal purpose for which the information is intended to be used, categories of records and individuals maintained in the repository, expected disclosure of records, policies and practices that must be followed, the title and business address of the individual responsible for the data repository, and the procedures whereby parents or eligible students may be notified of records pertaining to them in the repository, as described in the act. (Section 160.1506)
State agencies must only use aggregate data in published reports. (Section 160.1506)
School districts and charter schools are prohibited from adopting or administering any state or national student assessment that collects psychological or behavioral data, as described in the act. (Section 160.1509)
State agencies, school boards, and education institutions offering grades pre-kindergarten through twelve cannot administer any student survey, assessment, analysis, evaluation, or similar instrument that solicits certain personal information about the student or student's family, as described in the act. (Section 160.1512)
Access to student education records in the Department of Elementary and Secondary Education's Missouri Student Information System (MOSIS) must be restricted to the authorized representatives of the Department of Elementary and Secondary Education, any state agency, or education institution who require access to it. An authorized representative must be an employee of the Department, state agency, or education institution and be under its direct control. Personally identifiable student or teacher data cannot be disclosed without the written consent of the parents or eligible students. (Section 160.1515)
The Department of Elementary and Secondary Education must develop and publish criteria for the approval of research-related data requests from state agencies, political subdivisions, local government agencies, the General Assembly, academic researchers, and the public. Written consent is required for the release of personally identifiable student or teacher information to a party conducting studies. Outside parties conducting studies must meet the requirements for contractors, as described in the act. (Section 160.1515)
In addition, state agencies, school boards, and institutions must not disclose personally identifiable information from education records without written consent to an outside party, unless the outside party meets the criteria established in the act. (Section 160.1515)
If a security breach or unauthorized disclosure of personally identifiable student data occurs, the state agency responsible for the data must immediately notify any individual whose personally identifiable student data may have been affected of the breach or disclosure, report it to the Family Policy Compliance Office of the U.S. Department of Education, and investigate the causes and consequences of the breach or disclosure. (Section 160.1518)
Personally identifiable information in education records cannot be disclosed by any state agency to any party for commercial use. Cloud computing service providers that provide services for a state agency are prohibited from using information from education records or information relating to a student or created by a student through the use of a cloud computing service for any purpose other than providing the cloud computing service for education purposes and maintaining the integrity of the service. Examples of prohibited purposes for processing of information are listed in the act. (Section 160.1521)
Any cloud computing service provider that enters into a service agreement with a state agency must certify in writing that it will comply with data use requirements and that the state agency maintains ownership of all student data. The agreement must also provide that the cloud computing service provider will be responsible for all damages associated with a data breach. All student data stored by a cloud computing service provider must be stored within the boundaries of the United States. (Section 160.1521)
Student data cannot be used for predictive modeling, as defined in the act, for detecting behaviors, beliefs, or value systems, or predicting or forecasting student outcomes. (Section 160.1524)
This act prohibits video monitoring in classrooms unless the local school board approves it after public hearings and the written consent of the teacher, eligible students, and the parents of all students in the classroom. (Section 160.1527)
This act prohibits the disclosure of personally identifiable information from education records to any non-education government agency, including the Missouri Department of Labor and Industrial Relations, or to any party for the purpose of workforce development or economic planning. Data linkages or sharing of data with other states without expressed permission of the individuals affected are prohibited. (Section 160.1530)
Personally identifiable information from education records cannot be disclosed to any government agency or other entity outside Missouri except to an institution attended by a student who has transferred out of state, to an out-of-state program in which a student voluntarily participates and a data transfer is required, or for migrant students for federal reporting purposes. (Section 160.1533)
Personally identifiable information from education records cannot be disclosed to any federal agency unless certain conditions are satisfied. First, the disclosure must be required by the U.S. Department of Education as a condition of receiving a federal education grant. Second, the U.S. Department of Education must agree in writing to use the information only to evaluate the program funded by the grant. Third, the U.S. Department of Education must agree in writing that the information must not be used for any research beyond what is needed to evaluate the program, unless the parent or eligible student whose information or data is used affirmatively consents. Fourth, the U.S. Department of Education must agree in writing to destroy the information or data upon completion of the program evaluation. Fifth, the grant or program must be authorized by federal statute or rule. Additional requirements on the use of data, and procedures in which written consent is required, are described in the act. (Section 160.1536)
State agencies, school boards, and education institutions are prohibited from disclosing student or teacher information to any assessment consortium of which Missouri is a member or any company with which Missouri contracts for development or administration of any assessment. However, these entities may disclose such information if it is transmitted in non-individual record format, it is limited to information directly related to the assessment, and no psychological or behavioral information is included as part of the test scores. (Section 160.1539)
Education institutions must destroy and remove from their student databases all education records of a student within five years of the student's graduation or withdrawal from the district. An institution may retain records showing the student's dates of attendance, diploma or degree earned, and contact information. For any student who withdraws before graduation, the institution must, within one year, destroy and remove all records of the student except those showing dates of attendance. Destruction must comply with the standards of data destruction identified in the National Institute of Standards and Technology (NIST) special publication 800-88. (Section 160.1542)
Each violation of any provision of this act by an organization or entity other than a state agency, a school board, or an institution shall be punishable by a civil penalty of up to one thousand dollars. A second violation involving the education records and privacy of the same student is punishable by a civil penalty of up to five thousand dollars. A subsequent violation by the same organization or entity involving the education records and privacy of the same student is punishable by a civil penalty of up to ten thousand dollars. (Section 160.1545)
The Attorney General is granted authority to enforce compliance with this act by investigation and subsequent commencement of a civil action, to seek civil penalties for violations, and to seek injunctive relief. (Section 160.1545)
This act contains an emergency clause.
This act is substantially similar to HB 1240 (2015) and is similar to SCS/SB 819 (2014).