HP0851
LD 1251
Session - 127th Maine Legislature
 
LR 839
Item 1
Bill Tracking, Additional Documents Chamber Status

An Act To Safeguard Students' Personal and Private Information

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 20-A MRSA c. 221, sub-c. 1-A  is enacted to read:

SUBCHAPTER 1-A

PROTECTION OF STUDENTS' PERSONAL AND PRIVATE DATA

§ 6011 Definitions

As used in this subchapter, unless the context otherwise indicates, the following terms have the following meanings.

1 Disclosure.   "Disclosure" means to permit access to or the release, transfer or other communication of personally identifiable information contained in education records by any means, including oral, written or electronic means, to any party except the party identified as the party that provided or created the record.
2 Education record.   "Education record" means a record directly related to a student and maintained by the department or a school administrative unit or by a party acting for the department or a school administrative unit.
3 Eligible student.   "Eligible student" means a student who has reached 18 years of age.
4 Party.   "Party" means an individual, agency, institution or organization.
5 Personally identifiable information.   "Personally identifiable information" includes but is not limited to:
A The student's name;
B The name of the student's parent or other family members;
C The address of the student or student's family;
D A personal identifier, such as the student's social security number, student number or biometric record;
E Other indirect identifiers, such as the student's date of birth, place of birth and mother's maiden name;
F Other information that, alone or in combination, may be or is linked to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of any relevant circumstances, to identify the student with reasonable certainty; and
G An education record requested by a person who the department or a school administrative unit reasonably believes knows the identity of the student to whom the education record relates.
6 Record.   "Record" means any information recorded in any way, including, but not limited to, by handwriting, print, computer media, videotape or audio tape, film, microfilm and microfiche.
7 Student.   "Student" means an individual who is or has been in attendance at a school within this State and regarding whom the department or a school administrative unit maintains education records.
8 Student database.   "Student database" means any computer system that houses or maintains data on students in prekindergarten to grade 12.
9 Written consent.   "Written consent" means consent that is signed by an eligible student or a parent, is dated on the day it was signed, is signed within 6 months before a disclosure, identifies the recipient and the purpose of the disclosure and states that the information will be used only for that purpose and will not be used or disclosed for any other purpose.

§ 6012 Restrictions on maintenance and disclosure

1 Disclosure prohibited.   The department or a school administrative unit may not directly or through contracts with outside parties maintain personally identifiable information from education records without the written consent of eligible students or parents unless maintenance of the information is:
A Explicitly mandated in federal or state statute;
B Administratively required for the proper performance of the department's or the school administrative unit's duties under the law and is relevant to and necessary for delivery of services; or
C Designed to support a study of students or former students, as long as no personally identifiable information is retained on former students for more than 5 years after the date of their last enrollment at a school.
2 Data collection, entry and maintenance prohibited.   The following information may not be collected, entered into any student database or maintained as education records by the department or a school administrative unit:
A DNA, fingerprints or retina or iris pattern information or any information about the psychological characteristics of a student;
B Student or family religious affiliation, beliefs or practices;
C Student or family political affiliation, beliefs or practices;
D Student or family member sexual orientation or beliefs about sexual orientation; or
E Student or family gun ownership or usage.
3 Prohibited grants.   The department or a school administrative unit may not pursue or accept a grant, whether governmental or private, that would require the collection or reporting of any student information contained in subsection 2.
4 Disclosure and notification concerning maintenance of personally identifiable information.   The department and school administrative units shall publicly and conspicuously disclose on their publicly accessible websites and through annual electronic notification to the joint standing committee of the Legislature having jurisdiction over education matters the existence and nature of any personally identifiable information from education records that they, directly or through contracts with outside parties, maintain. Such disclosure and notifications must include:
A The name and location of the student database where the information is maintained;
B The legal authority that authorizes the establishment and existence of the student database;
C The principal purpose or purposes for which the information is intended to be used;
D The categories of individuals on whom records are maintained in the student database;
E The categories of records maintained in the student database;
F Each expected disclosure of the records contained in the student database, including the categories of recipients and the purpose of the disclosure;
G The policies and practices of the department and school administrative units regarding storage, retrievability, access controls, retention and disposal of the records;
H The title and business address of the department or school administrative unit official who is responsible for the student database, and the name and business address of any contractor or other outside party maintaining the student database for or on behalf of the department or a school administrative unit;
I The procedure whereby an eligible student or a parent can be notified upon request if the student database contains a record pertaining to the student or the parent's child;
J The procedure whereby an eligible student or a parent can be notified upon request regarding how to gain access to a record pertaining to the student or the parent's child contained in the student database, and how the student or parent can contest the record's content; and
K The categories of sources of records in the student database.
5 Access to personally identifiable information restricted.   Except as otherwise authorized by this section, access to personally identifiable information in the student database is restricted to the authorized representatives of the department and the school administrative unit who require such access to perform their assigned duties. The department and the school administrative unit shall designate only parties that are under their direct control to act as their authorized representatives to conduct an audit or evaluation, or any compliance or enforcement activity in connection with legal requirements that relate to state-supported or unit-supported educational programs, when the audit, evaluation or activity requires or is used as the basis for granting access to personally identifiable information.
6 Disclosure without written consent restricted.   The department or a school administrative unit may not disclose personally identifiable information from education records of students without the written consent of eligible students or parents to a contractor, consultant or other party to whom the department or the school administrative unit has outsourced institutional services or functions unless the contractor, consultant or other party:
A Performs an institutional service or function for which the department or the school administrative unit would otherwise use its own employees;
B Is under the direct control of the department or the school administrative unit with respect to the use and maintenance of education records;
C Limits internal access to education records to those individuals who are determined to have legitimate educational interests;
D Does not use the education records for any purposes other than those explicitly authorized in the party's contract;
E Does not disclose any personally identifiable information to any other party;
F Maintains reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable information in its custody;
G With respect to personally identifiable information stored in a student database that is accessed over the Internet or other public network, protects such data through a secure encrypted protocol. Access through a web browser must use at a minimum Hypertext Transfer Protocol Secure, while access through other means must use the industry standard encryption technologies applicable to the most sensitive component of the record. With respect to records concerning a student's physical, mental or psychological health, "industry standard" means a technology or methodology specified by the Secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(h)(2) of the American Recovery and Reinvestment Act, Public Law 111-5;
H With respect to data that is in motion or in the party's custody, protects such data from unauthorized disclosure using industry standard encryption technologies applicable to the most sensitive component of the data in its custody. With respect to records concerning a student's physical, mental or psychological health, "industry standard" means a technology or methodology specified by the Secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(h)(2) of the American Recovery and Reinvestment Act, Public Law 111-5;
I Has sufficient administrative and technical procedures to monitor continuously the security of personally identifiable information in the party's custody;
J Conducts a security audit annually and provides the results of that audit to the department and each school administrative unit and school that provided education records to the party;
K Provides the department or the school administrative unit with a breach-remediation plan acceptable to the department or the school administrative unit before initial receipt of education records;
L Reports all suspected or actual security breaches to the department or the school administrative unit that provided education records to the party as soon as possible but not later than 48 hours after a suspected or actual breach is known or would have been known by exercising reasonable diligence;
M In the event of a security breach or unauthorized disclosure of personally identifiable information, pays all costs and liabilities incurred by the department or the school administrative unit related to the security breach or unauthorized disclosure, including but not limited to the costs of responding to inquiries about the security breach or unauthorized disclosure, of notifying subjects of personally identifiable information about the security breach or unauthorized disclosure, of mitigating the effects of the security breach or unauthorized disclosure for the subjects of personally identifiable information and of investigating the cause and consequences of the security breach or unauthorized disclosure; and
N Destroys or returns to the department or the school administrative unit all personally identifiable information in the party's custody upon request or at the termination of the contract, whichever occurs first.
7 Disclosure without consent for studies.   The department or a school administrative unit may disclose personally identifiable information from an education record of a student without the consent of the eligible student or parent to a party conducting studies for or on behalf of the department or the school administrative unit to:
A Develop, validate or administer predictive tests; or
B Administer student-aid programs if the outside party conducting the study meets all of the requirements for contractors set forth in subsection 6.
8 Disclosure and notification before authorized nonconsensual disclosure.   Before any nonconsensual disclosures authorized by subsections 6 and 7, the department or a school administrative unit shall publicly and conspicuously disclose on their publicly accessible websites and through electronic notification to the joint standing committee of the Legislature having jurisdiction over education matters the existence and nature of any contracts or agreements pursuant to which the department or school administrative unit intends to disclose personally identifiable information from education records to a contractor, outsourcing entity or 3rd party conducting a study. The disclosure and notification must include:
A The name and location of the student database where any personally identifiable information would be maintained by a contractor, outsourcing entity or 3rd party;
B The principal purpose or purposes for which the personally identifiable information is intended to be used;
C The categories of individuals whose records would be disclosed to the contractor, outsourcing entity or 3rd party;
D The categories of records maintained by the contractor, outsourcing entity or 3rd party;
E Expected uses of the records disclosed to the contractor, outsourcing entity or 3rd party;
F The policies and practices of the contractor, outsourcing entity or 3rd party regarding storage, retrievability, access controls, retention and disposal of the records;
G The title and business address of the department or school administrative unit official who is responsible for the contract or agreement, and the name and business address of the contractor, outsourcing entity or 3rd party directly responsible for education records maintained pursuant to a contract or agreement;
H The procedure whereby an eligible student or a parent can be notified upon request regarding how to gain access to any record pertaining to the student or the parent's child maintained by the contractor, outsourcing entity or 3rd party and how the student or the parent can contest the record's contents; and
I The categories of sources of records in the student database containing education records.
9 Collection or disclosure for commercial use prohibited.   The department or a school administrative unit may not, without the written consent of eligible students or parents, facilitate, arrange, contract for or authorize a 3rd party to collect personally identifiable information of students or disclose personally identifiable information from education records to any party for a commercial use, including but not limited to marketing products or services, or creation of individual, household or group profiles; nor may such disclosure be made for provision of services other than contracting, studies and audits or evaluations as authorized and limited by subsections 6 and 7.
10 Disclosure to noneducation government agency prohibited.   The department or a school administrative unit may not disclose personally identifiable information from education records to any noneducation government agency, including but not limited to the Department of Labor, whether within or outside the State, or to any party that intends to use or disclose the personally identifiable information for the purpose of workforce-development or economic planning without the written consent of eligible students or parents.
11 Disclosure to governmental or private entity outside this State restricted.   Subject to the provisions of this subsection, the department or a school administrative unit may not disclose personally identifiable information from education records to any governmental or private entity outside this State without the written consent of eligible students or parents, except that the department or the school administrative unit may disclose personally identifiable information in the following circumstances:
A When a student has transferred to a school out of state;
B When a student voluntarily participates in an out-of-state program and the data transfer is a condition or requirement of participation; or
C When a student is classified as a "migrant" for federal reporting purposes.
12 Disclosure to United States Department of Education restricted.   The department or a school administrative unit may not disclose to the United States Department of Education any student-level information, whether or not personally identifiable, from education records without the prior notification of the joint standing committee of the Legislature having jurisdiction over education matters.
13 Data match practices restricted.   The department or a school administrative unit may not append education records with personally identifiable information obtained from other federal or state agencies through data matches without the written consent of eligible students or parents unless the data matches are:
A Explicitly mandated by federal or state statute; or
B Administratively required for the proper performance of the department's or the school administrative unit's duties under the law and are relevant to and necessary for delivery of services.
14 Administrative use.   Nothing in this section limits the administrative use of education records by a person acting exclusively in the person's capacity as an employee of the department or a school administrative unit.

§ 6013 Violations

1 Civil penalty; disqualification.   A violation of this subchapter by a contractor, consultant or other party that has entered into a contract or other agreement with the department or a school administrative unit and is subject to the provisions of this subchapter is punishable by a civil penalty of up to $5,000 and may result in permanent disqualification by the department or the school administrative unit from access to education records. Each violation involving a different individual student is considered a separate violation for purposes of civil penalties under this subsection.
2 Enforcement by Attorney General.   The Attorney General has the authority to enforce compliance with this subchapter.
3 No private right of action against department or school administrative unit.   Nothing in this subchapter may be construed as creating a private right of action against the department or a school administrative unit.

§ 6014 Effective date; application

This subchapter takes effect July 1, 2016 and applies to school years beginning with the 2016-2017 academic year.

summary

This bill establishes data privacy practices for the Department of Education and school administrative units. It prohibits the department and school administrative units from disclosing personally identifiable information about students without the written consent of the parents of children under 18 years of age and the written consent of the students themselves when the students are at least 18 years of age. There are specific exceptions to the prohibitions. The bill also prohibits the collection, entry and maintenance of certain information about students and their families. A contractor, consultant or other party that has entered into a contract or other agreement with the department or a school administrative unit who violates the restrictions is subject to a $5,000 civil penalty per violation and disqualification from future access to education records.


Top of Page