An Act To Protect Student Data
Be it enacted by the People of the State of Maine as follows:
Sec. 1. 20-A MRSA §6006 is enacted to read:
§ 6006. Student electronic data
1. Definitions. As used in this section, unless the context otherwise indicates, the following terms have the following meanings.
A. "Aggregate data" means student-related data collected and reported by an educational institution at the group, cohort or institutional level that contain no personally identifying student data.
B. "Educational institution" means a school administrative unit or private or public elementary or secondary school under this Part or Part 2, including an employee or agent of the unit or school acting as representative or on behalf of the unit or school.
C. "Personally identifying student data" means student data that include:
(1) The name of a student or a parent, legal guardian or family member of a student;
(2) The address of a student or a parent, legal guardian or family member of a student;
(3) A student's date of birth, place of birth, social security number, telephone number, credit card account number, insurance account number, financial services account number, e-mail address, social media address or password or any other electronic address; and
(4) Any information that, alone or in combination, is linked or linkable to a specific student that would allow a 3rd party to identify the student with reasonable certainty.
D. "Provider" means a person who sells, leases or provides to or operates or maintains for an educational institution a student information system.
E. "Student data" means data about a student that are collected and stored by an educational institution and included in a student's educational record.
F. "Student information system" means a software application that allows an educational institution to input, maintain and manage student data on a computer or computer system.
G. "System opt-in agreement" means a verifiable written or electronically generated agreement by which access is granted to analyze, interact with, share or transfer specific personally identifying student data.
2. Student information system. A contract or agreement between an educational institution and a provider:
A. Must expressly authorize and require the secure storage and transmission of all student data;
B. May authorize the provider to access, analyze, interact with, share or transfer aggregate data transferred or stored in the student information system; and
C. Must expressly prohibit the provider from accessing, analyzing, interacting with, sharing or transferring any personally identifying student data transferred or stored in the student information system unless:
(1) The provider receives a valid system opt-in agreement under subsection 3 for the personally identifying student data; or
(2) At the request of the educational institution, the provider de-identifies and aggregates personally identifying student data for the sole purpose of enabling the educational institution to comply with federal, state or local reporting requirements.
3. System opt-in agreement. A system opt-in agreement must be signed by a student and, if the student is less than 18 years of age, a parent or legal guardian of the student. A student or parent or legal guardian of the student is not required to sign a system opt-in agreement. A system opt-in agreement may be revoked at any time upon written notice by the student or a parent or legal guardian of the student. An educational benefit may not be withheld from or punitive measure taken against a student or parent, legal guardian or family member of the student based in whole or in part upon a decision not to sign or to revoke a system opt-in agreement. A provider may not share, sell or otherwise transfer personally identifying student data obtained from a system opt-in agreement except as provided in subsection 4. A system opt-in agreement may not grant general access to personally identifying student data. A valid system opt-in agreement must specify:
A. The name of the provider to whom access is being granted;
B. The precise subset of personally identifying student data in the student information system, such as attendance records or disciplinary records, to which the provider is being granted access;
C. The purpose for the access; and
D. Any information required by subsection 4.
4. Sharing or transferring personally identifying student data with or to a 3rd party. A provider may share with or transfer or otherwise disseminate to a 3rd party personally identifying student data if:
A. The 3rd party is identified in the system opt-in agreement of the student under subsection 3;
B. The purpose of the sharing or transfer of the personally identifying student data is to benefit the operational, administrative or educational functions of the educational institution and that benefit is specified in the system opt-in agreement of the student under subsection 3;
C. The system opt-in agreement under subsection 3 specifies the subset of personally identifying student data, such as attendance records or disciplinary records, to be shared or transferred; and
D. Prior to sharing or transferring the personally identifying student data, the provider notifies the 3rd party in writing that the 3rd party may not share the data with or transfer or otherwise disseminate the data to another person not authorized under this section.
A person who directly or indirectly receives personally identifying student data under this subsection may not share the data with or transfer or otherwise disseminate the data to another person not authorized under this section.
5. Educational institution employees. An educational institution may authorize in writing an employee of the educational institution to access personally identifying student data on a student information system if the employee is trained regarding the provisions of this section and the access is limited to the extent required by the employee's professional duties. An employee under this subsection may not share, transfer or otherwise disseminate personally identifying student data unless specifically authorized under this section.
6. Parent or legal guardian of student. Upon written request, a parent or legal guardian of a student or a student who is 18 years of age or older may review the student's personally identifying student data that are stored on a student information system and may request a correction to or seek removal of inaccurate data.
7. Removal of personally identifying student data. Except as otherwise provided by law or if retention of personally identifying student data is required pursuant to a disciplinary, administrative or judicial action or proceeding, upon a student's graduation, withdrawal or expulsion from an educational institution, the educational institution and any employee, provider or 3rd party in possession of any of the student's personally identifying student data shall delete or otherwise destroy the data. Within 30 days of the student's graduation, withdrawal or expulsion from the educational institution, the educational institution shall notify any employee, provider or 3rd party in possession of the student's personally identifying student data of the provisions of this subsection.
8. Limitations on use. Evidence or information obtained or collected in violation of this section is not admissible as evidence in any disciplinary, administrative, civil or criminal trial, proceeding or hearing.
9. Penalty. An educational institution that violates this section is subject to the provisions of section 6801-A.
Sec. 2. 20-A MRSA c. 231 is enacted to read:
CHAPTER 231
ELECTRONIC DEVICES
§ 6991. Definitions
As used in this chapter, unless the context otherwise indicates, the following terms have the following meanings.
1. Device opt-in agreement. "Device opt-in agreement" means a verifiable written or electronically generated agreement by which access is granted to analyze, interact with, share or transfer specific personally identifying student data stored on a student electronic device.
2. Educational institution. "Educational institution" means a school administrative unit or private or public elementary or secondary school under this part or Part 2, including an employee or agent of the unit or school acting as representative or on behalf of the unit or school.
3. Electronic device. "Electronic device" has the same meaning as in Title 16, section 647, subsection 3.
4. Personal electronic device. "Personal electronic device" means an electronic device that was not provided by an educational institution and is owned, leased or possessed by a student.
5. Personally identifying student data. "Personally identifying student data" means student data that include:
A. The name of a student or a parent, legal guardian or family member of a student;
B. The address of a student or a parent, legal guardian or family member of a student;
C. A student's date of birth, place of birth, social security number, telephone number, credit card account number, insurance account number, financial services account number, e-mail address, social media address or password or any other electronic address; and
D. Any information that, alone or in combination, is linked or linkable to a specific student that would allow a 3rd party to identify the student with reasonable certainty.
6. School-authorized electronic device. "School-authorized electronic device" means an electronic device that an educational institution or a 3rd party approved by the educational institution provides to a student for overnight or at-home use.
7. Student data. "Student data" means data on a school-authorized electronic device or a personal electronic device, including browser, keystroke and location histories.
§ 6992. School-authorized electronic devices
1. School-authorized electronic devices. An educational institution, employee of an educational institution or 3rd party may not directly or remotely access a school-authorized electronic device or data stored on a school-authorized electronic device or share, transfer or otherwise disseminate data stored on a school-authorized electronic device, except pursuant to the provisions of this section.
2. Access to a school-authorized electronic device. As specified in this subsection, an educational institution, employee of the educational institution, law enforcement official or 3rd party may access a school-authorized electronic device owned by the educational institution to analyze, interact with, share or transfer student data if:
A. For the educational institution, employee of the educational institution or 3rd party authorized by the educational institution:
(1) The data are not personally identifying student data;
(2) The educational institution, employee of the educational institution or 3rd party obtains a device opt-in agreement under subsection 7 authorizing the specific scope of the access; or
(3) Access is necessary to update or upgrade the device's software and access is limited to that purpose;
B. For the educational institution or employee of the educational institution, the educational institution or employee has reasonable suspicion that the student has violated or is violating the educational institution's policy and that the device contains evidence of the suspected violation, subject to the following:
(1) Prior to searching the device, the educational institution or employee documents the reasonable suspicion and notifies the student and, if the student is less than 18 years of age, a parent or legal guardian of the student of the suspected violation and the specific data to be searched for evidence of the violation;
(2) The search is strictly limited to the data listed in subparagraph (1); and
(3) If the violation involves illegal conduct, a judicial warrant is obtained pursuant to paragraph C prior to the search even if the device may also have evidence of a related or unrelated violation of the educational institution's policy;
C. For the educational institution, employee of the educational institution or law enforcement official, the educational institution, employee or law enforcement official reasonably suspects the student has engaged or is engaging in illegal conduct and reasonably suspects that data on the device contain evidence of the suspected illegal conduct and has obtained a judicial warrant to search the device prior to the search. A 3rd party other than a law enforcement official may not access a student electronic device pursuant to this paragraph; or
D. For the educational institution, employee of the educational institution, law enforcement official or 3rd party, access by the educational institution, employee, law enforcement official or 3rd party is necessary in response to an immediate threat to life or safety and access is limited to that purpose. Within 72 hours of accessing a device under this paragraph, the educational institution, employee of the educational institution, law enforcement official or 3rd party shall provide to the student whose device was accessed, to a parent or legal guardian of the student if the student is less than 18 years of age and to the educational institution if the access was performed by an employee of the educational institution, law enforcement official or 3rd party a written explanation of the precise threat that prompted the access and the specific data that were accessed.
3. Tracking location. If a school-authorized electronic device is equipped with location tracking technology, either to track the location in real time or a historical location, an educational institution, employee of an educational institution or law enforcement official may use the tracking technology to track the device if:
A. The use is ordered pursuant to a judicial warrant. A 3rd party other than a law enforcement official may not access a student electronic device pursuant to this paragraph;
B. The student or a parent or legal guardian of the student to whom the device was provided has notified the educational institution, employee of an educational institution or a law enforcement official in writing that the device was lost or stolen; or
C. Tracking the device is necessary in response to an immediate threat to life or safety and access is limited to that purpose. Within 72 hours of using tracking technology of a device under this paragraph, the educational institution, employee of an educational institution or 3rd party or a law enforcement official shall provide to the student whose device was tracked, to a parent or legal guardian of the student if the student is less than 18 years of age and to the educational institution if the tracking was performed by an employee of an educational institution or a law enforcement official a written explanation of the precise threat that prompted the tracking and the specific details of the tracking.
4. Audio or video functions. An educational institution, employee of the educational institution, law enforcement official or 3rd party may activate or access any audio or video receiving, transmitting or recording functions on a school-authorized electronic device if:
A. The student to whom the device was provided initiates the video or audio function for an educational purpose and activation or access by the educational institution, employee of the educational institution, law enforcement official or 3rd party is limited to that purpose;
B. The activation or access is ordered by a judicial warrant. A 3rd party other than a law enforcement official may not activate or access any audio or video receiving, transmitting or recording functions of a student electronic device pursuant to this paragraph; or
C. Activating or accessing the audio or video function of the device is necessary in response to an immediate threat to life or safety and access is limited to that purpose. Within 72 hours of activating or accessing the audio or video function of a device under this paragraph, the educational institution, employee of the educational institution, law enforcement official or 3rd party shall provide to the student whose device's audio or video function was activated or accessed, to a parent or legal guardian of the student if the student is less than 18 years of age and to the educational institution if the activation or access was performed by an employee of the educational institution or a law enforcement official a written explanation of the precise threat that prompted the activation or access and the specific details of the activation or access.
5. Employee training. An employee of an educational institution may not supervise, direct or participate in an educational program using a school-authorized electronic device without receiving adequate training on the provisions of this section.
6. Sharing, transferring or dissemination of personally identifying student data. Personally identifying student data obtained from a school-authorized electronic device may not be shared with or transferred or disseminated to an employee of an educational institution who has not satisfied the requirements of subsection 5.
7. Device opt-in agreement. A device opt-in agreement must be signed by the student to whom a school-authorized electronic device is provided and, if the student is less than 18 years of age, a parent or legal guardian of the student. A student or parent or legal guardian of the student is not required to sign a device opt-in agreement. A device opt-in agreement may be revoked at any time upon written notice by the student or a parent or legal guardian of the student. An educational benefit may not be withheld from or punitive measure taken against a student or parent, legal guardian or family member of the student based in whole or in part upon a decision not to sign or to revoke a device opt-in agreement. A device opt-in agreement may not grant general access to personally identifying student data and may not grant to a 3rd party authority to collect all the personally identifying student data that are generated or used in connection with a specific program or application on the device. A device opt-in agreement may not allow an educational institution, an employee of an educational institution or a 3rd party to share, sell or otherwise transfer personally identifying student data to a 3rd party. A valid device opt-in agreement must specify:
A. The name of the employee of the educational institution or 3rd party to whom access is being granted;
B. The precise subset of personally identifying data to which the person in paragraph A is being granted access; and
C. The purpose for the access.
8. School-authorized program. A school-authorized program requiring use of a school-authorized electronic device may not condition a student's participation in the program upon execution of a device opt-in agreement or authorization by the student or the student's parent or legal guardian to allow access to the student's personally identifying student data on a school-authorized electronic device.
9. Return of device. Upon return of a school-authorized electronic device to an educational institution from a student, the educational institution shall fully erase all data stored on the device and return the device to its default factory settings.
10. Limitations on use. Evidence or information obtained or collected in violation of this section is not admissible as evidence in any disciplinary, administrative, civil or criminal trial, proceeding or hearing.
11. Penalty. An educational institution that violates this section is subject to the provisions of section 6801-A.
§ 6993. Personal electronic devices
1. Personal electronic devices. An educational institution, at its discretion, may limit or prohibit a student from carrying or using a personal electronic device while on the property of the educational institution. An educational institution, employee of an educational institution or 3rd party may not directly or remotely access a personal electronic device or data stored on a personal electronic device or share, transfer or otherwise disseminate data stored on a personal electronic device, except pursuant to the provisions of this section.
2. Access to a personal electronic device. As specified in this subsection, an educational institution, employee of the educational institution, law enforcement official or 3rd party may not access any data or other content input into or stored on a personal electronic device of a student of the educational institution, even if the device has been carried or used in violation of the policy of the educational institution, unless:
A. For the educational institution or employee of the educational institution, the educational institution or employee has reasonable suspicion that the student has violated or is violating the educational institution's policy and the device contains evidence of the suspected violation, subject to the following:
(1) Prior to searching the device, the educational institution or employee documents the reasonable suspicion and notifies the student and, if the student is less than 18 years of age, a parent or legal guardian of the student of the suspected violation and the specific data to be searched for evidence of the violation;
(2) The search is strictly limited to the data listed in subparagraph (1); and
(3) If the violation involves illegal conduct, a judicial warrant is obtained pursuant to paragraph B prior to the search even if the device may also have evidence of a related or unrelated violation of the educational institution's policy;
B. For the educational institution, employee of the educational institution or law enforcement official, the educational institution, employee or law enforcement official reasonably suspects the student has engaged or is engaging in illegal conduct, reasonably suspects that data on the device contain evidence of the suspected illegal conduct and has obtained a judicial warrant to search the device prior to the search. A 3rd party other than a law enforcement official may not access a student electronic device pursuant to this paragraph; or
C. For the educational institution, employee of the educational institution, law enforcement official or 3rd party, access by the educational institution, employee, law enforcement official or 3rd party is necessary in response to an immediate threat to life or safety and access is limited to that purpose. Within 72 hours of accessing a device under this paragraph, the educational institution, employee, law enforcement official or 3rd party shall provide to the student whose device was accessed, to a parent or legal guardian of the student if the student is less than 18 years of age and to the educational institution if the access was performed by an employee of the educational institution, law enforcement official or 3rd party a written explanation of the precise threat that prompted the access and the specific data that were accessed.
3. Sharing, transferring or dissemination of personally identifying student data. Personally identifying student data obtained from a personal electronic device may not be shared with or transferred or disseminated to a 3rd party without the express written consent of the student and, if the student is less than 18 years of age, a parent or legal guardian of the student.
4. Limitations on use. Evidence or information obtained or collected in violation of this section is not admissible as evidence in any disciplinary, administrative, civil or criminal trial, proceeding or hearing.
5. Penalty. An educational institution that violates this section is subject to the provisions of section 6801-A.
summary
This bill establishes restrictions and protocols on the access and use of personally identifying student data by public and private elementary and secondary schools in software applications used to input, store and manage student data and on school-authorized electronic devices provided to students for overnight or at-home use. This bill also establishes restrictions and protocols for public and private elementary and secondary schools regarding allowable limitations on students' possession and use of and the schools' authority to access data on students' personal electronic devices.