SECOND REGULAR SESSION
HOUSE BILL NO. 1873
97TH GENERAL ASSEMBLY
INTRODUCED BY REPRESENTATIVES GUERNSEY (Sponsor), ANDERSON, NEELY, MORRIS, SPENCER, KELLEY (127), HOUGHTON, JONES (50), BAHR, REMOLE, HICKS, DOHRMAN, CURTMAN, ALLEN, MCGAUGH, DAVIS, CROSS, KORMAN, COX, MOON, FITZWATER, KOENIG, REHDER, SHUMAKE, HANSEN, MESSENGER, REIBOLDT, KEENEY, WIELAND, POGUE, MOLENDORP, HAAHR, LANT, SWAN, WALKER AND FITZPATRICK (Co-sponsors).
5517L.04I D. ADAM CRUMBLISS, Chief Clerk
To amend chapter 160, RSMo, by adding thereto seven new sections relating to student data privacy, with an emergency clause and a penalty provision.
Be it enacted by the General Assembly of the state of Missouri, as follows:
Section A. Chapter 160, RSMo, is amended by adding thereto seven new sections, to be known as sections 160.2510, 160.2512, 160.2514, 160.2516, 160.2518, 160.2520, and 160.2522, to read as follows:
160.2510. 1. The provisions of sections 160.2510 to 160.2522, which shall take effect beginning with the 2014-15 school year, shall be known and referred to as the "Missouri Student Data Protection Act". For purposes of sections 160.2510 to 160.2522, the following terms mean:
(1) "Affective computing", systems and devices that can or attempt to recognize, interpret, process, or simulate aspects of human feelings or emotions;
(2) "Biometric records", any record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual, including fingerprints; retina and iris patterns; voiceprints; DNA sequence, including newborn screening information; facial characteristics; and handwriting;
(3) "Cloud computing service", a service that enables on-demand network access to a shared pool of configurable computing resources, including networks, servers, storage, applications, and services, to provide a student, teacher, or staff member account-based productivity applications such as email, document storage and document editing that can be rapidly provisioned and released with minimal management effort, or cloud computing service provider interaction;
(4) "Data system", the Missouri Student Information System (MOSIS), or any other data warehouse or repository containing student information, including regional, interstate, or federal data warehouse organizations under contract or with a memorandum of understanding with the Missouri department of elementary and secondary education;
(5) "Educational institution", any public elementary or secondary school, school district, or school board;
(6) "Predictive modeling", the use of educational data mining methods to make predictions about future behaviors or performance;
(7) "Public education agency", the Missouri department of elementary and secondary education, the state board of education, the P-20 Council, the coordinating board for early childhood education, or any regional elementary and secondary education service agency;
(8) "Student performance data", information about the academic progress of a single student, such as formative and summative assessment data, course work, instructor observations, information about student engagement and time on task, and similar information;
(9) "Teacher records", shall apply to teachers, paraprofessionals, principals, and other administrators, and includes Social Security number, name, address, birth date, email address, telephone number, compensation information, resume information, performance evaluations, and any other information that, alone or in combination, is linked or linkable to a specific staff member that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances to identify the staff member with reasonable certainty;
(10) "Workforce information", information relating to unemployment insurance, wage records, unemployment insurance benefit claims, or employment and earnings data from workforce data sources such as state wage records, the Wage Record Interchange System (WRIS), or the federal Employment Data Exchange System (FEDES).
2. It shall be unlawful for any public education agency or educational institution to collect without the informed written consent of a parent or guardian of a student, or in the case of an emancipated minor the informed written consent of the student, any of the following information:
(1) Student or family workforce information as defined in this section, except as provided in subdivision (14) of subsection 3 of this section;
(2) Student biometric records, as defined in this section;
(3) Any data collected through affective computing as defined in this section, including analysis of facial expressions, EEG brain wave patterns, skin conductance, galvanic skin response, heart rate variability, pulse, blood volume, posture, and eye tracking;
(4) Any data, including any resulting from state or national assessments, that measure psychological resources, mindsets, learning strategies, effortful control, attributes, dispositions, social skills, attitudes, or intrapersonal resources;
(5) Any data collected through predictive modeling, as defined in this section;
(6) Information about student or family religious affiliation;
(7) Medical, health, and mental health records limited to immunization records required under state law, records needed or created by a school-based health professional for administering prescription drugs or otherwise treating a student at school, records needed or created by a school-based counselor when a student seeks counseling while at school, or records required by the Individuals with Disabilities Act; and
(8) Student or family Social Security numbers, only if needed by an institution of higher education to comply with state or federal law.
3. No consent is needed in order for a public education agency or educational institution to collect the following:
(1) Name, address, email address, and family contact information;
(2) State and national results of assessments approved by the general assembly under subsection 2 of section 160.526;
(3) Courses taken and completed, and credits earned;
(4) Course grades earned and grade-point average;
(5) Date of birth, grade level, and expected graduation date;
(6) Degree, diploma, or credential attainment;
(7) Enrollment status;
(8) Attendance record and transfers;
(9) Discipline reports limited to objective information about disciplinary incidents;
(10) Juvenile delinquency or other criminal or correctional records if necessary to meet the educational needs of the student or to ensure the safety of staff or students;
(11) Remediation data;
(12) Special education data, limited to data required by the federal Individuals with Disabilities Education Act;
(13) Demographic data limited to race, economic status, disability status, and English proficiency;
(14) Workforce information, as defined in this section, limited to information relating to work-study programs in which participation was for academic credit;
(15) Student or family income data, limited to data required by law to determine eligibility to participate in or receive financial assistance under a financial aid program; and
(16) Information about extracurricular activities, limited to activities that are school-sponsored or engaged in for academic credit.
4. Notwithstanding any other provision of law, no federal or state funds shall be used on construction, enhancement, or expansion of any data system, as defined in this section, that fails to comply with the privacy provisions of subsections 2 and 3 of this section, or that is designed to track students beyond their K-12 careers, or to compile student personal, nonacademic information beyond what is necessary for either administrative functions directly related to a student's education or evaluation of academic programs and student progress.
5. No student performance data shall be collected or disseminated in a manner that violates the federal Fair Labor Standards Act of 1938.
6. No public education agency or educational institution shall pursue or accept any grant that would require collecting or reporting any type of data in violation of sections 160.2510 to 160.2522.
160.2512. 1. Public education agencies and educational institutions that maintain a data system shall disclose publicly and conspicuously on the agency or educational institution website the existence of such data system and the nature of the data system including the following information:
(1) The legal authority for the establishment and existence of the data system;
(2) The principal purpose or purposes for which the information is intended to be used;
(3) The categories of individuals on whom records are maintained;
(4) The categories of records maintained;
(5) Each expected disclosure of records, including the categories of recipients and the purpose of such disclosure;
(6) The policies and practices of the public education agency or educational institution regarding the storage, retrievability, access controls, retention, and disposal of records;
(7) The title and business address of the official responsible for the data system and the name and business address of any contractor or other outside party maintaining the data system for or on behalf of the public education agency or educational institution;
(8) The procedure whereby parents, eligible students, or teachers can be notified at their request as to how to gain access to any record pertaining to the student or teacher and how content can be contested.
2. On request, parents and eligible students shall be provided a printed copy of their educational records that are held in any database and shall have the right to correct those educational records in a manner consistent with the requirements of state and federal law.
3. Public education agencies shall also provide annual electronic notification to the chairs of the senate education committee and the house elementary and secondary education committee of the existence of any data system. Public education agencies shall use only aggregate data in published reports.
160.2514. Notwithstanding any other provision of law, no school classroom, school district, state or national student assessment shall be adopted or administered in this state that collects any type of psychological data, including assessment of noncognitive skills or attributes, psychological resources, mindsets, learning strategies, effortful control, attitudes, dispositions, social skills, or other interpersonal or intrapersonal resources.
160.2516. No public education agency or educational institution shall administer any student survey, assessment, analysis, evaluation, or similar instrument that solicits information about the student or the student's family concerning the following:
(1) Political affiliations or beliefs;
(2) Mental or psychological problems, psychological resources, mindsets, learning strategies, effortful control, attributes, dispositions, social skills, attitudes, or intrapersonal resources;
(3) Sexual behavior or attitudes;
(4) Illegal, antisocial, self-incriminating, or demeaning behavior;
(5) Critical appraisals of another individual with whom a student has a close familial relationship;
(6) Legally recognized privileged relationships, including those with a lawyer, physician, or clergy person;
(7) Religious practices or beliefs;
(8) Personal or family gun ownership;
(9) Income or other income-related information except that required by law to determine eligibility to participate in or receive financial assistance under a program.
160.2518. 1. Any access to information collected under the provisions of sections 160.2510 to 160.2522 shall be restricted to an authorized representative or representatives of the public education agency or educational institution who requires such access to perform work duties. No person may be designated as an authorized representative unless such person is on the staff of the public education agency or educational institution and under the direct control of the public education agency or educational institution.
2. Subject to the restrictions contained in sections 160.2510 to 160.2522, no personally identifiable student data or teacher data shall be disclosed without the written consent of the student's parent or guardian, or the student if he or she is emancipated, or of the affected teacher.
3. The department of elementary and secondary education shall develop and publish criteria for the approval of research-related data requests from state and local governmental agencies, the legislature, academic researchers, and the public.
4. Notwithstanding any other provision of law, personally identifiable information from an education report of a student or from teacher records shall not be released to a party conducting studies for or on behalf of a public education agency or educational institution without the written consent of a student's parent or guardian, or the student if he or she is emancipated, or of the affected teacher, except to administer student financial aid programs.
5. In conducting any audit or evaluation of an education program, or any compliance or enforcement activity in connection with legal requirements relating to state or district-supported education programs, any personally identifiable student or teacher information, education records, and teacher records may be released only to an authorized representative of a public education agency or educational institution. No party may be designated as an authorized representative unless that party is on the staff and under the direct control of the public education agency or educational institution.
6. Public agencies and educational institutions shall not disclose personally identifiable information from education or teacher records without the informed written consent of a parent or guardian of a student, or in the case of an emancipated minor the informed written consent of a student, or the informed written consent of a teacher, to a contractor, consultant, or other party to whom the public education agency or educational institution has outsourced institutional services or functions unless the contractor, consultant, or other party:
(1) Performs an institutional service or function for which the public education agency or educational institution would otherwise use its own employees;
(2) Is under the direct control of the public education agency or educational institution with respect to the use and maintenance of education records or teacher records;
(3) Limits internal access to education records or teacher records to those individuals who require access to those records for completion of the contract;
(4) Does not use the education records or teacher records for any purpose other than those explicitly authorized in the contract;
(5) Does not disclose any personally identifiable information from education records to any other party without the written consent of the parent, student, or teacher; or unless required by statute or court order and the party provides notice of the disclosure to the public education agency or educational institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;
(6) Maintains industry standards for administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the personally identifiable student or teacher data in its custody;
(7) Uses encryption technologies to protect data while in transmission or in its custody from unauthorized disclosure using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5;
(8) Has sufficient administrative and technical procedures to monitor continuously the security of personally identifiable student or teacher data in its custody;
(9) Conducts a security audit annually and provides the results of that audit to each public education agency or educational institution that provides education records or teacher records;
(10) Provides the public education agency or educational institution with a breach-remediation plan acceptable to the public education agency or educational institution before initial receipt of education records or teacher records and makes results accessible to the parents or guardians of the students;
(11) Reports all suspected and actual security breaches to the public education agency or educational institution that provided education records or teacher records as soon as possible but not later than forty-eight hours after a suspected or actual breach was known or would have been known if exercising reasonable diligence, and also reports the suspected or actual breach to the parent or guardian of a student or any other victim connected to a suspected or actual security breach;
(12) Pays all costs and liabilities relating to the security breach or unauthorized disclosure incurred by the public education agency or educational institution in the event of a security breach or unauthorized disclosure of personally identifiable information, including, but not limited to the costs of responding to inquiries about the security breach or unauthorized disclosure, notifying subjects of personally identifiable information about the breach, mitigating the effects of the breach for the subjects of the personally identifiable information, and of investigating the cause or consequences of the security breach or unauthorized disclosure; and
(13) Destroys or returns to the public education agency or educational institution all personally identifiable information in its custody upon request and at the termination of the contract.
160.2520. 1. In the event of a security breach or unauthorized disclosure of personally identifiable student or teacher data, whether by a public education agency or educational institution, or by a third party given access to education records or teacher records under subsection 6 of section 160.2518, the public education agency or educational institution shall:
(1) Immediately notify the subjects of the breach or disclosure;
(2) Report the breach or disclosure to the family policy compliance office of the U.S. Department of Education; and
(3) Investigate the causes and consequences of the breach or disclosure.
2. Personally identifiable information from educational records or teacher records shall not be disclosed to any party for commercial use including but not limited to marketing products or services, compilation of lists for sale or rental, development of products or services, or creation of individual, household, or group profiles.
3. Any cloud computing service provider performing services for a public education agency or educational institution is prohibited from using information from education records or teacher records for any secondary purposes that benefit the cloud computing service provider or any third party, including but not limited to online behavioral advertising, creating or correcting an individual or household profile primarily for the cloud computing service provider's benefit, the sale of the data for any commercial purpose, or any other similar commercial for-profit activity; provided, however, that a cloud computing service provider may process or monitor student data solely to provide such service to the public education agency or educational institution and to maintain the integrity of such service.
4. Any cloud computing service provider that enters into an agreement to provide cloud computing services to a public education agency or educational institution shall certify in writing to the public education agency or educational institution that it will comply with the terms and conditions set forth in sections 160.2510 to 160.2522 and that the public education agency or educational institution maintains ownership of all student and teacher data. Any student or teacher data stored by a cloud computing service provider shall be stored within the boundaries of the United States.
5. No student data shall be used for predictive modeling for detecting behaviors, beliefs, or value systems, or predicting or forecasting student outcomes.
6. There shall be no video monitoring of classrooms for any purpose, including for teacher evaluation, without the approval of the district school board after public hearings and the written consent of the teacher, all emancipated students, and the parents or guardians of all other students in the classroom.
7. Personally identifiable information from education records or teacher records shall not be disclosed to any noneducation government agency, including but not limited to the Missouri department of labor, whether within or outside the state, or to any party that intends to use or disclose the information or data for the purpose of workforce development or economic planning. Data linkages or sharing of data with other states without express permission of the individuals affected is prohibited.
8. Personally identifiable information from education records or teacher records may not be disclosed to any government agency or other entity outside the state, except disclosure may be made under the following circumstances:
(1) When a student has transferred to an educational institution out of state, records may be disclosed to the out-of-state institution;
(2) When a student voluntarily participates in an out-of-state program for which a data transfer is required for participation, records may be disclosed to the out-of-state program; and
(3) When a student is classified as a migrant for federal reporting purposes.
9. No personally identifiable information from education records or teacher records may be disclosed to any federal agency, including the U.S. Department of Education or the U.S. Department of Labor or a representative, unless:
(1) Such disclosure is required by the U.S. Department of Education as a condition of receiving a federal education grant;
(2) The U.S. Department of Education agrees in writing to use the information from the education records or teacher records for the sole purpose of evaluating the program or programs funded by a federal grant;
(3) The U.S. Department of Education agrees in writing that the information will not be used for any research beyond that related to evaluation of the program or programs funded by a federal grant, unless the parent or emancipated student or any teacher whose information or data will be used for such evaluation affirmatively consents in writing to such use;
(4) The U.S. Department of Education agrees in writing to destroy the information or data upon completion of the evaluation of the program or programs for which the information or data were compiled; and
(5) The grant or program in connection with which the information or data are required is one explicitly authorized by federal statute or by federal rule promulgated under the federal Administrative Procedure Act.
10. If the U.S. Department of Education demands personally identifiable student information or teacher data without the written consent of the emancipated student, the student's parents, or the teacher, the grant recipient shall provide written notification to those emancipated students, parents, and teachers of the following:
(1) The grant recipient has been required to disclose the student's information or teacher's data to the U.S. Department of Education;
(2) Neither the grant recipient nor any other entity within the state of Missouri will have control over use or further disclosure of that information or data; and
(3) The contact information, including the name, telephone number, and email address of the U.S. Department of Education official who demands the disclosure.
11. Public agencies and educational institutions shall not disclose student or teacher information to any assessment consortium of which the state is a member, or company with which the state contracts for development or administration of any assessment unless:
(1) The information is transmitted in nonindividual record format;
(2) The information is limited to information directly related to the assessment, such as a student's grade level and test scores; and
(3) No psychological information of any kind is included as part of the test scores.
12. An educational institution shall destroy and remove from the student database all education records of a student within five years of the student's graduation from that institution, provided that the institution may retain records showing dates of attendance, diploma or degrees received, and contact information. If a student withdraws from an educational institution before graduating, the institution shall, within one year of the student's withdrawal, destroy and remove from the database all education records of that student except records showing dates of attendance. Destruction shall be compliant with the NIST SP 800-88 Standards.
160.2522. 1. Each violation of any provision of sections 160.2510 to 160.2522 by an organization or entity other than a public education agency or educational institution shall be punishable by a civil penalty of a minimum of one thousand dollars; a second violation by the same entity involving the education records and privacy of the same student shall be punishable by a civil penalty of a minimum of five thousand dollars; and any subsequent violation by the same entity involving the same student shall be punishable by a civil penalty of a minimum of ten thousand dollars. Each violation involving a different education record or a different individual student shall be considered a separate violation for purposes of assessing civil penalties.
2. The attorney general shall have the authority to enforce compliance with sections 160.2510 to 160.2522.
Section B. Because immediate action is necessary to synchronize the requirements of this act with the school calendar and state fiscal year, this act is deemed necessary for the immediate preservation of the public health, welfare, peace, and safety, and is hereby declared to be an emergency act within the meaning of the constitution, and this act shall be in full force and effect on July 1, 2014, or upon its passage and approval, whichever occurs later.