BILL ANALYSIS

AB 1584 Page 1

Date of Hearing: April 9, 2014

ASSEMBLY COMMITTEE ON EDUCATION
Joan Buchanan, Chair
AB 1584 (Buchanan) - As Amended: March 28, 2014

[Note: This bill is double referred to the Assembly Judiciary Committee and will be heard as it relates to issues under its jurisdiction.]

SUBJECT : Pupil records: privacy: third-party contracts: digital storage services and digital educational software

SUMMARY : Authorizes local educational agencies (LEAs) to enter into contracts with third parties for specified computer services and requires the contracts to contain specified provisions. Specifically, this bill :

1) Authorizes LEAs to contract with third parties for the following purposes:
   a) To provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; and
   b) To provide digital educational software that authorizes a third party provider of digital educational software to access and acquire pupil records.

2) Requires the contracts to contain all of the following:
   a) A statement that pupil records continue to be the property of and under the control of the local educational agency;
   b) A prohibition against the third party using information in individual pupil records for commercial or advertising purposes;
   c) A prohibition against the third party releasing any information in a pupil record to any unauthorized individual or entity without the prior written approval of the eligible pupil or the pupil's parent or legal guardian;
   d) A description of the procedures by which a parent, legal guardian, or eligible pupil may review the pupil's records and correct erroneous information;
   e) A description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security of pupil records. Compliance with this requirement shall not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of pupil records;
   f) The assignment of liability and the procedures for notifying the affected parent, legal guardian, and eligible pupil in the event of an unauthorized disclosure of the pupil's records;
   g) A certification that a pupil's records shall not be retained or available to the third party when that pupil is no longer enrolled in the local educational agency and a description of how that certification will be enforced; and
   h) A description of how the local educational agency and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g) and the federal Children's Online Privacy Protection Act of 1998 (15 U.S.C. Sec. 6501 et seq.) for all pupils, including pupils who are more than 13 years of age.

3) Provides that a contract that fails to comply with the requirements of this subdivision shall be voidable and all pupil records in possession of the third party shall be returned to the local educational agency.

4) Provides that, if these provisions are in conflict with the terms of a contract in effect before January 1, 2015, they shall not apply to the local educational agency or the third party subject to that agreement until the expiration, amendment, or renewal of the agreement.

5) Defines "eligible pupil" to mean a pupil who has reached 18 years of age.

6) Defines "local educational agency" to include school districts, county offices of education, and charter schools.

7) Defines "third party" to refer to a provider of digital educational software, including cloud-based services, for the digital storage, management, and retrieval of pupil records.

EXISTING LAW (both state and federal) provides different levels of protection for different types of pupil records.
Specifically, existing law:

1) Requires school districts to adopt a policy identifying those categories of directory information that may be released.

2) Defines "directory information" to mean one or more of the following items: pupil's name, address, telephone number, date of birth, email address, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous public or private school attended by the pupil.

3) Authorizes school districts to release directory information without prior parental/guardian consent.

4) Requires an annual notice of the information the district plans to release and the recipients.

5) Prohibits a district from releasing directory information of a pupil if that pupil's parent has notified the district that it shall not be released.

6) Prohibits the release of non-directory information (such as disciplinary records, Individualized Education Plans for special needs pupils, eligibility for free or reduced price meals, etc.) without prior written parental consent, except for the following requesters, if they have a legitimate educational interest:
   a) School officials, employees of the district, and members of a school attendance review board;
   b) Officials and employees of other public schools where the pupil intends to or is enrolled;
   c) The Comptroller General of the U.S., the U.S. Secretary of Education, state and local educational authorities, or the U.S. Department of Education's Office of Civil Rights, if the information is necessary to audit or evaluate a federally funded program;
   d) Other state and local officials if the information is required to be reported pursuant to state law adopted before November 19, 1974;
   e) Parents of a pupil 18 years of age or older if the pupil is a dependent;
   f) A pupil who is 16 years of age or older or who has completed 10th grade and a pupil who is 14 years of age or older who is a homeless or unaccompanied youth;
   g) A district attorney conducting a truancy mediation program or investigating a violation of compulsory attendance laws;
   h) A probation officer, district attorney, or counsel of record for a minor for purposes of conducting a criminal investigation or an investigation in regards to declaring a person a ward of the court or involving a violation of a condition of probation;
   i) A judge or probation officer in relation to a truancy mediation program;
   j) A county placing agency;
   aa) A representative of a child welfare agency;
   bb) Appropriate persons in connection with a health or safety emergency;
   cc) Agencies in connection with the application of a pupil for financial aid;
   dd) Accrediting associations;
   ee) A contractor or consultant with a legitimate educational interest who has a formal written agreement or contract with the school district regarding the provision of outsourced institutional services or functions.

7) Prohibits a person, agency, or organization that has been permitted access to pupil records from permitting access to any other entity without written parental consent, and requires them to certify in writing that they will not do so, except as permitted by the federal Family Educational Rights and Privacy Act (FERPA).

FISCAL EFFECT : Unknown

COMMENTS : FERPA is the primary law that protects the privacy of pupil records. It applies to all educational institutions that receive federal funds. In general, state law mirrors FERPA.
The USDOE revised the FERPA regulations in 2011 to broaden the definition of entities that can have access to pupil records under specified circumstances. According to the USDOE, these changes were necessary to improve access to data to facilitate the ability of states to evaluate education programs and ensure that limited resources are invested effectively (Federal Register, Vol. 76, No. 232, December 2, 2011). The revised regulations allow three general exceptions to the prohibition against the disclosure of pupil records-including non-directory and personally identifiable information-without prior written consent:

1) The "school official exception," which allows the disclosure of pupil records to an entity that is performing a function that would otherwise be performed by the LEA using LEA employees. LEAs use this exception to, among other things, contract with entities to provide services, including cloud-based services, for the digital storage, maintenance, and retrieval of pupil records.

2) The "audit or evaluation exception," which allows the disclosure of pupil records to specified state and federal agencies to conduct an audit or evaluation of a federally-funded program.

3) The "studies exception," which allows the disclosure of pupil records to entities conducting studies for, or on behalf of, the LEA. Studies can be for the purpose of developing, validating, or administering predictive tests. LEAs use this exception when contracting with entities for instructional software or programs. Pupil records can be used by the software providers to evaluate the effectiveness of the software and to guide new software development.
Written agreements pursuant to the studies exception must do the following:

1) Specify the purpose, scope, and duration of the study and the information to be disclosed;

2) Require the organization to use personally identifying information (PII) only to meet the purpose or purposes of the study;

3) Require the organization to conduct the study in a manner that does not permit the personal identification of parents and pupils by anyone other than the representatives of the organization with legitimate interests; and

4) Require the organization to destroy all PII from education records when the information is no longer needed for the purposes of the study.

FERPA is not enough. FERPA has three primary weaknesses. First, it is not self-executing, meaning that it does not establish the means by which its privacy protections can be assured. For example, it does not require contracts between LEAs and service providers to identify responsible persons or how they will be trained in the requirements of FERPA. Nor does it explicitly prohibit the use of information from pupil records for commercial or advertising purposes, or address the assignment of liability in the event of the unauthorized disclosure of information from pupil records.

Second, the only penalty for a violation of FERPA is the complete withdrawal of federal funds from the educational agency. This is a "nuclear option," which has never been invoked.

Third, the private, third party services are beyond the reach of FERPA for enforcement purposes. In other words, the USDOE does not have the authority to impose any penalties on private companies that may violate FERPA.
The USDOE acknowledges that FERPA alone may not always be sufficient to protect pupil privacy, and advises that, "As States develop and refine their information management systems, it is critical that they take steps to ensure that student information is protected and that PII from education records is disclosed only for authorized purposes and under circumstances permitted by law" (Federal Register, Vol. 76, No. 232, December 2, 2011). According to the USDOE, FERPA provides "basic" protections and states should consider additional means of assuring the privacy of pupil data. The USDOE explicitly defers to state law governing contracts and written agreements regarding access to pupil records. However, California law has not been amended to reflect the current federal regulations.

This bill addresses each of these weaknesses. By focusing on the contract entered into between an LEA and a third party service provider, this bill:

1) Provides additional prohibitions against the misuse of pupil records;

2) Requires contracts to describe specific steps that will be taken to ensure compliance with FERPA;

3) Establishes-through the possible nullification of a contract-an enforcement mechanism that applies to contractors as well as to LEAs; and

4) Establishes a penalty that can be imposed on LEAs that falls short of the total revocation of federal funding, and is therefore more likely to be used if needed.

Arguments in support. According to the author's office, the protections afforded by existing state and federal law are not keeping pace with the growing use of online and cloud-based services that involve the disclosure of pupil records to private third parties. As a result, pupil privacy is increasingly at risk. The state has a duty to ensure that the educational records of pupils are not misused or released to unauthorized persons or entities.

Staff recommendation.
As written, the prohibition against the third party releasing any information in a pupil record to any unauthorized individual or entity without written parental consent (provision #3) may be too broad. First, it is not clear who constitutes an "unauthorized" vs. an "authorized" individual or entity. Second, this could prevent the disclosure of information that is otherwise allowed by FERPA. For example, a school district can submit a pupil's records to a college or university in support of a pupil's application for admission without prior consent. If that same district contracted with a service provider to manage pupils' records and respond to such requests, then the service provider would need to get parental approval for each request. It is not the author's intent to be this restrictive.

Most of the protections sought by provision #3 are covered by provision #8, which requires a description of how the LEA and third party will jointly ensure compliance with federal privacy laws. However, provision #8, by itself, would still allow the third party to disclose information for purposes other than those contracted for as long as it does not violate FERPA. To prevent the unauthorized disclosure of student information, without being overly broad, staff recommends that the bill be amended to strike provision #3 and add a provision that the contract include assurances that the information in pupil records will not be used for any purpose other than the purpose contracted for.

Related legislation:

AB 1442 (Gatto) requires an LEA that considers a program to gather or maintain in its records personal information obtained through social media on any student enrolled in the school district to notify students, parents, and guardians about the proposed program and provide an opportunity for public comment prior to the adoption of any such program and to take other specified steps. (Passed Assembly Judiciary 9-0 and is pending in the Education Committee.)

AB 2504 (Chau) requires a school district contract with a cloud service provider to specify the types of data transferred or collected and include a limit or prohibition on the redisclosure of student data. (Pending in Assembly Education.)

SB 1177 (Steinberg) prohibits K-12 online educational sites, services, and applications from compiling, sharing, or disclosing student personal information and from facilitation, marketing, or advertising to K-12 students. (Passed Senate Education 9-0 and is pending in Senate Judiciary.)

REGISTERED SUPPORT / OPPOSITION :

Support

None received

Opposition

None received

Analysis Prepared by : Rick Pratt / ED. / (916) 319-2087