BILL ANALYSIS
AB 1584
Page 1
Date of Hearing: April 29, 2014
ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
AB 1584 (Buchanan) - As Amended: April 22, 2014
PROPOSED CONSENT
SUBJECT : Pupil Records: Privacy: Third Party Contracts
KEY ISSUE : Should contractors that provide schools with digital
storage or educational software be contractually prohibited from
using student information for purposes unrelated to the contract
and required to take reasonable steps to protect the privacy of
student information?
SYNOPSIS
This bill seeks to ensure that, when schools contract with third
parties to provide digital storage and educational software
services, student privacy is properly protected. According
to recent news reports, where schools have entered into
agreements with providers of educational software packages,
including Google's "Apps for Education" tool suite, the students
who use the services have allegedly been the subjects of
targeted advertising. The author believes that the growing use
of online and cloud-based services for providing educational
software and record management "has put student privacy at
risk." This bill would authorize schools to enter into such
contracts, but only if the contracts require third-party
providers to ensure the security of student information and
prohibit the third party from using student information for
commercial and advertising purposes, or indeed for any purpose
beyond the requirements of the contract. The bill would also
require the contracts to contain other protections, including a
means by which a parent, guardian, or student could review and
correct information, a certification that student information
will not be retained by the third party after the student is no
longer enrolled in the district, and a description of how the
third party and the school will ensure compliance with federal
and state privacy and notification laws. Any contract that
fails to comply with these requirements will be voidable and any
records or information in possession of the third party shall be
returned to the school. This bill passed out of the Assembly
Education Committee on a 7-0 vote. There is no opposition to
this measure.
SUMMARY : Authorizes a local educational agency to enter into a
contract with a third party to provide digital record
management, so long as the contract prohibits certain uses of
the information and ensures the privacy of student records, as
specified. Specifically, this bill :
1)Authorizes a local educational entity to enter into a contract
with a third party for either or both of the following
purposes:
a) To provide cloud-based services for the digital storage,
management, and retrieval of student records.
b) To provide digital educational software that authorizes
a third-party provider of digital educational software to
access and acquire student records.
2)Requires a local educational agency that enters into a
contract for purposes of the above to ensure that the contract
contains all of the following:
a) A statement that student records shall continue to be
the property and under the control of the local educational
agency.
b) A prohibition against the third party using information
in individual student records for commercial or advertising
purposes.
c) A prohibition against the third party using any
information in the student record for any purpose other
than for the requirements of the contract.
d) A description of the procedures by which a parent, legal
guardian, or eligible student may review the student's
records and correct erroneous information.
e) A description of the actions the third party will take,
including the designation and training of responsible
individuals, to ensure security of records; however,
compliance with this requirement will not absolve the
third party of liability for unauthorized disclosure of
student records.
f) The assignment of liability and the procedures for
notifying the affected parent, legal guardian, and eligible
student in the event of an unauthorized disclosure of
student records.
g) A certification that a student's records shall not be
retained or available to the third party when that student
is no longer enrolled in the local educational agency and a
description of how that certification will be enforced.
h) A description of how the local educational agency and
the third party will jointly ensure compliance with federal
privacy law.
3)Provides that any contract that fails to comply with the above
requirements shall be voidable and student records in
possession of the third party shall be returned to the local
educational agency.
4)Specifies that if the provisions of this bill conflict with
the terms of an agreement in effect before January 1, 2015,
the provisions of this bill shall not apply until the
expiration, amendment, or renewal of that agreement.
EXISTING LAW :
1)Prohibits a school district from permitting access to student
records to any person without written parental consent or
pursuant to a judicial order, subject to specified exceptions.
(Education Code Section 49076.)
2)Provides, notwithstanding the above, that access to particular
records relevant to the legitimate educational interest of the
requester shall be permitted to the following:
a) Members of a school attendance review board, and
designated school officials and employees, for the purpose
of providing follow up services to students referred to the
board.
b) Officials or employees of other public schools or school
systems for purposes of transfer of enrollment, subject to
parental notification, as specified.
c) Other federal, state, and local officials as authorized
by federal or state law.
d) A student 16 years of age or older, or who has completed
grade 10, and who requests access.
e) A district attorney, judge, or probation officer who is
participating in or conducting a truancy mediation program
or participating in the presentation of evidence in a
truancy petition, as specified.
f) A prosecuting agency for consideration of prosecution
against a parent or guardian for failure to comply with
compulsory education laws.
g) A probation officer or district attorney for the
purposes of conducting a criminal investigation or an
investigation in regards to declaring a person a ward of
the court, or involving a violation of a condition of
probation.
h) A county agency engaged in the placement of foster youth
for the purpose of fulfilling case management
responsibilities. (Education Code Section 49076 (a)
(1)-(11).)
3)Provides that a school district may release information from
student records to the following:
a) Appropriate persons in connection with an emergency if
the knowledge of the information is necessary to protect
the health or safety of a student or other persons.
b) Agencies or organizations in connection with the
application of a student for financial aid, as necessary to
determine financial aid eligibility.
c) County election officials for the purpose of identifying
students eligible to register to vote, as specified.
d) Accrediting associations as necessary to carry out
accrediting functions.
e) A contractor or consultant with a legitimate educational
interest who has a formal written agreement or contract
with the school district regarding the provision of
outsourced institutional services or functions by the
contractor or consultant.
f) Organizations conducting studies on behalf of
educational agencies or institutions, relating to the
development, validation, or administration of predictive
tests, the administration of student aid programs, or the
improvement of instruction.
g) Officials and employees of private schools for purposes
of transferring enrollment, subject to parental
notification, as specified. (Education Code Section 49076
(b).)
4)Permits a school district to participate in an interagency
data information system that permits access to a computerized
database within and between government agencies, subject to
certain security protections. (Education Code Section 49076
(c).)
5)Notwithstanding the above provisions, a school district shall
release information relating to a student's identity and
location, as it relates to a student's transfer to another
school, to a designated peace officer when a proper police
purpose exists for that information. (Education Code Section
49076.5.)
6)Provides, under the federal Family Educational Rights and
Privacy Act (FERPA), that no federal funds shall be made
available to any educational agency or institution which has a
policy or practice of permitting the release of educational
records (or personally identifiable information contained
therein) of a student without express written parental
consent, except as provided. (20 U.S.C. Section 1232g (b); 34
CFR Part 99.)
7)Prohibits, as of January 1, 2015, an operator of an Internet
Web site or online service from knowingly using, disclosing,
compiling, or allowing a third party to use, disclose, or
compile the personal information of a minor for the purpose of
marketing specified products that a minor could not legally
use or purchase. (Business & Professions Code Section 22580.)
FISCAL EFFECT : As currently in print this bill is keyed
non-fiscal.
COMMENTS : Protecting the privacy of a student's educational
records and personal information has long been a priority of
both federal and state law. The federal Family Educational
Rights and Privacy Act (FERPA) protects the privacy of students
by prohibiting a person from having access to a student's
records without written parental consent, subject to narrow
exemptions. FERPA applies to all schools that receive funds
from the United States Department of Education (USDE) and
prohibits the disbursement of funds to any school that does not
meet FERPA privacy criteria. The California Education Code
contains parallel protections that at least meet and, in some
ways, exceed the requirements of federal law. FERPA, that is,
sets a minimum baseline for student privacy that states must
meet in order to continue receiving federal funds. States may
enact measures that offer more privacy protection than FERPA
without creating a preemption problem.
FERPA and the parallel provisions in the California Education
Code focus primarily on student records and the responsibilities
of the school or school district to protect those records from
unauthorized disclosures; however, these statutes have less to
say about the responsibilities of private parties that may gain
access to student records when they contract to perform some
service that would otherwise be performed by the school.
Indeed, California law expressly permits a school to release
information to a "contractor or consultant with a legitimate
educational interest who has a formal written agreement or
contract with the school district regarding the provision of
outsourced institutional services or functions by the contractor
or consultant." (Education Code Section 49076(b)(G)(i).) These
third party contractors and consultants are not subject to FERPA
regulations or their state law corollaries.
In theory, nothing would prevent a school from requiring,
contractually, that the third party adopt certain privacy
protections or refrain from using or disclosing student
information for certain purposes. But there is nothing in law
that requires it, and the Committee lacks adequate information
to know if existing contracts contain such requirements as a
matter of practice. However, news reports about third party
software providers using student information for commercial and
advertising purposes would suggest that at least some school
districts do not impose such requirements in the contract. This
bill would require that when a "local education agency" (LEA) -
a school district, county office of education, or charter school
- enters into an agreement with a third party provider for
digital storage or educational software services, the third
party provider be limited in the ways that it can use student
information and that it take affirmative steps to protect the
privacy of student records.
Structurally, this bill proceeds in two parts. First, the bill
authorizes a LEA to enter into a contract with a third party to
do either or both of the following: (1) to provide services for
the digital storage, management, and retrieval of student
records, including cloud-based services; (2) to provide digital
educational software that authorizes the third-party provider to
access and acquire student information. The bill appears to
create an after-the-fact "authorization" given that many schools
are already contracting for these services, hence the need for
the bill. Second, and more substantively, this bill would
require the contract to include a statement that student records
will continue to be the property and under the control of the
school agency. The contract would prohibit the third party from
using student information for commercial or advertising
purposes, or indeed for any purpose other than fulfilling the
requirements of the contract. The contract would be required to
describe all of the following: how the third party and the LEA
will jointly ensure compliance with FERPA; the procedures by
which a parent, guardian, or student may review and correct
records; and the actions that the third party will take to
ensure the security of the information and who shall be
responsible for notifying the parent, guardian, or student in
the event of a security breach. The contract will also certify
that student records shall not be retained by or available to
the third party after the student is no longer enrolled in the
school. A contract that fails to comply with these requirements
shall be voidable and all student records shall be returned to
the LEA.
Background : This bill reflects a growing concern over the
tendency of schools to contract with companies that provide
digital record-keeping services, including "cloud-computing," or
that provide schools with online and digital educational
software services. The virtues of high-tech, data-driven
education have been touted by political leaders, school
officials, and the high-tech industry. President Obama recently
announced that industry leaders have pledged more than $750
million to give students and classrooms greater access to the
Internet, electronic devices, and software. (New York Times,
February 20, 2014.) Digital storage and management provide
schools with alternatives to bulky, wasteful, and inefficient
paper storage. Digital and online educational software allows
students and teachers to work collaboratively in the classroom
or at home, access an almost infinite array of data and
documents, submit assignments, or interact with other students
and teachers on blogs or discussion boards. Other services may
provide access to more traditional educational material in
digital form, including images, historical documents, or
interactive graphs and maps. Some of these products - like
Google's "Apps for Education" - provide a "suite of tools" that
provide "free web-based email, calendar & documents for
collaborative study anytime, anywhere." (See "Google Apps for
Education" page at http://www.google.com/edu/apps/)
While these new products may create the potential for more
interactive and engaging approaches to education, they also pose
potential risks to student privacy, both in the case of
cloud-based storage, which essentially hands over student
records to a private entity, and interactive educational
software that may give the service provider access to student
records and personal information, depending on the nature of the
service. Given the business model of Internet commerce, it
seems likely, if not inevitable, that information will be used
to target advertisements to students who use the products for
educational purposes and to complete class assignments. Indeed,
a pending lawsuit against Google alleges that the company
scanned millions of e-mail messages sent by college student
users of Google's "Apps for Education" tool suite. It is well
known that Google uses a software program that scans the e-mail
of its "Gmail" users to search for keywords, which are in turn
used to provide targeted advertising on other Google products,
such as Google Search, Google+, and YouTube; however, it was
generally assumed that Google did not scan e-mails of student
users of Apps for Education. Google still maintains, according
to one report, that "ads in Gmail are turned off by default for
Google Apps for Education and we have no plans to change that in
the future." ("Google under Fire for Data-Mining Student Email
Messages," Education Week, March 13, 2014.) Whether Google
turns off its screening software when students use the "Apps for
Education" tool suite or not, it is nonetheless apparent that a
school's reliance on private, outside parties to provide digital
storage and educational software services exposes student
information in ways that might necessitate new forms of privacy
protection.
Bill Would Likely Apply to Any Agreement, Including One That
Provides "Free" Services: Because this measure would apply to
any contract between a LEA and a third-party provider, it would
appear to apply to contracts between schools and "free"
services, such as Google's "Apps for Education" tool suite. For
example, according to a report in Education Week, even though
"Apps for Education" is nominally "free," school districts adopt
the tool suite by agreement. Indeed, some of these agreements
may already contain restrictions on the use of data for the
purpose of serving ads to students. (Education Week, March 13,
2014.) The "consideration" granted to the company in such
contracts is presumably the opportunity for product exposure and
development.
Comparison to Related Pending Legislation : Reports of schools
entering agreements with digital storage and software providers
have prompted at least three bills this session. In addition to
the bill under consideration, SB 1177 (Steinberg) would prohibit
the operator of an Internet Web site, online service, or
application with "actual knowledge" that its site, service, or
application is used by students for "K-12 [educational]
purposes" from using, sharing, or disclosing student information
for commercial or advertising purposes. Like the bill under
consideration, SB 1177 would also require the operator to secure
the information in its possession, a requirement that can be met
by adopting National Institute of Standards and Technology
(NIST) standards. A key difference between the bill under
consideration and SB 1177 is that the bill under consideration
is much more specific in that it applies to a contract between a
school district and a provider, while SB 1177 applies to any
operator that has "actual knowledge" that its site, service, or
application is being used for "K-12 purposes," regardless of
whether there is a contract between the LEA and the service
provider. On the other hand, while SB 1177 is wider in scope,
it is arguably more ambiguous as to when it would apply,
depending on how one determines "actual knowledge" or
understands the definition "K-12 purposes."
ARGUMENTS IN SUPPORT : According to the author, the "growing use
of online and cloud-based services for providing instructional
software and assessment and for maintaining student records has
put student privacy at risk. Private companies are currently
acquiring access to student records without parental consent or
knowledge and with little oversight to ensure the
confidentiality of those records. At least one company is known
to have used information mined from the use of free
instructional software to target ads. K-12 education agencies
in California are subject to the requirements of the federal
Family Educational Rights and Privacy Act (FERPA) and related
state law. FERPA allows education agencies to grant access to
student records to private for-profit and not-for-profit
entities for evaluation or auditing purposes or to perform a
function that would otherwise be performed by the education
agency's own employees. In these cases, private entities can be
granted access to student records without the prior written
consent - or even knowledge - of parents or guardians. Neither
state nor federal law provides sufficient safeguards to ensure
that the privacy of student records will be assured and that
student records will not be misused when they are released to
private entities."
Pending Related Legislation : AB 1442 (Gatto) requires a LEA
that considers a program to gather or maintain in its records
personal information obtained through social media on any
student enrolled in the school district to notify students,
parents, and guardians about the proposed program, to provide an
opportunity for public comment prior to the adoption of any such
program, and to take other specified steps. (The bill passed in
the Assembly Judiciary on a 9-0 vote and in the Assembly
Education Committee on a 7-0 vote; it is currently pending on the
Assembly Floor.)
AB 2504 (Chau) requires a school district contract with a cloud
service provider to specify the types of data transferred or
collected and include a limit or prohibition on the
re-disclosure of student data. (The bill is pending in the
Assembly Education Committee.)
SB 1177 (Steinberg) prohibits K-12 online educational sites,
services, and applications from compiling, sharing, or
disclosing student personal information and from facilitation,
marketing, or advertising to K-12 students. (The bill passed in
the Senate Education on a 9-0 vote and is scheduled to be heard
today in the Senate Judiciary Committee.)
REGISTERED SUPPORT / OPPOSITION :
Support
None on file
Opposition
None on file
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334