BILL ANALYSIS

SENATE COMMITTEE ON EDUCATION
Carol Liu, Chair
2013-14 Regular Session

BILL NO: AB 1584
AUTHOR: Buchanan
AMENDED: June 3, 2014
FISCAL COMM: No
HEARING DATE: June 11, 2014
URGENCY: No
CONSULTANT: Lenin Del Castillo

NOTE: This bill has been referred to the Committees on Education and Judiciary. A "do pass" motion should include referral to the Committee on Judiciary.

SUBJECT: Pupil records: third-party contracts and digital storage services.

SUMMARY

This bill requires a local educational agency (LEA) that elects to enter into a contract with a third-party for the purpose of providing digital management of pupil records to include specific assurances in those contracts that are intended to protect the privacy of student information.

BACKGROUND

Current law prohibits a school district from permitting access to student records to any person without written parental consent or pursuant to a judicial order except as set forth in the federal Family Educational Rights and Privacy Act (FERPA). Access to those particular records relevant to the legitimate educational interests of the requester shall be permitted to the following requesters:

1) School officials, employees of the district, and members of a school attendance review board;
2) Officials and employees of other public schools where the pupil intends to or is enrolled;
3) The Controller General of the U.S., the U.S. Secretary of Education, state and local educational authorities, or the U.S.
Department of Education's Office of Civil Rights, if the information is necessary to audit or evaluate a federally funded program;
4) Other state and local officials if the information is required to be reported pursuant to state law adopted before November 19, 1974;
5) Parents of a pupil 18 years of age or older if the pupil is a dependent;
6) A pupil who is 16 years of age or older or who has completed 10th grade and a pupil who is 14 years of age or older who is a homeless or unaccompanied youth;
7) A district attorney conducting a truancy mediation program or investigating a violation of compulsory attendance laws;
8) A probation officer, district attorney, or counsel of record for a minor for purposes of conducting a criminal investigation or an investigation in regard to declaring a person a ward of the court or involving a violation of a condition of probation;
9) A judge or probation officer in relation to a truancy mediation program;
10) A county placing agency;
11) A representative of a child welfare agency;
12) Appropriate persons in connection with a health or safety emergency;
13) Agencies in connection with the application of a pupil for financial aid;
14) Accrediting associations; and
15) A contractor or consultant with a legitimate educational interest who has a formal written agreement or contract with the school district regarding the provision of outsourced institutional services or functions.

(Education Code § 49076)

Current law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its Web site to conspicuously post its privacy policy. (Business & Professions Code Section 22575)

The federal Family Educational Rights and Privacy Act (FERPA) is intended to protect the privacy of student education records.
It applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions:

1) School officials with legitimate educational interest;
2) Other schools to which a student is transferring;
3) Specified officials for audit or evaluation purposes;
4) Appropriate parties in connection with financial aid to a student;
5) Organizations conducting certain studies for or on behalf of the school;
6) Accrediting organizations;
7) To comply with a judicial order or lawfully issued subpoena;
8) Appropriate officials in cases of health and safety emergencies; and
9) State and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, and date and place of birth. However, schools must tell parents and eligible students about directory information and allow them a reasonable amount of time to request that the school not disclose such information. Schools must also notify parents and eligible students annually of their rights under FERPA. (20 U.S.C. Section 1232g; 34 CFR Part 99)

ANALYSIS

This bill:

1) Provides that a local educational agency (LEA) may enter into a contract with a third party for either or both of the following purposes:

   a) To provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records.
   b) To provide digital educational software that authorizes a third-party provider of digital educational software to access and acquire pupil records.

2) Requires an LEA that enters into a contract with a third-party to ensure the contract contains all of the following:

   a) A statement that pupil records continue to be the property of and under the control of the LEA.
   b) A prohibition against the third-party using personally identifiable information in individual pupil records for commercial or advertising purposes.
   c) A prohibition against the third-party using any information in the pupil record for any purpose other than for the requirements of the contract.
   d) A description of the procedures by which a parent, legal guardian, or eligible pupil may review the pupil's records and correct erroneous information.
   e) A description of the actions the third-party will take, including the designation and training of responsible individuals, to ensure the security of pupil records. Compliance with this requirement shall not, in itself, absolve the third-party of liability in the event of an unauthorized disclosure of pupil records.
   f) A description of the procedures for notifying the affected parent, legal guardian, and eligible pupil in the event of an unauthorized disclosure of pupil records.
   g) A certification that a pupil's records shall not be retained or available to the third-party upon completion of the terms of the contract and a description of how that certification will be enforced.
   h) A description of how the local educational agency (LEA) and the third-party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act and the Children's Online Privacy Protection Act for all pupils, including pupils who are more than 13 years of age.

3) Provides that a contract that fails to comply with these requirements shall be voidable and all pupil records in possession of the third-party shall be returned to the LEA.

4) Defines pupil records as any information directly related to a pupil that is maintained by the LEA or any information acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other employee of the LEA.

5) Provides that pupil records do not include records of teachers and school administrators that are kept in their sole possession and not revealed to any other individual except a substitute teacher.

6) Defines third-party as a provider of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records.

7) Makes other definitions for purposes of the bill.

8) Provides that if the provisions of this section are in conflict with the terms of a contract in effect before January 1, 2015, the provisions of this section shall not apply to the LEA or the third-party subject to that agreement until the expiration, amendment, or renewal of the agreement.

STAFF COMMENTS

1) Need for the bill. According to the author's office, the growing use of online and cloud-based services for providing instructional software and assessment and for maintaining student records has put student privacy at risk. There are loopholes in current law that permit the disclosure of confidential student records to private vendors without parental knowledge or consent. The protections afforded by existing state and federal law have not kept pace with the use of cloud-based and online services by private, for-profit companies to "data mine" student records. The author's office indicates that private companies are currently acquiring access to student records with little oversight to ensure the confidentiality of those records.
This bill is intended to strengthen protections against the misuse or improper disclosure of student records by requiring contracts entered into between a K-12 education agency and a third-party provider to contain specified, privacy-related provisions.

2) New era of digital technology. Recent advances in technology have changed the landscape of education in schools and have resulted in the expansion of student data. School districts are increasingly integrating the use of computers and tablets in the classroom to instantly deliver personalized content, employ virtual forums for interacting with other students and teachers, and utilize other interactive technologies to enhance student learning. These technologies, which may be provided directly by school districts and through the use of private contractors and subcontractors, have the potential to transform the classroom and learning processes. Online forums are used to assist teachers with sharing lesson plans and web-based applications help teachers with customized learning experiences for individual students. With access to personal student level education records, these new technologies raise questions concerning the security of this information.

3) Strengthening student protections. The United States Department of Education established the Privacy Technical Assistance Center (PTAC) as a resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data. The PTAC recently released new guidance to help schools and educators understand the major laws and best practices protecting student privacy while using online educational services.
This guidance summarized the requirements of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) that relate to these educational services, and urged school districts to go beyond compliance to follow best practices for outsourcing school functions using online educational services, including computer software, mobile applications, and web-based tools. This lends support to the notion that FERPA protections may be insufficient with regard to student data and digital technology with limited or no ability to enforce penalties on third-party providers that are in violation.

4) Third-party contracts. The author's office indicates that with the use of classroom applications and software, some of the same information such as personally identifiable information, grades, attendance, and special education status may be acquired by third party providers. If this information were acquired from district records, it would currently be protected under the Family Educational Rights and Privacy Act. However, if the same information is acquired from teachers or students through the use of classroom applications and software, it would not be protected and yet, the same protections should apply. In this new era of digital technology where schools are increasingly utilizing educational software and applications to enhance student learning and also contracting with companies to provide digital record-keeping services, it is unclear what risks they may pose to student privacy. It is also unclear to what extent school districts are choosing to require contracts with third-party providers that contain sufficient student privacy protections because current law does not require it. School districts are certainly authorized to do this under current law, but anecdotal evidence suggests that not all school districts are imposing such requirements.
The protections that this bill proposes are consistent with previous efforts by the state to ensure the privacy of student records and personal information.

5) Unintended consequences? As the bill moves forward, the author may wish to consider addressing potential issues with the bill's definition of pupil records and ownership of pupil records that could have unintended consequences.

The bill defines pupil records to include any information acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other employee of the local educational agency (LEA), which would be prohibited from being used by a third party for any other purpose. While the definition is intended to prevent the "data-mining" of student information and also protect sensitive information such as home addresses and social security numbers, it could have overly broad application. The Internet Association suggests that non-sensitive information, such as data on a student's user experience with the educational software, including what features improved learning outcomes for the student, what features were less helpful, and other pieces of information that could otherwise be used by the third party to innovate and improve their products, would be considered pupil records. Could the bill somehow inhibit third party providers from developing technologies that could benefit schools, teachers, and students?

Additionally, the bill provides that pupil records would be the property of and under the control of the LEA. Would this always be appropriate if the content is generated by the student, such as classroom assignment notes taken using the instructional software or application? Could this perhaps lead to disputes over intellectual property and who owns or controls personal content?
For instance, would a student be unable to post a short story that he or she generated (using the software or application) onto a personal blog because the LEA owns those records? Or would a student be prohibited from including videos or photos taken with educational software as part of his or her portfolio?

The bill also requires an LEA's contract to include a description of how the LEA and the third-party will jointly ensure compliance with the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA) for all pupils, including pupils who are more than 13 years of age. The COPPA imposes certain requirements intended to place parents in control over what information is collected from their young children, such as requiring operators to obtain parental consent before undertaking specific activities that include using and disclosing children's personal information for its own commercial purposes. However, staff notes that the COPPA currently applies to children under the age of 13, while the bill would extend the requirement for LEAs to include a description of how the LEA and the third-party will ensure compliance with the FERPA and COPPA to all pupils, not just those that are under the age of 13. It is unclear if this could result in other unintended consequences.

6) Related and prior legislation.

Senate Bill 1177 (Steinberg) prohibits K-12 online educational sites, services, and applications from compiling, sharing, or disclosing student personal information and from facilitating, marketing, or advertising to K-12 students. This bill is pending before the Assembly Education Committee.

Assembly Bill 1442 (Gatto) imposes requirements on school districts and vendors that monitor students' use of social media. This bill is also scheduled to be heard by the Senate Education Committee on June 11, 2014.

SUPPORT

Association of California School Administrators

OPPOSITION

Internet Association