State education departments and legislatures are grappling with the privacy implications of the expanded use of technology in classrooms and schools serving as central data repositories of a host of personally identifying information (“PII”) on minors. In New York, a group of parents sued the state’s education department to prevent it from handing over students’ PII to third parties in 2013. While federal law has been slow to keep pace with rapidly changing technology, in the past two years, four dozen states and counties have adopted student data privacy laws. Colorado is the latest state to make a move in this space, with the House unanimously passing a bill that has been called one of the toughest student privacy laws in the country.
The Colorado Student Privacy Bill
The Colorado student privacy bill establishes strict protections for student PII, in recognition of a need for structure around the massive amounts of PII that schools and educational software vendors collect on their students. In particular, the bill requires student PII to be destroyed after a certain period, and it gives parents of public-school students insight into who is collecting their children’s data and for what purpose. The bill puts the onus on both vendors and the state to ensure compliance by requiring the state board of education to monitor contractors that have access to student PII. Before becoming law, the bill must pass the Colorado Senate and go to the governor.
We expect to see mounting pressure for entities that collect, store, and process PII to ensure safeguards for the data, particularly those entities in possession of sensitive data like healthcare records and minors’ PII. For example, there has already been a spate of enforcement actions against hospitals that have failed to adequately protect patient information protected under the Health Insurance Portability and Accountability Act (“HIPAA”). The states that have recently enacted student data privacy and security laws will also likely start launching audit and enforcement programs, so institutions and contractors should be prepared.
In addition to establishing clear practices for how student data is collected, stored, and processed, schools should also implement strong data security safeguards. In our practice, we regularly advise educational institutions, from public school districts to large universities, that have been victimized by hacking or phishing scams in which student PII is compromised.
* Mia Havel is admitted to practice law in Massachusetts and the District of Columbia. Her practice is supervised by principals of the firm admitted in Colorado.