BILL ANALYSIS
|
Senate Research Center |
H.B. 363 |
|
87R13738 CAE-F |
By: VanDeaver (Perry) |
|
|
Education |
|
|
5/7/2021 |
|
|
Engrossed |
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
It has been reported that student data being shared with state-approved operators (vendors) and their products by public education entities is of a higher volume and specification than is necessary to perform the respective service the product offers. For example, in order to provide textbook resources, an operator may require a school to provide information about a student's date of birth, ethnicity, language status, or free and reduced lunch status in order to utilize their products or services. None of these fields are necessary to utilize the correct textbook resources and are presumably for internal market research purposes. This data collection leads to the creation of large digital footprints of children within the data systems of private companies. Consequences of these continued practices include the use of the data to serve these companies' private financial interests through data mining and research, as well as increasing the risk to children in the event of a cyber attack, where the amount of data stolen about a child is much higher due to the extraneous information gathered about them.
Additionally, control over that data and the quality of its protection standards is dictated by these operators' data agreements instead of a uniform state-approved student data sharing agreement. There is currently no uniform minimum standard for such an agreement that includes a masking standard as well as limiting unnecessary data fields. School districts, especially those that are smaller and/or rural, face an uphill battle in limiting and protecting the data of their students since they must comply with the vendor's expectations if they want to be able to use their products. In order to provide protections for students, the amount of data vendors receive in the course of business must be narrowed, and vendors need to be required to mask the student data as well as abide by state-approved data sharing agreements that articulate minimum standards of safety.
H.B. 363 requires any operator or product that possesses any covered information about students to utilize a unique ID for each student that is already used across the state as the Texas Student Data System (TSDS). In order to implement and maintain reasonable security procedures and practices when creating an account, uploading data, transmitting data, performing analysis, or reporting, this is the masking standard that will provide stronger protections for this information to help prevent theft or exploitation. Examples of such harm include unauthorized access, deletion, use, modification, or disclosure of the data. This bill further allows school districts, open-enrollment charter schools, regional education service centers, and other local education agencies (LEA) the opportunity to require the operators they contract with directly to adhere to a state-approved data sharing agreement. This agreement will include the use of an established unique ID standard.
Only Texas Education Agency-approved or adopted products must utilize this agreement. The bill gives discretionary authority to entities (e.g., school districts, LEAs, etc.) to require vendors who are not agency adopted or approved to utilize the uniform agreement, but it does not require entities to utilize it, nor does it require the vendors to abide by it, unless the vendor agrees. All vendors that are not agency adopted or approved have discretion as to whether they wish to abide by a local district�s policy or contracting requirements.
H.B 363 exempts national assessment providers if the reason they are receiving covered information is for the sole purpose of providing access to information about employment, scholarships, financial aid, postsecondary education opportunities, or educational resources. The commissioner of education may adopt rules as necessary to administer this section.
H.B. 363 amends current law relating to restricting the use of personally identifiable student information by an operator of a website, online service, online application, or mobile application used for a school purpose and providing an exemption from certain restrictions for a national assessment provider.
RULEMAKING AUTHORITY
Rulemaking authority is expressly granted to the commissioner of education in SECTION 1 (Section 32.155, Education Code) of this bill.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Section 32.155, Education Code, as follows:
Sec. 32.155. PROTECTION OF COVERED INFORMATION. (a) Creates this subsection from existing text and makes no further changes to this subsection.
(b) Requires any operator that has been approved by the Texas Education Agency (TEA) or had a product adopted by TEA and possesses any covered information to use the unique identifier established by the Texas Student Data System (TSDS) or a successor data management system maintained by TEA for any account creation, data upload, data transmission, analysis, or reporting to mask all personally identifiable student information. Requires the operator to adhere to a state-required student data sharing agreement that includes an established unique identifier standard for all operators as prescribed by TEA.
(c) Authorizes an operator, in addition to including the unique identifier in releasing information as provided by Subsection (b), to include any other data field identified by TEA or by a school district, open-enrollment charter school, regional education service center, or other local education agency as necessary for the information being released to be useful.
(d) Authorizes a school district, open-enrollment charter school, regional education service center, or other local education agency to include additional data fields in an agreement with an operator or the amendment of an agreement with an operator under this section. Provides that an operator may agree to include the additional data fields requested by a school district, open‑enrollment charter school, regional education service center, or other local education agency but is prohibited from requiring that additional data fields be included.
(e) Authorizes a school district, open-enrollment charter school, regional education service center, or other local education agency to require an operator that contracts directly with the entity to adhere to a state-required student data sharing agreement that includes the use of an established unique identifier standard for all operators as prescribed by TEA.
(f) Provides that a national assessment provider who receives covered information from a student or from a school district or campus on behalf of a student is not required to comply with Subsection (b) or (e) if the provider receives the covered information solely to provide access to:
(1) employment, educational scholarships, financial aid, or postsecondary educational opportunities; or
(2) educational resources for middle school, junior high school, or high school students.
(g) Authorizes the commissioner of education to adopt rules as necessary to administer this section.
SECTION 2. Effective date: September 1, 2023. �