A BILL TO BE ENTITLED

AN ACT

relating to the protection of personally identifiable student information and the use of covered information by an operator or educational entity; authorizing a civil and administrative penalty.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 32.151, Education Code, is amended by amending Subdivision (1) and adding Subdivisions (1-a), (1-b), (1-c), (1-d), (1-e), (1-f), and (5-a) to read as follows:

(1) "Aggregate student information" means student information collected by an educational entity that:

(A) is totaled and reported at the group, cohort, school, school district, region, or state level, as determined by the educational entity;

(B) does not reveal personally identifiable student information; and

(C) cannot reasonably be used to identify, contact, single out, or infer information about a student or a device used by a student.

(1-a) "Biometric identifier" means any measurement of the human body or its movement that is used to attempt to uniquely identify or authenticate the identity of an individual, including a blood sample, hair sample, skin sample, body scan, retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.

(1-b) "Coordinating board" means the Texas Higher Education Coordinating Board.

(1-c) "Covered information" means personally identifiable information or information that is linked to personally identifiable information, in any media or format, that is not publicly available and is:

(A) created by or provided to an operator or educational entity by a student or the student's parent in the course of the student's or parent's use of the operator's or entity's website, online service, online application, or mobile application for a school purpose;

(B) created by or provided to an operator or educational entity by an employee of a school district or school campus for a school purpose; or

(C) gathered by an operator or educational entity through the operation of the operator's or entity's website, online service, online application, or mobile application for a school purpose and personally identifies a student, including the student's educational record, electronic mail, first and last name, home address, telephone number, electronic mail address, information that allows physical or online contact, discipline records, test results, special education data, juvenile delinquency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric identifier information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, student identifiers, search activity, photograph, voice recordings, or geolocation information.

(1-d) "Data breach" means an incident in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or is copied, transmitted, viewed, or used by a person unauthorized to engage in that action.

(1-e) "Educational entity" includes school districts, open-enrollment charter schools, regional education service centers, institutions of higher education, and other local education agencies.

(1-f) "Information privacy officer" means the information privacy officer designated by the commissioner under Section 32.1512.

(5-a) "Student" means a person who is enrolled at a public primary or secondary school.

SECTION 2. Subchapter D, Chapter 32, Education Code, is amended by adding Sections 32.1511, 32.1512, 32.1513, 32.1514, 32.1515, 32.1516, 32.1517, 32.1518, 32.1521, 32.1531, 32.1551, 32.1552, 32.1561, 32.1562, 32.1563, 32.158, 32.159, and 32.160 to read as follows:

Sec. 32.1511. OWNERSHIP OF COVERED INFORMATION AND WORK PRODUCT. (a) A student retains ownership over the student's own:

(1) covered information; and

(2) work or intellectual product, regardless of whether the product was created for academic credit.

(b) A student may download, export, transfer, or otherwise save or maintain any document, covered information, or other data created by the student that is held or maintained by an educational entity.

Sec. 32.1512. INFORMATION PRIVACY OFFICER; DUTIES. (a) The commissioner shall designate an agency employee to serve as an information privacy officer to oversee privacy and security policies regarding student information.

(b) The information privacy officer shall:

(1) ensure that the agency handles covered information maintained by the agency in a manner that complies with this subchapter, the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g), and any other federal or state information privacy or security law;

(2) establish and publish in a form that is easily accessible policies necessary to ensure that the use of technology sustains, enhances, and does not erode privacy protections related to the use, collection, and disclosure of covered information;

(3) develop and provide to each educational entity a model student information privacy and security plan;

(4) evaluate legislative and regulatory proposals involving the use, collection, and disclosure of covered information by educational entities;

(5) conduct privacy impact assessments, including an assessment of the type of covered information collected and the number of students affected, for:

(A) legislative proposals affecting educational entities; and

(B) agency and coordinating board rules and program initiatives;

(6) consult and coordinate with representatives of the state, agency, and coordinating board and other appropriate persons regarding the use of covered information and the implementation of this subchapter;

(7) establish and operate a privacy incident response program to ensure that each incident related to covered information involving the agency is properly reported, investigated, and mitigated;

(8) establish a model process and policy for a student or the student's parent to file a complaint regarding:

(A) a violation of student information privacy; or

(B) an inability to access, review, or correct information contained in the student's educational record; and

(9) provide training, guidance, technical assistance, and outreach to build a culture of student information protection and student data security among educational entities and third parties who contract with those entities.

(c) Not later than February 1 of each year, the information privacy officer shall prepare and submit a written report to the standing committees of each house of the legislature with primary jurisdiction over primary, secondary, and higher education regarding actions taken by the agency related to student information privacy, including complaints regarding privacy violations, internal controls, and other related matters.

Sec. 32.1513. GENERAL INVESTIGATIVE POWER OF INFORMATION PRIVACY OFFICER. (a) The information privacy officer may investigate an operator or educational entity as necessary to enforce this subchapter and protect covered information gathered from students in this state.

(b) On request of the information privacy officer, an operator, educational entity, or a third party who contracts with an operator or educational entity shall make all applicable records and materials available to the officer as necessary to enable the officer to determine compliance with this subchapter.

(c) The information privacy officer shall:

(1) limit the scope of the investigation and any accompanying report to those matters that are necessary to the administration of this subchapter; and

(2) in matters related to compliance with federal law, refer the matter to the appropriate federal agency and cooperate with an investigation by the federal agency.

Sec. 32.1514. AGENCY COMPREHENSIVE STUDENT INFORMATION INVENTORY. The agency shall, to the maximum extent possible, develop, maintain, and post on the agency's Internet website a comprehensive student information inventory that accounts for all covered information assets created by, collected by, under the control or direction of, or maintained by the agency, including student information that:

(1) is required to be reported by law;

(2) has been proposed for inclusion in the agency's student information system with a statement regarding the reason for the proposed inclusion; and

(3) is collected or maintained by the agency for no current purpose or reason.

Sec. 32.1515. INFORMATION SECURITY POLICIES AND PROCEDURES. (a) Subject to the approval of the information privacy officer, each educational entity shall adopt and implement reasonable information security policies and procedures in accordance with this subchapter to protect students' educational records and covered information from unauthorized access, destruction, use, modification, or disclosure.

(b) An educational entity must take into account the entity's specific needs and priorities in adopting policies and procedures under Subsection (a).

Sec. 32.1516. STUDENT INFORMATION MANAGER. (a) Each educational entity shall designate an individual to act as a student information manager. The student information manager shall:

(1) create, maintain, and submit to the information privacy officer an information governance plan addressing the protection of existing and future student information and records; and

(2) establish a review process for all covered information requests for the purpose of external research or evaluation.

(b) Not later than December 1 of each year, the student information manager shall submit a report to the agency's information privacy officer. The report must include:

(1) proposed changes to the educational entity's information security policies and procedures adopted under Section 32.1515; and

(2) any data breaches or attempted data breaches detected by the educational entity.

Sec. 32.1517. CONTRACT PROVISIONS. A contract between an educational entity and an operator must include the following provisions:

(1) requirements and restrictions related to the collection, use, storage, and sharing of covered information by the operator that are necessary for the educational entity to ensure the operator's compliance with this subchapter and other law;

(2) a description of the person or type of person, including an affiliate or subcontractor of the operator, with whom the operator may share covered information;

(3) when and how to delete covered information received by the operator;

(4) a prohibition on the secondary use of covered information by the operator, except when used for a legitimate school or research purpose or as described by Sections 32.153 and 32.154;

(5) an agreement by the operator that the educational entity or the educational entity's designee may audit the operator to verify compliance with the contract;

(6) requirements for the operator or a subcontractor of the operator to establish security measures to prevent, detect, or mitigate a data breach; and

(7) requirements for the operator or a subcontractor of the operator to notify the educational entity of a suspected data breach.

Sec. 32.1518. NOTICE OF INFORMATION DISCLOSURE. (a) Not less than annually, an educational entity that collects covered information shall provide to each parent of a student whose covered information is collected a notice of information disclosure form stating in plain language the conditions under which the student's covered information may be disclosed. The educational entity shall provide the form as a stand-alone document.

(b) The notice of information disclosure form must:

(1) list the covered information that the educational entity collects and the rationale for collecting the information, including whether the information is required by law to be collected;

(2) state that a student's covered information collected by the educational entity may not be shared without the written consent of the student's parent;

(3) list each operator or other third party with access to or control of covered information maintained by the educational entity;

(4) outline the rights and responsibilities of the educational entity under this subchapter; and

(5) contain an acknowledgment section that:

(A) states that the intended recipient of the notice actually received the notice and understands its contents;

(B) allows for the recipient to record the recipient's objection to the collection of any covered information relating to the parent's student that is not required by law to be collected; and

(C) includes a signature line.

(c) Each parent who receives a notice of information disclosure form under Subsection (a) shall sign the acknowledgement section described by Subsection (b)(5) and return the form to the educational entity as soon as possible.

(d) An educational entity shall:

(1) annually update its notice of information disclosure form; and

(2) maintain a written or electronic record of each signed acknowledgment form received under this section.

Sec. 32.1521. PROHIBITED USE OF COVERED INFORMATION AND COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY EDUCATIONAL ENTITY. (a) Except as otherwise provided by this subchapter, an educational entity may not release or otherwise disclose a student's covered information in exchange for a good, product, application, service, or any other thing of measurable value.

(b) An educational entity may not use or release covered information for the purpose of targeted advertising unless the release of the data is essential for a school purpose, including the use of adaptive educational software or other strictly tailored educational endeavor with the sole purpose of providing a tailored educational experience to the student.

(c) An educational entity may not collect a student's biometric identifier information unless required by law.

Sec. 32.1531. ALLOWED DISCLOSURE OF COVERED INFORMATION BY EDUCATIONAL ENTITY. (a) An educational entity may disclose covered information if the disclosure is:

(1) authorized in writing by the student's parent;

(2) determined by the entity to be necessary because of an imminent health or safety emergency;

(3) ordered by a court of competent jurisdiction; or

(4) authorized or required by a provision of federal or state law.

(b) The educational entity must comply with the requirements of federal and state law to protect any student information disclosed under this section.

(c) This subchapter may not be construed to prohibit or otherwise limit the ability of an educational entity to report or make available aggregate student information or other collective information for reasonable use.

Sec. 32.1551. NOTIFICATION OF DATA BREACH AFFECTING OPERATOR. (a) Not later than 24 hours after an operator becomes aware of a data breach, the operator shall notify the applicable educational entity with whom the operator has contracted of the breach and take action to determine the scope of student information affected by the breach.

(b) The operator shall update the educational entity as soon as the full scope of the data breach is assessed and take all reasonable steps to notify all persons affected by the breach.

Sec. 32.1552. NOTIFICATION OF DATA BREACH AFFECTING EDUCATIONAL ENTITY. (a) Not later than 24 hours after an educational entity becomes aware of a data breach, the educational entity shall notify the information privacy officer of the suspected or confirmed breach.

(b) Not later than the third business day after the date a data breach is verified, an educational entity shall notify the parent of each student affected by the breach.

Sec. 32.1561. INSPECTION OF INFORMATION CONTAINED IN STUDENT'S EDUCATIONAL RECORD. (a) On request of a student's parent, an educational entity or operator shall allow the student's parent to inspect the covered information and other information contained in the student's educational record maintained by the entity or operator.

(b) The educational entity or operator shall provide the information requested under Subsection (a) in a timely manner and, if possible, in an electronic format.

(c) An educational entity or operator is not required to provide information requested under Subsection (a) if:

(1) the information cannot reasonably be made available to the requesting individual; or

(2) the reproduction of the requested information would be unduly burdensome.

Sec. 32.1562. CORRECTION OF INFORMATION CONTAINED IN STUDENT'S EDUCATIONAL RECORD. (a) After reviewing information requested under Section 32.1561, a student's parent may request that the educational entity or operator make corrections to address inaccurate or incomplete data in the student's educational record maintained by the entity or operator.

(b) On request by a student's parent, an educational entity or operator shall expunge from the student's educational record covered information related to:

(1) an unsubstantiated accusation made against the student; or

(2) alleged conduct committed by the student if:

(A) prosecution of the student's case was refused for lack of prosecutorial merit or insufficient evidence and no formal proceedings, deferred adjudication, or deferred prosecution were initiated; or

(B) the court or jury found the student not guilty or made a finding the student did not engage in delinquent conduct or conduct indicating a need for supervision and the case was dismissed with prejudice.

(c) Not later than the 90th day after the date an educational entity or operator receives a request under Subsection (a) or (b), the educational entity or operator shall make changes to the student's educational record as necessary and confirm the changes with the student's parent.

Sec. 32.1563. RULES; FORMS. (a) The commissioner shall adopt rules as necessary to implement this subchapter.

(b) The commissioner shall develop forms as necessary to implement this subchapter, including model forms for:

(1) providing the notice of information disclosure required by Section 32.1518; and

(2) obtaining written parental consent for the disclosure of covered information as required by Section 32.1531.

Sec. 32.158. CIVIL PENALTY. (a) An operator that violates this subchapter or a rule adopted under this subchapter is liable for a civil penalty if the violation resulted in a negligent data breach.

(b) In determining the amount of a civil penalty to impose under this section, the court shall include:

(1) the cost of identity protection for each person affected by the data breach or compromise;

(2) legal fees and costs incurred by each person affected by the data breach or compromise; and

(3) any other penalty that the court deems reasonable or appropriate.

Sec. 32.159. ADMINISTRATIVE PENALTY. (a) The commissioner may assess an administrative penalty for a violation of this subchapter in an amount of not less than $1,000 or more than $5,000.

(b) The aggregate amount of penalties that the commissioner may assess against a person under this section during a calendar year may not exceed $1,000,000.

Sec. 32.160. CRIMINAL LIABILITY NOT AFFECTED. This subchapter may not be construed to limit or otherwise affect a person's criminal liability under other law.

SECTION 3. The heading to Section 32.152, Education Code, is amended to read as follows:

Sec. 32.152. PROHIBITED USE OF COVERED INFORMATION AND COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY OPERATOR.

SECTION 4. Section 32.152, Education Code, is amended by amending Subsection (a) to read as follows:

(a) An operator may not knowingly:

(1) engage in targeted advertising on any website, online service, online application, or mobile application if the target of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired through the use of the operator's website, online service, online application, or mobile application for a school purpose;

(2) use information, including persistent unique identifiers, created or gathered by the operator's website, online service, online application, or mobile application, to create a profile about a student unless the profile is created for a school purpose; [or]

(3) except as provided by Subsection (c), sell or rent any student's covered information;

(4) exchange a student's covered information for any good, service, or application;

(5) disclose covered information except as provided under this subchapter; or

(6) unless required by law, collect a student's biometric identifier information.

SECTION 5. The heading to Section 32.153, Education Code, is amended to read as follows:

Sec. 32.153. ALLOWED DISCLOSURE OF COVERED INFORMATION BY OPERATOR.

SECTION 6. Section 32.153, Education Code, is amended by amending Subsection (a) and adding Subsection (f) to read as follows:

(a) An operator may use or disclose covered information under the following circumstances:

(1) to further a school purpose of the website, online service, online application, or mobile application and the recipient of the covered information disclosed under this subsection does not further disclose the information unless the disclosure is to allow or improve operability and functionality of the operator's website, online service, online application, or mobile application;

(2) to ensure legal and regulatory compliance;

(3) to protect against liability;

(4) to respond to or participate in the judicial process, including to comply with an investigation by law enforcement as authorized by law or a court order;

(5) to protect:

(A) the safety or integrity of users of the website, online service, online application, or mobile application; or

(B) the security of the website, online service, online application, or mobile application;

(6) for a school, education, or employment purpose requested by the student or the student's parent and the information is not used or disclosed for any other purpose;

(7) to use the covered information for:

(A) a legitimate research purpose; or

(B) a school purpose or postsecondary educational purpose; [or]

(8) for a request by the agency or the school district for a school purpose;

(9) to market an educational application or product to a student's parent, if the operator did not use covered information shared or collected by or on behalf of an educational entity to develop the application or product;

(10) to allow a recommendation engine on the operator's website, online service, online application, or mobile application to recommend to a student's parent content or services related to learning or employment, if the recommendation is not motivated by payment or other consideration from another party; or

(11) to respond to the request of a student's parent for information or feedback, if the content of the response is not motivated by payment or other consideration from another party.

(f) Notwithstanding any other law, an operator shall use a student's covered information received under a contract with an educational entity strictly for the purpose provided under the contract unless the student's parent affirmatively chooses to disclose the student's information for a secondary purpose.

SECTION 7. The heading to Section 32.154, Education Code, is amended to read as follows:

Sec. 32.154. ALLOWED USE OF COVERED INFORMATION BY OPERATOR.

SECTION 8. The heading to Section 32.155, Education Code, is amended to read as follows:

Sec. 32.155. PROTECTION OF COVERED INFORMATION BY OPERATOR.

SECTION 9. Sections 32.155(c), (d), and (e), Education Code, are amended to read as follows:

(c) In addition to including the unique identifier in releasing information as provided by Subsection (b), an operator may include any other data field identified by the agency or by an educational entity [a school district, open-enrollment charter school, regional education service center, or other local education agency] as necessary for the information being released to be useful.

(d) An educational entity [A school district, open-enrollment charter school, regional education service center, or other local education agency] may include additional data fields in an agreement with an operator or the amendment of an agreement with an operator under this section. An operator may agree to include the additional data fields requested by an educational entity [a school district, open-enrollment charter school, regional education service center, or other local education agency] but may not require that additional data fields be included.

(e) An educational entity [A school district, open-enrollment charter school, regional education service center, or other local education agency] may require an operator that contracts directly with the entity to adhere to a state-required student data sharing agreement that includes the use of an established unique identifier standard for all operators as prescribed by the agency.

SECTION 10. The heading to Section 32.156, Education Code, is amended to read as follows:

Sec. 32.156. DELETION OF COVERED INFORMATION BY OPERATOR.

SECTION 11. This Act takes effect September 1, 2023.