Bill Text: CA AB1584 | 2013-2014 | Regular Session | Amended
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software.
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Passed) 2014-09-29 - Chaptered by Secretary of State - Chapter 800, Statutes of 2014. [AB1584 Detail]
Download: California-2013-AB1584-Amended.html
Bill Title: Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software.
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Passed) 2014-09-29 - Chaptered by Secretary of State - Chapter 800, Statutes of 2014. [AB1584 Detail]
Download: California-2013-AB1584-Amended.html
BILL NUMBER: AB 1584 AMENDED
BILL TEXT
AMENDED IN SENATE AUGUST 21, 2014
AMENDED IN SENATE JULY 1, 2014
AMENDED IN SENATE JUNE 3, 2014
AMENDED IN ASSEMBLY APRIL 22, 2014
AMENDED IN ASSEMBLY MARCH 28, 2014
INTRODUCED BY Assembly Member Buchanan
(Principal coauthor: Assembly Member Chau)
FEBRUARY 3, 2014
An act to add Section 49073.1 to the Education Code, relating to
pupil records.
LEGISLATIVE COUNSEL'S DIGEST
AB 1584, as amended, Buchanan. Pupil records: privacy: 3rd-party
contracts: digital storage services and digital educational software.
Existing law prohibits a school district from permitting access to
pupil records to any person without parental consent or without a
judicial order, except to specified persons under certain
circumstances, including to a contractor or consultant with a
legitimate educational interest who has a formal written agreement or
contract with the school district regarding the provision of
outsourced institutional services or functions by the contractor or
consultant.
This bill would authorize a local educational agency, as defined,
pursuant to a policy adopted by its governing board or governing
body, as appropriate, to enter into a contract with a 3rd
party, as defined, to provide services for the digital storage,
management, and retrieval of pupil records, as defined, or to provide
digital educational software, or both. The bill would require the
contract to include specified provisions, including a statement that
the pupil records continue to be the property of and under the
control of the local educational agency, a description of the actions
the 3rd party will take to ensure the security and confidentiality
of pupil records, and a description of how the local educational
agency and the 3rd party will jointly ensure compliance with
specified federal privacy acts the federal
Family Educational Rights and Privacy Act . The bill would
require that a contract that fails to comply with the requirements of
this bill be rendered void if certain conditions are satisfied.
The bill would provide that, if these provisions are in conflict
with the terms of a contract in effect before January 1, 2015, the
provisions shall not apply to the local educational agency or the 3rd
party subject to that agreement until the expiration, amendment, or
renewal of the agreement.
Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 49073.1 is added to the Education Code, to
read:
49073.1. (a) A local educational agency may
may, pursuant to a policy adopted by its governing b
oard or, in the case of a charter school, its governing body,
enter into a contract with a third party for either or both of the
following purposes:
(1) To provide services, including cloud-based services, for the
digital storage, management, and retrieval of pupil records.
(2) To provide digital educational software that authorizes a
third-party provider of digital educational software to
access and acquire access, store, and use pupil
records in accordance with the contractual provisions listed in
subdivision (b) .
(b) A local educational agency that enters into a contract with a
third party for purposes of subdivision (a) shall ensure the contract
contains all of the following:
(1) A statement that pupil records continue to be the property of
and under the control of the local educational agency. For
purposes of this paragraph, "pupil records" does not include
pupil-generated content.
(2) A Notwithstanding paragraph
(1), a description of the means by which pupils may
retain possession and control of their own pupil-generated content,
if any applicable, including options by which
a pupil may transfer pupil-generated content to a personal account
.
(3) A prohibition against the third party using any information in
the pupil record for any purpose other than for the
requirements of the contract those required or
specifically permitted by the contract .
(4) A description of the procedures by which a parent, legal
guardian, or eligible pupil may review personally identifiable
information in the pupil's records and correct erroneous
information.
(5) A description of the actions the third party will take,
including the designation and training of responsible individuals, to
ensure the security and confidentiality of pupil records. Compliance
with this requirement shall not, in itself, absolve the third party
of liability in the event of an unauthorized disclosure of pupil
records.
(6) A description of the procedures for notifying the affected
parent, legal guardian, and or eligible
pupil in the event of an unauthorized disclosure of the pupil's
records.
(7) (A) A certification that a pupil's
records shall not be retained or available to the third party upon
completion of the terms of the contract and a description of how that
certification will be enforced.
(B) The requirements provided in subparagraph (A) shall not apply
to pupil-generated content if the pupil chooses to establish or
maintain an account with the third party for the purpose of storing
that content pursuant to paragraph (2).
(8) A description of how the local educational agency and the
third party will jointly ensure compliance with the federal Family
Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g)
and the federal Children's Online Privacy Protection Act of 1998 (15
U.S.C. Sec. 6501 et seq.) for all pupils, including pupils who are
more than 13 years of age (20 U.S.C. Sec. 1232g)
.
(9) A prohibition against the third party using personally
identifiable information in pupil records to engage in targeted
advertising.
(c) In addition to any other penalties, a contract that fails to
comply with the requirements of this section shall be rendered void
if, upon notice and a reasonable opportunity to cure, the
noncompliant party fails to come into immediate
compliance and cure any defect. Written notice of noncompliance may
be provided by any party or intended beneficiary of
to the contract. All parties subject to a
contract voided under this subdivision shall immediately
return all pupil records in their possession to the local
educational agency.
(d) For purposes of this section, the following terms have the
following meanings:
(1) "Deidentified information" means information that cannot be
used to identify an individual pupil.
(2) "Eligible pupil" means a pupil who has reached 18 years of
age.
(3) "Local educational agency" includes school districts, county
offices of education, and charter schools.
(4) "Pupil-generated content" means materials created by a pupil,
including, but not limited to, essays, research reports, portfolios,
creative writing, music or other audio files, and
photographs files, photographs, and account
information that enables ongoing ownership of pupil content.
"Pupil-generated content" does not include pupil responses to a
standardized assessment where pupil possession and control would
jeopardize the validity and reliability of that assessment .
(5) (A) "Pupil records" means both of the following:
(i) Any information directly related to a pupil that is maintained
by the local educational agency.
(ii) Any information acquired directly from the pupil through the
use of instructional software or applications assigned to the pupil
by a teacher or other local educational agency employee.
(B) "Pupil records" does not mean any of the following:
(i) Deidentified information, including aggregated deidentified
information, used by the third party to improve educational products
for adaptive learning purposes and for customizing pupil learning.
(ii) Deidentified information, including aggregated deidentified
information, used to demonstrate the effectiveness of the operator's
products in the marketing of those products.
(iii) Deidentified information, including aggregated deidentified
information, used for the development and improvement of educational
sites, services, or applications.
(6) "Third party" refers to a provider of digital educational
software or services, including cloud-based services, for the digital
storage, management, and retrieval of pupil records.
(e) If the provisions of this section are in conflict with the
terms of a contract in effect before January 1, 2015, the provisions
of this section shall not apply to the local educational agency or
the third party subject to that agreement until the expiration,
amendment, or renewal of the agreement.
(f) Nothing in this section shall be construed to impose liability
on a third party for content provided by any other third party.
