Bill Text: MS SB2554 | 2016 | Regular Session | Introduced


Bill Title: Digital privacy; enact protections.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Failed) 2016-02-23 - Died In Committee

MISSISSIPPI LEGISLATURE

2016 Regular Session

To: Judiciary, Division B; Education

By: Senator(s) Watson

Senate Bill 2554

AN ACT TO PROVIDE THAT A GOVERNMENT ENTITY MUST OBTAIN A SEARCH WARRANT BEFORE OBTAINING LOCATION INFORMATION OF AN ELECTRONIC DEVICE; TO PROVIDE EXCEPTIONS AND A CIVIL PENALTY; TO CREATE THE STUDENT DATA ACCESSIBILITY, TRANSPARENCY AND ACCOUNTABILITY ACT OF 2015; TO DEFINE TERMS; TO REQUIRE THE STATE BOARD OF EDUCATION TO CREATE CERTAIN DATA INVENTORY AND TO DEVELOP CERTAIN POLICIES; TO PROHIBIT THE TRANSFER OF CERTAIN DATA; TO PROVIDE CERTAIN EXCEPTIONS; TO REQUIRE A DATA SECURITY PLAN; TO REQUIRE COMPLIANCE WITH CERTAIN LAWS AND POLICIES; TO REQUIRE CERTAIN CONTRACTS TO INCLUDE PRIVACY AND SECURITY PROVISIONS; TO REQUIRE THE BOARD TO NOTIFY THE GOVERNOR AND LEGISLATURE ANNUALLY CONCERNING CERTAIN INFORMATION; TO REQUIRE THE BOARD TO ADOPT CERTAIN RULES; TO PROVIDE FOR CONSIDERATION OF CERTAIN EXISTING DATA; TO LIMIT INTERFERENCE WITH CERTAIN LAWS; TO PROVIDE FOR CODIFICATION; AND FOR RELATED PURPOSES.

     BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

     SECTION 1.  (1)  Except as provided in subsection (2), a government entity may not obtain the location information of an electronic device without a search warrant issued by a duly authorized court.

     (2)  A government entity may obtain location information of an electronic device under any of the following circumstances:

          (a)  The device is reported stolen by the owner;

          (b)  In order to respond to the user's call for emergency services;

          (c)  With the informed, affirmative consent of the owner or user of the electronic device; or

          (d)  There exists a possible life-threatening situation.

     (3)  Any evidence obtained in violation of this section is not admissible in a civil, criminal, or administrative proceeding and may not be used in an affidavit of probable cause in an effort to obtain a search warrant.

     (4)  A violation of this section will result in a civil fine of One Hundred Dollars ($100.00) per day for each day of the violation not to exceed Five Thousand Dollars ($5,000.00).

     (5)  As used in this section, the following definitions apply:

          (a)  "Electronic communication service" means a service that provides to users of the service the ability to send or receive wire or electronic communications.

          (b)  "Electronic device" means a device that enables access to or use of an electronic communication service, remote computing service, or location information service.

          (c)  "Government entity" means a state or local agency, including, but not limited to, a law enforcement entity or any other investigative entity, agency, department, division, bureau, board, or commission or an individual acting or purporting to act for or on behalf of a state or local agency.

          (d)  "Location information" means information concerning the location of an electronic device that, in whole or in part, is generated or derived from or obtained by the operation of an electronic device.

          (e)  "Location information service" means the provision of a global positioning service or other mapping, locational, or directional information service.

          (f)  "Remote computing service" means the provision of computer storage or processing services by means of an electronic communications system.

     SECTION 2.  (1)  This section shall be known and may be cited as the "Student Data Accessibility, Transparency and Accountability Act of 2015."

     (2)  As used in this section:

          (a)  "Board" means the State Board of Education.

          (b)  "Department" means the State Department of Education.

          (c)  "Data system" means the Mississippi Student Information System.

          (d)  "Aggregate data" means data collected or reported at the group, cohort, or institutional level.

          (e)  "De-identified data" means a student dataset in which parent and student identifying information, including the state-assigned student identifier, has been removed.

          (f)  "Student testing number" means the unique student identifier assigned by the state to each student that shall not be or include the Social Security number of a student in whole or in part.

          (g)  "Student data" means data collected or reported at the individual student level included in a student's educational record.

              (i)  "Student data" includes:

                   1.  State and national assessment results, including information on untested public school students;

                   2.  Course taking and completion, credits earned, and other transcript information;

                   3.  Course grades and grade point average;

                   4.  Date of birth, grade level and expected graduation date/graduation cohort;

                   5.  Degree, diploma, credential attainment, and other school exit information such as General Educational Development and drop-out data;

                   6.  Attendance and mobility;

                   7.  Data required to calculate the federal four-year adjusted cohort graduation rate, including sufficient exit and drop-out information;

                   8.  Discipline reports limited to objective information sufficient to produce the federal Title IV Annual Incident Report;

                   9.  Remediation;

                   10.  Special education data; and

                   11.  Demographic data and program participation information.

              (ii)  Unless included in a student's educational record, "student data" shall not include:

                   1.  Juvenile delinquency records;

                   2.  Criminal records;

                   3.  Medical and health records;

                   4.  Student social security number; and

                   5.  Student biometric information.

     (3)  The State Board of Education shall:

          (a)  Create, publish and make publicly available a data inventory and dictionary or index of data elements with definitions of individual student data fields currently in the student data system including:

              (i)  Any individual student data required to be reported by state and federal education mandates;

              (ii)  Any individual student data which has been proposed for inclusion in the student data system with a statement regarding the purpose or reason for the proposed collection; and

              (iii)  Any individual student data that the State Department of Education collects or maintains with no current purpose or reason;

          (b)  Develop, publish and make publicly available policies and procedures to comply with the Federal Family Educational Rights and Privacy Act (FERPA) and other relevant privacy laws and policies, including, but not limited to:

              (i)  Access to student and de-identified data in the student data system shall be restricted to:

                   1.  The authorized staff of the State Department of Education and the department's contractors who require such access to perform their assigned duties, including staff and contractors from the Information Services Division of the Office of Management and Enterprise Services assigned to the Department;

                   2.  District administrators, teachers and school personnel who require such access to perform their assigned duties;

                   3.  Students and their parents; and

                   4.  The authorized staff of other state agencies as required by law or defined by interagency data-sharing agreements;

              (ii)  The State Department of Education shall use only aggregate data in public reports or in response to record requests in accordance with paragraph (a) of this subsection;

              (iii)  The State Department of Education shall develop criteria for the approval of research and data requests from state and local agencies, the Legislature, researchers and the public:

                   1.  Unless otherwise approved by the State Board of Education, student data maintained by the State Department of Education shall remain confidential; and

                   2.  Unless otherwise approved by the State Board of Education to release student or de-identified data in specific instances, the department may only use aggregate data in the release of data in response to research and data requests; and

              (iv)  Notification to students and parents regarding their rights under federal and state law;

          (c)  Unless otherwise approved by the State Board of Education, the State Department of Education shall not transfer student or de-identified data deemed confidential under subsection (1)(c) of this section to any federal, state or local agency or other organization or entity outside of the State of Mississippi, with the following exceptions:

              (i)  A student transfers out of state or a school/district seeks help with locating an out-of-state transfer;

              (ii)  A student leaves the state to attend an out-of-state institution of higher education or training program;

              (iii)  A student registers for or takes a national or multistate assessment;

              (iv)  A student voluntarily participates in a program for which such a data transfer is a condition/requirement of participation;

              (v)  The Department enters into a contract that governs databases, assessments, special education or instructional supports with an out-of-state vendor; or

              (vi)  A student is classified as "migrant" for federal reporting purposes;

          (d)  Develop a detailed data security plan that includes:

              (i)  Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;

              (ii)  Privacy compliance standards;

              (iii)  Privacy and security audits;

              (iv)  Breach planning, notification and procedures; and

              (v)  Data retention and disposition policies;

          (e)  Ensure routine and ongoing compliance by the State Department of Education with FERPA, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this act, including the performance of compliance audits;

          (f)  Ensure that any contracts that govern databases, assessments or instructional supports that include student or de-identified data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance; and

          (g)  Notify the Governor and the Legislature annually of the following:

              (i)  New student data proposed for inclusion in the state student data system:

                   1.  Any new student data collection proposed by the State Board of Education becomes a provisional requirement to allow districts and their local data system vendors the opportunity to meet the new requirement; and

                   2.  The State Board of Education must submit any new "provisional" student data collection to the Governor and the Legislature for their approval within one (1) year in order to make the new student data a permanent requirement.  Any provisional student data collection not approved by the Governor and the Legislature by the end of the next legislative session expires and is no longer required;

              (ii)  Changes to existing data collections required for any reason, including changes to federal reporting requirements made by the U.S. Department of Education;

              (iii)  An explanation of any exceptions granted by the State Board of Education in the past year regarding the release or out-of-state transfer of student or de-identified data; and

              (iv)  The results of any and all privacy compliance and security audits completed in the past year.  Notifications regarding privacy compliance and security audits shall not include any information that would itself pose a security threat to the state or local student information systems or to the secure transmission of data between state and local systems by exposing vulnerabilities.

     (4)  The State Board of Education shall adopt rules for the State Department of Education to implement the provisions of the Student Data Accessibility, Transparency and Accountability Act of 2015.

     (5)  Upon the effective date of this act, any existing collection of student data by the State Department of Education shall not be considered a new student data collection under this section.

     (6)  Nothing in this act shall interfere with the State Department of Education's compliance with the Educational Accountability Reform Act.

     SECTION 3.  This act shall take effect and be in force from and after July 1, 2016.
