Bill Text: TX SB928 | 2023-2024 | 88th Legislature | Introduced
Bill Title: Relating to the protection of personally identifiable student information and the use of covered information by an operator or educational entity; authorizing a civil and administrative penalty.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2023-03-03 - Referred to Education [SB928 Detail]
Download: Texas-2023-SB928-Introduced.html
| By: Parker | S.B. No. 928 | |
|
|
||
|
|
||
| relating to the protection of personally identifiable student | ||
| information and the use of covered information by an operator or | ||
| educational entity; authorizing a civil and administrative | ||
| penalty. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 32.151, Education Code, is amended by | ||
| amending Subdivision (1) and adding Subdivisions (1-a), (1-b), | ||
| (1-c), (1-d), (1-e), (1-f), and (5-a) to read as follows: | ||
| (1) "Aggregate student information" means student | ||
| information collected by an educational entity that: | ||
| (A) is totaled and reported at the group, cohort, | ||
| school, school district, region, or state level, as determined by | ||
| the educational entity; | ||
| (B) does not reveal personally identifiable | ||
| student information; and | ||
| (C) cannot reasonably be used to identify, | ||
| contact, single out, or infer information about a student or a | ||
| device used by a student. | ||
| (1-a) "Biometric identifier" means any measurement of | ||
| the human body or its movement that is used to attempt to uniquely | ||
| identify or authenticate the identity of an individual, including a | ||
| blood sample, hair sample, skin sample, body scan, retina or iris | ||
| scan, fingerprint, voiceprint, or record of hand or face geometry. | ||
| (1-b) "Coordinating board" means the Texas Higher | ||
| Education Coordinating Board. | ||
| (1-c) "Covered information" means personally | ||
| identifiable information or information that is linked to | ||
| personally identifiable information, in any media or format, that | ||
| is not publicly available and is: | ||
| (A) created by or provided to an operator or | ||
| educational entity by a student or the student's parent in the | ||
| course of the student's or parent's use of the operator's or | ||
| entity's website, online service, online application, or mobile | ||
| application for a school purpose; | ||
| (B) created by or provided to an operator or | ||
| educational entity by an employee of a school district or school | ||
| campus for a school purpose; or | ||
| (C) gathered by an operator or educational entity | ||
| through the operation of the operator's or entity's website, online | ||
| service, online application, or mobile application for a school | ||
| purpose and personally identifies a student, including the | ||
| student's educational record, electronic mail, first and last name, | ||
| home address, telephone number, electronic mail address, | ||
| information that allows physical or online contact, discipline | ||
| records, test results, special education data, juvenile | ||
| delinquency records, grades, evaluations, criminal records, | ||
| medical records, health records, social security number, biometric | ||
| identifier information, disabilities, socioeconomic information, | ||
| food purchases, political affiliations, religious information, | ||
| text messages, student identifiers, search activity, photograph, | ||
| voice recordings, or geolocation information. | ||
| (1-d) "Data breach" means an incident in which student | ||
| information that is sensitive, protected, or confidential, as | ||
| provided by state or federal law, is stolen or is copied, | ||
| transmitted, viewed, or used by a person unauthorized to engage in | ||
| that action. | ||
| (1-e) "Educational entity" includes school districts, | ||
| open-enrollment charter schools, regional education service | ||
| centers, institutions of higher education, and other local | ||
| education agencies. | ||
| (1-f) "Information privacy officer" means the | ||
| information privacy officer designated by the commissioner under | ||
| Section 32.1512. | ||
| (5-a) "Student" means a person who is enrolled at a | ||
| public primary or secondary school. | ||
| SECTION 2. Subchapter D, Chapter 32, Education Code, is | ||
| amended by adding Sections 32.1511, 32.1512, 32.1513, 32.1514, | ||
| 32.1515, 32.1516, 32.1517, 32.1518, 32.1521, 32.1531, 32.1551, | ||
| 32.1552, 32.1561, 32.1562, 32.1563, 32.158, 32.159, and 32.160 to | ||
| read as follows: | ||
| Sec. 32.1511. OWNERSHIP OF COVERED INFORMATION AND WORK | ||
| PRODUCT. (a) A student retains ownership over the student's own: | ||
| (1) covered information; and | ||
| (2) work or intellectual product, regardless of | ||
| whether the product was created for academic credit. | ||
| (b) A student may download, export, transfer, or otherwise | ||
| save or maintain any document, covered information, or other data | ||
| created by the student that is held or maintained by an educational | ||
| entity. | ||
| Sec. 32.1512. INFORMATION PRIVACY OFFICER; DUTIES. (a) | ||
| The commissioner shall designate an agency employee to serve as an | ||
| information privacy officer to oversee privacy and security | ||
| policies regarding student information. | ||
| (b) The information privacy officer shall: | ||
| (1) ensure that the agency handles covered information | ||
| maintained by the agency in a manner that complies with this | ||
| subchapter, the Family Educational Rights and Privacy Act of 1974 | ||
| (20 U.S.C. Section 1232g), and any other federal or state | ||
| information privacy or security law; | ||
| (2) establish and publish in a form that is easily | ||
| accessible policies necessary to ensure that the use of technology | ||
| sustains, enhances, and does not erode privacy protections related | ||
| to the use, collection, and disclosure of covered information; | ||
| (3) develop and provide to each educational entity a | ||
| model student information privacy and security plan; | ||
| (4) evaluate legislative and regulatory proposals | ||
| involving the use, collection, and disclosure of covered | ||
| information by educational entities; | ||
| (5) conduct privacy impact assessments, including an | ||
| assessment of the type of covered information collected and the | ||
| number of students affected, for: | ||
| (A) legislative proposals affecting educational | ||
| entities; and | ||
| (B) agency and coordinating board rules and | ||
| program initiatives; | ||
| (6) consult and coordinate with representatives of the | ||
| state, agency, and coordinating board and other appropriate persons | ||
| regarding the use of covered information and the implementation of | ||
| this subchapter; | ||
| (7) establish and operate a privacy incident response | ||
| program to ensure that each incident related to covered information | ||
| involving the agency is properly reported, investigated, and | ||
| mitigated; | ||
| (8) establish a model process and policy for a student | ||
| or the student's parent to file a complaint regarding: | ||
| (A) a violation of student information privacy; | ||
| or | ||
| (B) an inability to access, review, or correct | ||
| information contained in the student's educational record; and | ||
| (9) provide training, guidance, technical assistance, | ||
| and outreach to build a culture of student information protection | ||
| and student data security among educational entities and third | ||
| parties who contract with those entities. | ||
| (c) Not later than February 1 of each year, the information | ||
| privacy officer shall prepare and submit a written report to the | ||
| standing committees of each house of the legislature with primary | ||
| jurisdiction over primary, secondary, and higher education | ||
| regarding actions taken by the agency related to student | ||
| information privacy, including complaints regarding privacy | ||
| violations, internal controls, and other related matters. | ||
| Sec. 32.1513. GENERAL INVESTIGATIVE POWER OF INFORMATION | ||
| PRIVACY OFFICER. (a) The information privacy officer may | ||
| investigate an operator or educational entity as necessary to | ||
| enforce this subchapter and protect covered information gathered | ||
| from students in this state. | ||
| (b) On request of the information privacy officer, an | ||
| operator, educational entity, or a third party who contracts with | ||
| an operator or educational entity shall make all applicable records | ||
| and materials available to the officer as necessary to enable the | ||
| officer to determine compliance with this subchapter. | ||
| (c) The information privacy officer shall: | ||
| (1) limit the scope of the investigation and any | ||
| accompanying report to those matters that are necessary to the | ||
| administration of this subchapter; and | ||
| (2) in matters related to compliance with federal law, | ||
| refer the matter to the appropriate federal agency and cooperate | ||
| with an investigation by the federal agency. | ||
| Sec. 32.1514. AGENCY COMPREHENSIVE STUDENT INFORMATION | ||
| INVENTORY. The agency shall, to the maximum extent possible, | ||
| develop, maintain, and post on the agency's Internet website a | ||
| comprehensive student information inventory that accounts for all | ||
| covered information assets created by, collected by, under the | ||
| control or direction of, or maintained by the agency, including | ||
| student information that: | ||
| (1) is required to be reported by law; | ||
| (2) has been proposed for inclusion in the agency's | ||
| student information system with a statement regarding the reason | ||
| for the proposed inclusion; and | ||
| (3) is collected or maintained by the agency for no | ||
| current purpose or reason. | ||
| Sec. 32.1515. INFORMATION SECURITY POLICIES AND | ||
| PROCEDURES. (a) Subject to the approval of the information privacy | ||
| officer, each educational entity shall adopt and implement | ||
| reasonable information security policies and procedures in | ||
| accordance with this subchapter to protect students' educational | ||
| records and covered information from unauthorized access, | ||
| destruction, use, modification, or disclosure. | ||
| (b) An educational entity must take into account the | ||
| entity's specific needs and priorities in adopting policies and | ||
| procedures under Subsection (a). | ||
| Sec. 32.1516. STUDENT INFORMATION MANAGER. (a) Each | ||
| educational entity shall designate an individual to act as a | ||
| student information manager. The student information manager | ||
| shall: | ||
| (1) create, maintain, and submit to the information | ||
| privacy officer an information governance plan addressing the | ||
| protection of existing and future student information and records; | ||
| and | ||
| (2) establish a review process for all covered | ||
| information requests for the purpose of external research or | ||
| evaluation. | ||
| (b) Not later than December 1 of each year, the student | ||
| information manager shall submit a report to the agency's | ||
| information privacy officer. The report must include: | ||
| (1) proposed changes to the educational entity's | ||
| information security policies and procedures adopted under Section | ||
| 32.1515; and | ||
| (2) any data breaches or attempted data breaches | ||
| detected by the educational entity. | ||
| Sec. 32.1517. CONTRACT PROVISIONS. A contract between an | ||
| educational entity and an operator must include the following | ||
| provisions: | ||
| (1) requirements and restrictions related to the | ||
| collection, use, storage, and sharing of covered information by the | ||
| operator that are necessary for the educational entity to ensure | ||
| the operator's compliance with this subchapter and other law; | ||
| (2) a description of the person or type of person, | ||
| including an affiliate or subcontractor of the operator, with whom | ||
| the operator may share covered information; | ||
| (3) when and how to delete covered information | ||
| received by the operator; | ||
| (4) a prohibition on the secondary use of covered | ||
| information by the operator, except when used for a legitimate | ||
| school or research purpose or as described by Sections 32.153 and | ||
| 32.154; | ||
| (5) an agreement by the operator that the educational | ||
| entity or the educational entity's designee may audit the operator | ||
| to verify compliance with the contract; | ||
| (6) requirements for the operator or a subcontractor | ||
| of the operator to establish security measures to prevent, detect, | ||
| or mitigate a data breach; and | ||
| (7) requirements for the operator or a subcontractor | ||
| of the operator to notify the educational entity of a suspected data | ||
| breach. | ||
| Sec. 32.1518. NOTICE OF INFORMATION DISCLOSURE. (a) Not | ||
| less than annually, an educational entity that collects covered | ||
| information shall provide to each parent of a student whose covered | ||
| information is collected a notice of information disclosure form | ||
| stating in plain language the conditions under which the student's | ||
| covered information may be disclosed. The educational entity shall | ||
| provide the form as a stand-alone document. | ||
| (b) The notice of information disclosure form must: | ||
| (1) list the covered information that the educational | ||
| entity collects and the rationale for collecting the information, | ||
| including whether the information is required by law to be | ||
| collected; | ||
| (2) state that a student's covered information | ||
| collected by the educational entity may not be shared without the | ||
| written consent of the student's parent; | ||
| (3) list each operator or other third party with | ||
| access to or control of covered information maintained by the | ||
| educational entity; | ||
| (4) outline the rights and responsibilities of the | ||
| educational entity under this subchapter; and | ||
| (5) contain an acknowledgment section that: | ||
| (A) states that the intended recipient of the | ||
| notice actually received the notice and understands its contents; | ||
| (B) allows for the recipient to record the | ||
| recipient's objection to the collection of any covered information | ||
| relating to the parent's student that is not required by law to be | ||
| collected; and | ||
| (C) includes a signature line. | ||
| (c) Each parent who receives a notice of information | ||
| disclosure form under Subsection (a) shall sign the acknowledgement | ||
| section described by Subsection (b)(5) and return the form to the | ||
| educational entity as soon as possible. | ||
| (d) An educational entity shall: | ||
| (1) annually update its notice of information | ||
| disclosure form; and | ||
| (2) maintain a written or electronic record of each | ||
| signed acknowledgment form received under this section. | ||
| Sec. 32.1521. PROHIBITED USE OF COVERED INFORMATION AND | ||
| COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY EDUCATIONAL | ||
| ENTITY. (a) Except as otherwise provided by this subchapter, an | ||
| educational entity may not release or otherwise disclose a | ||
| student's covered information in exchange for a good, product, | ||
| application, service, or any other thing of measurable value. | ||
| (b) An educational entity may not use or release covered | ||
| information for the purpose of targeted advertising unless the | ||
| release of the data is essential for a school purpose, including the | ||
| use of adaptive educational software or other strictly tailored | ||
| educational endeavor with the sole purpose of providing a tailored | ||
| educational experience to the student. | ||
| (c) An educational entity may not collect a student's | ||
| biometric identifier information unless required by law. | ||
| Sec. 32.1531. ALLOWED DISCLOSURE OF COVERED INFORMATION BY | ||
| EDUCATIONAL ENTITY. (a) An educational entity may disclose | ||
| covered information if the disclosure is: | ||
| (1) authorized in writing by the student's parent; | ||
| (2) determined by the entity to be necessary because | ||
| of an imminent health or safety emergency; | ||
| (3) ordered by a court of competent jurisdiction; or | ||
| (4) authorized or required by a provision of federal | ||
| or state law. | ||
| (b) The educational entity must comply with the | ||
| requirements of federal and state law to protect any student | ||
| information disclosed under this section. | ||
| (c) This subchapter may not be construed to prohibit or | ||
| otherwise limit the ability of an educational entity to report or | ||
| make available aggregate student information or other collective | ||
| information for reasonable use. | ||
| Sec. 32.1551. NOTIFICATION OF DATA BREACH AFFECTING | ||
| OPERATOR. (a) Not later than 24 hours after an operator becomes | ||
| aware of a data breach, the operator shall notify the applicable | ||
| educational entity with whom the operator has contracted of the | ||
| breach and take action to determine the scope of student | ||
| information affected by the breach. | ||
| (b) The operator shall update the educational entity as soon | ||
| as the full scope of the data breach is assessed and take all | ||
| reasonable steps to notify all persons affected by the breach. | ||
| Sec. 32.1552. NOTIFICATION OF DATA BREACH AFFECTING | ||
| EDUCATIONAL ENTITY. (a) Not later than 24 hours after an | ||
| educational entity becomes aware of a data breach, the educational | ||
| entity shall notify the information privacy officer of the | ||
| suspected or confirmed breach. | ||
| (b) Not later than the third business day after the date a | ||
| data breach is verified, an educational entity shall notify the | ||
| parent of each student affected by the breach. | ||
| Sec. 32.1561. INSPECTION OF INFORMATION CONTAINED IN | ||
| STUDENT'S EDUCATIONAL RECORD. (a) On request of a student's | ||
| parent, an educational entity or operator shall allow the student's | ||
| parent to inspect the covered information and other information | ||
| contained in the student's educational record maintained by the | ||
| entity or operator. | ||
| (b) The educational entity or operator shall provide the | ||
| information requested under Subsection (a) in a timely manner and, | ||
| if possible, in an electronic format. | ||
| (c) An educational entity or operator is not required to | ||
| provide information requested under Subsection (a) if: | ||
| (1) the information cannot reasonably be made | ||
| available to the requesting individual; or | ||
| (2) the reproduction of the requested information | ||
| would be unduly burdensome. | ||
| Sec. 32.1562. CORRECTION OF INFORMATION CONTAINED IN | ||
| STUDENT'S EDUCATIONAL RECORD. (a) After reviewing information | ||
| requested under Section 32.1561, a student's parent may request | ||
| that the educational entity or operator make corrections to address | ||
| inaccurate or incomplete data in the student's educational record | ||
| maintained by the entity or operator. | ||
| (b) On request by a student's parent, an educational entity | ||
| or operator shall expunge from the student's educational record | ||
| covered information related to: | ||
| (1) an unsubstantiated accusation made against the | ||
| student; or | ||
| (2) alleged conduct committed by the student if: | ||
| (A) prosecution of the student's case was refused | ||
| for lack of prosecutorial merit or insufficient evidence and no | ||
| formal proceedings, deferred adjudication, or deferred prosecution | ||
| were initiated; or | ||
| (B) the court or jury found the student not | ||
| guilty or made a finding the student did not engage in delinquent | ||
| conduct or conduct indicating a need for supervision and the case | ||
| was dismissed with prejudice. | ||
| (c) Not later than the 90th day after the date an | ||
| educational entity or operator receives a request under Subsection | ||
| (a) or (b), the educational entity or operator shall make changes to | ||
| the student's educational record as necessary and confirm the | ||
| changes with the student's parent. | ||
| Sec. 32.1563. RULES; FORMS. (a) The commissioner shall | ||
| adopt rules as necessary to implement this subchapter. | ||
| (b) The commissioner shall develop forms as necessary to | ||
| implement this subchapter, including model forms for: | ||
| (1) providing the notice of information disclosure | ||
| required by Section 32.1518; and | ||
| (2) obtaining written parental consent for the | ||
| disclosure of covered information as required by Section 32.1531. | ||
| Sec. 32.158. CIVIL PENALTY. (a) An operator that violates | ||
| this subchapter or a rule adopted under this subchapter is liable | ||
| for a civil penalty if the violation resulted in a negligent data | ||
| breach. | ||
| (b) In determining the amount of a civil penalty to impose | ||
| under this section, the court shall include: | ||
| (1) the cost of identity protection for each person | ||
| affected by the data breach or compromise; | ||
| (2) legal fees and costs incurred by each person | ||
| affected by the data breach or compromise; and | ||
| (3) any other penalty that the court deems reasonable | ||
| or appropriate. | ||
| Sec. 32.159. ADMINISTRATIVE PENALTY. (a) The commissioner | ||
| may assess an administrative penalty for a violation of this | ||
| subchapter in an amount of not less than $1,000 or more than $5,000. | ||
| (b) The aggregate amount of penalties that the commissioner | ||
| may assess against a person under this section during a calendar | ||
| year may not exceed $1,000,000. | ||
| Sec. 32.160. CRIMINAL LIABILITY NOT AFFECTED. This | ||
| subchapter may not be construed to limit or otherwise affect a | ||
| person's criminal liability under other law. | ||
| SECTION 3. The heading to Section 32.152, Education Code, | ||
| is amended to read as follows: | ||
| Sec. 32.152. PROHIBITED USE OF COVERED INFORMATION AND | ||
| COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY OPERATOR. | ||
| SECTION 4. Section 32.152, Education Code, is amended by | ||
| amending Subsection (a) to read as follows: | ||
| (a) An operator may not knowingly: | ||
| (1) engage in targeted advertising on any website, | ||
| online service, online application, or mobile application if the | ||
| target of the advertising is based on any information, including | ||
| covered information and persistent unique identifiers, that the | ||
| operator has acquired through the use of the operator's website, | ||
| online service, online application, or mobile application for a | ||
| school purpose; | ||
| (2) use information, including persistent unique | ||
| identifiers, created or gathered by the operator's website, online | ||
| service, online application, or mobile application, to create a | ||
| profile about a student unless the profile is created for a school | ||
| purpose; [ |
||
| (3) except as provided by Subsection (c), sell or rent | ||
| any student's covered information; | ||
| (4) exchange a student's covered information for any | ||
| good, service, or application; | ||
| (5) disclose covered information except as provided | ||
| under this subchapter; or | ||
| (6) unless required by law, collect a student's | ||
| biometric identifier information. | ||
| SECTION 5. The heading to Section 32.153, Education Code, | ||
| is amended to read as follows: | ||
| Sec. 32.153. ALLOWED DISCLOSURE OF COVERED INFORMATION BY | ||
| OPERATOR. | ||
| SECTION 6. Section 32.153, Education Code, is amended by | ||
| amending Subsection (a) and adding Subsection (f) to read as | ||
| follows: | ||
| (a) An operator may use or disclose covered information | ||
| under the following circumstances: | ||
| (1) to further a school purpose of the website, online | ||
| service, online application, or mobile application and the | ||
| recipient of the covered information disclosed under this | ||
| subsection does not further disclose the information unless the | ||
| disclosure is to allow or improve operability and functionality of | ||
| the operator's website, online service, online application, or | ||
| mobile application; | ||
| (2) to ensure legal and regulatory compliance; | ||
| (3) to protect against liability; | ||
| (4) to respond to or participate in the judicial | ||
| process, including to comply with an investigation by law | ||
| enforcement as authorized by law or a court order; | ||
| (5) to protect: | ||
| (A) the safety or integrity of users of the | ||
| website, online service, online application, or mobile | ||
| application; or | ||
| (B) the security of the website, online service, | ||
| online application, or mobile application; | ||
| (6) for a school, education, or employment purpose | ||
| requested by the student or the student's parent and the | ||
| information is not used or disclosed for any other purpose; | ||
| (7) to use the covered information for: | ||
| (A) a legitimate research purpose; or | ||
| (B) a school purpose or postsecondary | ||
| educational purpose; [ |
||
| (8) for a request by the agency or the school district | ||
| for a school purpose; | ||
| (9) to market an educational application or product to | ||
| a student's parent, if the operator did not use covered information | ||
| shared or collected by or on behalf of an educational entity to | ||
| develop the application or product; | ||
| (10) to allow a recommendation engine on the | ||
| operator's website, online service, online application, or mobile | ||
| application to recommend to a student's parent content or services | ||
| related to learning or employment, if the recommendation is not | ||
| motivated by payment or other consideration from another party; or | ||
| (11) to respond to the request of a student's parent | ||
| for information or feedback, if the content of the response is not | ||
| motivated by payment or other consideration from another party. | ||
| (f) Notwithstanding any other law, an operator shall use a | ||
| student's covered information received under a contract with an | ||
| educational entity strictly for the purpose provided under the | ||
| contract unless the student's parent affirmatively chooses to | ||
| disclose the student's information for a secondary purpose. | ||
| SECTION 7. The heading to Section 32.154, Education Code, | ||
| is amended to read as follows: | ||
| Sec. 32.154. ALLOWED USE OF COVERED INFORMATION BY | ||
| OPERATOR. | ||
| SECTION 8. The heading to Section 32.155, Education Code, | ||
| is amended to read as follows: | ||
| Sec. 32.155. PROTECTION OF COVERED INFORMATION BY OPERATOR. | ||
| SECTION 9. Sections 32.155(c), (d), and (e), Education | ||
| Code, are amended to read as follows: | ||
| (c) In addition to including the unique identifier in | ||
| releasing information as provided by Subsection (b), an operator | ||
| may include any other data field identified by the agency or by an | ||
| educational entity [ |
||
| useful. | ||
| (d) An educational entity [ |
||
| in an agreement with an operator or the amendment of an agreement | ||
| with an operator under this section. An operator may agree to | ||
| include the additional data fields requested by an educational | ||
| entity [ |
||
| but may not require that additional data fields be included. | ||
| (e) An educational entity [ |
||
| contracts directly with the entity to adhere to a state-required | ||
| student data sharing agreement that includes the use of an | ||
| established unique identifier standard for all operators as | ||
| prescribed by the agency. | ||
| SECTION 10. The heading to Section 32.156, Education Code, | ||
| is amended to read as follows: | ||
| Sec. 32.156. DELETION OF COVERED INFORMATION BY OPERATOR. | ||
| SECTION 11. This Act takes effect September 1, 2023. | ||
