By: Parker
S.B. No. 928

A BILL TO BE ENTITLED
 
AN ACT
  relating to the protection of personally identifiable student
  information and the use of covered information by an operator or
  educational entity; authorizing a civil and administrative
  penalty.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 32.151, Education Code, is amended by
  amending Subdivision (1) and adding Subdivisions (1-a), (1-b),
  (1-c), (1-d), (1-e), (1-f), and (5-a) to read as follows:
               (1)  "Aggregate student information" means student
  information collected by an educational entity that:
                     (A)  is totaled and reported at the group, cohort,
  school, school district, region, or state level, as determined by
  the educational entity;
                     (B)  does not reveal personally identifiable
  student information; and
                     (C)  cannot reasonably be used to identify,
  contact, single out, or infer information about a student or a
  device used by a student.
               (1-a)  "Biometric identifier" means any measurement of
  the human body or its movement that is used to attempt to uniquely
  identify or authenticate the identity of an individual, including a
  blood sample, hair sample, skin sample, body scan, retina or iris
  scan, fingerprint, voiceprint, or record of hand or face geometry.
               (1-b)  "Coordinating board" means the Texas Higher
  Education Coordinating Board.
               (1-c)  "Covered information" means personally
  identifiable information or information that is linked to
  personally identifiable information, in any media or format, that
  is not publicly available and is:
                     (A)  created by or provided to an operator or
  educational entity by a student or the student's parent in the
  course of the student's or parent's use of the operator's or
  entity's website, online service, online application, or mobile
  application for a school purpose;
                     (B)  created by or provided to an operator or
  educational entity by an employee of a school district or school
  campus for a school purpose; or
                     (C)  gathered by an operator or educational entity
  through the operation of the operator's or entity's website, online
  service, online application, or mobile application for a school
  purpose and personally identifies a student, including the
  student's educational record, electronic mail, first and last name,
  home address, telephone number, electronic mail address,
  information that allows physical or online contact, discipline
  records, test results, special education data, juvenile
  delinquency records, grades, evaluations, criminal records,
  medical records, health records, social security number, biometric
  identifier information, disabilities, socioeconomic information,
  food purchases, political affiliations, religious information,
  text messages, student identifiers, search activity, photograph,
  voice recordings, or geolocation information.
               (1-d)  "Data breach" means an incident in which student
  information that is sensitive, protected, or confidential, as
  provided by state or federal law, is stolen or is copied,
  transmitted, viewed, or used by a person unauthorized to engage in
  that action.
               (1-e)  "Educational entity" includes school districts,
  open-enrollment charter schools, regional education service
  centers, institutions of higher education, and other local
  education agencies.
               (1-f)  "Information privacy officer" means the
  information privacy officer designated by the commissioner under
  Section 32.1512.
               (5-a)  "Student" means a person who is enrolled at a
  public primary or secondary school.
         SECTION 2.  Subchapter D, Chapter 32, Education Code, is
  amended by adding Sections 32.1511, 32.1512, 32.1513, 32.1514,
  32.1515, 32.1516, 32.1517, 32.1518, 32.1521, 32.1531, 32.1551,
  32.1552, 32.1561, 32.1562, 32.1563, 32.158, 32.159, and 32.160 to
  read as follows:
         Sec. 32.1511.  OWNERSHIP OF COVERED INFORMATION AND WORK
  PRODUCT. (a) A student retains ownership over the student's own:
               (1)  covered information; and
               (2)  work or intellectual product, regardless of
  whether the product was created for academic credit.
         (b)  A student may download, export, transfer, or otherwise
  save or maintain any document, covered information, or other data
  created by the student that is held or maintained by an educational
  entity.
         Sec. 32.1512.  INFORMATION PRIVACY OFFICER; DUTIES. (a)
  The commissioner shall designate an agency employee to serve as an
  information privacy officer to oversee privacy and security
  policies regarding student information.
         (b)  The information privacy officer shall:
               (1)  ensure that the agency handles covered information
  maintained by the agency in a manner that complies with this
  subchapter, the Family Educational Rights and Privacy Act of 1974
  (20 U.S.C. Section 1232g), and any other federal or state
  information privacy or security law;
               (2)  establish and publish in a form that is easily
  accessible policies necessary to ensure that the use of technology
  sustains, enhances, and does not erode privacy protections related
  to the use, collection, and disclosure of covered information;
               (3)  develop and provide to each educational entity a
  model student information privacy and security plan;
               (4)  evaluate legislative and regulatory proposals
  involving the use, collection, and disclosure of covered
  information by educational entities;
               (5)  conduct privacy impact assessments, including an
  assessment of the type of covered information collected and the
  number of students affected, for:
                     (A)  legislative proposals affecting educational
  entities; and
                     (B)  agency and coordinating board rules and
  program initiatives;
               (6)  consult and coordinate with representatives of the
  state, agency, and coordinating board and other appropriate persons
  regarding the use of covered information and the implementation of
  this subchapter;
               (7)  establish and operate a privacy incident response
  program to ensure that each incident related to covered information
  involving the agency is properly reported, investigated, and
  mitigated;
               (8)  establish a model process and policy for a student
  or the student's parent to file a complaint regarding:
                     (A)  a violation of student information privacy;
  or
                     (B)  an inability to access, review, or correct
  information contained in the student's educational record; and
               (9)  provide training, guidance, technical assistance,
  and outreach to build a culture of student information protection
  and student data security among educational entities and third
  parties who contract with those entities.
         (c)  Not later than February 1 of each year, the information
  privacy officer shall prepare and submit a written report to the
  standing committees of each house of the legislature with primary
  jurisdiction over primary, secondary, and higher education
  regarding actions taken by the agency related to student
  information privacy, including complaints regarding privacy
  violations, internal controls, and other related matters.
         Sec. 32.1513.  GENERAL INVESTIGATIVE POWER OF INFORMATION
  PRIVACY OFFICER. (a) The information privacy officer may
  investigate an operator or educational entity as necessary to
  enforce this subchapter and protect covered information gathered
  from students in this state.
         (b)  On request of the information privacy officer, an
  operator, educational entity, or a third party who contracts with
  an operator or educational entity shall make all applicable records
  and materials available to the officer as necessary to enable the
  officer to determine compliance with this subchapter.
         (c)  The information privacy officer shall:
               (1)  limit the scope of the investigation and any
  accompanying report to those matters that are necessary to the
  administration of this subchapter; and
               (2)  in matters related to compliance with federal law,
  refer the matter to the appropriate federal agency and cooperate
  with an investigation by the federal agency.
         Sec. 32.1514.  AGENCY COMPREHENSIVE STUDENT INFORMATION
  INVENTORY. The agency shall, to the maximum extent possible,
  develop, maintain, and post on the agency's Internet website a
  comprehensive student information inventory that accounts for all
  covered information assets created by, collected by, under the
  control or direction of, or maintained by the agency, including
  student information that:
               (1)  is required to be reported by law;
               (2)  has been proposed for inclusion in the agency's
  student information system with a statement regarding the reason
  for the proposed inclusion; and
               (3)  is collected or maintained by the agency for no
  current purpose or reason.
         Sec. 32.1515.  INFORMATION SECURITY POLICIES AND
  PROCEDURES. (a) Subject to the approval of the information privacy
  officer, each educational entity shall adopt and implement
  reasonable information security policies and procedures in
  accordance with this subchapter to protect students' educational
  records and covered information from unauthorized access,
  destruction, use, modification, or disclosure.
         (b)  An educational entity must take into account the
  entity's specific needs and priorities in adopting policies and
  procedures under Subsection (a).
         Sec. 32.1516.  STUDENT INFORMATION MANAGER. (a) Each
  educational entity shall designate an individual to act as a
  student information manager. The student information manager
  shall:
               (1)  create, maintain, and submit to the information
  privacy officer an information governance plan addressing the
  protection of existing and future student information and records;
  and
               (2)  establish a review process for all covered
  information requests for the purpose of external research or
  evaluation.
         (b)  Not later than December 1 of each year, the student
  information manager shall submit a report to the agency's
  information privacy officer. The report must include:
               (1)  proposed changes to the educational entity's
  information security policies and procedures adopted under Section
  32.1515; and
               (2)  any data breaches or attempted data breaches
  detected by the educational entity.
         Sec. 32.1517.  CONTRACT PROVISIONS. A contract between an
  educational entity and an operator must include the following
  provisions:
               (1)  requirements and restrictions related to the
  collection, use, storage, and sharing of covered information by the
  operator that are necessary for the educational entity to ensure
  the operator's compliance with this subchapter and other law;
               (2)  a description of the person or type of person,
  including an affiliate or subcontractor of the operator, with whom
  the operator may share covered information;
               (3)  when and how to delete covered information
  received by the operator;
               (4)  a prohibition on the secondary use of covered
  information by the operator, except when used for a legitimate
  school or research purpose or as described by Sections 32.153 and
  32.154;
               (5)  an agreement by the operator that the educational
  entity or the educational entity's designee may audit the operator
  to verify compliance with the contract;
               (6)  requirements for the operator or a subcontractor
  of the operator to establish security measures to prevent, detect,
  or mitigate a data breach; and
               (7)  requirements for the operator or a subcontractor
  of the operator to notify the educational entity of a suspected data
  breach.
         Sec. 32.1518.  NOTICE OF INFORMATION DISCLOSURE. (a) Not
  less than annually, an educational entity that collects covered
  information shall provide to each parent of a student whose covered
  information is collected a notice of information disclosure form
  stating in plain language the conditions under which the student's
  covered information may be disclosed. The educational entity shall
  provide the form as a stand-alone document.
         (b)  The notice of information disclosure form must:
               (1)  list the covered information that the educational
  entity collects and the rationale for collecting the information,
  including whether the information is required by law to be
  collected;
               (2)  state that a student's covered information
  collected by the educational entity may not be shared without the
  written consent of the student's parent;
               (3)  list each operator or other third party with
  access to or control of covered information maintained by the
  educational entity;
               (4)  outline the rights and responsibilities of the
  educational entity under this subchapter; and
               (5)  contain an acknowledgment section that:
                     (A)  states that the intended recipient of the
  notice actually received the notice and understands its contents;
                     (B)  allows for the recipient to record the
  recipient's objection to the collection of any covered information
  relating to the parent's student that is not required by law to be
  collected; and
                     (C)  includes a signature line.
         (c)  Each parent who receives a notice of information
  disclosure form under Subsection (a) shall sign the acknowledgement
  section described by Subsection (b)(5) and return the form to the
  educational entity as soon as possible.
         (d)  An educational entity shall:
               (1)  annually update its notice of information
  disclosure form; and
               (2)  maintain a written or electronic record of each
  signed acknowledgment form received under this section.
         Sec. 32.1521.  PROHIBITED USE OF COVERED INFORMATION AND
  COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY EDUCATIONAL
  ENTITY. (a) Except as otherwise provided by this subchapter, an
  educational entity may not release or otherwise disclose a
  student's covered information in exchange for a good, product,
  application, service, or any other thing of measurable value.
         (b)  An educational entity may not use or release covered
  information for the purpose of targeted advertising unless the
  release of the data is essential for a school purpose, including the
  use of adaptive educational software or other strictly tailored
  educational endeavor with the sole purpose of providing a tailored
  educational experience to the student.
         (c)  An educational entity may not collect a student's
  biometric identifier information unless required by law.
         Sec. 32.1531.  ALLOWED DISCLOSURE OF COVERED INFORMATION BY
  EDUCATIONAL ENTITY. (a) An educational entity may disclose
  covered information if the disclosure is:
               (1)  authorized in writing by the student's parent;
               (2)  determined by the entity to be necessary because
  of an imminent health or safety emergency;
               (3)  ordered by a court of competent jurisdiction; or
               (4)  authorized or required by a provision of federal
  or state law.
         (b)  The educational entity must comply with the
  requirements of federal and state law to protect any student
  information disclosed under this section.
         (c)  This subchapter may not be construed to prohibit or
  otherwise limit the ability of an educational entity to report or
  make available aggregate student information or other collective
  information for reasonable use.
         Sec. 32.1551.  NOTIFICATION OF DATA BREACH AFFECTING
  OPERATOR. (a) Not later than 24 hours after an operator becomes
  aware of a data breach, the operator shall notify the applicable
  educational entity with whom the operator has contracted of the
  breach and take action to determine the scope of student
  information affected by the breach.
         (b)  The operator shall update the educational entity as soon
  as the full scope of the data breach is assessed and take all
  reasonable steps to notify all persons affected by the breach.
         Sec. 32.1552.  NOTIFICATION OF DATA BREACH AFFECTING
  EDUCATIONAL ENTITY. (a) Not later than 24 hours after an
  educational entity becomes aware of a data breach, the educational
  entity shall notify the information privacy officer of the
  suspected or confirmed breach.
         (b)  Not later than the third business day after the date a
  data breach is verified, an educational entity shall notify the
  parent of each student affected by the breach.
         Sec. 32.1561.  INSPECTION OF INFORMATION CONTAINED IN
  STUDENT'S EDUCATIONAL RECORD. (a) On request of a student's
  parent, an educational entity or operator shall allow the student's
  parent to inspect the covered information and other information
  contained in the student's educational record maintained by the
  entity or operator.
         (b)  The educational entity or operator shall provide the
  information requested under Subsection (a) in a timely manner and,
  if possible, in an electronic format.
         (c)  An educational entity or operator is not required to
  provide information requested under Subsection (a) if:
               (1)  the information cannot reasonably be made
  available to the requesting individual; or
               (2)  the reproduction of the requested information
  would be unduly burdensome.
         Sec. 32.1562.  CORRECTION OF INFORMATION CONTAINED IN
  STUDENT'S EDUCATIONAL RECORD. (a) After reviewing information
  requested under Section 32.1561, a student's parent may request
  that the educational entity or operator make corrections to address
  inaccurate or incomplete data in the student's educational record
  maintained by the entity or operator.
         (b)  On request by a student's parent, an educational entity
  or operator shall expunge from the student's educational record
  covered information related to:
               (1)  an unsubstantiated accusation made against the
  student; or
               (2)  alleged conduct committed by the student if:
                     (A)  prosecution of the student's case was refused
  for lack of prosecutorial merit or insufficient evidence and no
  formal proceedings, deferred adjudication, or deferred prosecution
  were initiated; or
                     (B)  the court or jury found the student not
  guilty or made a finding the student did not engage in delinquent
  conduct or conduct indicating a need for supervision and the case
  was dismissed with prejudice.
         (c)  Not later than the 90th day after the date an
  educational entity or operator receives a request under Subsection
  (a) or (b), the educational entity or operator shall make changes to
  the student's educational record as necessary and confirm the
  changes with the student's parent.
         Sec. 32.1563.  RULES; FORMS. (a) The commissioner shall
  adopt rules as necessary to implement this subchapter.
         (b)  The commissioner shall develop forms as necessary to
  implement this subchapter, including model forms for:
               (1)  providing the notice of information disclosure
  required by Section 32.1518; and
               (2)  obtaining written parental consent for the
  disclosure of covered information as required by Section 32.1531.
         Sec. 32.158.  CIVIL PENALTY. (a) An operator that violates
  this subchapter or a rule adopted under this subchapter is liable
  for a civil penalty if the violation resulted in a negligent data
  breach.
         (b)  In determining the amount of a civil penalty to impose
  under this section, the court shall include:
               (1)  the cost of identity protection for each person
  affected by the data breach or compromise;
               (2)  legal fees and costs incurred by each person
  affected by the data breach or compromise; and
               (3)  any other penalty that the court deems reasonable
  or appropriate.
         Sec. 32.159.  ADMINISTRATIVE PENALTY. (a) The commissioner
  may assess an administrative penalty for a violation of this
  subchapter in an amount of not less than $1,000 or more than $5,000.
         (b)  The aggregate amount of penalties that the commissioner
  may assess against a person under this section during a calendar
  year may not exceed $1,000,000.
         Sec. 32.160.  CRIMINAL LIABILITY NOT AFFECTED. This
  subchapter may not be construed to limit or otherwise affect a
  person's criminal liability under other law.
         SECTION 3.  The heading to Section 32.152, Education Code,
  is amended to read as follows:
         Sec. 32.152.  PROHIBITED USE OF COVERED INFORMATION AND
  COLLECTION OF BIOMETRIC IDENTIFIER INFORMATION BY OPERATOR.
         SECTION 4.  Section 32.152, Education Code, is amended by
  amending Subsection (a) to read as follows:
         (a)  An operator may not knowingly:
               (1)  engage in targeted advertising on any website,
  online service, online application, or mobile application if the
  target of the advertising is based on any information, including
  covered information and persistent unique identifiers, that the
  operator has acquired through the use of the operator's website,
  online service, online application, or mobile application for a
  school purpose;
               (2)  use information, including persistent unique
  identifiers, created or gathered by the operator's website, online
  service, online application, or mobile application, to create a
  profile about a student unless the profile is created for a school
  purpose; [or]
               (3)  except as provided by Subsection (c), sell or rent
  any student's covered information;
               (4)  exchange a student's covered information for any
  good, service, or application;
               (5)  disclose covered information except as provided
  under this subchapter; or
               (6)  unless required by law, collect a student's
  biometric identifier information.
         SECTION 5.  The heading to Section 32.153, Education Code,
  is amended to read as follows:
         Sec. 32.153.  ALLOWED DISCLOSURE OF COVERED INFORMATION BY
  OPERATOR.
         SECTION 6.  Section 32.153, Education Code, is amended by
  amending Subsection (a) and adding Subsection (f) to read as
  follows:
         (a)  An operator may use or disclose covered information
  under the following circumstances:
               (1)  to further a school purpose of the website, online
  service, online application, or mobile application and the
  recipient of the covered information disclosed under this
  subsection does not further disclose the information unless the
  disclosure is to allow or improve operability and functionality of
  the operator's website, online service, online application, or
  mobile application;
               (2)  to ensure legal and regulatory compliance;
               (3)  to protect against liability;
               (4)  to respond to or participate in the judicial
  process, including to comply with an investigation by law
  enforcement as authorized by law or a court order;
               (5)  to protect:
                     (A)  the safety or integrity of users of the
  website, online service, online application, or mobile
  application; or
                     (B)  the security of the website, online service,
  online application, or mobile application;
               (6)  for a school, education, or employment purpose
  requested by the student or the student's parent and the
  information is not used or disclosed for any other purpose;
               (7)  to use the covered information for:
                     (A)  a legitimate research purpose; or
                     (B)  a school purpose or postsecondary
  educational purpose; [or]
               (8)  for a request by the agency or the school district
  for a school purpose;
               (9)  to market an educational application or product to
  a student's parent, if the operator did not use covered information
  shared or collected by or on behalf of an educational entity to
  develop the application or product;
               (10)  to allow a recommendation engine on the
  operator's website, online service, online application, or mobile
  application to recommend to a student's parent content or services
  related to learning or employment, if the recommendation is not
  motivated by payment or other consideration from another party; or
               (11)  to respond to the request of a student's parent
  for information or feedback, if the content of the response is not
  motivated by payment or other consideration from another party.
         (f)  Notwithstanding any other law, an operator shall use a
  student's covered information received under a contract with an
  educational entity strictly for the purpose provided under the
  contract unless the student's parent affirmatively chooses to
  disclose the student's information for a secondary purpose.
         SECTION 7.  The heading to Section 32.154, Education Code,
  is amended to read as follows:
         Sec. 32.154.  ALLOWED USE OF COVERED INFORMATION BY
  OPERATOR.
         SECTION 8.  The heading to Section 32.155, Education Code,
  is amended to read as follows:
         Sec. 32.155.  PROTECTION OF COVERED INFORMATION BY OPERATOR.
         SECTION 9.  Sections 32.155(c), (d), and (e), Education
  Code, are amended to read as follows:
         (c)  In addition to including the unique identifier in
  releasing information as provided by Subsection (b), an operator
  may include any other data field identified by the agency or by an
  educational entity [a school district, open-enrollment charter
  school, regional education service center, or other local education
  agency] as necessary for the information being released to be
  useful.
         (d)  An educational entity [A school district,
  open-enrollment charter school, regional education service center,
  or other local education agency] may include additional data fields
  in an agreement with an operator or the amendment of an agreement
  with an operator under this section. An operator may agree to
  include the additional data fields requested by an educational
  entity [a school district, open-enrollment charter school,
  regional education service center, or other local education agency]
  but may not require that additional data fields be included.
         (e)  An educational entity [A school district,
  open-enrollment charter school, regional education service center,
  or other local education agency] may require an operator that
  contracts directly with the entity to adhere to a state-required
  student data sharing agreement that includes the use of an
  established unique identifier standard for all operators as
  prescribed by the agency.
         SECTION 10.  The heading to Section 32.156, Education Code,
  is amended to read as follows:
         Sec. 32.156.  DELETION OF COVERED INFORMATION BY OPERATOR.
         SECTION 11.  This Act takes effect September 1, 2023.