Enacts the "K12 student privacy and cloud computing act" to prohibit service providers who offer cloud computing services to primary and secondary educational services from processing student data for commercial purposes.
STATE OF NEW YORK
________________________________________________________________________
7243
2013-2014 Regular Sessions
IN ASSEMBLY
May 8, 2013
___________
Introduced by M. of A. SIMOTAS -- read once and referred to the Commit-
tee on Education
AN ACT to amend the education law, in relation to enacting the "K12
student privacy and cloud computing act" to prohibit service providers
who offer cloud computing services to primary and secondary educa-
tional institutions from processing student data for commercial
purposes
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "K12 student privacy and cloud computing act".
3 § 2. Legislative findings. The legislature hereby finds and declares:
4 1. Cloud computing services enable convenient, on-demand network
5 access to a shared pool of configurable computing resources (including
6 networks, servers, storage, applications, and services) that can be
7 rapidly provisioned and released with minimal management effort or
8 service provider interaction;
9 2. Cloud computing services offer tremendous potential to educational
10 institutions in terms of helping consolidate technical infrastructure,
11 reducing energy and capital costs, increasing collaboration through
12 "anytime-anywhere" access to applications and information, and realizing
13 efficiencies, network resilience, and flexible deployment; and
14 3. Cloud computing service providers hold the potential to invade the
15 privacy of students by tracking students' online activities for commer-
16 cial purposes, such as delivering behaviorally targeted advertising or
17 otherwise improving advertising services that the service provider may
18 offer in connection with or separate from the services it offers to the
19 educational institution.
20 In light of the foregoing, the legislature deems it necessary to
21 ensure that when an educational institution engages a cloud computing
22 service provider to process student data, that the service provider uses
23 student data only for the benefit of the educational institution and
24 does not use such data for the service provider's own commercial
25 purposes.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD10789-01-3
A. 7243 2
1 § 3. The education law is amended by adding a new section 755 to read
2 as follows:
3 § 755. Student privacy and cloud computing. 1. Definitions. For the
4 purposes of this section, the following terms shall have the following
5 meanings:
6 (a) "Cloud computing service" shall mean a service that enables
7 convenient, on-demand network access to a shared pool of configurable
8 computing resources to provide a student, teacher or staff member
9 account-based productivity applications such as email, document storage
10 and document editing that can be rapidly provisioned and released with
11 minimal management effort or cloud computing service provider inter-
12 action.
13 (b) "Cloud computing service provider" shall mean an entity, other
14 than an educational institution, that operates a cloud computing
15 service.
16 (c) "Educational institution" shall mean any public or nonpublic
17 school, charter school, school district or board of cooperative educa-
18 tional services serving students in grades kindergarten through twelfth
19 grade.
20 (d) "Person" shall mean individual, partnership, corporation, associ-
21 ation, company or any other legal entity.
22 (e) "Process" or "processing" shall mean to use, access, manipulate,
23 scan, modify, transform, disclose, store, transmit, transfer, retain,
24 aggregate, or dispose of student data.
25 (f) "Student data" shall mean any information or materials in any
26 media or format created or provided by: (i) a student in the course of
27 the student's use of the cloud computing service; or (ii) an employee or
28 agent of the educational institution that is related to a student. In
29 each case the term "student data" shall include, but not be limited to
30 the name, electronic mail address, postal address, phone number, email
31 message, word processing documents, unique identifiers, metadata, of a
32 student, or any aggregations or derivatives thereof.
33 2. Prohibition on the use of student data. Any person who, with know-
34 ledge that student data will be processed, provides a cloud computing
35 service to an educational institution, is prohibited from using that
36 cloud computing service to process student data for any secondary uses
37 that benefit the cloud computing service provider or any third party,
38 including, but not limited to, online behavioral advertising, creating
39 or correcting an individual or household profile primarily for the cloud
40 computing service provider's or any third party's benefit, the sale of
41 the data for any commercial purpose, or any other similar commercial
42 for-profit activity; provided, however, a cloud computing service may
43 process or monitor student data solely to provide such service to the
44 educational institution and maintain the integrity of such service.
45 3. Certification of compliance. Any person who enters into an agree-
46 ment to provide a cloud computing service to an educational institution
47 must certify in writing to the educational institution that it shall
48 comply with the terms and conditions set forth in subdivision two of
49 this section.
50 § 4. This act shall take effect on the first of November next succeed-
51 ing the date on which it shall have become a law, provided that the
52 commissioner of education and the board of regents are authorized to
53 promulgate such rules and regulations as may be necessary for the timely
54 implementation of this act on or before such effective date.
