S05932 Summary:
BILL NO | S05932A |
  | |
SAME AS | No same as |
  | |
SPONSOR | ROBACH |
  | |
COSPNSR | ADDABBO, BALL, CARLUCCI, GALLIVAN, HOYLMAN, KRUEGER, LANZA, LATIMER, MARTINS, MONTGOMERY, SAVINO, SERRANO, TKACZYK, YOUNG, ZELDIN |
  | |
MLTSPNSR | |
  | |
Add S3212-b, Ed L | |
  | |
Prohibits the release of personally identifiable student information where parental consent is not provided. |
S05932 Actions:
BILL NO | S05932A | |||||||||||||||||||||||||||||||||||||||||||||||||
  | ||||||||||||||||||||||||||||||||||||||||||||||||||
09/11/2013 | REFERRED TO RULES | |||||||||||||||||||||||||||||||||||||||||||||||||
01/08/2014 | REFERRED TO EDUCATION | |||||||||||||||||||||||||||||||||||||||||||||||||
02/10/2014 | AMEND AND RECOMMIT TO EDUCATION | |||||||||||||||||||||||||||||||||||||||||||||||||
02/10/2014 | PRINT NUMBER 5932A |
S05932 Floor Votes:
There are no votes for this bill in this legislative session.
Go to topS05932 Text:
Go to top STATE OF NEW YORK ________________________________________________________________________ 5932--A 2013-2014 Regular Sessions IN SENATE September 11, 2013 ___________ Introduced by Sens. ROBACH, BALL, CARLUCCI, GALLIVAN, HOYLMAN, KRUEGER, LANZA, LATIMER, MONTGOMERY, SAVINO, SERRANO, TKACZYK, YOUNG -- read twice and ordered printed, and when printed to be committed to the Committee on Rules -- recommitted to the Committee on Education in accordance with Senate Rule 6, sec. 8 -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said commit- tee AN ACT to amend the education law, in relation to the release of personally identifiable student information The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The education law is amended by adding a new section 3212-b 2 to read as follows: 3 § 3212-b. Release of personally identifiable information. 1. Defi- 4 nitions. As used in this section: 5 (a) the terms "disclosure," "education program," "education records," 6 "eligible student," "parent," "party," "personally identifiable informa- 7 tion," "record," and "student" shall have the same meaning as those 8 terms are defined in 34 CFR Part 99.3; 9 (b) the term "institution" shall mean any public or private elementary 10 or secondary school or an institution that provides education to 11 students beyond the secondary education level; secondary education shall 12 have the meaning set forth in subdivision seven of section two of this 13 chapter; 14 2. Limitations on access to, or disclosure of, personally identifiable 15 information. (a) Authorized representatives. The department and district 16 boards of education shall only designate parties that are under their 17 direct control to act as their authorized representatives to conduct any 18 audit or evaluation, or any compliance or enforcement activity in 19 connection with legal requirements that relate to state or district 20 supported educational programs, when any such audit, evaluation or EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD09672-07-4S. 5932--A 2 1 activity requires or is used as the basis for granting access to 2 personally identifiable student information; 3 (b) Outsourcing. The department, district boards of education and 4 institutions may not disclose personally identifiable information from 5 education records of students without the written consent of eligible 6 students or parents to a contractor, consultant, or other party to whom 7 an agency or institution has outsourced institutional services or func- 8 tions unless that outside party: 9 (1) performs an institutional service or function for which the 10 department, district board of education, or institution would otherwise 11 use employees; 12 (2) is under the direct control of the agency or institution with 13 respect to the use and maintenance of education records; 14 (3) limits internal access to education records to those individuals 15 that are determined to have legitimate educational interests; 16 (4) does not use the education records for any other purposes than 17 those explicitly authorized in its contract; 18 (5) does not disclose any personally identifiable information to any 19 other party: 20 (i) without the prior written consent of the parent or eligible 21 student, or 22 (ii) unless required by statute or court order and the party provides 23 a notice of the disclosure to the department, district board of educa- 24 tion, or institution that provided the information no later than the 25 time the information is disclosed, unless providing notice of the 26 disclosure is expressly prohibited by the statute or court order; 27 (6) maintains reasonable administrative, technical and physical safe- 28 guards to protect the security, confidentiality and integrity of 29 personally identifiable student information in its custody; 30 (7) uses encryption technologies to protect data while in motion or in 31 its custody from unauthorized disclosure using a technology or methodol- 32 ogy specified by the Secretary of the U.S. Department of Health and 33 Human Services in guidance issued under section 13402(h)(2) of Public 34 Law 111-5; 35 (8) has sufficient administrative and technical procedures to monitor 36 continuously the security of personally identifiable information in its 37 custody; 38 (9) conducts a security audit annually and provides the results of 39 that audit to each department, district board of education, or institu- 40 tion that provided educational records; 41 (10) provides the department, district board of education, or institu- 42 tion with a breach remediation plan acceptable to the department, 43 district board of education or institution prior to initial receipt of 44 education records; 45 (11) reports all suspected security breaches to the department, 46 district boards of education, or institution that provided education 47 records as soon as possible but not later than forty-eight hours after a 48 suspected breach was known or would have been known by exercising 49 reasonable diligence; 50 (12) reports all actual security breaches to the department, district 51 boards of education, or institution that provided education records as 52 soon as possible but not later than twenty-four hours after an actual 53 breach was known or would have been known by exercising reasonable dili- 54 gence; 55 (13) in the event of a security breach or unauthorized disclosures of 56 personally identifiable information, pays all costs and liabilitiesS. 5932--A 3 1 incurred by the department, district boards of education, or insti- 2 tutions related to the security breach or unauthorized disclosure, 3 including but not limited to the costs of responding to inquiries about 4 the security breach or unauthorized disclosure, of notifying subjects of 5 personally identifiable information about the breach, of mitigating the 6 effects of the breach for the subjects of personally identifiable infor- 7 mation, and of investigating the cause or consequences of the security 8 breach or unauthorized disclosure; and 9 (14) destroys or returns to the department, district boards of educa- 10 tion, or institutions all personally identifiable information in its 11 custody upon request and at the termination of the contract. 12 (c) Studies. The department, district boards of education, or insti- 13 tutions may disclose personally identifiable information from an educa- 14 tion record of a student without the consent of eligible students or 15 parents to a party conducting studies for, or on behalf of, educational 16 agencies or institutions to: 17 (1) develop, validate, or administer predictive tests; 18 (2) administer student aid programs; or 19 (3) improve instruction; 20 Provided that the outside party conducting the study meets all of the 21 requirements for contractors set forth in paragraph (b) of this subdivi- 22 sion; 23 (d) Commercial use prohibited. The department, district boards of 24 education and institutions may not, without the written consent of 25 eligible students or parents, disclose personally identifiable informa- 26 tion from education records to any party for a commercial use, including 27 but not limited to marketing products or services, compilation of lists 28 for sale or rental, development of products or services, or creation of 29 individual, household, or group profiles; nor may such disclosure be 30 made for provision of services other than contracting, studies, and 31 audits or evaluations as authorized and limited by paragraphs (b) and 32 (c) of this subdivision. Any consent from an eligible student or parent 33 must be signed by the student or parent, be dated on the day it was 34 signed, not have been signed more than six months prior to the disclo- 35 sure, must identify the recipient and the purpose of the disclosure, and 36 must state that the information will only be used for that purpose and 37 will not be used or disclosed for any other purpose. 38 3. Data repositories and information practices. 39 (a) The department and district boards of education may not, directly 40 or through contracts with outside parties, maintain personally identifi- 41 able information from education records without the written consent of 42 eligible students or parents unless maintenance of such information is: 43 (1) explicitly mandated in federal or state statute; or 44 (2) administratively required for the proper performance of their 45 duties under the law and is relevant to and necessary for delivery of 46 services; or 47 (3) designed to support a study of students or former students, 48 provided that no personally identifiable information is retained on 49 former students longer than five years after the date of their last 50 enrollment at an institution. 51 (b) The department and district boards of education shall publicly and 52 conspicuously disclose on their web sites and through annual electronic 53 notification to the chairs of the assembly and senate education commit- 54 tees the existence and character of any personally identifiable informa- 55 tion from education records that they, directly or through contractsS. 5932--A 4 1 with outside parties, maintain. Such disclosure and notifications shall 2 include: 3 (1) the name and location of the data repository where such informa- 4 tion is maintained; 5 (2) the legal authority which authorizes the establishment and exist- 6 ence of the data repository; 7 (3) the principal purpose or purposes for which the information is 8 intended to be used; 9 (4) the categories of individuals on whom records are maintained in 10 the data repository; 11 (5) the categories of records maintained in the data repository; 12 (6) each expected disclosure of the records contained in the data 13 repository, including the categories of recipients and the purpose of 14 such disclosure; 15 (7) the policies and practices of the department or the district 16 boards of education regarding storage, retrievability, access controls, 17 retention, and disposal of the records; 18 (8) the title and business address of the department or district board 19 of education official who is responsible for the data repository, and 20 the name and business address of any contractor or other outside party 21 maintaining the data repository for or on behalf of the department or 22 the district board of education; 23 (9) the procedures whereby eligible students or parents can be noti- 24 fied at their request if the data repository contains a record pertain- 25 ing to them or their children; 26 (10) the procedures whereby eligible students or parents can be noti- 27 fied at their request how to gain access to any record pertaining to 28 them or their children contained in the data repository, and how they 29 can contest its content; and 30 (11) the categories of sources of records in the data repository; 31 (c) The department, district boards of education, and institutions may 32 not append education records with personally identifiable information 33 obtained from other federal or state agencies through data matches with- 34 out the written consent of eligible students or parents unless such data 35 matches are: (1) explicitly mandated in federal or state statute; or (2) 36 administratively required for the proper performance of their duties 37 under the law and are relevant to and necessary for delivery of 38 services. 39 4. Penalties and enforcement. (a) Each violation of any provision of 40 this section by an organization or entity that is not the department, a 41 district board of education, or an institution as defined in paragraph 42 (b) of subdivision one of this section shall be punishable by a civil 43 penalty of up to one thousand dollars; a second violation by the same 44 organization or entity involving the educational records and privacy of 45 the same student shall be punishable by a civil penalty of up to five 46 thousand dollars; any subsequent violation by the same organization or 47 entity involving the educational records and privacy of the same student 48 shall be punishable by a civil penalty of up to ten thousand dollars; 49 and each violation involving a different individual educational record 50 or a different individual student shall be considered a separate 51 violation for purposes of civil penalties; 52 (b) The attorney general shall have the authority to enforce compli- 53 ance with this section by investigation and subsequent commencement of a 54 civil action, to seek civil penalties for violations of this section, 55 and to seek appropriate injunctive relief, including but not limited to 56 a prohibition on obtaining personally identifiable information for anS. 5932--A 5 1 appropriate time period. In carrying out such investigation and in main- 2 taining such civil action the attorney general or any deputy or assist- 3 ant attorney general is authorized to subpoena witnesses, compel their 4 attendance, examine them under oath and require that any books, records, 5 documents, papers, or electronic records relevant or material to the 6 inquiry be turned over for inspection, examination or audit, pursuant to 7 the civil practice law and rules; subpoenas issued pursuant to this 8 paragraph may be enforced pursuant to the civil practice law and rules. 9 (c) Nothing contained herein shall be construed as creating a private 10 right of action against the department, a district board of education, 11 or an institution as defined in paragraph (b) of subdivision one of this 12 section. 13 5. Administrative use. Nothing in this section shall limit the admin- 14 istrative use of education records by a person acting exclusively in the 15 person's capacity as an employee of a school, a district board of educa- 16 tion or of the state or any of its political subdivisions, any court or 17 the federal government that is otherwise required by law. 18 § 2. This act shall take effect July 1, 2015 and shall apply to school 19 years beginning with the 2015-2016 academic year.