Connecticut General Statutes 10-234bb – Contracts between boards of education and contractors re student data. Requirements
(a) On and after July 1, 2018, a local or regional board of education shall enter into a written contract with a contractor any time such local or regional board of education shares or provides access to student information, student records or student-generated content with such contractor. Each such contract shall include, but need not be limited to, the following:
Terms Used In Connecticut General Statutes 10-234bb
- Contract: A legal written agreement that becomes binding when signed.
- Evidence: Information presented in testimony or in documents that is used to persuade the fact finder (judge or jury) to decide the case for one side or the other.
- Guardian: A person legally empowered and charged with the duty of taking care of and managing the property of another person who because of age, intellect, or health, is incapable of managing his (her) own affairs.
- Jurisdiction: (1) The legal authority of a court to hear and decide a case. Concurrent jurisdiction exists when two courts have simultaneous responsibility for the same case. (2) The geographic area over which the court has authority to decide cases.
- Public law: A public bill or joint resolution that has passed both chambers and been enacted into law. Public laws have general applicability nationwide.
(1) A statement that student information, student records and student-generated content are not the property of or under the control of a contractor;
(2) A description of the means by which the local or regional board of education may request the deletion of any student information, student records or student-generated content in the possession of the contractor that is not (A) otherwise prohibited from deletion or required to be retained under state or federal law, or (B) stored as a copy as part of a disaster recovery storage system and that is (i) inaccessible to the public, and (ii) unable to be used in the normal course of business by the contractor, provided such local or regional board of education may request the deletion of any such student information, student records or student-generated content if such copy has been used by the operator to repopulate accessible data following a disaster recovery;
(3) A statement that the contractor shall not use student information, student records and student-generated content for any purposes other than those authorized pursuant to the contract;
(4) A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in student information, student records or student-generated content and correct erroneous information, if any, in such student record;
(5) A statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, student records and student-generated content;
(6) A description of the procedures that a contractor will follow to notify the local or regional board of education, in accordance with the provisions of section 10-234dd, when there has been an unauthorized release, disclosure or acquisition of student information, student records or student-generated content;
(7) A statement that student information, student records or student-generated content shall not be retained or available to the contractor upon expiration of the contract between the contractor and a local or regional board of education, except a student, parent or legal guardian of a student may choose to independently establish or maintain an electronic account with the contractor after the expiration of such contract for the purpose of storing student-generated content;
(8) A statement that the contractor and the local or regional board of education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time;
(9) A statement that the laws of the state of Connecticut shall govern the rights and duties of the contractor and the local or regional board of education; and
(10) A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract which can be given effect without the invalid provision or application.
(b) All student-generated content shall be the property of the student or the parent or legal guardian of the student.
(c) A contractor shall implement and maintain security procedures and practices designed to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure that, based on the sensitivity of the data and the risk from unauthorized access, (1) use technologies and methodologies that are consistent with the guidance issued pursuant to section 13402(h)(2) of Public Law 111-5, as amended from time to time, (2) maintain technical safeguards as it relates to the possession of student records in a manner consistent with the provisions of 45 C.F.R. § 164.312, as amended from time to time, and (3) otherwise meet or exceed industry standards.
(d) A contractor shall not use (1) student information, student records or student-generated content for any purposes other than those authorized pursuant to the contract, or (2) personally identifiable information contained in student information, student records or student-generated content to engage in targeted advertising.
(e) Any provision of a contract entered into between a contractor and a local or regional board of education on or after July 1, 2018, that conflicts with any provision of this section shall be void.
(f) Any contract entered into on and after July 1, 2018, that does not include (1) a provision required by subsection (a) of this section, or (2) the terms-of-service agreement addendum described in section 10-234ff, shall be void, provided the local or regional board of education has given reasonable notice to the contractor and the contractor has failed within a reasonable time to amend the contract to include the provision required by subsection (a) of this section or the terms-of-service agreement addendum.
(g) (1) Each local and regional board of education shall maintain and update, as necessary, an Internet web site with information relating to all contracts entered into pursuant to this section. Not later than five business days after executing a contract pursuant to this section, a local or regional board of education shall post notice of such contract on the board’s Internet web site. The notice shall include the contract and (A) state that the contract has been executed and the date that such contract was executed, (B) provide a brief description of the contract and the purpose of the contract, and (C) state what student information, student records or student-generated content may be collected as a result of the contract.
(2) On or before September first of each school year, the board of education shall electronically notify students and the parents or legal guardians of students of the address of the Internet web site described in this subsection.
(h) A local or regional board of education and a contractor may include in any contract executed pursuant to this section, the uniform student data privacy terms-of-service agreement addendum, described in section 10-234ff, to satisfy the requirements of this section.
(i) A local or regional board of education shall not be required to enter into a contract pursuant to this section if the use of an Internet web site, online service or mobile application operated by a consultant or an operator is unique and necessary to implement a child’s individualized education program or plan pursuant to Section 504 of the Rehabilitation Act of 1973, as amended from time to time, and such Internet web site, online service or mobile application is unable to comply with the provisions of this section, provided (1) such Internet web site, online service or mobile application complies with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time, and the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended from time to time, (2) such board of education can provide evidence that it has made a reasonable effort to (A) enter into a contract with such consultant or operator to use such Internet web site, online service or mobile application, and (B) find an equivalent Internet web site, online service or mobile application operated by a consultant or an operator that complies with the provisions of this section, (3) the consultant or operator complies with the provisions of section 10-234cc for such use, and (4) the parent or legal guardian of such child, and, in the case of a child with an individualized education program, a member of the planning and placement team, sign an agreement that (A) acknowledges such parent or legal guardian is aware that such Internet web site, online service or mobile application is unable to comply with the provisions of this section, and (B) authorizes the use of such Internet web site, online service or mobile application. A local or regional board of education shall, upon the request of a parent or legal guardian of a child, provide the evidence described in subdivision (2) of this subsection to such parent or legal guardian.