Data privacy bill clears Senate committee – with tweaks

A bill designed to strengthen the privacy and security of student educational data continued down its apparently smooth path to passage Wednesday, winning unanimous Senate Education Committee approval.

The measure previously was approved 11-0 by the House Education Committee and passed the full House 65-0.

House Bill 16-1423 includes a detailed definition of personally identifiable information that must be protected, restrictions on software companies and other vendors, and additional transparency and disclosure requirements for the state Department of Education and school districts. The bill also sets controls over classroom apps and software used by individual teachers, a currently unregulated area.

“If you collect it you must protect it,” said sponsor Sen. Owen Hill, R-Colorado Springs.

Hill said that he didn’t want a bill imposing “a heavy hand” on educational technology and that he believes it strikes the right balance.

The definition of protected personal information has an important twist: it also requires protection of seemingly unidentifiable information that, when cross-referenced with other, outside databases, could identify a student.

Districts and the state collect a long list of data on students, including personal information, test scores, special education information, disciplinary records and more.

Despite the 9-0 committee vote, members sounded cautionary notes.

“I’m not sure this isn’t obsolete before we pass it,” said Sen. Mike Johnston, D-Denver.

Said Sen. Tim Neville, R-Littleton: “In my opinion this is a very, very small start.”

Hill and the House sponsors have acknowledged that technological complexity and rapid change likely mean future legislatures will need to refine the law.

Industry lobbyists and representatives aren’t comfortable with the bill’s definition of personally identifiable information and provisions for contract revocation if a company violates the law.

An amendment proposed by Hill and adopted by the committee would create some due process for companies accused of breaching student privacy. The original bill called for termination of contracts. The amendment specifies that the Department of Education and local school boards must first allow a vendor to explain data misuse or breach and hold a public hearing before deciding whether to terminate a contract.

Industry representatives acknowledge the bill is likely to become law and say they don’t plan a last-minute fight. School districts, traditionally hypersensitive to state mandates imposed without funding, haven’t objected to the bill, either.

Other key elements of HB 16-1423:

  • Bans on selling personal student information and advertising targeted to individual students.
  • Contractor responsibility for subcontractors’ actions.
  • Adoption of privacy policies by school boards.
  • Posting of information about contracts on district websites. The bill was amended to require the state and districts to post the contract texts online.
  • Districts also must post and explain the type of personally identifiable information collected.
  • Specific requirements for data security and for removal after contracts end. An amendment added Monday says such data can’t be retrievable.
  • Guaranteed parent access to information about the data collected on their children and the right to have it corrected.