Recent legislative developments relating to student privacy have something to teach everyone. For professionals in the education space, the developments signal significant forthcoming changes to policies and business practices. But there’s more to the developments than the creation of new sector-specific obligations. The way in which data-sharing agreements with vendors and business partners feature in the new student privacy laws is a good indicator of how important such agreements are becoming.
Last year, parents and educators began to express concern about cloud-based services for educational institutions. Those concerns led inBloom, a student data-management company, to shut down its operations. In July of this year, Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) responded to the concerns about student privacy by introducing the Protecting Student Privacy Act. The bill would deny federal funding to educational agencies and institutions that use or knowingly disclose students’ personally identifiable information (PII) for the purposes of marketing. The bill also requires educational agencies and institutions to contractually require service providers handling students’ PII to establish comprehensive security programs and comply with access rights established by the Family Educational Rights and Privacy Act. The bill has been referred to the Senate Committee on Health, Education, Labor, and Pensions and could stay there for some time depending upon Congress’s agenda. However, like many other privacy issues, the states appear ready to take the lead on student privacy.
According to the Data Quality Campaign, over 75 percent of state legislatures active in 2014 introduced student data privacy bills. Twenty-eight of those bills were signed into law. Many of those laws, like the federal proposal, require that educational agencies and institutions impose contractual requirements on service providers. There could soon be more, as the California legislature has sent two bills with contractual requirements to Gov. Jerry Brown’s desk. One of the California bills would establish that providers of online educational services must contractually require their own service providers to implement reasonable security programs. The other bill would require educational agencies to impose contractual requirements on third parties that provide digital services for student data. Those provisions would include breach notification requirements; descriptions of privacy and security requirements; access procedures for parents and guardians; and certifications that providers may not retain student records after the completion of the contract. The first bill would take effect on January 1, 2016, the second on January 1, 2015.
If Brown signs the second California bill into law this month, California educational institutions will have just over three months to impose new requirements on providers of digital services for student data. That should be a wake-up call for all privacy professionals. Imagine the unpleasant surprise of learning that you have just three months to revise the privacy and security provisions in your data-sharing and vendor agreements. For some organizations, it might take that long to simply take inventory of applicable agreements.
Now, privacy professionals can’t always anticipate the issues that will grab the attention of legislators or regulators and drive them to swiftly change existing frameworks regarding data sharing. But data sharing is a practice that increasingly draws scrutiny, and what happens with data once shared with a vendor or partner reflects on the organization that originally shared it. There are steps that organizations can take now to manage risk and perhaps to help ease the pain of any upheavals to the laws and regulations governing the sharing of data.
- Organizations should take stock of the data-sharing agreements into which they have entered. The inventory should not focus solely on the agreements that have been reviewed by legal or privacy. There’s no guarantee that a business unit has not entered into an agreement without submitting it for review because “it seemed like the data sharing just wasn’t a big deal.”
- Organizations should review existing agreements to determine whether the third parties have agreed to comply with current and future obligations applicable to received data, including providing access rights, implementing appropriate security and privacy programs, establishing appropriate data retention practices and breach notifications.
- Organizations should identify how each agreement may be amended and how essential each agreement is to the organizations’ operations. When legislative or regulatory developments require changes to data-sharing provisions, organizations can prioritize the revision of agreements based on their importance to day-to-day operations and the amount of time it may take to revise them.
Taking these steps may not eliminate all of the headaches that privacy professionals and their organizations could endure in the face of statutory or regulatory change, but taking appropriate action now can help to make the revision process easier. Professionals in the education space should continue to monitor legislative developments and prepare for what looks like a busy year.