Minnesota Legislature
HF 457
as introduced - 92nd Legislature (2021 - 2022) Posted on 01/28/2021 02:20pm
Bill Text Versions
| Engrossments | ||
|---|---|---|
| Introduction | Posted on 01/28/2021 |
Current Version - as introduced
1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23
2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 4.1 4.2
4.3
A bill for an act
relating to government data practices; requiring public postsecondary institutions
to keep certain student information private; requiring consent before collecting
student location data; amending Minnesota Statutes 2020, section 13.32, subdivision
5; proposing coding for new law in Minnesota Statutes, chapter 135A.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
Minnesota Statutes 2020, section 13.32, subdivision 5, is amended to read:
Subd. 5.
Directory information.
new text begin (a) new text end Information designated as directory information
pursuant to the provisions of United States Code, title 20, section 1232g, and Code of Federal
Regulations, title 34, section 99.37, which are in effect on January 3, 2012, is public data
on individuals, to the extent required under federal law.
new text begin (b)new text end When conducting the directory information designation and notice process required
by federal law, an educational agency or institution shall give parents and students notice
of the right to refuse to let the agency or institution designate any or all data about the student
as directory information. This notice may be given by any means reasonably likely to inform
the parents and students of the right.
new text begin
(c) A public postsecondary institution must maintain documentation of a request for
directory information on 100 students or more for four years from the date of the request.
A public postsecondary institution's directory information policy must not permit an
individual's e-mail address, physical address, telephone number, or identification card
photograph to be publicly disclosed. A student whose directory information has been
requested must be allowed to review the documentation maintained by the institution
regarding that request.
new text end
Sec. 2.
new text begin
[135A.146] STUDENT LOCATION DATA.
new text end
new text begin Subdivision 1. new text end
new text begin Definition. new text end
new text begin
"Technology provider" means a person who:
new text end
new text begin
(1) contracts with a public or private postsecondary educational institution to provide
technological devices for student use or to provide access to a software or online application;
and
new text end
new text begin
(2) creates, receives, or maintains location data pursuant or incidental to a contract with
a public or private postsecondary educational institution.
new text end
new text begin Subd. 2. new text end
new text begin Consent. new text end
new text begin
(a) A public or private postsecondary educational institution must
not collect data on a student's location without the student consenting to having location
data collected. A public or private postsecondary educational institution must not require a
student's consent to location data collection as a condition of:
new text end
new text begin
(1) enrolling in the institution or any program or class;
new text end
new text begin
(2) receiving a scholarship or other financial aid award; or
new text end
new text begin
(3) entering into a dining contract, housing contract, or any other agreement for the
provision of a basic university service, including connecting to campus Wi-Fi.
new text end
new text begin
(b) A student who gives consent to having location data collected may revoke that consent
at any time.
new text end
new text begin Subd. 3. new text end
new text begin Notice. new text end
new text begin
(a) Within 30 days of the start of each school year, a public or private
postsecondary educational institution must give students notice, by United States mail,
e-mail, or other direct form of communication, of any technology provider contract gathering
a student's location data. The notice must:
new text end
new text begin
(1) be written in plain language;
new text end
new text begin
(2) identify each technology provider collecting location data;
new text end
new text begin
(3) identify the location data gathered by the technology provider contract;
new text end
new text begin
(4) include information about the consent required in subdivision 2, including the right
to revoke consent; and
new text end
new text begin
(5) include information about how to access a copy of the contract in accordance with
paragraph (b).
new text end
new text begin
(b) A public or private postsecondary educational institution must publish a complete
copy of any contract with a technology provider on the institution's website for the duration
of the contract.
new text end
new text begin Subd. 4. new text end
new text begin Location data. new text end
new text begin
(a) A technology provider contracting with a public
postsecondary institution is subject to the provisions of section 13.05, subdivision 11. An
assignee or delegate that creates, receives, or maintains location data is subject to the same
restrictions and obligations under this section as the technology provider.
new text end
new text begin
(b) Location data created, received, or maintained by a technology provider pursuant or
incidental to a contract with a public or private postsecondary educational institution are
not the technology provider's property.
new text end
new text begin
(c) If location data maintained by the technology provider are subject to a breach of the
security of the data, as defined in section 13.055, the technology provider must, following
discovery of the breach, disclose to the public postsecondary educational institution all
information necessary to fulfill the requirements of section 13.055.
new text end
new text begin
(d) Within 30 days of the expiration of the contract, unless renewal of the contract is
reasonably anticipated, a technology provider must destroy or return to the appropriate
public or private postsecondary educational institution all location data created, received,
or maintained pursuant or incidental to the contract.
new text end
new text begin
(e) A technology provider must not:
new text end
new text begin
(1) sell, share, or disseminate location data, except as provided by this section or as part
of a valid delegation or assignment of its contract with a public or private postsecondary
educational institution; or
new text end
new text begin
(2) use location data for any commercial purpose, including but not limited to marketing
or advertising to a student or parent.
new text end
new text begin Subd. 5. new text end
new text begin Procedures. new text end
new text begin
(a) A technology provider must establish written procedures to
ensure appropriate security safeguards are in place for location data. A technology provider's
written procedures must require that:
new text end
new text begin
(1) only authorized employees or contractors can access the location data;
new text end
new text begin
(2) a person is authorized to access location data only if access is necessary to fulfill
official duties; and
new text end
new text begin
(3) all actions in which location data are entered, updated, accessed, shared, or
disseminated are recorded in a log of use that includes the identity of the person interacting
with the data and what action was performed. Information recorded in the log of use must
be retained for at least one year.
new text end
new text begin
(b) A technology provider's written procedures establishing security safeguards for
location data are public data, unless classified as not public under any other applicable law.
new text end
new text begin EFFECTIVE DATE. new text end
new text begin
This section is effective July 1, 2021.
new text end