Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

HF 1507

2nd Engrossment - 90th Legislature (2017 - 2018) Posted on 03/15/2018 04:34pm

KEY: stricken = removed, old language.
underscored = added, new language.

Bill Text Versions

Engrossments
Introduction Posted on 02/20/2017
1st Engrossment Posted on 03/08/2018
2nd Engrossment Posted on 03/15/2018

Current Version - 2nd Engrossment

Line numbers 1.1 1.2 1.3 1.4 1.5
1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27
2.28
2.29 2.30 2.31 2.32 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15
3.16
3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24
3.25
3.26 3.27 3.28 3.29 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 4.32 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14
5.15
5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13
6.14
6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26
6.27

A bill for an act
relating to education; creating the Student Data Privacy Act; providing penalties;
amending Minnesota Statutes 2016, section 13.32, subdivision 1, by adding
subdivisions.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2016, section 13.32, subdivision 1, is amended to read:


Subdivision 1.

Definitions.

As used in this section:

(a) "Educational data" means data on individuals new text begin which relate to a student and are
new text end maintained by a public educational agency or institution or by a person acting for new text begin or
contracting with
new text end the agency or institution deleted text begin which relates to a studentdeleted text end new text begin , including, but not
limited to, a technology provider
new text end .

Records of instructional personnel which are in the sole possession of the maker thereof
and are not accessible or revealed to any other individual except a substitute teacher, and
are destroyed at the end of the school year, shall not be deemed to be government data.

Records of a law enforcement unit of a public educational agency or institution which
are maintained apart from education data and are maintained solely for law enforcement
purposes, and are not disclosed to individuals other than law enforcement officials of the
jurisdiction are not educational data; provided, that education records maintained by the
educational agency or institution are not disclosed to the personnel of the law enforcement
unit. The University of Minnesota police department is a law enforcement agency for
purposes of section 13.82 and other sections of Minnesota Statutes dealing with law
enforcement records. Records of organizations providing security services to a public
educational agency or institution must be administered consistent with section 13.861.

Records relating to a student who is employed by a public educational agency or
institution which are made and maintained in the normal course of business, relate exclusively
to the individual in that individual's capacity as an employee, and are not available for use
for any other purpose are classified pursuant to section 13.43.

(b) "Juvenile justice system" includes criminal justice agencies and the judiciary when
involved in juvenile justice activities.

new text begin (c) "Parent" means a parent, guardian, or other person having legal custody of a child
under age 18.
new text end

new text begin (d) "School-issued device" means a technological device that a public educational agency
or institution, acting independently or with a technology provider, provides to an individual
student for that student's dedicated personal use. A school-issued device includes a device
issued through a one-to-one program.
new text end

deleted text begin (c)deleted text end new text begin (e)new text end "Student" means an individual currently or formerly enrolled or registered,
applicants for enrollment or registration at a public educational agency or institution, or
individuals who receive shared time educational services from a public agency or institution.

deleted text begin (d)deleted text end new text begin (f)new text end "Substitute teacher" means an individual who performs on a temporary basis the
duties of the individual who made the record, but does not include an individual who
permanently succeeds to the position of the maker of the record.

new text begin (g) "Technology provider" means a person who:
new text end

new text begin (1) contracts with a public educational agency or institution, as part of a one-to-one
program or otherwise, to provide technological devices for student use or to provide access
to a software or online application; and
new text end

new text begin (2) creates, receives, or maintains educational data pursuant or incidental to a contract
with a public educational agency or institution.
new text end

new text begin A technology provider does not include a not-for-profit organization that has the primary
purpose of expanding student access to postsecondary education and that obtains a student's
consent to utilize the student's educational data for that purpose.
new text end

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective for the 2019-2020 school year and later.
new text end

Sec. 2.

Minnesota Statutes 2016, section 13.32, is amended by adding a subdivision to
read:


new text begin Subd. 13. new text end

new text begin Audit trail required for electronic student records systems. new text end

new text begin (a) A public
educational agency or institution must establish written procedures to ensure appropriate
security safeguards for educational data stored in a technology system, including but not
limited to an electronic database, software application, or cloud-based service. These
procedures must require that:
new text end

new text begin (1) a person may access the educational data only if authorized;
new text end

new text begin (2) a person may be authorized to access educational data only if access is necessary to
fulfill official duties; and
new text end

new text begin (3) all actions in which educational data are entered, updated, accessed, shared, or
disseminated, are recorded in a log-of-use that includes the identity of the person interacting
with the data, the identity of the student whose data is affected, the date and time of the
action, and what action was performed. Information recorded in the log-of-use must be
retained for at least one year.
new text end

new text begin (b) The written procedures required by paragraph (a) are public data unless classified
as not public under any other applicable law.
new text end

new text begin (c) Paragraph (a), clause (3), does not apply to technology systems that were in use prior
to January 1, 2019, and that lack the capacity to automatically record actions in a log-of-use.
new text end

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective for the 2019-2020 school year and later.
new text end

Sec. 3.

Minnesota Statutes 2016, section 13.32, is amended by adding a subdivision to
read:


new text begin Subd. 14. new text end

new text begin Training required. new text end

new text begin A public educational agency or institution must provide
at least annual training for administrative staff, IT directors, teachers, and any other individual
with access to educational data to ensure understanding of and compliance with applicable
provisions of this section, section 121A.065, and the Family Educational Rights and Privacy
Act, United States Code, title 20, section 1232g, and its regulations as provided by Code
of Federal Regulations, title 34, part 99.
new text end

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective for the 2019-2020 school year and later.
new text end

Sec. 4.

Minnesota Statutes 2016, section 13.32, is amended by adding a subdivision to
read:


new text begin Subd. 15. new text end

new text begin Technology providers. new text end

new text begin (a) A technology provider is subject to the provisions
of section 13.05, subdivision 11.
new text end

new text begin (b) All educational data created, received, or maintained by a technology provider
pursuant or incidental to a contract with a public educational agency or institution are not
the technology provider's property.
new text end

new text begin (c) If educational data maintained by the technology provider are subject to a breach of
the security of the data, as defined in section 13.055, the technology provider must, following
discovery of the breach, disclose to the public educational agency or institution all
information necessary to fulfill the requirements of section 13.055.
new text end

new text begin (d) Unless renewal of the contract is reasonably anticipated, within 30 days of the
expiration of the contract, a technology provider must destroy or return to the appropriate
public educational agency or institution all educational data created, received, or maintained
pursuant or incidental to the contract.
new text end

new text begin (e) A technology provider must not sell, share, or disseminate educational data, except
as provided by this section or as part of a valid delegation or assignment of its contract with
a public educational agency or institution. An assignee or delegee that creates, receives, or
maintains educational data is subject to the same restrictions and obligations under this
section as the technology provider.
new text end

new text begin (f) A technology provider must not use educational data for any commercial purpose,
including, but not limited to, marketing or advertising to a student or parent.
new text end

new text begin (g) A technology provider must establish written procedures to ensure appropriate
security safeguards for educational data. These procedures must require that:
new text end

new text begin (1) the technology provider's employees or contractors have access to educational data
only if authorized;
new text end

new text begin (2) the technology provider's employees or contractors may be authorized to access
educational data only if access is necessary to fulfill the official duties of the employee or
contractor; and
new text end

new text begin (3) all actions in which educational data are entered, updated, accessed, shared, or
disseminated, are recorded in a log-of-use that includes the identity of the employee or
contractor interacting with the data, the identity of the student whose data is affected, the
date and time of the action, and what action was performed. Information recorded in the
log-of-use must be retained for at least one year.
new text end

new text begin These written procedures are public data unless classified as not public under any other
applicable law.
new text end

new text begin (h) Within 30 days of the start of each school year, a public educational agency or
institution must give parents and students direct, timely notice, by United States mail, e-mail,
or other direct form of communication, of any technology provider contract affecting a
student's educational data. The notice must:
new text end

new text begin (1) identify each technology provider with access to educational data;
new text end

new text begin (2) identify the educational data affected by the technology provider contract; and
new text end

new text begin (3) include information about the contract inspection and, if applicable, the parent or
student's ability to opt out of any program or activity that allows a technology provider to
access a student's educational data.
new text end

new text begin (i) A public educational agency or institution must provide parents and students an
opportunity to inspect a complete copy of any contract with a technology provider.
new text end

new text begin (j) A public educational agency or institution must not penalize or withhold an educational
benefit from a parent or student who opts out of any program or activity that allows a
technology provider to access a student's educational data.
new text end

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective for the 2019-2020 school year and later.
new text end

Sec. 5.

Minnesota Statutes 2016, section 13.32, is amended by adding a subdivision to
read:


new text begin Subd. 16. new text end

new text begin School-issued devices. new text end

new text begin (a) Except as provided in paragraph (b), a government
entity or technology provider must not access or monitor:
new text end

new text begin (1) any location-tracking feature of a school-issued device;
new text end

new text begin (2) any audio or visual receiving, transmitting, or recording feature of a school-issued
device; or
new text end

new text begin (3) student interactions with a school-issued device, including, but not limited to,
keystrokes and Web browsing activity.
new text end

new text begin (b) A government entity or technology provider may only engage in activities prohibited
by paragraph (a) if:
new text end

new text begin (1) the student to whom the school-issued device was issued initiates and agrees to the
activity, and the activity is limited to a noncommercial educational purpose;
new text end

new text begin (2) the activity is permitted under a judicial warrant;
new text end

new text begin (3) the student to whom the school-issued device was provided or that student's parent
notifies the public educational agency or institution or law enforcement agency that the
device is missing or stolen;
new text end

new text begin (4) the activity is necessary to respond to an imminent threat to life or safety and the
access is limited to that purpose; or
new text end

new text begin (5) the activity is limited to that which is prohibited by paragraph (a), clause (3), and is
necessary to enforce a school's acceptable-use policy.
new text end

new text begin (c) If a government entity or technology provider interacts with a school-issued device
as provided in paragraph (b), clause (4), it must, within 72 hours of the access, notify the
student to whom the device was provided or that student's parent and provide a written
description of the interaction, including which features of the device were accessed and a
description of the threat. This notice is not required if the notice itself would pose an
imminent threat to life or safety.
new text end

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective for the 2019-2020 school year and later.
new text end

Sec. 6.

Minnesota Statutes 2016, section 13.32, is amended by adding a subdivision to
read:


new text begin Subd. 17. new text end

new text begin Application to nonpublic schools; exemption. new text end

new text begin (a) Notwithstanding any law
to the contrary, an accredited nonpublic school recognized by the Minnesota Council on
Nonpublic Education under section 123B.445, excluding home schools, must comply with
subdivisions 14 to 16 as if it were a public educational agency or institution.
new text end

new text begin (b) A technology provider contracting with an accredited nonpublic school recognized
by the Minnesota Council on Nonpublic Education under section 123B.445, excluding home
schools, must comply with subdivisions 14 to 16 as if that school were a public educational
agency or institution.
new text end

new text begin (c) A postsecondary institution is exempt from subdivisions 13 to 16. This exemption
extends to a technology provider for purposes of a contract with a postsecondary institution.
new text end

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective for the 2019-2020 school year and later.
new text end