INTERIM Lege Trend: Education Contractors Contracting Changes for Data Security

California revamped its data security statutes for education last year. California Education Code Section 49073.1 requires education contractors to:

• a statement that pupil records continue to be the property of and under the control of the local educational agency;

• a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;

• a prohibition against the service provider using any information in the pupil record for any purpose other than those required or specifically permitted by the contract;

• a description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information;

• a description of the actions the service provider will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records;

• a description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records;

• a certification that a pupil’s records shall not be retained or available to the service provider upon completion of the terms of the contract and a description of how that certification will be enforced;

• a description of how the local educational agency and the service provider will jointly ensure compliance with the Family Educational Rights and Privacy Act (“FERPA”); and

• a prohibition against the service provider using personally identifiable information in pupil records to engage in targeted advertising.

California Education Code Privacy Chapter 

The Recorder | Keep Up with Data Security