
S. 877 (115th): Protecting Student Privacy Act of 2017

The text of the bill below is as of Apr 6, 2017 (Introduced).


II

115th CONGRESS

1st Session

S. 877

IN THE SENATE OF THE UNITED STATES

April 6 (legislative day, April 4), 2017

(for himself and Mr. Hatch) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions

A BILL

To amend the Family Educational Rights and Privacy Act of 1974 to ensure that student data handled by private companies is protected, and for other purposes.

1. Short title

This Act may be cited as the "Protecting Student Privacy Act of 2017".

2. FERPA improvements

Subsection (b) of section 444 of the General Education Provisions Act (20 U.S.C. 1232g) (commonly referred to as the Family Educational Rights and Privacy Act of 1974) is amended—

(1) by redesignating paragraphs (4) through (7) as paragraphs (8) through (11), respectively;

(2) by inserting after paragraph (3) the following:

(4)(A) No funds shall be made available under any applicable program to any educational agency or institution that has not implemented information security policies and procedures that—

(i) protect personally identifiable information from education records maintained by the educational agency or institution; and

(ii) require each outside party to whom personally identifiable information from education records is disclosed to have information security policies and procedures that include a comprehensive security program designed to protect the personally identifiable information from education records.

(B) For purposes of this subsection, the term "outside party" means a person that is not an employee, officer, or volunteer of the educational agency or institution or of a Federal, State, or local governmental agency and includes any contractor or consultant acting as a school official or authorized representative or in any other capacity.

(5) Notwithstanding any other provision of this section or paragraph (2)(A), no funds shall be made available under any applicable program to any educational agency or institution that has a policy or practice of using, knowingly releasing, or otherwise knowingly providing access to personally identifiable information, as described in paragraph (2), in the education records of a student to advertise or market a product or service.

(6) Each State educational agency receiving funds under an applicable program, and each educational agency or institution, shall ensure that any outside party with access to education records with personally identifiable information complies with the following:

(A) Any education records that are held by the outside party shall be held in a manner that provides, as directed by the educational agency or institution, parents with—

(i) the right to access the personally identifiable information held about their students by the outside party, to the same extent and in the same manner as provided in subsection (a)(1); and

(ii) a process to challenge, correct, or delete any inaccurate, misleading, or otherwise inappropriate data in any education records of such student that are held by the outside party, through an opportunity for a hearing by the agency or institution providing the outside party with access, in accordance with subsection (a)(2).

(B) The outside party shall maintain a record of all individuals, agencies, or organizations that have requested or obtained access to the education records of a student held by the outside party, in the same manner as is required under paragraph (8).

(C) The outside party shall have policies or procedures in place regarding information security practices regarding the education records, in accordance with paragraph (4).

(7) No funds under any applicable program shall be made available to any educational agency or institution, or any State educational agency, unless the agency or institution has a policy or practice that—

(A) promotes data minimization in order to safeguard individual privacy by meeting any request for student information with non-personally identifiable information, if the purpose of any appropriate request can be effectively met with non-personally identifiable information; and

(B) requires that all personally identifiable information on an individual student held by any outside party be destroyed when the information is no longer needed for the specified purpose.

; and

(3) in paragraph (8)(A), as redesignated by paragraph (1)—

(A) by inserting "who are employees, officers, or volunteers of the agency or institution" after "of this subsection";

(B) by striking "or organizations" and inserting "organizations, or outside parties";

(C) by striking "or organization" and inserting "organization, or outside party"; and

(D) by inserting "and will describe the information shared with such person, outside party, agency, or organization" after "obtaining this information".