IN THE SENATE OF THE UNITED STATES
April 6 (legislative day, April 4), 2017
Mr. Markey (for himself and Mr. Hatch) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions
To amend the Family Educational Rights and Privacy Act of 1974 to ensure that student data handled by private companies is protected, and for other purposes.
This Act may be cited as the "Protecting Student Privacy Act of 2017".
Subsection (b) of section 444 of the General Education Provisions Act (20 U.S.C. 1232g) (commonly referred to as the "Family Educational Rights and Privacy Act of 1974") is amended—
(1) by redesignating paragraphs (4) through (7) as paragraphs (8) through (11), respectively;
(2) by inserting after paragraph (3) the following:
"(4)(A) No funds shall be made available under any applicable program to any educational agency or institution that has not implemented information security policies and procedures that—
(i) protect personally identifiable information from education records maintained by the educational agency or institution; and
(ii) require each outside party to whom personally identifiable information from education records is disclosed to have information security policies and procedures that include a comprehensive security program designed to protect the personally identifiable information from education records.
(B) For purposes of this subsection, the term 'outside party' means a person that is not an employee, officer, or volunteer of the educational agency or institution or of a Federal, State, or local governmental agency and includes any contractor or consultant acting as a school official or authorized representative or in any other capacity.
(5) Notwithstanding any other provision of this section or paragraph (2)(A), no funds shall be made available under any applicable program to any educational agency or institution that has a policy or practice of using, knowingly releasing, or otherwise knowingly providing access to personally identifiable information, as described in paragraph (2), in the education records of a student to advertise or market a product or service.
(6) Each State educational agency receiving funds under an applicable program, and each educational agency or institution, shall ensure that any outside party with access to education records with personally identifiable information complies with the following:
(A) Any education records that are held by the outside party shall be held in a manner that provides, as directed by the educational agency or institution, parents with—
(i) the right to access the personally identifiable information held about their students by the outside party, to the same extent and in the same manner as provided in subsection (a)(1); and
(ii) a process to challenge, correct, or delete any inaccurate, misleading, or otherwise inappropriate data in any education records of such student that are held by the outside party, through an opportunity for a hearing by the agency or institution providing the outside party with access, in accordance with subsection (a)(2).
(B) The outside party shall maintain a record of all individuals, agencies, or organizations that have requested or obtained access to the education records of a student held by the outside party, in the same manner as is required under paragraph (8).
(C) The outside party shall have policies or procedures in place regarding information security practices regarding the education records, in accordance with paragraph (4).
(7) No funds under any applicable program shall be made available to any educational agency or institution, or any State educational agency, unless the agency or institution has a policy or practice that—
(A) promotes data minimization in order to safeguard individual privacy by meeting any request for student information with non-personally identifiable information, if the purpose of any appropriate request can be effectively met with non-personally identifiable information; and
(B) requires that all personally identifiable information on an individual student held by any outside party be destroyed when the information is no longer needed for the specified purpose."; and
(3) in paragraph (8)(A), as redesignated by paragraph (1)—
(A) by inserting "who are employees, officers, or volunteers of the agency or institution" after "of this subsection";
(B) by striking "or organizations" and inserting "organizations, or outside parties";
(C) by striking "or organization" and inserting "organization, or outside party"; and
(D) by inserting "and will describe the information shared with such person, outside party, agency, or organization" after "obtaining this information".