Personally Identifiable Student Information

On November 20, Assembly Education Committee Chairwoman Catherine Nolan conducted a hearing in the Albany Legislative Office Building in order to receive testimony in regard to the release of personally identifiable student information. Many who testified, and many assembly members, expressed strong concern about the types and amount of data collected and how it would be used and protected. Conspicuous by their absence was a representative of inBloom. The chairwoman indicated that she reached out to the inBloom company and was informed through an e-mail message from company spokesperson Adam Gaber that staff was unable to attend the hearing due to prior commitments. The Assemblywoman characterized inBloom’s actions in this regard as a “red flag.”

The hearing also focused upon two legislative bills, each of which would amend Education Law by adding a new Section 3212-b. The bills are:
•    A-7872-A by Assembly member Catherine Nolan
•    A-6059-A by Assembly member Daniel O’Donnell

SAANYS testimony supported neither bill completely, but on a comparative basis, was more supportive of bill 6059-A.

Bill 7872-A would permit parents, guardians, and students at or above 18 years of age to initiate a new “opt-out” procedure for the disclosure of personally identifiable information and biometric records using a form to be developed by the State Education Department (SED) and procedures to be implemented by SED and by school districts.

Bill 6059-A would safeguard confidentiality through consent procedures that would be appropriately augmented by 14 safeguards that apply to all students. Some of the safeguards address long-standing federal confidentiality requirements (such as internal access being restricted to those individuals who have a legitimate educational interest); other safeguards are new and appropriate, such as the use of encryption technology to protect data in motion. The standards also address the manner and extent to which individual student data may be used, what should happen upon the completion/termination of contracts, and what must be done in cases of suspected and actual data breaches. The bill also addresses the use of confidential student data for studies and prohibits its use for commercial purposes. Moreover, the bill includes appropriate indemnification provisions in regard to the payment of all costs and liabilities incurred by SED or by school districts, as well as a system of graduated fiscal penalties for violations by vendors.

Neither bill includes an allocation to SED or school districts to support implementation. Bill 7872-A would require parents, guardians, and age-appropriate students to research third parties and  submit opt-out materials to SED and/or school districts in order to restrict the disclosure of personally identifiable information. Bill 6059-A would impose a new and burdensome annual report procedure upon SED and all school districts.
The SAANYS testimony is posted at saanys.org.