Protecting Student Privacy Act of 2014 - Amends the Family Educational Rights and Privacy Act of 1974 to prohibit programs administered by the Department of Education from making funds available to any educational agency or institution that has not implemented information security policies that: (1) protect personally identifiable information (PII) from education records, and (2) require each outside party to whom PII from education records is disclosed to have a comprehensive security program to protect such information.
Defines "outside party" as a person that is not an employee, officer, or volunteer of the educational agency or institution or of a government agency. Includes within such term any contractor or consultant acting as a school official or authorized representative or in any other capacity.
Prohibits such funds from being made available to any educational agency or institution that has a policy or practice of using, releasing, or providing access to PII to advertise or market a product or service.
Requires state agencies receiving such funds, and each educational agency or institution, to ensure that any outside party with access to such records: (1) provides parents access to any PII it holds about their students; (2) provides a process to challenge, correct, or delete any inaccurate, misleading, or inappropriate data through a hearing by the agency or institution providing the outside party with access; (3) maintains a record of all individuals, agencies, or organizations that have requested or obtained access to the education records of a student; and (4) has information security procedures in place.
Prohibits funds from being made available to any educational agency or institution, or any state educational agency, unless the agency or institution has a practice that: (1) promotes data minimization by meeting requests for student information with non-PII, and (2) requires that PII held by any outside party be destroyed when the information is no longer needed for the specified purpose.
Directs educational agencies and institutions to maintain a record of all outside parties which have requested or obtained access to a student's education records. Requires such record to describe the information shared and to indicate specifically the party's legitimate interest in obtaining this information.
[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 2690 Introduced in Senate (IS)]
113th CONGRESS
2d Session
S. 2690
To amend the Family Educational Rights and Privacy Act of 1974 to
ensure that student data handled by private companies is protected, and
for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 30, 2014
Mr. Markey (for himself, Mr. Hatch, Mr. Walsh, and Mr. Kirk) introduced
the following bill; which was read twice and referred to the Committee
on Health, Education, Labor, and Pensions
_______________________________________________________________________
A BILL
To amend the Family Educational Rights and Privacy Act of 1974 to
ensure that student data handled by private companies is protected, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protecting Student Privacy Act of
2014''.
SEC. 2. FERPA IMPROVEMENTS.
Subsection (b) of section 444 of the General Education Provisions
Act (20 U.S.C. 1232g) (commonly referred to as the ``Family Educational
Rights and Privacy Act of 1974'') is amended--
(1) by redesignating paragraphs (4) through (7) as
paragraphs (8) through (11), respectively;
(2) by inserting after paragraph (3) the following:
``(4)(A) No funds shall be made available under any applicable
program to any educational agency or institution that has not
implemented information security policies and procedures that--
``(i) protect personally identifiable information from
education records maintained by the educational agency or
institution; and
``(ii) require each outside party to whom personally
identifiable information from education records is disclosed to
have information security policies and procedures that include
a comprehensive security program designed to protect the
personally identifiable information from education records.
``(B) For purposes of this subsection, the term `outside party'
means a person that is not an employee, officer, or volunteer of the
educational agency or institution or of a Federal, State, or local
governmental agency and includes any contractor or consultant acting as
a school official or authorized representative or in any other
capacity.
``(5) Notwithstanding any other provision of this section or
paragraph (2)(A), no funds shall be made available under any applicable
program to any educational agency or institution that has a policy or
practice of using, knowingly releasing, or otherwise knowingly
providing access to personally identifiable information, as described
in paragraph (2), in the education records of a student to advertise or
market a product or service.
``(6) Each State educational agency receiving funds under an
applicable program, and each educational agency or institution, shall
ensure that any outside party with access to education records with
personally identifiable information complies with the following:
``(A) Any education records that are held by the outside
party shall be held in a manner that provides, as directed by
the educational agency or institution, parents with--
``(i) the right to access the personally
identifiable information held about their students by
the outside party, to the same extent and in the same
manner as provided in subsection (a)(1); and
``(ii) a process to challenge, correct, or delete
any inaccurate, misleading, or otherwise inappropriate
data in any education records of such student that are
held by the outside party, through an opportunity for a
hearing by the agency or institution providing the
outside party with access, in accordance with
subsection (a)(2).
``(B) The outside party shall maintain a record of all
individuals, agencies, or organizations that have requested or
obtained access to the education records of a student held by
the outside party, in the same manner as is required under
paragraph (8).
``(C) The outside party shall have policies or procedures
in place regarding information security practices regarding the
education records, in accordance with paragraph (4).
``(7) No funds under any applicable program shall be made available
to any educational agency or institution, or any State educational
agency, unless the agency or institution has a policy or practice
that--
``(A) promotes data minimization in order to safeguard
individual privacy by meeting any request for student
information with non-personally identifiable information, if
the purpose of any appropriate request can be effectively met
with non-personally identifiable information; and
``(B) requires that all personally identifiable information
on an individual student held by any outside party be destroyed
when the information is no longer needed for the specified
purpose.''; and
(3) in paragraph (8)(A), as redesignated by paragraph (1)--
(A) by inserting ``who are employees, officers, or
volunteers of the agency or institution'' after ``of
this subsection'';
(B) by striking ``or organizations'' and inserting
``organizations, or outside parties'';
(C) by striking ``or organization'' and inserting
``organization, or outside party''; and
(D) by inserting ``and will describe the
information shared with such person, outside party,
agency, or organization'' after ``obtaining this
information''.
<all>
Introduced in Senate
Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
Llama 3.2 · runs locally in your browser
Ask anything about this bill. The AI reads the full text to answer.
Enter to send · Shift+Enter for new line