Ohio Senate Bill 29: New mandates on student data privacy and technology contracts take effect

In recent years, data privacy legislation has seen significant activity across all industries. Last October, Ohio Senate Bill 29 (SB 29) officially went into effect. The new regulation implements requirements for school districts regarding student data privacy, technology contracts, and the tracking and monitoring the online activities of students.

Collection, use, and protection of educational records by “technology providers”

SB 29 requires “technology providers” to implement certain security measures when providing services to school districts and handling student data.

Under the new regulation, “technology provider" means a person who contracts with a school district to provide a school-issued device for student use and creates, receives, or maintains educational records pursuant or incidental to its contract with the district.

A school-issued device has quite a broad definition and encompasses hardware, software, devices, and accounts that a school district, acting independently or with a technology provider, provides to an individual student for that student's dedicated personal use.

School districts will need to be mindful that “student,” in this context, means an individual currently or formerly enrolled in a school district and/or applicants for enrollment.

Some of the security measures include the following:

• Educational records received by a technology provider pursuant to a contract are considered solely the property of the school district
• If educational records maintained by the technology provider are subject to a breach of the security of the data, as defined under ORC 1347.12, the technology provider shall disclose to the school district all information necessary to fulfill the requirement of that section
• Technology providers must delete all, destroy, or return all education records or data within 90 days of the termination of a contract unless they anticipate a renewal of the contract
• Technology providers are inhibited from selling sharing, or disseminating education records for commercial purposes

Contracts between school districts and technology providers

Under this new law school districts and technology providers contracting with one another are also required to ensure appropriate security safeguards for educational records including both of the following:

1. A restriction on unauthorized access by the technology provider's employees or contractors;
2. A requirement that the technology provider's employees or contractors may be authorized to access educational records only as necessary to fulfill the official duties of the employee or contractor 

Notice to students and parents of contracts affecting educational records

Additionally, by the first day of August of each school year, school districts will be required to provide parents and student notice of any curriculum, testing, or assessment technology provider contract affecting a student’s educational records.

The notice is required to contain the following:

1. Identify each curriculum, testing, or assessment technology provider with access to educational records;
2. Identify the educational records affected by the curriculum, testing, or assessment technology provider contract;
3. Include information about the contract inspection and provide contact information for a school department to which a parent or student may direct questions or concerns regarding any program or activity that allows a curriculum, testing, or assessment technology provider access to a student's educational records

Schools must also provide parents and students with the opportunity to inspect a complete copy of any contract with a technology provider.

This portion of the law allows for a grace period as the first notice does not need to be issued until August 1, 2025. Schools should utilize this period to conduct an inventory of educational records impacted by curriculum, testing, or assessment technology provider contracts. Schools can anticipate an influx of inquiries from student and parents regarding the impacted educational records, technology provider contracts, and the drafting process of technology vendor contracts.

Limitations to accessing and monitoring student devices

School districts and technology providers will now have certain limitations on monitoring any of the following:

1. Location-tracking features of a school-issued device;
2. Audio or visual receiving, transmitting, or recording feature of a school-issued device;
3. Student interactions with a school-issued device, including, but not limited to, keystrokes and web-browsing activity

There are several carve outs to this limitation such as for: non-commercial educational purposes, under a judicial warrant, recovering missing or stolen technology, prevention of harm or threat to life, complying with state or federal law, and participating in a federal or state funding program.

Notice to students and parents of educational records subject to breach

Finally, SB29 states that in the event educational records maintained by a technology provider are subject to a breach, the school within 72 hours of the access, must notify the students’ parents and provide:

• A written description of the triggering circumstance
• Which features of the device were accessed
• A description of the threat

It’s important to note that the notice is not required at any time when or if a notice itself would pose a threat to life or safety, but must instead be given within 72 hours after that threat has ceased.

If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.