20-7-1326. Pupil records -- online privacy protections. (1) A school district may, pursuant to a policy adopted by its trustees, enter into a contract with a third party to:
(a) provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; or
(b) provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the contractual provisions listed in subsection (2).
(2) A school district that enters into a contract with a third party for purposes of subsection (1) shall ensure the contract contains all of the following:
(a) a statement that pupil records continue to be the property of and under the control of the school district;
(b) notwithstanding subsection (2)(a), a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;
(c) a prohibition against the third party for using any information in pupil records for any purpose other than those required or specifically permitted by the contract;
(d) a description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil's records and correct erroneous information;
(e) a description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records. Compliance with this requirement does not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of pupil records.
(f) a description of the procedures for notifying the affected parent, legal guardian, or pupil if 18 years of age or older in the event of an unauthorized disclosure of the pupil's records;
(g) a certification that pupil records will not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced. This requirement does not apply to pupil-generated content if a pupil chooses to establish or maintain an account with the third party for the purpose of storing that content pursuant to subsection (2)(b).
(h) a description of how the school district and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (20 U.S.C. 1232g); and
(i) a prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising.
(3) In addition to any other penalties, a contract that fails to comply with the requirements of this section is void if, upon notice and a reasonable opportunity to cure, the noncompliant party fails to come into compliance and cure any defect. Written notice of noncompliance may be provided by any party to the contract. All parties subject to a contract voided under this subdivision shall return all pupil records in their possession to the school district.
(4) If the provisions of this section are in conflict with the terms of a contract in effect before May 7, 2019, the provisions of this section do not apply to the school district or the third party subject to that agreement until the expiration, amendment, or renewal of the agreement.
(5) Nothing in this section may be construed to impose liability on a third party for content provided by any other third party.
History: En. Sec. 4, Ch. 369, L. 2019.