On May 22, 2022, Minnesota Gov. Tim Walz (D) signed the Student Data Privacy Act (the “Act”), H.F. No. 2353, into law which amends Minnesota’s Government Data Practices Act. The Act went into effect beginning with the 2022-2023 school year.
The Act applies to Minnesota students who attend public educational institutions or agencies, and provides protections against surveillance activities that could occur through the use of “School-Issued Devices.” Specifically, the Act focuses on ensuring student data privacy as it relates to “Technology Providers” that contract with public educational agencies or institutions. The Act does not apply to Technology Provider contracts with post-secondary institutions or, in certain instances, with nonprofit national assessment providers. Finally, the Act classifies “education support services data” as private data that cannot be disclosed except under certain conditions.
The Act defines a Technology Provider as someone who (1) contracts with a public educational agency or institution to provide a school-issued device for student use, and (2) creates, receives or maintains educational data according to that contract. Provisions of the Act regarding Technology Providers are summarized as follows:
- Technology Providers are not the owners of educational data.
- If the educational data being maintained by the Technology Provider is subject to a breach, as defined in § 13.055 of the Government Data Privacy Act, the provider must, after discovery of the breach, disclose to the educational agency or institution all information to fulfill the requirements of § 13.055.
- Ninety days before expiration of the contract, a Technology Provider must destroy or return all educational data created, received, or maintained pursuant to the contract.
- Technology providers cannot sell, share, or disseminate educational data unless doing so is part of a valid delegation or assignment of the contract. The assignee or delegee is subject to the same restrictions and obligations as the Technology Provider.
- Technology Providers cannot use educational data for any commercial purpose, marketing, or advertising to a student or parent. However, use of aggregated de-identified data may be used for the purposes of improving, maintaining, developing, supporting, or diagnosing the operator’s site, service or operations.
- The contract between Technology Providers and the educational agency or institution must include appropriate security safeguards for educational data including access controls for only authorized employees or contractors. The contract must also provide that employee or contractor access is permitted only if the access is needed to allow them to fulfill their official duties.
- Public educational agencies and institutions must provide parents and students with “direct and timely notice” of any “curriculum, testing, or assessment technology provider contract” affecting student education data. The notice must include certain provisions that identify the Technology Provider, the educational data affected, contact information for parents or students to ask questions, and an opportunity to inspect the contract.
The Act prohibits a government entity or Technology Provider from electronically accessing or monitoring the following:
- Any location-tracking feature of a School-Issued Device.
- Any audio or visual receiving, transmitting or recording feature of a School-Issued Device.
- Any student interactions with a School-Issued Device, including keystrokes and web-browsing activity.
However, there are exceptions to these prohibitions where 1) the activity relates to noncommercial educational purposes for instruction, technical support, or exam-proctoring with advance notice, 2) the activity is permitted under a judicial warrant, 3) the School-Issued Device is missing or stolen, 4) the activity is necessary to respond to an imminent threat to life or safety and access is limited to that purpose, or 5) the activity is necessary to comply with federal or state law or to participate in federal or state funding programs. If a government entity or Technology Provider interacts with a Student-Issued Device to respond to an imminent threat, notice must be provided within 72 hours of the access unless the notice itself would create an imminent threat to life or safety. In the latter event, notice must be given within 72 hours after the imminent threat has ceased
The Act provides students and parents with greater protections against unwanted surveillance and usage of educational data by Technology Providers, and also provides clarity over ownership of student data in the possession of a Technology Provider and steps to be taken by the Technology Provider when a breach of security occurs.
In the event of a breach or data compromise, the Constangy Cyber team is here to help. You can reach us 24 hours a day, 7 days a week at BreachResponse@constangy.com or #877-382-2724 (877-DTA-BRCH).
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
- Suzie Allen
- John Babione
- Dafina Buçaj
- Jason Cherry
- Maria Efaplomatidis
- Jordan L. Fischer
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Amir Goodarzi
- Taren N. Greenidge
- Julie Hess
- Carolyn C. Ho
- Sean Hoar
- Julie A. Keersmaekers
- Donna Maddux
- David McMillan
- Amanda Novak
- Ashley L. Orler
- Alyssa Pearce
- Rebecca Pollack
- Allison Prout
- Todd Rowe
- Sarah Rugnetta
- Allen Sattler
- Alyssa Watzman
- Aubrey Weaver