Minnesota’s Student Data Privacy Act Signed into Law

On May 22, 2022, Minnesota Gov. Tim Walz (D) signed into law the Student Data Privacy Act (the “Act”), H.F. No. 2353, which amends Minnesota’s Government Data Practices Act. The Act went into effect beginning with the 2022-2023 school year.

The Act applies to Minnesota students who attend public educational institutions or agencies, and provides protections against surveillance activities that could occur through the use of “School-Issued Devices.” Specifically, the Act focuses on ensuring student data privacy as it relates to “Technology Providers” that contract with public educational agencies or institutions. The Act does not apply to Technology Provider contracts with post-secondary institutions or, in certain instances, with nonprofit national assessment providers. Finally, the Act classifies “education support services data” as private data that cannot be disclosed except under certain conditions. 

Technology Providers

The Act defines a Technology Provider as someone who (1) contracts with a public educational agency or institution to provide a school-issued device for student use, and (2) creates, receives or maintains educational data according to that contract. Provisions of the Act regarding Technology Providers are summarized as follows:

  • Technology Providers are not the owners of educational data.
  • If the educational data being maintained by the Technology Provider is subject to a breach, as defined in § 13.055 of the Government Data Privacy Act, the provider must, after discovery of the breach, disclose to the educational agency or institution all information to fulfill the requirements of § 13.055.
  • Ninety days before expiration of the contract, a Technology Provider must destroy or return all educational data created, received, or maintained pursuant to the contract.
  • Technology Providers cannot sell, share, or disseminate educational data unless doing so is part of a valid delegation or assignment of the contract. The assignee or delegee is subject to the same restrictions and obligations as the Technology Provider.
  • Technology Providers cannot use educational data for any commercial purpose, marketing, or advertising to a student or parent. However, aggregated de-identified data may be used for the purposes of improving, maintaining, developing, supporting, or diagnosing the operator’s site, service or operations.
  • The contract between Technology Providers and the educational agency or institution must include appropriate security safeguards for educational data including access controls for only authorized employees or contractors. The contract must also provide that employee or contractor access is permitted only if the access is needed to allow them to fulfill their official duties.
  • Public educational agencies and institutions must provide parents and students with “direct and timely notice” of any “curriculum, testing, or assessment technology provider contract” affecting student education data. The notice must include certain provisions that identify the Technology Provider, the educational data affected, contact information for parents or students to ask questions, and an opportunity to inspect the contract.

School-Issued Devices

The Act prohibits a government entity or Technology Provider from electronically accessing or monitoring the following:

  • Any location-tracking feature of a School-Issued Device.
  • Any audio or visual receiving, transmitting or recording feature of a School-Issued Device.
  • Any student interactions with a School-Issued Device, including keystrokes and web-browsing activity.

However, there are exceptions to these prohibitions where (1) the activity relates to noncommercial educational purposes for instruction, technical support, or exam-proctoring with advance notice, (2) the activity is permitted under a judicial warrant, (3) the School-Issued Device is missing or stolen, (4) the activity is necessary to respond to an imminent threat to life or safety and access is limited to that purpose, or (5) the activity is necessary to comply with federal or state law or to participate in federal or state funding programs. If a government entity or Technology Provider interacts with a School-Issued Device to respond to an imminent threat, notice must be provided within 72 hours of the access unless the notice itself would create an imminent threat to life or safety. In the latter event, notice must be given within 72 hours after the imminent threat has ceased.

The Act provides students and parents with greater protections against unwanted surveillance and usage of educational data by Technology Providers, and also provides clarity over ownership of student data in the possession of a Technology Provider and steps to be taken by the Technology Provider when a breach of security occurs.

In the event of a breach or data compromise, the Constangy Cyber team is here to help.  You can reach us 24 hours a day, 7 days a week at BreachResponse@constangy.com or #877-382-2724 (877-DTA-BRCH).

  • Lauren Godfrey
    Partner

    Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
