Amended Student Data Law in the State of Virginia

Virginia’s Student Online Personal Information Protection Act or SOPIPA, also known as SB 951, is a student data protection law that was amended in the U.S. state of Virginia in 2017. As the personal information of all individuals around the world, including students, can be obtained and used for both business-related and nefarious purposes, Virginia’s SOPIPA was amended to provide students with further protections as it relates to the personal information they disclose to educators and school service providers when pursuing their various educational objectives. With this being said, SB 951 mandates that educators and school service providers within the state of Virginia take various steps and measures to protect the personal data and privacy of their respective students.

How are school services defined under Virginia’s SB 951?

Under Virginia’s SB 951, a school service is defined as “a website, mobile application, or online service that (i) is designed and marketed primarily for use in elementary or secondary schools; (ii) is used (a) at the direction of teachers or other employees at elementary or secondary schools or (b) by any school-affiliated entity; and (iii) collects and maintains, uses, or shares student personal information. “School service” does not include a website, mobile application, or online service that is (a) used for the purposes of college and career readiness assessment or (b) designed and marketed for use by individuals or entities generally, even if it is also marketed for use in elementary or secondary schools.”

What are the duties of school service providers under the law?

Under the provisions of SB 951, the responsibilities that school service providers within the state of Virginia have as it concerns protecting the personal data and privacy of students include but are not limited to:

• School service providers are responsible for providing students and their families with clear and easily understandable information regarding the categories of personal information that will be collected from students, as well as the manner in which this information will be maintained, used, and shared.
• School service providers are responsible for implementing and maintaining a privacy policy for the purpose of governing the collection, use, and disclosure of personal information obtained from students. Moreover, school service providers are also responsible for providing prominent notice to both parents and their families regarding any changes to said policy.
• School service providers are required to implement and maintain a comprehensive information security program that is designed to protect the privacy, confidentiality, and integrity of student information, including the use of physical, technological, and administrative safeguards.
• School service providers are required to facilitate the means necessary for students to access and correct their personal information, either directly or through a student’s school or teacher.
• School service providers are only permitted to collect the personal information of students in accordance with expressed written consent. Furthermore, school service providers must also obtain consent from the parents of students that are under the age of 18 prior to collecting their personal information.

What categories of personal data are protected under the law?

Under Virginia’s SB 951, the following categories of personal information are protected from unauthorized access, use, modification, disclosure, and dissemination, in accordance with the provisions of the Family Educational Rights and Privacy Act or FERPA:

• Student names.
• Email addresses.
• Telephone numbers.
• Dates and places of birth.
• Participation information.
• Medical and health records.
• Social security numbers.
• Juvenile dependency records.
• Special education data.
• Grades and grade point averages.
• Student enrollment information.
• Attendance information.

Maintaining compliance with the law

When looking to fulfill their respective job functions and responsibilities, school service providers within Virginia will be forced to disclose the personal data of their students at some point. For example, when sending emails concerning an academic scholarship, school service providers will be forced to disclose the personal names of students, among other pertinent information. To this point, one way in which school service providers can maintain compliance with Virginia’s SB 951 is through the utilization of automatic redaction software. In keeping with the example of sending emails, school service operators could use redaction software to remove any personal information that is not relevant to the task at hand, ensuring that the personal privacy of students is upheld at all times.

As data protection and personal privacy have become more pronounced issues worldwide during the last decade, legislation has been enacted to provide data protection to consumers. As it relates to the personal information of students within the state of Virginia, the provisions of Virginia’s SB 951 protect the personal data that students share with their teachers and school service providers during the course of their respective educational journeys. As such, parents within Virginia can have the assurance that the privacy of their children is being protected when they are attending school.