Cloud Computing and Education in the State of Kentucky
Kentucky HB 232 is a student data privacy law that was enacted in 2014. As online access and communication continue to play an essential role in the manner in which many K-12 students around the country pursue their respective educational careers, HB 232 was passed for the purpose of regulating the personal information and data that students share with cloud computing service providers when attending school. With this being said, the law both provides a clear and concise definition of the terms cloud computing and cloud computing service providers, and also outlines the responsibilities that these service providers have as it concerns protecting the confidentiality of student data.
How is a cloud computing service defined under the law?
Under Kentucky HB 232, a cloud computing service is defined as “a service that provides, and that is marketed and designed to provide, an educational institution with account-based access to online computing resources.” Alternatively, the law defines a cloud computing service provider as “any person other than an educational institution that operates a cloud computing service.” To this point, the law defines an educational institution to mean “any public, private, or school administrative unit serving students in kindergarten to grade twelve”, while a person is defined as “an individual, partnership, corporation, association, company, or any other legal entity.”
What are the duties of cloud computing service providers?
The student data protection and privacy responsibilities that cloud computing services providers and other associated entities have under the provisions of Kentucky HB 232 include:
- Cloud computing service providers are prohibited from processing personal data pertaining to students for any purpose other than providing, improving, developing, or maintaining the integrity of cloud computing services. However, cloud computing service providers are permitted to process the personal data of a student if the parent or guardian of the student in question gives them permission to do so.
- Cloud computing service providers are prohibited from using personal student data for the purpose of engaging in targeted advertising.
- Cloud computing service providers are prohibited from selling or renting personal data pertaining to their students.
- Cloud computing service providers are prohibited from using personal data obtained from students for the purpose of amassing an online profile for said students.
- Cloud computing service providers must ensure that any agreements or contracts that they force with educational institutions within the state of Kentucky are in accordance with the provisions of the law.
- Cloud computing service providers that are found to be in violation of the law are subject to administrative regulations imposed by the Kentucky Board of Education.
What data elements are protected under the law?
The data elements concerning K-12 students within the state of Kentucky that are legally protected from unauthorized access, use, and disclosure under HB 232 include but are not limited to:
- Student names.
- Email addresses.
- Postal addresses.
- Phone numbers.
- Dates and places of birth.
- Student identification numbers.
- Driver’s licenses.
- Social security numbers.
- Mother’s maiden name.
- Transcript data.
- Photos and voice recordings.
- Healthcare and medical records.
Student data privacy and redaction
When looking to comply with legislation such as Kentucky HB 232, automatic redaction software can be used to safeguard the integrity and confidentiality of student records and information. These redaction software programs allow educational institutions to render student data inaccessible, ensuring that it won’t be able to fall into the hands of cybercriminals and other bad actors. What’s more, as these software programs contain automatic functionality, educators can also save valuable time and resources when protecting student data and privacy, instead of allocating these resources to other areas of education such as the pursuit of post-secondary educational opportunities.
Just as the advent of cloud computing has altered the manner in which professionals handle their responsibilities and tasks in the business world, the technology has also changed the way in which students pursue their education. To this end, Kentucky HB 232 gives parents within the state the peace of mind that the personal privacy of their school-aged children cannot be infringed upon without consequence. As students do not have the means to protect themselves from the adverse effects of being involved in a cyberattack, legislation such as HB 232 is very much needed to prevent such occurrences whenever possible.