Rhode Island, Data Privacy, Social Media and Cloud Services

Rhode Island’s H 7124 is a social media and cloud service provider data privacy law that was passed in the U.S. state of Rhode Island in 2014. In contrast to many other student data privacy laws around the country, H 7124 was passed for the purpose of regulating the interactions that students, teachers, and other related faculty members have with social media websites and cloud computing services in the context of K-12 educational pursuits. To this point, the law places responsibilities on educational institutions and cloud service providers as it concerns the level of access and privacy that students, teachers, and faculty members within Rhode Island are afforded in relation to their social media and cloud computing service usage.

How are social media accounts and cloud computing defined under the law?

Under Rhode Island’s H 7124, a social media account is defined as “an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online service or accounts, or Internet website profiles or locations. For the purposes of this chapter, social media account does not include an account opened at a school’s behest, or provided by the school, or intended to be used primarily on behalf of the school.” Alternatively, the law defines student data as “any information in any media or format created or provided: (i) By a student; or (ii) By a school board employee about a student in the course of using a cloud computing service, including the student’s name, email address, postal address, email message, documents, unique identifiers, and metadata.”

Conversely, the law defines a cloud computing service as “a service that enables convenient on-demand network access to a shared pool of configurable computing resources to provide a student, teacher, or staff member account-based productivity applications such as email, document storage, and document editing that can be rapidly provisioned and released with minimal management effort or cloud computing service provider interaction.” Furthermore, the law defines a cloud computing service provider as “an entity other than a public elementary or secondary school that operates a cloud computing service.”

What are the duties of educational institutions under the law?

Under the provisions of Rhode Island’s H 7124, educators, school administrators, cloud computing service providers, and associated third parties have the following duties and responsibilities as it relates to data protection and personal privacy:

• Educational institutions are prohibited from requiring, coercing, or requesting a student, prospective student, educator, or faculty member provide them with the password to any of their social media accounts, or any other forms of information that could be used to permit access to such accounts.
• Educational institutions are prohibited from requiring students, prospective students, or applicants to provide them with access to their social media accounts as a condition of acceptance or participation in a particular course, extracurricular activity, or other related school activity. Moreover, educational institutions are also prohibited from requiring students to alter the settings of their social media accounts to allow for third-party access.
• Educational institutions are prohibited from requiring students, educators, or faculty members to divulge any personal information that may be contained within their social media accounts.
• Educational institutions are prohibited from discharging, disciplining, or penalizing students, educators, or faculty members for failing to provide them will their social media account login credentials.
• Cloud computing service providers are only permitted to collect and process information obtained from students within the state of Rhode Island for the purpose of providing them with cloud computing services, notwithstanding any legislation to the contrary.
• Cloud computing service providers that enter into contracts with educational institutions within the state of Rhode Island are required to certify in writing that they will comply with all provisions of the law.

What are the penalties for violating Rhode Island’s H 7124?

Educational institutions and cloud service providers that fail to comply with Rhode Island’s H 7124 are subject to a number of sanctions and penalties. Such punishments include:

• A monetary award to a student, prospective student, or applicant, including student declaratory relief, damages, and reasonable attorney costs and fees.
• An award of injunctive relief against any school, educational institution, could service provider, or associated third party that proposes or commits a violation of any of the provisions set forth in the law.

Through the provisions of Rhode Island’s H 7124, students within the state were provided with a modicum of legal protection as it relates to the personal information they share via their social media accounts and cloud services. What’s more, the law also provides safeguards for teachers and other related school employees, as these individuals are also afforded legal protections in terms of the forms of personal information they disclose via the internet. While many student data privacy laws at the U.S. state-level pertain largely to the data and privacy protection of students, lawmakers around the country will have to consider the implications of failing to protect the personal information and privacy of the employees that teach students when drafting legislation moving forward.