Student Data Privacy Law in the State of Georgia
March 29, 2022 | 4 minutes read
Georgia’s Student Online Personal Information Protection Act); Student Data Accessibility, Transparency & Accountability Act, also known as SB 89, is a student data privacy law that was passed in the U.S. state of Georgia in 2015. SB 89 sets forth the requirements that online operators within the state of Georgia are responsible for adhering to as it concerns the protection of the personal information and privacy of students within the state. More specifically, the law “acknowledges that student data is a vital resource for parents, teachers, and school staff, and it is the intent of the General Assembly to ensure that student data is safeguarded and that students’ and parents’ privacy is honored, respected, and protected.”
How is the term online operator defined under the law?
Under Georgia’s SB 89, an online operator is defined as “any entity other than the department, local boards of education, the Georgia Student Finance Commission, or schools to the extent that the entity: (A) Operates an Internet website, online service, online application, or mobile application with actual knowledge that the website, service, or application is used for K-12 school purposes and was designed and marketed for K-12 school purposes to the extent that it is operating in that capacity; and collects, maintains, or uses student personally identifiable information in a digital or electronic format.” Conversely, the law defines a state data system as “the department state-wide longitudinal data system 90 established pursuant to Code Section 20-2-320.”
What are the duties of online operators and educators under SB 89?
Under the provisions of SB 89, online operators, educators, and school administrators that serve students within the state of Georgia have a number of obligations and responsibilities as it relates to the protection of data and privacy of said students. These responsibilities include but are not limited to:
- Developing and implementing data security training measures and policies, including administrative, physical, and technical safeguards.
- Developing the protocol that needs to be followed in the event that a data breach occurs, including notifications, remediations, and other relevant procedures.
- Creating policies that govern the retention and disposal of personal data.
- Ensuring that the Georgia State School Superintendent designates a “senior department employee” to serve as the chief privacy officer for all educational institutions and school boards within the state. This designated senior employee is responsible for implementing data security and privacy policies, including conducting privacy impact assessments, establishing a model process that parents and guardians within the state can use “to file complaints of privacy violations or inability to access his or her child’s education records against the responsible local board of education”, and ensuring that all student data is handled in accordance with the provisions of the Family Educational Rights and Privacy Act or FERPA, among other responsibilities.
- Providing the technical assistance, guidance, and community outreach necessary to foster a culture of privacy protection, data security, and transparency between online operators, students, school administrators, and parents and guardians.
- Ensuring that the personal data of students is not used to engage in targeted advertising or marketing.
What categories of personal data are covered under Georgia’s SB 89?
Under the provisions of Georgia’s SB 89, the data elements that are legally protected from unauthorized access, use, modification, disclosure, and destruction include but are not limited to the following:
- First and last names.
- The names of parents and other family members.
- Phone numbers.
- Email addresses.
- Physical addresses.
- Personal identifiers, such as student identification numbers.
- Indirect identifiers, such as dates and places of birth.
- Administered assessment results at both the state and local levels.
- Participation information.
- Course grades and grade point averages.
- Credits earned.
- Degrees, diplomas, and credential attainment.
- Attendance and mobility information.
- Socioeconomic information.
- Text messages and documents.
- Search activity, photos, and voice recordings.
What are the penalties for violating Georgia’s SB 89?
The provisions established in Georgia’s SB 89 are enforceable by the Georgia State Board of Education. To this point, the law states that “the State Board of Education may adopt rules and regulations necessary to implement the provisions of this article.” With this being said, the provisions of the law provide parents of students within the state of Georgia with the right to file a complaint with the State Board of Education should they feel as though their children’s rights have been violated under the law. Moreover, violations of Georgia’s SB 89 may also be violations of the Family Educational Rights and Privacy Act or FERPA.
While many U.S. states have passed legislation aimed at protecting the personal information and privacy of their respective students, the provisions of Georgia’s SB 89 also promote the level of communication and transparency that is necessary to ensure such protections are being afforded to students in an effective and efficient manner. Furthermore, the law also places obligations and responsibilities on the Georgia State Board of Education, educational institutions, and school administrators, in addition to online operators and school districts. Through this comprehensive approach to data privacy, parents and guardians within the state have the legal means to ensure that the privacy of their school children is being safeguarded at the highest level possible.