Student Data Privacy Requirements in the State of Tennessee
Tennessee’s Student Online Personal Information Protection Act, otherwise known as HB 1931/SB 1900, is a student data protection law that was enacted in 2016. HB 1931/SB 1900 was passed to amend previous data protection legislation that had been passed in the state, which took the form of the Student Data Accessibility, Transparency & Accountability Act which was enacted in 2014. As such, HB 1931/SB 1900 amends and updates the requirements that educators and online operators within the state of Tennessee must adhere to when managing the personal data of students. Furthermore, the law also outlines the specific categories of personal data that are protected from unauthorized access, use, and dissemination.
How is the term online operator defined under the law?
Under Tennessee’s HB 1931/SB 1900, an online operator is defined as “the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and is designed and marketed for K-12 school purposes”. Conversely, the law defines k-12 school purposes to mean “purposes that are directed by or that customarily take place at the direction of a K-12 school, teacher, or LEA or that aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration among students, school personnel, or parents, or are otherwise for the use and benefit of the school.”
What are the duties of online operators under the law?
The duties that online operators have under Tennessee’s HB 1931/SB 1900 include:
- Online operators are forbidden from using the personal data of students for the purpose of engaging in targeted advertising activities.
- Online operators are forbidden from using personal data obtained from students, such as persistent unique identifiers, for the purpose of amassing an online profile for said students, unless such a profile will be used solely for the furtherance of educational endeavors.
- Online operators are forbidden from selling or renting the personal data of their respective students.
- Online operators are responsible for both implementing and maintaining reasonable security measures and procedures that can effectively protect the personal data of students from unauthorized access, use, modification, destruction, and disclosure.
- Online operators are responsible for deleting the personal data of a student after a reasonable period of time upon receiving such a request from a student’s parent or guardian, or the educational institution in which the student is enrolled.
What data elements are protected under the law?
Tennessee’s HB 1931/SB 1900 protects the following data elements pertaining to students enrolled in K-12 educational institutions within the state from unauthorized access, use, and transfer:
- First and last names.
- Home addresses.
- Email addresses.
- Disability information.
- Race, ethnicity, and gender information.
- Medical and healthcare information.
- Dates of birth.
- Academic year.
- Student event or participation information.
- Student state identification numbers.
- Attendance information.
- Credits attempted and earned.
- Juvenile delinquency records.
- Social security numbers.
- Grades and grade point averages.
Enforcement of the law
As it concerns the enforcement of Tennessee’s HB 1931/SB 1900, the provisions set forth in the law are enforceable by the Tennesse attorney general. More specifically, the law states that “the attorney general and reporter shall have the authority to conduct civil investigations and bring civil actions.” As such, online operators, educators, and other related school personnel that are found to be in violation of the law are subject to a number of civil penalties, to be imposed at the discretion of the Tennessee attorney general. Moreover, violations of Tennessee’s HB 1931/SB 1900 also constitute an unfair or deceptive practice under the Tennessee Consumer Protection Act of 1977.
As many students around the country have been forced to submit their personal data to statewide longitudinal data systems for the purposes of furthering their educational careers, legislation is needed around the U.S. to protect these data elements. To this point, Tennessee’s HB 1931/SB 1900 serves to protect the various data elements that K-12 students around the state disclose to their respective teachers, online operators, and support personnel, ensuring that this information is safeguarded and secured from unauthorized use and disclosure, as well the adverse consequences of being involved in a data breach.