On July 24, 2024, Governor DeWine signed into law Senate Bill 29 (“SB 29”), with an effective date of October 24, 2024. The Bill amends certain sections of the law and enacts new sections of law regarding student education records and student data privacy.

Use of Educational Records by Technology Providers, Security Safeguards, and Breach

SB 29  governs the collection, use, and protection of educational records by technology providers.

“Technology Provider” is defined as “a person who contracts with a school district to provide a school-issued device for student use and creates, receives, or maintains educational records pursuant or incidental to its contract with the district.”

A "school-issued device" means “hardware, software, devices, and accounts that a school district, acting independently or with a technology provider, provides to an individual student for that student's dedicated personal use.”

Under SB 29, a contract between a technology provider and a school district must ensure appropriate security safeguards for educational records and must include the following:

1. A restriction on unauthorized access by the technology provider's employees or contractors;

2. A requirement that the technology provider's employees or contractors may be authorized to access educational records only as necessary to fulfill the official duties of the employee or contractor.

Additionally, the contract should ensure that educational records created, received, maintained, or disseminated by a technology provider remain the sole property of the school district. Further, if educational records/student data maintained by the technology provider are subject to a breach of security, the technology provider must disclose to the school district any personal information that was accessed due to the breach.  

The contract must also prohibit the technology provider from selling, sharing, or disseminating educational records, except as provided by law or as part of a valid delegation or assignment of its contract with a school district. However, the provider may use aggregate information devoid of any personally identifiable information for improving, maintaining, developing, supporting, or diagnosing the provider’s site, service, or operation.

If the contract between the school district and the technology provider is not renewed, within 90  days the of the contract’s expiration, the technology provider must destroy or return all educational records created, received, or maintained pursuant or incidental to the contract.

Notice to Parents

Not later than August 1 of each school year, each school district must provide parents and students direct and timely notice, by mail, electronic mail, or other direct form of communication, of any curriculum, testing, or assessment technology provider contract affecting a student's educational records. The notice must do all of the following:

1. Identify each curriculum, testing, or assessment technology provider with access to educational records;

2. Identify the educational records affected by the curriculum, testing, or assessment technology provider contract;

3. Include information about the contract inspection and provide contact information for a school department to which a parent or student may direct questions or concerns regarding any program or activity that allows a curriculum, testing, or assessment technology provider access to a student's educational records.

Each school district shall provide parents and students an opportunity to inspect a complete copy of any contract with a technology provider.

This law does not take effect until October 24, 2024, well beyond the August 1 deadline regarding notice to parents for this school year. Fortunately, the effective date of this law gives school districts time to take inventory of all curriculum, testing, or assessment technology provider contracts, the educational records affected by those contracts, and information regarding the contract vetting process and contact information where parents/students may direct questions. It is advisable that districts consider updates that may be necessary to the vetting process in light of this new inspection.

Limitations on Accessing or Monitoring School-Issued Devices

According to newly enacted law per SB 29, a school district or technology provider cannot electronically access or monitor any of the following:

1. Location-tracking features of a school-issued device;

2. Audio or visual receiving, transmitting, or recording feature of a school-issued device;

3. Student interactions with a school-issued device, including, but not limited to, keystrokes and web-browsing activity.

SB 29 waives this prohibition when the access or monitoring is any of the following circumstances:

1. Limited to a noncommercial educational purpose for instruction, technical support, or exam-proctoring by school district employees, student teachers, or contractors, vendors, or the Department of Education, provided advance notice is given;

2. Permitted under a judicial warrant;

3. Based upon the device being missing or stolen;

4. Necessary to prevent or respond to a threat to life or safety, and limited to that purpose;

5. Necessary to comply with federal or state law; or

6. Necessary to participate in federal or state funding programs.

When a school district or technology provider elects to generally monitor a school-issued device for any of the circumstances outlined above, the school district must provide annual notice of that fact to its students’ parents. In the event that one of the circumstances is triggered, the school district must give notice of that fact to the student’s parent within 72 hours. The 72-hour notice must include a written description of the triggering circumstance, identifying which features of the device were accessed and a description of the threat, if any. If notice would pose a threat to life or safety, it must instead be given within 72 hours after the threat has ceased.

School districts must be prepared to issue the annual notice no later than October 24, 2024, as well as any 72-hour notice if triggered. It is important that districts still disclose to parents the monitoring of student internet access/usage, even if required by federal law (for example, E-rate funding and the Children Internet Protection Act), as well as provide notice of any software, programs, and/or third-party providers that monitor student access/usage for possible harmful content, threats, abuse, violence, etc. While these reasons are permissible, annual notice and trigger notice must still be provided to parents.

Educational Support Services Data and Public Record Exemption

The Public Records Act (R.C. 149.43) contains a list of records and types of information removed from the definition of “public record,” which therefore are not subject to disclosure if requested by a member of the public. For example, “educational records” are not subject to public disclosure under R.C. 149.43, to ensure student privacy - this would include records like student grades, attendance, discipline, and any other records directly related to a student.

SB 29 amends R.C. 149.43 to include an additional exemption from the definition of a public record. Now, R.C. 149.43 prohibits the release of “[e]ducational support services data, as defined in section 3319.325 of the Revised Code.” Under that law, “educational support services data” is “data on individuals collected, created, maintained, used, or disseminated relating to programs administered by a school district board of education or an entity under contract with a school district designed to eliminate disparities and advance equities in educational achievement for youth by coordinating services available to participants, regardless of the youth's involvement with other government services.”

While “educational support services data” is not considered a public record and therefore cannot be released, SB 29 makes clear that this data must be made available to the Opportunities for Ohioans with Disabilities Agency to support that agency's duties and supports to individuals with disabilities.

School districts must be aware that if there is a request for records that fall within the definition of “educational support services data,” it must be denied based on this exemption, unless another statute requires disclosure.

Licensure Penalties for Release of Confidential Information

Currently, R.C. 3319.31 provides authority to the State Board of Education to refuse to issue a license or to suspend, revoke, or limit a license that has already been issued for reasons issued in law, including certain criminal convictions, violent offenses, and/or immoral act(s) or conduct that is unbecoming to the profession.

The Licensure Code of Professional Conduct considers conduct unbecoming to the profession to include publishing or providing access to certain confidential student information, using confidential student information in a non-professional manner, and/or violating confidentiality laws related to standardized tests and resources.

SB 29 adds the following to the listed reasons that the State Board may take action on a license: “[u]sing or releasing information that is confidential under state or federal law concerning a student or student's family members for purposes other than student instruction.”

School districts should be aware that the Bill provides stronger protection to confidential student information by limiting the release of such information to the release for the purpose of student instruction.