As we previously reported, on March 21, 2020, Governor Lamont issued Executive Order 7I, Protection of Public Health and Safety During COVID-19 Pandemic and Response – Municipal Operations and Availability of Assistance and Healthcare, which permitted the Commissioner of Education (“Commissioner”) to temporarily waive any requirements included in Connecticut’s student data privacy laws, Conn. Gen. Stat. §§ 10-234aa through 10-234dd, during school closures resulting from the pandemic. Please refer to our March 22, 2020 post detailing various requirements of Connecticut’s student data privacy law. On March 23, 2020, the Commissioner issued a Memorandum to all superintendents identifying “temporary flexibilities” in the student data privacy laws and providing guidance to schools in their use of internet-based tools during the school closure as relating to data privacy.

The Commissioner’s temporary waiver is strictly limited to the contracting requirements identified in Conn. Gen. Stat. § 10-234bb.  As the Commissioner explained, “effective immediately, and for the duration of the cancellation of in-school classes, districts may bypass the process of crafting individual contracts for new technology solutions that fall under the data privacy statute.” Instead of entering into individual contracts, districts may use any of the educational technology offered by companies that have signed Connecticut’s Student Data Privacy Pledge, available on the Connecticut Educational Software Hub. In signing the Pledge, providers agree that they will comply with Connecticut’s student data privacy protections. A list of the pledged products can also be found here. Please note that the following platforms can also be used because they have negotiated contract terms directly with the Connecticut Commission for Educational Technology: Apple, Google, Code.org, and Khan Academy.

School districts must be aware that all other aspects of Connecticut’s student data privacy laws still apply; this includes but is not limited to the requirements for and prohibitions on the use of student data by operators, under Conn. Gen. Stat. § 10-234cc; and the breach notification requirements for schools and operators, under Conn. Gen. Stat. § 10-234dd.  Moreover, schools are still permitted to use the internet-based educational technology for which they already have contracts in accordance with Connecticut law, or technology that does not fall under the law’s contracting requirements.  School districts are also still permitted to enter into contracts with these providers, or in the alternative, may request that vendors sign onto the Student Data Privacy Pledge, as suggested in the Commissioner’s Memorandum.

Schools are cautioned that additional laws may be implicated through the use of internet-based services for students, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”). Schools are permitted to provide third parties with personally identifiable information (“PII”) of students under FERPA with parent consent or if an applicable exception applies. The “school official” exception will permit the school to release PII to an online education provider, without parent consent, as long as the online provider: (1) “performs an institutional service or function for which the school or district would otherwise use its own employees”; (2) “has been determined to meet the criteria set forth in the school’s or district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records”; (3) “is under the direct control of the school or district with regard to the use and maintenance of education records”; and (4) “uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA).” See 34 C.F.R. § 99.31. Importantly, by signing the Student Data Privacy Pledge, vendors agree that they will comply with FERPA in their use of and access to student data. As such, the required elements of the school official exception are likely met for these online providers.  The Student Privacy Policy Office of the U.S. Department of Education recently issued “FERPA and Virtual Learning Related Resources,” which reviews school district obligations under FERPA and other federal laws in connection with distance learning.

The intent of the Governor’s Executive Order and the Commissioner’s subsequent Memorandum are to assist schools in the provision of distance learning during these unprecedented times, while still protecting student data. Schools should always exercise caution in releasing student data to third parties. Even though Connecticut’s student data privacy contracting requirements have been temporarily relaxed, schools should continue to make student privacy a top priority in their provision of distance learning during school closures.

Please continue to monitor ctschoollaw.com for updates concerning COVID-19.  You may subscribe to receive automatic updates, or you may visit our COVID-19 Resource Center, where we have gathered all of the guidance we have issued so far as well as state and federal guidance under the heading “For Schools.” If you have specific questions about online learning tools and contract requirements, please contact Gwen J. Zittoun at gzittoun@goodwin.com or Chris Tracey at ctracey@goodwin.com.