California Education Code – AB 1584
Section 49073.1 is added to the Education Code, to read:
(a) A local educational agency may, pursuant to a policy adopted by its governing board or, in the case of a charter school, its governing body, enter into a contract with a third party for either or both of the following purposes:
(1) To provide services, including cloud-based services, for the digital storage, management, and retrieval of pupil records.
(2) To provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the contractual provisions listed in subdivision (b).
(b) A local educational agency that enters into a contract with a third party for purposes of subdivision (a) shall ensure the contract contains all of the following:
| Law |
Notes |
| (1) A statement that pupil records continue to be the property of and under the control of the local educational agency. | See High5.ID security statement, section 2.2 |
| (2) Notwithstanding paragraph (1), a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account. | See High5.ID security statement, section 3.2 |
| (3) A prohibition against the third party using any information in the pupil record for any purpose other than those required or specifically permitted by the contract. | See High5.ID privacy policy, section 2.
See High5.ID security statement, sections 2.5-2.7. |
| (4) A description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information. | See High5.ID security statement, section 6.5.and 6.6 |
| (5) A description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records. Compliance with this requirement shall not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of pupil records. | See High5.ID security statement, section 6.1 |
| (6) A description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records. | See High5.ID security statement, section 6.2 |
| (7) (A) A certification that a pupil’s records shall not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced. | See High5.ID security statement, section 6.3 |
| (B) The requirements provided in subparagraph (A) shall not apply to pupil-generated content if the pupil chooses to establish or maintain an account with the third party for the purpose of storing that content pursuant to paragraph (2). | See High5.ID security statement, section 6.3 |
| (8) A description of how the local educational agency and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g). | [topic of another document] |
| (9) A prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising. | See High5.ID security statement, section 2.5 |