Bethel Data Privacy PA-189

Bethel Public Schools Privacy Overview

Commitment to Student Privacy:

Bethel Public Schools is committed to innovative teaching and learning using a 21st-century personalized curriculum with 1:1 digital resources available in a protected anytime, anywhere learning environment. While we are dedicated to providing rich, relevant, and rigorous resources, we will only do so in compliance with Federal and State laws on student data privacy. These pages are designed to inform the community and address concerns about how Bethel Public Schools protects and informs staff, students, and parents when using digital resources in our district.

Plan Overview:

  1. Ensure we are compliant with Federal Privacy Acts and have parent sign off on our Parent Student Handbook
  2. Unpack, analyze, and apply the new PA-189 criteria to our district (see below)
  3. Communicate with the State Department of Education, State Commission for Educational Technology, and other school districts on best practices on student data privacy
  4. Create and post information as it relates to student data privacy
  5. Establish a vetting process for digital resources in our district
  6. Train staff and students in best practices as they relate to student data privacy
  7. Keep our community informed on our efforts and best practices regarding student data privacy

The Law

On June 9, 2016, Governor Malloy signed into law Public Act 16-189, “An Act Concerning Student Data Privacy” (the “Act”), which ushers in sweeping changes to the protection and use of student data. As schools increasingly turn to software, web-based learning, mobile apps, cloud computing and other electronic methods to improve student outcomes and the educational experience, the Act sets forth minimum privacy and contractual standards for all parties involved in the creation, use, or handling of student data. Unless otherwise noted, the Act’s requirements are effective October 1, 2016.

The law designates ten requirements for three types of student data: (a) directory information, (b) personally identifiable information, and (c) student-generated content. These ten requirements apply to three categories of vendors using student data, namely operators, contractors, and consultants. Our Bethel contract contains language that directly addresses these terms and the ten requirements each vendor must sign off on. See PA-189 Contract Checklist for these ten contract requirements.


OLR Bill Analysis

sHB 7207



This bill makes the following changes in the education statutes governing student data privacy:

1. extends the date by which local or regional boards of education must begin entering into written contracts with entities with which they share student data (§ 1);

2. modifies the deadline by which a board of education must electronically notify students and their parents or guardians about a breach of student data security from 48 hours to two business days after learning of the breach (§ 2);

3. requires the State Department of Education to provide guidance to boards of education on how to implement the (a) federal Family Educational Rights and Privacy Act (FERPA), which protects student education records, and (b) state's student data privacy laws (§ 3);

4. adds to the members of the student data privacy task force (see BACKGROUND) an attorney with expertise in Connecticut school law, replacing the Connecticut high school student member (§ 4); and

5. extends the task force reporting deadline by one year, from January 1, 2017 to January 1, 2018 (§ 4).

EFFECTIVE DATE: Upon passage, except the provisions about data security breach notice (§ 2) take effect July 1, 2017.


Under current law, boards of education must enter into written contracts with contractors with whom they share student information, student records, or student-generated content beginning October 1, 2016. The bill postpones this start date to July 1, 2018.

Additionally, the bill specifies that any such contract entered into on and after July 1, 2018, rather than October 1, 2016, is void if it lacks any of the provisions required by law (see BACKGROUND). Existing law requires the board to give the contractor reasonable notice to amend the contract to include the missing provisions, however. It also specifies that a contractual provision is void if it conflicts with any of the provisions required by law beginning on July 1, 2018, rather than October 1, 2016.


Required Contractual Provisions

By law, a contract between a board of education and a contractor with whom it shares or provides access to student data must state the following:

1. student records, student information, and student-generated content are not the property of, or under the control of, a contractor;

2. the contractor will not use student information, student records, and student-generated content for any purposes except those the contract authorizes;

3. the contractor must take actions designed to ensure security and confidentiality of student information, student records, and student-generated content;

4. the contractor will not retain or have available student information, student records, or student-generated content after completing the contracted services unless a student, parent, or guardian chooses to establish or maintain an electronic account with the contractor to store student-generated content (e.g., essays, research papers, portfolios, creative writing, music, audio files, or photographs, but not standardized assessment responses);

5. the contractor and the board of education must ensure compliance with FERPA;

6. Connecticut law governs the rights and duties of all parties to the contract; and

7. a court finding of invalidity of any contract provision does not invalidate other contract provisions or applications not affected by the finding.

The contract must also describe the following:

1. how the board of education may request deletion of student information, student records, or student-generated content in the contractor's possession;

2. procedures for a student, parent, or guardian to (a) review personally identifiable information in student information, student records, and student-generated content and (b) correct erroneous information, if any, in the record; and

3. procedures that a contractor must follow to notify the board of education when there has been an unauthorized release, disclosure, or acquisition of student information, student records, or student-generated content (CGS § 10-234bb).

Student Data Privacy Task Force

This task force must examine various student data privacy topics, including (1) notice to students and parents when websites or mobile applications are being used for class assignments; (2) strategies other states use to train schools, contractors for student data services, and website operators in data security handling; and (3) reasonable penalties for contractors and operators who violate state student data privacy laws (Public Act 16-189, § 5).

Connecticut PA-189 Requirements 2016

Here is Bethel Public Schools' mandatory response and preparation for each of the seven criteria expressed by Shipman & Goodwin:

  1. Conduct an in-district inventory of all internet websites, online services, and mobile applications teachers in the district are using in conjunction with the education of students;
    See Bethel Software Services Contracts

  2. Prepare a draft contract and student/parent notice of contracts that will be posted on the district’s website and sent electronically to students/parents;
    Link to Bethel Contract and Parent Letter of Notice

  3. Review Requests for Proposal (RFP) documents and templates to ensure that the documents requested from potential vendors contain information on the privacy topics addressed in the Act, so that the board of education can incorporate privacy concerns in its decision-making process;
    Link to PA-189 RFP document Checklist

  4. Consider implementing a data privacy screening tool for potential vendors, which may or may not be included as part of an RFP. The screening tool can provide some assurances to boards of education that vendors are aware of the requirements and have taken action to comply with them;
    Link to PA-189 RFP document Checklist

  5. Review and consider revision to the board’s Student Records Policy to ensure compliance with the Act and relevant provisions of FERPA;
    Link to Bethel BOE CABE documents

  6. Develop a preferred description of the actions the board of education will expect a contractor to take to ensure student record security and confidentiality, including administrative, physical and technical standards; and
    Link to PA-189 RFP document Checklist

  7. Prepare a procedure to govern who is responsible for receiving notice of data breaches and how the district will respond to such notification.
    Link to Breach process and notification letter

    Source: Shipman & Goodwin