Privacy Compliance

With the passage of Connecticut General Statutes §§ 10-234aa through 10-234dd, K-12 school districts are required to comply with all provisions of the law to not only ensure the privacy of student data but also notify students and parents in the event of a data breach. For more information regarding the specific definitions of terms used within the law, please refer here. Below is a brief overview of the obligations of both the Contractor and the District.

Contractor Obligations

• A contractor shall implement and maintain security procedures and practices designed to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure.
• Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of student information, excluding any directory information contained in such student information, a contractor shall notify, without unreasonable delay, but not more than thirty (30) days after such discovery, the local or regional board of education of such breach of security.
• Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of directory information, student records or student-generated content, a contractor shall notify, without unreasonable delay, but not more than sixty (60) days after such discovery, the local or regional board of education of such breach of security.

District Obligations

• On and after October 1, 2016, a local or regional board of education shall enter into a written contract with a contractor any time such local or regional board of education shares or provides access to student information, student records or student-generated content with such contractor.
• Within five (5) days of entering into any new or renewed contract with an educational technology operator, districts need to electronically communicate (CPS Product Notification page) directly with students and their parents or guardians the following information: date of contract execution, brief description of the contract and the purpose of the contract, and the student information, student records, or student-generated content that may be collected as a result of the contract.
• Upon receipt of notice of a breach of security, a local or regional board of education shall electronically notify, not later than forty-eight (48) hours after receipt of such notice, the student and the parents or guardians of the student whose student information, student records or student-generated content is involved in such breach of security. The local or regional board of education shall post such notice on the board's Internet website. (CPS Breach Notification page)

Connecticut Commission for Educational Technology. “Student Data Privacy: A Toolkit for Connecticut School Districts.” Connecticut Educational Software Hub, www.ct.gov/ctedtech/cwp/view.asp?a=1182&q=253410.

Websites that are collecting information from children under the age of thirteen (13) are required to comply with the Children's Online Privacy Protection Act (COPPA) as enforced by the Federal Trade Commission (FTC) .