To protect student privacy when students are required to use online educational services or when districts contract with third party vendors or service providers. This rule will strengthen the privacy and rights of students ....  

  •  

    DEPARTMENT OF EDUCATION

    State Board of Education

    RULE NO.:RULE TITLE:

    6A-1.0955Education Records

    PURPOSE AND EFFECT: To protect student privacy when students are required to use online educational services or when districts contract with third party vendors or service providers. This rule will strengthen the privacy and rights of students and safeguard their educational record in accordance with state and federal law.

    SUMMARY: The rule adds definitions for clarity and criteria for the circumstances when reported threats, which do not rise to a transient level, may be maintained in a student’s file. In addition, the rule requires school districts to adopt policies to protect student information when students are required to use online services. The rule will also require districts to ensure their contracts with vendors protect student information.

    SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS AND LEGISLATIVE RATIFICATION:

    The Agency has determined that this will not have an adverse impact on small business or likely increase directly or indirectly regulatory costs in excess of $200,000 in the aggregate within one year after the implementation of the rule. A SERC has not been prepared by the Agency.

    The Agency has determined that the proposed rule is not expected to require legislative ratification based on the statement of estimated regulatory costs or if no SERC is required, the information expressly relied upon and described herein: Based upon the nature of the changes, this proposed rule is not expected to have any adverse impact on economic growth, business competitiveness or any other factors listed in s. 120.541(2)(a), F.S., and will not require legislative ratification. No increase in regulatory costs are anticipated as a result of the rule changes.

    Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.

    RULEMAKING AUTHORITY: 1001.02(1), (2)(n), 1002.22(3), 1003.25(2), F.S.

    LAW IMPLEMENTED: 1001.52(2), (3), 1002.22(2), (3), 1002.221, 1003.25, 1008.405, F.S.

    A HEARING WILL BE HELD AT THE DATE, TIME AND PLACE SHOWN BELOW:

    DATE AND TIME: October 19, 2022, 9:00 a.m.

    PLACE: Caribe Royale, 8101 World Center Drive, Orlando, FL 32821.

    THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Dr. Andre Smith, Deputy Commissioner, Division of Technology and Innovation, Andre.Smith@fldoe.org.

     

    THE FULL TEXT OF THE PROPOSED RULE IS:

     

    6A-1.0955 Education Records.

    (1) Purposes. This rule applies to education records maintained to facilitate the instruction, guidance, and educational progress of pupils and adult students in programs operated under the authority and direction of a district school board or other agency or institution as defined in Section 1002.22(1), F.S. This rule is intended to further the intent of Section 1002.22(2), F.S., that the rights of students and their parents with respect to education records created, maintained, or used by public educational institutions and agencies must shall be protected in accordance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. s. 1232g, the implementing regulations issued pursuant thereto, and Sections 1002.22 and 1002.221, F.S. For the purpose of this rule, the term “education records” refers to those records that are included in the definition of “education records” found in 34 CFR §99.3.

    (2) Definitions.

    (a) “Education records” means records that are directly related to a student and that are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution, as defined in 20 U.S.C. s. 1232g(a)(4).

    (b) “Eligible student” means a student who has reached 18 years of age or is attending a postsecondary institution, at any age.

    (c) “Institution” means any public school, center, or other entity that is part of Florida’s education system under Section 1000.04(2), (4), and (5), F.S.

    (d) “Online educational service” means computer software, mobile applications (apps), and web-based tools that students or parents are required to use and access through the internet and as part of a school activity or function. Examples include online services that students or parents use to access class readings, assignments, or videos, to view learning progression, or to complete assignments. This does not include online services that students or parents may use in their personal capacity or to online services that districts or schools may use to which students or parents do not have access, such as a district student information system.

    (e) “Parent” includes parents or guardians of students who are or have been in attendance at a school or institution as defined in paragraph (2)(c).

    (f) “Personally identifiable information” or “PII” means information that can be used to distinguish or trace a student’s identity either directly or indirectly through linkages with other information, as defined in 34 CFR §99.3. PII includes, but is not limited to direct identifiers (such as a student’s or other family member’s name), indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name), and other personal identifiers (such as a student’s social security number or Florida Education Identifier (FLEID) number). PII also includes information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

    (g) “School Board or School District” means a Florida school district or district school board, charter school governing board, the Florida Virtual School (Section 1002.37, F.S.), the Florida School for the Deaf and the Blind (Section 1002.36, F.S.), and Developmental Research (Laboratory) Schools (Section 1002.32, F.S.).

    (h) “School day(s)” means any weekday that school is in session, based on the school district’s calendar;

    (i) “Student” means any individual who is or has been in attendance at an educational agency or institution and regarding whom the agency or institution maintains education records.

    (j)(a) “Therapeutic treatment plan” means a plan that identifies the mental health diagnosis, or condition, the therapy or intervention goal(s), the type of school-based mental health intervention, and the school-based mental health services provider responsible for providing the mental health intervention or therapy.

    (k)(b) “Therapy progress notes” means notes maintained by a school-based mental health services provider that summarize the focus and progress toward treatment goals(s) of each therapy or intervention session.

    (l) “Third-party vendor” or “Third-party service provider” means any entity, whether public or private, that provides services to a school board or institution through a contract or agreement. The term does not include the Florida Department of Education or the Department’s contractors and subcontractors.

    (3) Information contained in education records must shall be classified and retained as follows:

    (a) Category A: Information for each student which must shall be kept current while the student is enrolled and retained permanently in the manner prescribed by Section 1001.52(2), F.S.

    (b) Category B: Information which is subject to periodic review and elimination when the information is no longer useful in the manner prescribed by Section 1001.52(3), F.S.

    (4) Content of Category A records. The following information must shall be maintained for each student:

    (a) through (i) No change.

    (5) Content of Category B records. These records may include but are not limited to the following:

    (a) through (j) No change.

    (k) Except as provided in subsection (6), tThreat assessments done by the threat assessment team pursuant to Section 1006.07(7), F.S.,

    (l) through (s) No change.

    (6) Threat assessments.

    (a) Transient or Substantive Threats. Threat assessments determined to be transient or substantive, as defined in Rule 6A-1.0018, Fla Admin. Code, are Category B records and shall be maintained in a student’s file as long as determined useful by a threat assessment team, pursuant to Section 1006.07(7), F.S., and Rule 6A-1.0018, Fla. Admin. Code.

    (b) Non-Threats. In order to protect students from stigma and unintended consequences, reported threats which are determined by a threat assessment team not to be a threat at all, meaning the threat does not rise to the level of transient or substantive, may be maintained by the threat assessment team, but must not be maintained in a student’s file, unless one of the following conditions are met:

    1. The parent of the student who was the subject of a non-threat finding requests that the record be retained in the student’s file; or

    2. The threat assessment team has made a determination that the non-threat finding must be retained in order to ensure the continued safety of the school community or to ensure the well-being of the student.

    a. Such determination and reasoning for maintaining the record must be documented with the non-threat finding.

    b. Where such a determination is made, the threat assessment team must re-evaluate the decision on an annual basis to determine if the record is no longer useful. The student’s age and length of time since the original assessment must be considered in those evalulations.

    (7) (6)School districts must shall maintain sufficient information, to include social security numbers for adult students enrolled in a postsecondary program so that they can be located after they have either withdrawn or completed a program of study.

    (8) (7) Each school board must shall adopt a policy for educational records which must shall include:

    (a) Provisions for an annual written notice and other notices necessary to inform parents and eligible the adult students or the parent or guardian of students of their rights as defined in Section 1002.22(2), F.S., and FERPA. The district must shall develop methods of notice for informing parents and eligible the parent or guardian of students, or adult students unable to comprehend a written notice in English;,

    (b) Provisions for permitting parents and eligible students the adult student or the parent or guardian of the student who is or has been in attendance in the school district to inspect and review the education records of the student. The district must shall comply with a request within a reasonable period of time, but in no case more than thirty (30) days after it has been made;,

    (c) Provisions for parents and eligible adult students or the parent or guardian of students to exercise the right of waiver of access to confidential letters or statements. School districts must  not require that parents or eligible adult students or the parent or guardian of students waive any of their rights under Section 1002.22(2), F.S. and FERPA;

    (d) A schedule of fees and charges for copies of education records which charges no more than the fees and charges for public records as set forth in Section 119.07, F.S. In no circumstance must shall the cost reflect the costs to retrieve the education records;

    (e) A listing of the types and locations of education records maintained by the educational agency or institution and the titles and addresses of the officials responsible for those records;,

    (f) Provisions for disclosure of personally identifiable information where prior written consent of the parent or eligible adult student or the parent or guardian of students is not required;,

    (g) Provisions for disclosure of personally identifiable information where prior written consent of the parent or eligible adult student or the parent or guardian of a student, as appropriate, is required, and provisions for maintaining records of requests and disclosures;,

    (h) Provisions for the maintenance and security of student records, including procedures to ensure the confidentiality of student records and safeguard records from unauthorized or unintentional access;,

    (i) Provisions for disclosure of personally identifiable information in health and safety emergencies;,

    (j) Provisions for disclosure of directory information;,

    (k) Provisions for challenging the content of any record which the parent or eligible adult student or the parent or guardian of a student believe to be inaccurate, misleading or a violation of the right of privacy and for providing an opportunity for amendment of such information;, and

    (l) Provisions for ensuring the accuracy of information maintained and for periodic review and elimination of information no longer useful, in the manner prescribed by Section 1001.52(3), F.S.

    (9) School board and charter school governing board policies for required use of online educational services by students and parents. In order to protect a student’s PII from potential misuse and in order to protect students from data mining or targeting for marketing or other commercial purposes, school boards and charter school governing boards must adopt policies that provide for review and approval of any online educational service that students or their parents are required to use as part of a school activity. These policies are required whether or not there is a written agreement governing student use, and whether or not the online educational service is free. These policies are required even if the use of the online educational service is unique to specific classes or courses.

    (a) These policies must include the following:

    1. Review of the online educational service’s terms of service and privacy policy to ensure compliance with state and federal privacy laws, including FERPA and its implementing regulations, the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. ss. 6501-6506, and Section 1002.22, F.S.;

    2. Designation of a person or persons responsible for the review and approval of online educational services that will be required for students to use and the procedure for seeking such approval;

    3. Procedures for notifying parents and eligible students if student PII will be collected by the online educational service;

    4. Where student PII will be collected by the online educational service, procedures for notifying parents and eligible students of  information that will be collected, how it will be used, when and how it will be destroyed, and the terms of re-disclosure, if any; and

    5. An explicit prohibition against using any online educational service that will share or sell a student’s PII for commerical purposes without providing parents a means to either consent or disapprove.

    (b) For any online educational service that a student is required to use, a district must provide notice on its website of the PII information that may be collected, how it will be used, when it will be destroyed and the terms of re-disclosure. This notice must include a link to the online service’s terms of service and privacy policy, if publicly available.

    (10) (8) Procedures for transfer of education records.

    (a) The transfer of records must shall be made immediately upon written request of an eligible adult student, a parent or guardian of a student or a receiving school. The principal or designee must shall transfer a copy of all Category A and Category B information and must shall retain a copy of Category A information; however, student records which are required for audit purposes for programs listed in Section 1010.305, F.S., must shall be maintained in the district for the time period indicated in Rule 6A-1.0453, F.A.C.

    (b) The transfer of education records must shall not be delayed for nonpayment of a fee or fine assessed by the school.

    (c) The transfer of records of students who transfer from school to school must occur within three (3) school days of receipt of the request for records from the new school or district, or receipt of the identity of the new school and district of enrollment, whichever occurs first. Student records must contain verified reports of serious or recurrent behavior patterns, including substantive and transient threat assessments and intervention services, and psychological evaluations, including therapeutic treatment plans and therapy progress notes created or maintained by district or charter school staff. Non-threats as described in subsection (6) must not be transferred with a student’s educational record unless one of the conditions described in subparagraph (6)(b)1. and 2. are met.  

    (11) School district and charter school contracts or agreements with third-party vendors.

    (a) All contracts or agreements executed by or on behalf of a school district or charter school with a third-party vendor or a third-party service provider must protect the privacy of education records and student PII contained therein. Any agreement that provides for the disclosure or use of student PII must:

    1. Require compliance with FERPA, its implementing regulations, and Section 1002.22, F.S.;

    2. Where applicable, require compliance with COPPA, 15 U.S.C. ss. 6501-6506, and its implementing regulations;

    3. Ensure that only the PII necessary for the service being provided will be disclosed to the third party;

    4. Prohibit disclosure or re-disclosure of student PII unless one of the conditions set forth in paragraph (11)(b) has been met;

    (b) Contracts or agreements with a third-party vendor or third-party service provider may permit the disclosure of PII to the third party only where one or more of the following conditions has been met:

    1. The disclosure is authorized by FERPA and 34 CFR § 99.31;

    2. The disclosure is authorized by the school board or charter governing board’s directory information policy implemented in accordance with FERPA and 34 CFR § 99.37; or

    3. The disclosure is authorized by written consent of an eligible student or parent. Consent must include, at a minimum, an explanation of who the PII would be disclosed to, how it would be used, and whether re-disclosure is permitted. Any re-disclosure must meet the requirements of paragraph (11)(b) and must be authorized by the school board or charter school governing board.

    ­(12)(9) Security of education records.

    (a) The school principal or designee must shall be responsible for the privacy and security of all student records maintained in the school.

    (b) The superintendent of schools or designee must shall be responsible for the privacy and security of all student records that are not under the supervision of a school principal.

    (c) Institutions and agencies that are not part of a school district must shall designate the office or position responsible for the privacy and security of all student records.

    Rulemaking Authority 1001.02(1), 1002.22(3), 1003.25(2), 1008.405 FS. Law Implemented 1001.52(2), (3), 1002.22(2), (3),1002.221, 1003.25, 1008.405 FS. History–New 4-11-70, Repromulgated 12-5-74, Revised 6-1-75, Amended 10-7-75, 2-21-77, 3-1-78, 5-24-81, Formerly 6A-1.955, Amended 6-17-87, 1-2-95, 10-25-10, 5-5-20,

     

    NAME OF PERSON ORIGINATING PROPOSED RULE: Dr. Andre Smith, Deputy Commissioner, Division of Technology and Innovation.

    NAME OF AGENCY HEAD WHO APPROVED THE PROPOSED RULE: Manny Diaz Jr., Commissioner, Department of Education.

    DATE PROPOSED RULE APPROVED BY AGENCY HEAD: September 23, 2022

    DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAR: August 5, 2022

Document Information

Comments Open:
9/26/2022
Summary:
The rule adds definitions for clarity and criteria for the circumstances when reported threats, which do not rise to a transient level, may be maintained in a student’s file. In addition, the rule requires school districts to adopt policies to protect student information when students are required to use online services. The rule will also require districts to ensure their contracts with vendors protect student information.
Purpose:
To protect student privacy when students are required to use online educational services or when districts contract with third party vendors or service providers. This rule will strengthen the privacy and rights of students and safeguard their educational record in accordance with state and federal law.
Rulemaking Authority:
1001.02(1), (2)(n), 1002.22(3), 1003.25(2), F.S.
Law:
1001.52(2), (3), 1002.22(2), (3), 1002.221, 1003.25, 1008.405, F.S.
Related Rules: (1)
6A-1.0955. Education Records