[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 877 Introduced in Senate (IS)]
<DOC>
115th CONGRESS
1st Session
S. 877
To amend the Family Educational Rights and Privacy Act of 1974 to
ensure that student data handled by private companies is protected, and
for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 6 (legislative day, April 4), 2017
Mr. Markey (for himself and Mr. Hatch) introduced the following bill;
which was read twice and referred to the Committee on Health,
Education, Labor, and Pensions
_______________________________________________________________________
A BILL
To amend the Family Educational Rights and Privacy Act of 1974 to
ensure that student data handled by private companies is protected, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protecting Student Privacy Act of
2017''.
SEC. 2. FERPA IMPROVEMENTS.
Subsection (b) of section 444 of the General Education Provisions
Act (20 U.S.C. 1232g) (commonly referred to as the ``Family Educational
Rights and Privacy Act of 1974'') is amended--
(1) by redesignating paragraphs (4) through (7) as
paragraphs (8) through (11), respectively;
(2) by inserting after paragraph (3) the following:
``(4)(A) No funds shall be made available under any applicable
program to any educational agency or institution that has not
implemented information security policies and procedures that--
``(i) protect personally identifiable information from
education records maintained by the educational agency or
institution; and
``(ii) require each outside party to whom personally
identifiable information from education records is disclosed to
have information security policies and procedures that include
a comprehensive security program designed to protect the
personally identifiable information from education records.
``(B) For purposes of this subsection, the term `outside party'
means a person that is not an employee, officer, or volunteer of the
educational agency or institution or of a Federal, State, or local
governmental agency and includes any contractor or consultant acting as
a school official or authorized representative or in any other
capacity.
``(5) Notwithstanding any other provision of this section or
paragraph (2)(A), no funds shall be made available under any applicable
program to any educational agency or institution that has a policy or
practice of using, knowingly releasing, or otherwise knowingly
providing access to personally identifiable information, as described
in paragraph (2), in the education records of a student to advertise or
market a product or service.
``(6) Each State educational agency receiving funds under an
applicable program, and each educational agency or institution, shall
ensure that any outside party with access to education records with
personally identifiable information complies with the following:
``(A) Any education records that are held by the outside
party shall be held in a manner that provides, as directed by
the educational agency or institution, parents with--
``(i) the right to access the personally
identifiable information held about their students by
the outside party, to the same extent and in the same
manner as provided in subsection (a)(1); and
``(ii) a process to challenge, correct, or delete
any inaccurate, misleading, or otherwise inappropriate
data in any education records of such student that are
held by the outside party, through an opportunity for a
hearing by the agency or institution providing the
outside party with access, in accordance with
subsection (a)(2).
``(B) The outside party shall maintain a record of all
individuals, agencies, or organizations that have requested or
obtained access to the education records of a student held by
the outside party, in the same manner as is required under
paragraph (8).
``(C) The outside party shall have policies or procedures
in place regarding information security practices regarding the
education records, in accordance with paragraph (4).
``(7) No funds under any applicable program shall be made available
to any educational agency or institution, or any State educational
agency, unless the agency or institution has a policy or practice
that--
``(A) promotes data minimization in order to safeguard
individual privacy by meeting any request for student
information with non-personally identifiable information, if
the purpose of any appropriate request can be effectively met
with non-personally identifiable information; and
``(B) requires that all personally identifiable information
on an individual student held by any outside party be destroyed
when the information is no longer needed for the specified
purpose.''; and
(3) in paragraph (8)(A), as redesignated by paragraph (1)--
(A) by inserting ``who are employees, officers, or
volunteers of the agency or institution'' after ``of
this subsection'';
(B) by striking ``or organizations'' and inserting
``organizations, or outside parties'';
(C) by striking ``or organization'' and inserting
``organization, or outside party''; and
(D) by inserting ``and will describe the
information shared with such person, outside party,
agency, or organization'' after ``obtaining this
information''.
<all>