Senate Bill 29 (“SB29”) was passed by the Ohio General Assembly at the end of June 2024 and was signed by Governor DeWine on July 24, 2024. Generally, the bill impacted a number of sections of the Ohio Revised Code with a few amendments and added several new code sections that govern education records and student data privacy. SB29 contains four main sections, each with its own implications and timelines for implementation in school districts.
Previous to SB29, Ohio protected personally identifiable student information pursuant to O.R.C. §3319.321. Ohio defines “educational records” similar to the definition in the federal Family Educational Rights and Privacy Act (FERPA), as “records, files, documents and other materials that contain information directly related to a student and are maintained by a school district board of education or by a person acting for the school district.” Educational records do not include records in the sole possession of school personnel, employee personnel records, or records of an adult student that are maintained by a professional providing medical treatment to the student.
Section I: New Public Records Exemption
Effective: October 24, 2024*
Implications: Immediate on Effective Date
SB29 amended O.R.C. §149.43 to include an additional exemption to the list of records that are not be considered “public records” under Ohio’s Public Records law. “Educational support services data” is a new term under the Ohio Revised Code and is not the same as “educational records” as defined above. It is defined at O.R.C. §3319.325 as:
“…data on individuals collected, created, maintained, used or disseminated relating to programs administered by a school district board of education or an entity under contract with a school district designed to eliminate disparities and advance equities in educational achievement for youth by coordinating services available to participants regardless of the youth’s involvement with other government services.”
Therefore, “educational support services data” is not a public record and may not be released or accessed unless it is pursuant to law. However, O.R.C. §3319.326 specifically outlines that this data shall be made available to the state Opportunities for Ohioans with Disabilities agency for that agencies’ duties in supporting students with disabilities.
Action Required for School Districts: This new definition requires an awareness of a new exception to Ohio’s Public Records law of a category of student records, rather than action from school districts. If there are requests for records meeting the definition of “educational support services data,” those requests should be denied unless otherwise permitted under other statutes.
Section II: Licensure Penalties for Release of Confidential Information
Effective: October 24, 2024*
Implications: Immediate on Effective Date
SB29 added an additional reason for the State Board of Education to refuse to issue a license to an applicant; limit a license to an applicant; suspend, revoke, or limit a license that has been issued; or revoke a license that has been expired as follows:
“…using or releasing information that is confidential under state or federal law concerning a student or student’s family members for purposes other than student instruction.” O.R.C. §3319.31
Action Required for School Districts: The Licensure Code of Professional Conduct for Ohio Educators already includes penalties for educators who fail to comply with student confidentiality requirements. The Licensure Code considers the following to be conduct unbecoming to the teaching profession:
- Willfully or knowingly violating any student confidentiality required by federal or state laws, including publishing, providing access to, or altering confidential student information on district or public websites, such as grades, personal information, photographs, disciplinary actions, or individualized educational programs (IEPs) without parental consent or consent of students 18 years of age and older.
- Using confidential student, family, or school-related information in a non-professional way (for example, gossip, malicious talk, or disparagement).
- Violating local, state, or federal procedures or laws related to the confidentiality of standardized tests, test supplies, or resources.
However, this direction from the Ohio Legislature through SB29 appears to expand what is considered to be a violation of student confidentiality and further limits the use of such confidential information to only student instruction.
This amendment could impact student confidentiality policies for your District, so those should be reviewed for compliance. It also may be important for your district to train staff on this shift in statutory language, as the focus and penalty is on the licensed individual, not the employing school district in this statute.
Section III: Technology Providers and their Use of Educational Records
Effective: October 24, 2024*
Implications: Immediate and by August 1, 2025
SB29 is Ohio’s first substantive step into setting legal expectations for contracts between school districts and technology providers set forth in O.R.C. §§3319.325 and 3319.326.
“Technology providers” means:
“…a person who contracts with a school district to provide a school-issued device for student use and creates, receives, or maintains educational records pursuant or incidental to its contract with the district.”
“School-issued device” means:
“…hardware, software, devices, and accounts that a school district, acting independently or with a technology provider, provides to an individual student for that student’s dedicated personal use.”
Schools are required to ensure that contracts with technology providers include the following terms:
- Educational records are the sole property of the school district.
- Breach of security protocols, including disclosure to the school district to allow the school district to meet its data security requirements in O.R.C. §1347.12.
- Return or destruction of educational records within 90 days of termination or expiration, unless renewal expected.
- No selling, sharing or dissemination of educational records by the technology provider.
- No use of educational records for a commercial purpose by the technology provider.
- Ensure security safeguards for educational records:
- Restrict unauthorized access by technology provider’s employees or contractors.
- Requirement that access is only necessary to fulfill official duties.
By August 1st of each school year, school districts are required to provide parents and students with notice of the curriculum, testing, or assessment technology provider contract affecting the student’s educational records. This notice is required to be sent to the student and the parent via mail, email or other direct form and must include:
- Identification of each curriculum, testing or assessment technology provider.
- Identification of the educational records affected by the curriculum, testing or assessment technology provider contract.
- Information about how to inspect the contract.
- Provide contact information for a school department to contact with questions or concerns regarding any program or activity that allows a curriculum, testing or assessment technology provider access to educational records.
Action Required for School Districts: The timeline in the statute requires notice by August 1st each school year, and that deadline has passed for 2024-25 well before the statute is in effect. Therefore, school districts will want to use this school year to gather information on all the curriculum, testing or assessment technology provider contracts it maintains, as well as centralizing the process for approval of curriculum, testing or assessment technology utilized by staff. Only central office administration should authorize and approve each curriculum, testing or assessment technology providers.
Schools will want to consider an approval process for how each curriculum, testing or assessment technology provider will be vetted, as well as verification that each technology provider contract includes the provisions required by SB29, as well as any other implications from FERPA, COPPA (Children’s Online Privacy Protection Rule), CIPA (Children’s Internet Protection Act), and ADA/Section 504.
Additionally, school districts will need to have their notice process established so that all parents and students are provided with the required notice by August 1, 2025, and August 1st each year thereafter.
Section IV: Access or Monitoring of Student Activity on School-Issued Devices
Effective: October 24, 2024*
Implications: Immediate on Effective Date
Under a new statute, O.R.C. §3319.327, school districts and technology providers are prohibited from electronically accessing or monitoring the following:
- Location tracking features of a school-issued device;
- Audio or visual receiving, transmitting, or recording feature of a school-issued device; or
- Student interactions with a school-issued device, including keystrokes and web-browsing activities.
There are several exceptions that allow electronic access and monitoring under this new statute, but the intent of the law was clearly set forth by bill sponsor Senator Huffman:
“Everyone deserves the right to privacy and students are no different,” Huffman said. “Our children need privacy to express themselves, and it should be left to parents, not tech companies, to monitor our children’s online presence.”
The limited circumstances in which a school district or technology provider is permitted to electronically access or monitor a student’s activity on a school-issued device are:
- Noncommercial educational purposes for instruction, technical support, or exam proctoring by a school district employee, student teachers or contracted staff with notice provided in advance.
- Judicial warrant.
- Notice is provided to the school district or technical provider that the school-issued device is missing or stolen.
- Necessary to prevent or respond to a threat to life or safety, and access is limited to that purpose.
- Necessary to comply with federal or state law.
- Necessary to participate in federal or state funding programs.
If a school district elects to electronically access or monitor a school-issued device pursuant to one of the above exceptions, it must provide written notice of the monitoring to the parents of enrolled students (“General Notice”).
Additionally, if a student’s device is electronically accessed because an exception occurs, the school district must provide notice to the student’s parent of the circumstances that caused the school district to access the student’s interactions with the school-issued device within 72 hours of the access (“72-Hour Notice”). The 72-Hour Notice must include details of what features were accessed and, if applicable, a description of the threat. If the 72-Hour Notice itself is a threat to life or safety, then it must be provided within 72 hours after the threat has ended.
Action Required for School Districts: School districts should be ready on October 24, 2024*, to provide both the General Notice and the 72-Hour Notice to the parents/guardians of currently enrolled students.
In its General Notice, districts must disclose any monitoring of school-issued devices for any of the permissible reasons outlined above. For example, schools that participate in E-Rate and other federal funding programs will automatically be required to notify parents of the monitoring that occurs due to the Child Internet Protection Act (CIPA). As a reminder, under CIPA, not only must your school district have an internet safety policy that includes technology protection measures to block or filter Internet access to pictures that are obscene, child pornography; or harmful to minors, but schools also must monitor the online activities of minors. While this is still permissible under SB29 and required for schools to receive federal E-Rate monies, the General Notice still must disclose monitoring pursuant to federal law.
If your District has other applicable monitoring it utilizes for one of the permissible reasons, these also must be included within your District’s General Notice, including any technology provider that monitors student activity online, filters content, and/or alerts school officials to possible threats, violence, suicidal or self-harm ideation.
Your District should also have a 72-Hour Notice ready for use if a triggering circumstance occurs causing the District to electronically access the school-issued device. It may be necessary to provide training and/or consensus to building administration on implementing these new requirements.
Contact an Ennis Britton attorney if you have questions about any of the new requirements of SB 29 for your district.
*While Gongwer reports the effective date of SB 29 as October 21, 2024, the Ohio Secretary of State and the Ohio Legislative Service Commission report the effective date as October 24, 2024. For the purposes of this Client Alert, Ennis Britton is using October 24, 2024 as the effective date for SB 29.