Ohio Senate Bill (“SB”) 29, which becomes effective on October 24, 2024, makes changes to a number of statutes affecting Ohio public school districts, and its implementation is likely to create significant challenges. The bill adjusts two existing Ohio Revised Code Sections (“RC”), and creates three new statutes (RC 3319.325, 3319.326, and 3319.327) that include school district obligations related to technology contracts, monitoring limitations, and parent and student notifications.
RC 3319.325 defines several terms applicable to the new statutes, notably defining “school-issued device” to include “hardware, software, devices and accounts that a school district, acting independently or with a technology provider, provides to an individual student for that student’s dedicated personal use.” Additionally, “technology provider” is defined to include “a person who contracts with a school district to provide a school-issued device for student use and creates, receives, or maintains educational records pursuant or incidental to its contract with the district.” “Educational support services data” includes “data on individuals collected, created, maintained, used or disseminated relating to programs administered by a school board or entity under contract with a school district designed to eliminate disparities and advance equities in educational achievement for youth by coordinator services available to participants, regardless of the youth’s involvement with other government services.”
RC 3319.326 addresses technology provider responsibilities, including limitations on access to and use of student educational records by technology providers. This statute also requires that any contract between a school district and a “technology provider” must ensure appropriate security safeguards for “educational records” (as defined by RC 3319.325), and must include both: (1) a restriction on unauthorized access by the technology provider’s employees or contractors; and (2) a limitation on the technology provider’s employees or contractors access to educational records only to that which is necessary to fulfill the official duties of the employee or contractor. In order to ensure that existing and future contracts meet these standards, districts should consider seeking legal review of existing and potential contracts addressing: (1) provision of school-issued devices; and (2) tracking or monitoring of student activities on school-issued devices, including access to and/or use of such tracking or monitoring data. This review can help to identify compliance-related exposure points with existing contracts and ensure that language included in any new tech-based contracts comply with these new requirements.
Legal review of existing and potential contract language also assists with compliance with the RC 3319.326 annual notice requirement, which provides that no later than August 1 each year, school districts are required to provide notice to parents and students of any curriculum, testing, or assessment technology provider contract affecting the student’s educational records (as defined by RC 3319.325). The notice must: (1) identify each curriculum, testing, or assessment technology provider with access to educational records; (2) identify the educational records affected by the contract; and (3) include information about the ability to inspect the contract and provide contact information about where a parent or student may direct questions or concerns related to any program or activity that allows curriculum, testing, or assessment technology provider access to a student’s educational records. Because this annual deadline will have passed prior to the bill’s effective date, districts will need to be prepared to issue this notice prior to August 1, 2025.
RC 3319.326 also requires Districts to provide parents and students an opportunity to inspect a complete copy of any contract with a technology provider. Districts will need to consider how to best provide this access promptly upon request, and who should serve as the best point of contact for parent/student questions.
RC 3319.327 focuses on school district and technology provider obligations, and imposes a prohibition against electronic access and monitoring of location tracking, audio or visual features, student interactions with a school-issued device, including web-browsing activities, etc. The statute lists six circumstances to which the section does not apply, including when the:
1) activity is limited to a noncommercial educational purpose for instruction, technical support, or exam-proctoring by school district employees, student teachers, staff contracted by a district, a vendor, or the department of education, and notice is provided in advance;
2) activity is permitted under a judicial warrant;
3) school district or technology provider is notified or becomes aware that the device is missing or stolen;
4) activity is necessary to prevent or respond to a threat to life or safety, and the access is limited to that purpose;
5) activity is necessary to comply with federal or state law; or
6) activity is necessary to participate in federal or state funding programs.
These limitations should prompt district discussions regarding any necessary adjustments to district practices.
In addition to considering necessary adjustments to district practices, districts also need to consider the notice requirements associated with the electronic access and monitoring and be prepared to issue such notices beginning with the bill’s October 24, 2024, effective date. RC 3319.327 further provides that in any school year in which a school district elects to generally monitor a school-issued device for any of the circumstances listed in the limited exceptions, the District is required to provide written notice of the monitoring to parents of its enrolled students. This is likely to impact many districts, as districts that receive E-rate funding, likely implement monitoring under the Children’s Internet Protection Act (“CIPA”) requirement that recipient internet safety policies include monitoring the online activities of minors. Regardless of whether your school participates in the E-rate program, if you implement general monitoring for any of the six listed items during a school year, this notice must be provided.
Moreover, regarding the general monitoring notice, a 72-hour notice is required if one of the six listed exceptions is triggered. This notice is required to be provided to the student’s parent within 72 hours and must include a written description of the triggering circumstance, which features of the device were accessed, and a description of the threat, if any. Care should be taken to ensure information disclosed by way of this 72-hour notice does not run afoul of other state and federal laws as they relate to student privacy, threat assessment procedures, etc. The statute specifically provides that the 72-hour notice is not required to be provided if the notice itself would pose a threat to life or safety. Instead, if providing the 72-hour notice would pose a threat to life or safety, the notice is then required to be provided within 72 hours after the threat has ceased, rather than within 72 hours of the triggering event. Assessing when this notice is required and what information can/should be included likely will be a case-by-case basis determination that depends on the particular circumstances/triggering event.
RC 3319.327 further provides that, unless otherwise provided by law, no person shall release or permit access to educational support services data concerning a student attending a public school for any purpose, but specifically provides that such data shall be made available to the Opportunities for Ohioans with Disabilities agency in furtherance of the agency’s duties and supports to individuals with disabilities.
In addition to the new statutes, SB 29 also revises RC 149.43 to specify that “educational support services data” as defined by RC 3319.325, is exempt from the definition of “public record” for purposes of Ohio’s Public Records Act. The bill further revises RC 3319.31 to add use or release of “information that is confidential under state or federal law concerning a student or student’s family members for purposes other than student instruction” to the list of reasons for which the state board may refuse to issue, or may suspend, revoke, or limit a license.
For Further Information: As noted above, legal review of contracts, consideration of necessary adjustments to district practices, and planning for provision of required notices is necessary to ensure compliance with these new standards. Please feel free to reach out to any of the attorneys in Weston Hurd’s Education Law Group with questions regarding SB 29, related contract review, and/or required notices.