[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 877 Introduced in Senate (IS)]

115th CONGRESS
  1st Session
                                 S. 877

   To amend the Family Educational Rights and Privacy Act of 1974 to 
ensure that student data handled by private companies is protected, and 
                          for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                April 6 (legislative day, April 4), 2017

 Mr. Markey (for himself and Mr. Hatch) introduced the following bill; 
     which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
   To amend the Family Educational Rights and Privacy Act of 1974 to 
ensure that student data handled by private companies is protected, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Protecting Student Privacy Act of 
2017''.

SEC. 2. FERPA IMPROVEMENTS.

    Subsection (b) of section 444 of the General Education Provisions 
Act (20 U.S.C. 1232g) (commonly referred to as the ``Family Educational 
Rights and Privacy Act of 1974'') is amended--
            (1) by redesignating paragraphs (4) through (7) as 
        paragraphs (8) through (11), respectively;
            (2) by inserting after paragraph (3) the following:
    ``(4)(A) No funds shall be made available under any applicable 
program to any educational agency or institution that has not 
implemented information security policies and procedures that--
            ``(i) protect personally identifiable information from 
        education records maintained by the educational agency or 
        institution; and
            ``(ii) require each outside party to whom personally 
        identifiable information from education records is disclosed to 
        have information security policies and procedures that include 
        a comprehensive security program designed to protect the 
        personally identifiable information from education records.
    ``(B) For purposes of this subsection, the term `outside party' 
means a person that is not an employee, officer, or volunteer of the 
educational agency or institution or of a Federal, State, or local 
governmental agency and includes any contractor or consultant acting as 
a school official or authorized representative or in any other 
capacity.
    ``(5) Notwithstanding any other provision of this section or 
paragraph (2)(A), no funds shall be made available under any applicable 
program to any educational agency or institution that has a policy or 
practice of using, knowingly releasing, or otherwise knowingly 
providing access to personally identifiable information, as described 
in paragraph (2), in the education records of a student to advertise or 
market a product or service.
    ``(6) Each State educational agency receiving funds under an 
applicable program, and each educational agency or institution, shall 
ensure that any outside party with access to education records with 
personally identifiable information complies with the following:
            ``(A) Any education records that are held by the outside 
        party shall be held in a manner that provides, as directed by 
        the educational agency or institution, parents with--
                    ``(i) the right to access the personally 
                identifiable information held about their students by 
                the outside party, to the same extent and in the same 
                manner as provided in subsection (a)(1); and
                    ``(ii) a process to challenge, correct, or delete 
                any inaccurate, misleading, or otherwise inappropriate 
                data in any education records of such student that are 
                held by the outside party, through an opportunity for a 
                hearing by the agency or institution providing the 
                outside party with access, in accordance with 
                subsection (a)(2).
            ``(B) The outside party shall maintain a record of all 
        individuals, agencies, or organizations that have requested or 
        obtained access to the education records of a student held by 
        the outside party, in the same manner as is required under 
        paragraph (8).
            ``(C) The outside party shall have policies or procedures 
        in place regarding information security practices regarding the 
        education records, in accordance with paragraph (4).
    ``(7) No funds under any applicable program shall be made available 
to any educational agency or institution, or any State educational 
agency, unless the agency or institution has a policy or practice 
that--
            ``(A) promotes data minimization in order to safeguard 
        individual privacy by meeting any request for student 
        information with non-personally identifiable information, if 
        the purpose of any appropriate request can be effectively met 
        with non-personally identifiable information; and
            ``(B) requires that all personally identifiable information 
        on an individual student held by any outside party be destroyed 
        when the information is no longer needed for the specified 
        purpose.''; and
            (3) in paragraph (8)(A), as redesignated by paragraph (1)--
                    (A) by inserting ``who are employees, officers, or 
                volunteers of the agency or institution'' after ``of 
                this subsection'';
                    (B) by striking ``or organizations'' and inserting 
                ``organizations, or outside parties'';
                    (C) by striking ``or organization'' and inserting 
                ``organization, or outside party''; and
                    (D) by inserting ``and will describe the 
                information shared with such person, outside party, 
                agency, or organization'' after ``obtaining this 
                information''.