Protecting Student Privacy Act of 2017
This bill amends the Family Educational Rights and Privacy Act of 1974 to prohibit programs administered by the Department of Education from making funds available to any educational agency or institution that has not implemented information security policies that: (1) protect personally identifiable information (PII) from education records, and (2) require each outside party to whom PII from education records is disclosed to have a comprehensive security program to protect such information.
An "outside party" is defined as a person that is not an employee, officer, or volunteer of the educational agency or institution or of a government agency. The term includes any contractor or consultant acting as a school official or authorized representative or in any other capacity.
The bill prohibits such funds from being made available to any educational agency or institution that has a policy or practice of using, releasing, or providing access to PII to advertise or market a product or service.
State agencies receiving such funds, and each educational agency or institution, must ensure that any outside party with access to such records: (1) provides parents access to any PII it holds about their students; (2) provides a process to challenge, correct, or delete any inaccurate, misleading, or inappropriate data through a hearing by the agency or institution providing the outside party with access; (3) maintains a record of all individuals, agencies, or organizations that have requested or obtained access to the education records of a student; and (4) has information security procedures in place.
The bill prohibits funds from being made available to any educational agency or institution, or any state educational agency, unless the agency or institution has a practice that: (1) promotes data minimization by meeting requests for student information with non-PII; and (2) requires that PII held by any outside party be destroyed when the information is no longer needed for the specified purpose.
Educational agencies and institutions must maintain a record of all outside parties that request or obtain access to a student's education records. Such a record must describe the information shared and indicate specifically the party's legitimate interest in obtaining this information.