New MN student data privacy laws and regulations for 2022-2023

Changes are coming for school districts and technology providers with regards to protecting educational data in the state of Minnesota.

Governor Walz recently signed H.F. 2353 into law, establishing new requirements for the upcoming 2022-2023 school year and beyond. This bill emphasizes tightening existing Minnesota data practices and ensuring that educators and technology providers accessing educational data are respecting and protecting sensitive student information.

The new Minnesota student data privacy law, H.F. 2353, a bill for an act relating to data practices; modifying certain education data provisions; and classifying education support service data, defines new provisions for technology vendors and Minnesota district leaders, alike.

Under H.F. 2353, contracts between technology providers and a public educational agency or institution must include requirements to ensure appropriate security safeguards for educational data.

The law requires Minnesota school districts to do the following within 30 days of the start of each school year:

Provide parents and students direct and timely notice of any curriculum, testing, or assessment technology provider contract that uses student's educational data.
- Identify (1) each curriculum, testing, or assessment technology provider with access to educational data; (2) the educational data affected by the curriculum, testing, or assessment technology provider contract.
- Include information about the contract inspection and provide contact information for a school department to which a parent or student may direct questions or concerns.
Provide an opportunity for parents and students to inspect a complete copy of any contract with a technology provider.

Technology providers, or anyone who (1) contracts with a public educational agency or institution, as part of a one-to-one program or otherwise, to provide a school-issued device for student use; (2) creates, receives, or maintains educational data pursuant or incidental to a contract with a public educational agency or institution, are subject to the following provisions:

All educational data created, received, maintained, or disseminated by a technology provider are not the technology provider's property.
If educational data maintained by the technology provider are subject to a breach of the security of the data, the technology provider must, following discovery of the breach, disclose to the public educational agency or institution all information necessary.
Unless renewal of the contract is reasonably anticipated, within 90 days of the expiration of the contract, a technology provider must destroy or return to the appropriate public educational agency or institution all educational data created, received, or maintained pursuant or incidental to the contract.
A technology provider must not sell, share, or disseminate educational data.
A technology provider must not use educational data for any commercial purpose, including but not limited to marketing or advertising to a student or parent.
A contract between a technology provider and a public educational agency or institution must include requirements to ensure appropriate security safeguards for educational data. The contract must require:

(1) the technology provider's employees or contractors have access to educational data only if authorized; and

(2) the technology provider's employees or contractors may be authorized to access educational data only if access is necessary to fulfill the official duties of the employee or contractor.

Regarding school-issued devices, a government entity or technology provider must not electronically access or monitor any location-tracking feature of a school-issued device, any audio or visual receiving, transmitting, or recording feature of a school-issued device, or student interactions with a school-issued device, including but not limited to keystrokes and web-browsing activity.

How EdPrivacy Can Help

EdPrivacy is an award winning student data privacy solution that helps U.S. school district manage federal and state student data privacy obligations. EdPrivacy simplifies the app vetting and contract management process so that you can stay organized and up to date with all of your student data privacy compliance activities. Your district can utilize our machine learning-based artificial intelligence system to request privacy quality scores for thousands of online technology resources commonly used in classrooms. The privacy quality scoring system helps Minnesota educators and administrators quickly identify safe online technologies and easily determine which service providers meet or exceed the requirements of the new Minnesota Student Data Privacy Act.

With EdPrivacy, school district leaders better understand school privacy laws for students, and enjoy student data privacy peace of mind. Designed to help districts proactively protect student information, EdPrivacy is positioned well to quickly implement the necessary school district policy changes under the new Minnesota privacy law.

For more information on what school and district administrators should know about federal student privacy laws, read EFI’s federal legislation page.