March 30, 2017
Armed with the understanding that Social Security numbers are the piece of information most used by criminals perpetrating identity thefts, the California legislature has barred local education agencies from collecting them.
Effective January 1, 2017, Assembly Bill (AB) 2097 modified section 56601 of the Education Code to prohibit school districts, county offices of education and charter schools from collecting or soliciting Social Security numbers or the last four digits of Social Security numbers from pupils or their parents or guardians. Prior to the law’s effective date, Education Code section 56601 authorized the Superintendent of Public Instruction to collect and use the Social Security numbers of individuals with exceptional needs as student identification numbers in order to assist the state in evaluating the effectiveness of special education programs.
AB 2097 was a direct response to issues raised inMorgan Hill Concerned Parents Ass’n v. Cal. Dep’t of Educ. (E.D. Cal., No. 2:11-cv-3471) (Morgan Hill), a case brought by parent groups who claimed the state systematically failed to provide disabled children with a free and appropriate public education. ( See 2016 Client News Brief No. 12.) During the discovery process in Morgan Hill, the court issued an order requiring the California Department of Education (CDE) to release student data relating to as many as 10 million current and past public school students. The data was presumed to include sensitive information, such as student Social Security numbers. Some of the central concerns raised by parents in response to this order were the security of their children’s information and the possibility of identity theft.
AB 2097 repealed Education Code section 56601’s authorization to collect and use Social Security numbers in conjunction with special education programs and requires the Superintendent of Public Instruction to instead assign and use student identification numbers, commencing with the 2017-18 fiscal year and phased in over a two-year period. AB 2097 also added section 49076.7 to the Education Code to implement a broad prohibition on local educational agencies from collecting or soliciting Social Security numbers or their last four digits from pupils or their parents or guardians in any program, unless otherwise required to do so by state or federal law. Going even further, AB 2097 authorizes the CDE to create additional restrictions on the collection and solicitation of other personally identifiable information.
This new law should not only alert public agencies to the risks of and prohibitions against requesting Social Security numbers, but should serve as a reminder that public agencies should review and update non-complying forms and processes.
The newly added Education Code section 49076.7 declares that pupil data privacy is a priority because students are at risk of identity theft when providing their Social Security numbers to local educational agencies. It cites to a technical brief published by the United States Department of Education (DOE) in 2010, “ Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records.” Through its brief, the DOE provides guidance and “best practices” regarding the ongoing management of electronic data collection, processing, storage, maintenance and use of student records. It addresses data stewardship at all levels of governance, ranging from the state department of education to individual schools. Resources like this may be invaluable to public agencies as they assess their current practices and vulnerabilities.
Data governance and stewardship in the public sector are becoming increasingly important as public sector agencies continue to transition from the use and storage of paper records to electronic and online data. For educational agencies, this transition has raised concerns about the storage and release of sensitive and confidential student information because the laws and regulations governing student records have been slower to evolve than the technology used to electronically collect, use and store the data.
To better protect electronic data maintained by public sector agencies, as well as the agencies themselves, Lozano Smith’s Technology & Innovation Practice Group is committed to working with its clients in order to refine
and develop their data policies and practices. If you have any questions about AB 2097 or any other issues related to student privacy or data protection, please contact the authors of this Client News Brief or an attorney in our
Technology & Innovation Practice Group or at one of our nine offices located statewide. You can also visit our website, follow us on Facebook or Twitter or download our Client News Brief App.
©2017 Lozano Smith
As the information contained herein is necessarily general, its application to a particular set of facts and circumstances may vary. For this reason, this News Brief does not constitute legal advice. We recommend that you consult with your counsel prior to acting on the information contained herein.