Minnesota Enacts Student Data Privacy Act | Practical Law

Minnesota Enacts Student Data Privacy Act | Practical Law

Minnesota has enacted a new student data privacy law that governs public school technology providers' use, retention, and disclosure of student data and limits provider and government access to students' school-issued devices.

Minnesota Enacts Student Data Privacy Act

Practical Law Legal Update w-035-8814 (Approx. 5 pages)

Minnesota Enacts Student Data Privacy Act

by Practical Law Data Privacy & Cybersecurity
Published on 13 Jun 2022Minnesota
Minnesota has enacted a new student data privacy law that governs public school technology providers' use, retention, and disclosure of student data and limits provider and government access to students' school-issued devices.
On May 22, 2022, Minnesota Governor Tim Walz signed the Student Data Privacy Act (HF 2353) into law. The law creates compliance requirements for:
  • School-issued devices, defined as hardware or software provided to an individual student of a public educational agency or institution for dedicated personal use.
  • Technology providers, defined as a person that both:
    • as part of a one-to-one program or otherwise, contracts with a public educational agency or institution to provide a school-issued device for student use; and
    • creates, receives, or maintains educational data pursuant or incidental to a contract with a public educational agency or institution.
The Student Data Privacy Act states that educational data is:
  • Defined as data on individuals maintained by a public educational agency or institution or by a person acting for the agency or institution which relates to a student.
  • Not the technology provider's property when created, received, or maintained by a technology provider pursuant or incidental to a contract with a public educational agency or institution.
It also:
  • Requires that technology providers:
    • destroy or return educational data to the school within 90 days of contract expiration unless renewal is reasonably anticipated;
    • not use educational data for any commercial purpose, including but not limited to, marketing or advertising;
    • not sell, share, or disclose educational data except as provided by law or as part of a valid delegation or assignment of its school contract; and
    • notify schools of data breaches and provide them certain information under Minnesota's state agency data breach notification law.
  • Requires that contracts between technology providers and public educational agencies and institutions:
    • restrict technology provider employee access to educational data to only when necessary and authorized; and
    • ensure appropriate security safeguards for educational data.
  • Requires public educational agencies and institutions to notify students and parents directly of any curriculum, testing, or assessment technology provider contract that affects a student's data within 30 days of the start of the school year.
  • Prohibits government agencies and technology providers from accessing or monitoring certain features of school-issued devices, such as location tracking, audio or visual recording, and keystroke or web browsing monitoring, unless an exception applies.
The law exempts postsecondary institutions and their contracts and limits its applicability to nonprofit national assessment providers in certain contexts.
The Student Data Privacy Act is effective beginning with the 2022-2023 school year.