Privacy and Security Rules, Resources, and Legislation


This is a foundational list of resources and links to understand the privacy and security environment in which our data systems operate. 

There may be more local, state, and federal laws that apply in different contexts.

| Rule, Resource, or Legislation | Description | Links |
| --- | --- | --- |
| Family Educational Rights and Privacy Act (FERPA) | The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA makes it clear that only a student can authorize release of his/her community college records. | FERPA Link |
| Gramm-Leach-Bliley Act (GLBA) | The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. | GLBA Link |
| Children's Online Privacy Protection Act (COPPA) | COPPA requires operators of commercial websites, online services, and mobile apps to notify parents and obtain their consent before collecting any personal information on children under the age of 13. NOTE: This rarely, but sometimes, applies to Community Colleges. | COPPA explanation Link |
| Privacy Technical Assistance Center (PTAC) | The US Department of Education's Privacy Technical Assistance Center (PTAC), located within the Student Privacy Policy and Assistance Division, was established in 2010 as a "one-stop" resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level data systems and other uses of student data. | PTAC Legal Basics Link |
| California S.B. 570 | This California law defines the breach notification requirements. | CA SB 570 Link |
| California A.B. 964 | This California law defines encryption. | CA AB 964 Link |
| General Data Protection Regulation (GDPR) | The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. | GDPR Wikipedia Link |
| California Education Code 76001 | Education Code 76001 authorizes colleges to admit minors but also permits colleges to establish criteria for admission based on age, grade level, and eligibility. Note: This is a critical law for the issue of Dual Enrollment. | CA ED Code 76001 Link |
| California Education Code 76002 | Education Code 76002 authorizes colleges to admit minors but also permits colleges to establish criteria for admission based on age, grade level, and eligibility. Note: This is a critical law for the issue of Dual Enrollment. | CA ED Code 76002 Link |
| California Penal Code 11165 | Penal Code 11165 includes information about child abuse reporting and states that faculty and any community college employee who has direct contact with enrolled minors are considered mandated reporters. | CA Penal Code 11165 Link |
| California Penal Code 11166 | Penal Code 11166 includes information about child abuse reporting and states that faculty and any community college employee who has direct contact with enrolled minors are considered mandated reporters. | CA Penal Code 11166 Link |
| Payment Card Industry Data Security Standard (PCI DSS) | PCI DSS is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. | PCI DSS Link |
| Red Flags Rule (RFR) | The Red Flags Rule (RFR) is a set of United States federal regulations that require certain businesses and organizations to develop and implement documented plans to protect consumers from identity theft. | RFR Link |

Federal

State

Grant/Project/Association

Training

  • NSF Human Subjects Training
