365.734 Prohibited uses of personally identifiable student information by cloud computing service provider -- Administrative regulations.

KY Rev Stat § 365.734 (2019) (N/A)
Copy with citation
Copy as parenthetical citation

365.734 Prohibited uses of personally identifiable student information by cloud computing service provider -- Administrative regulations. (1) As used in this section: (a) (b) (c) (d) (e) (f) "Cloud computing service" means a service that provides, and that is marketed and designed to provide, an educational institution with account-based access to online computing resources; "Cloud computing service provider" means any person other than an educational institution that operates a cloud computing service; "Educational institution" means any public, private, or school administrative unit serving students in kindergarten to grade twelve (12); "Person" means an individual, partnership, corporation, association, company, or any other legal entity; "Process" means to use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate, or dispose of student data; and "Student data" means any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student's use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student's name, e-mail address, e-mail messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student. (2) A cloud computing service provider shall not process student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student's parent. However, a cloud computing service provider may assist an educational institution to conduct educational research as permitted by the Family Educational Rights and Privacy Act of 1974, as amended, 20 U.S.C. sec. 1232g. A cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose. (3) A cloud computing service provider that enters into an agreement to provide cloud computing services to an educational institution shall certify in writing to the educational institution that it will comply with subsection (2) of this section. (4) The Kentucky Board of Education may promulgate administrative regulations in accordance with KRS Chapter 13A as necessary to carry out the requirements of this section. Effective: July 15, 2014 History: Created 2014 Ky. Acts ch. 84, sec. 2, effective July 15, 2014.