Section 3319.326 | Technology provider student data and educational records use.

A technology provider shall comply with Chapter 1347. of the Revised Code with regard to the collection, use, and protection of data as if it were a school district.

(A) Educational records created, received, maintained, or disseminated by a technology provider pursuant or incidental to a contract with a school district are solely the property of the school district.

(B) If educational records maintained by the technology provider are subject to a breach of the security of the data, as described in section 1347.12 of the Revised Code, the technology provider shall, following discovery of the breach, disclose to the school district all information necessary to fulfill the requirements of that section.

(C) Unless renewal of the contract is reasonably anticipated, within ninety days of the expiration of the contract, a technology provider shall destroy or return to the appropriate school district all educational records created, received, or maintained pursuant or incidental to the contract.

(D) A technology provider shall not sell, share, or disseminate educational records, except as provided by this section or as part of a valid delegation or assignment of its contract with a school district.

(E) A technology provider shall not use educational records for any commercial purpose, including, but not limited to, marketing or advertising to a student or parent. A commercial purpose does not include providing the specific services contracted for by a school district. Nothing in this division prohibits the technology provider from using aggregate information removed of any personally identifiable information for improving, maintaining, developing, supporting, or diagnosing the provider's site, service, or operation.

(F) A contract between a technology provider and a school district shall ensure appropriate security safeguards for educational records and include both of the following:

(1) A restriction on unauthorized access by the technology provider's employees or contractors;

(2) A requirement that the technology provider's employees or contractors may be authorized to access educational records only as necessary to fulfill the official duties of the employee or contractor.

(G) Not later than the first day of August of each school year, each school district shall provide parents and students direct and timely notice, by mail, electronic mail, or other direct form of communication, of any curriculum, testing, or assessment technology provider contract affecting a student's educational records. The notice shall do all of the following:

(1) Identify each curriculum, testing, or assessment technology provider with access to educational records;

(2) Identify the educational records affected by the curriculum, testing, or assessment technology provider contract;

(3) Include information about the contract inspection and provide contact information for a school department to which a parent or student may direct questions or concerns regarding any program or activity that allows a curriculum, testing, or assessment technology provider access to a student's educational records.

Each school district shall provide parents and students an opportunity to inspect a complete copy of any contract with a technology provider.