Connecticut Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Connecticut addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

As an entity that provides online services, Microsoft is an “operator” under Connecticut law.

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators (who may also be contractors) by Connecticut’s statutory framework. The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services.

The reference chart below briefly identifies those provisions of Connecticut law that are applicable to Microsoft, and the relevant provision(s) from Microsoft’s DPA that addresses Microsoft’s compliance with that requirement.

Connecticut Law Provision | Compliant Microsoft Provision(s)

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234bb(c) – Operator’s duty to implement and maintain reasonable security procedures and practices
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies
See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234bb(d)(1)–(2) – Targeted advertising or any other purpose not authorized pursuant to the contract
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234cc(a)(1) – Operator’s duty to implement and maintain reasonable security procedures and practices
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies
See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234cc(a)(2) – Deletion of student information, student records, or student-generated content within a reasonable time
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234cc(b)(1) – Prohibition against targeted advertising
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234cc(b)(2) – Collecting, storing, and using student information, student records, student-generated content or persistent unique identifiers for purposes other than the furtherance of school purposes
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234cc(b)(3) – Selling, renting, or trading student information, student records, or student-generated content
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234cc(b)(4) – No disclosure of covered information unless based on defined exceptions
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data
See also Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234dd(a)(1); (3)(b) – Contractors must notify the educational entity, and operators must notify students and their parents, of any unauthorized disclosures of student information (excluding directory information) within 30 days after the discovery. During such 30-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor’s data system.
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification
See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures -> Information Security Incident Management

Connecticut Law Provision: Conn. Gen. Stat. Ann. § 10-234dd(a)(2); (3)(b) – Contractors must notify the educational entity, and operators must notify students and their parents, of any unauthorized disclosures of directory information, student records, or student-generated content within 60 days after the discovery. During such 60-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor’s data system.
Compliant Microsoft Provision(s): Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification
See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures -> Information Security Incident Management

In addition to the provisions above, any time a local or regional board of education shares or provides access to student information, student records, or student-generated content with a contractor, each contract shall include, but need not be limited to, the following:

(1) A statement that student information, student records and student-generated content are not the property of or under the control of a contractor;

(2) A description of the means by which the local or regional board of education may request the deletion of any student information, student records or student-generated content in the possession of the contractor that is not (A) otherwise prohibited from deletion or required to be retained under state or federal law, or (B) stored as a copy as part of a disaster recovery storage system and that is (i) inaccessible to the public, and (ii) unable to be used in the normal course of business by the contractor, provided such local or regional board of education may request the deletion of any such student information, student records or student-generated content if such copy has been used by the operator to repopulate accessible data following a disaster recovery;

(3) A statement that the contractor shall not use student information, student records and student-generated content for any purposes other than those authorized pursuant to the contract;

(4) A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in student information, student records or student-generated content and correct erroneous information, if any, in such student record;

(5) A statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, student records and student-generated content;

(6) A description of the procedures that a contractor will follow to notify the local or regional board of education, in accordance with the provisions of section 10-234dd, when there has been an unauthorized release, disclosure or acquisition of student information, student records or student-generated content;

(7) A statement that student information, student records or student-generated content shall not be retained or available to the contractor upon expiration of the contract between the contractor and a local or regional board of education, except a student, parent or legal guardian of a student may choose to independently establish or maintain an electronic account with the contractor after the expiration of such contract for the purpose of storing student-generated content;

(8) A statement that the contractor and the local or regional board of education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time;

(9) A statement that the laws of the state of Connecticut shall govern the rights and duties of the contractor and the local or regional board of education; and

(10) A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract which can be given effect without the invalid provision or application.

Conn. Gen. Stat. Ann. § 10-234bb(a).

Conn. Gen. Stat. Ann. § 10-234ff requires the Commission for Educational Technology to develop a uniform student data privacy terms-of-service agreement addendum that may be used in contracts entered into pursuant to section 10-234bb. The provisions of such addendum shall conform to the requirements for a contract described in said section. The commission shall make such addendum available on its Internet web site, or in any online registry maintained by the commission for contractors and operators, as those terms are defined in section 10-234aa, and local and regional boards of education.