How Ohio Senate Bill 29 impacts student privacy data in K-12 schools

Learn how Ohio Senate Bill 29 protects student data privacy in K-12 schools with new rules on transparency, parental rights and secure data practices.
Summary:

Ohio Senate Bill 29 is a recent law that strengthens student data privacy in K-12 schools. Known as the Protecting Ohio’s Children’s Information Act, this legislation focuses on increasing transparency, limiting third-party misuse of student data and empowering parents with greater control over their child’s information. Schools are now required to notify parents about data-sharing practices, ensure edtech providers comply with strict privacy standards, and implement strong security measures. While meeting these new legal requirements, Ohio schools are creating a safer and more accountable digital learning environment.

As technology becomes a bigger part of learning, protecting student information is increasingly important. From online exams to digital tools in the classroom, K-12 schools collect a lot of data, and that’s raised real concerns about privacy and security. 

In Ohio, lawmakers responded with Ohio Senate Bill 29, a new law designed to give parents more transparency and schools increased accountability when it comes to student data.

Understanding what Ohio Senate Bill 29 means is key for educators, parents and administrators. This blog will break down the bill, discussing how it impacts schools, especially those that contract with edtech providers.

Finally, we’ll outline steps schools can take to help protect student privacy moving forward. 

What schools need to know about Senate Bill 29 

What is Senate Bill 29 Ohio?

In brief, Senate Bill 29, also known as the Protecting Ohio’s Children’s Information Act, is legislation designed to protect data privacy for students in Ohio’s K-12 schools. It addresses reasonable concerns about the management of student records as well as who can access information about students. Ohio joins 40 other states that have passed laws to protect data privacy for children residing within their states.

Since the law came into effect in the fall of 2024, schools are legally required to take specific precautions when collecting, storing and sharing student data. This Ohio Senate Bill 29 summary outlines three main goals of the law.

Three key goals of Ohio Senate Bill 29

  1. Greater transparency in data collection
  2. Limitations on third-party use of student data
  3. Parental rights regarding student information

How Senate Bill 29 provides increased transparency in data collection

One basic goal of Ohio Senate Bill 29 is to ensure greater transparency with the data that is collected about students. It provides new consent requirements for sensitive information and additional reporting obligations for schools.

How Senate Bill 29 limits third-party use of student data

Under the statutes of the bill, third parties such as technology partners must comply with new limits on how they can use the student information they can access. Most importantly, no data can be used for non-educational purposes. The law also outlines specific requirements for data deletion. 

How Senate Bill 29 gives parents more rights with their student’s information

To safeguard students and their families, the bill calls for increased transparency between school and home about how student data is handled. Under the new law, parents have the right to be fully aware of the data handling practices at their children’s school and those of the companies the school contracts with. They also have the right to review a complete copy of contracts with technology providers that may affect their student’s data. 

Key provisions of Ohio Senate Bill 29 impacting schools

The changes Ohio Senate Bill 29 requires of school districts have raised some questions about balancing compliance with other obligations. Schools with 1:1 student/device instruction models often use edtech solutions in their classrooms to maintain student safety as required by other legislation, such as the Children’s Internet Protection Act (CIPA) that provides internet discounts through the E-rate program.

Ohio school districts must guarantee that their technology and that of their providers is in compliance. This includes information that is generated during day-to-day school activity like grades, test scores and other information necessary for managing instruction. Other data stored by schools includes private personal information such as addresses, birthdates and Social Security numbers.

Notification policies for data collection

Schools and districts are now required to notify parents and students of third-party technology providers each school year when these contracts affect student records. This annual notification must take place prior to August 1 and disclose the level of data access the provider has as well as which records are affected. For example, records may include a student’s curriculum, testing or assessment information. 

The school or district’s annual notice to parents and students must also include contact information for the department at the school where they can go to voice their concerns and ask questions about data privacy. If the district must access a child’s device due to a warrant or threat, a specific 72-hour notice is required.

Restrictions on selling or monetizing student data

Schools are expected to ensure compliance with not only their own data collection and handling practices but also those of their technology providers. As a result, each vendor must sign a data privacy agreement guaranteeing that they are using data solely for educational purposes. This means providers are prohibited from selling, sharing, or disseminating the data they have access to for commercial purposes, including any type of advertising or marketing to students. 

The law states that student data belongs to the school or district, not the technology provider. Contracts between districts and technology providers must reflect this understanding and include specific terms stating that education records are the sole property of the school district.  

New security and storage protocols

The law puts security protocols in place to prevent undisclosed surveillance of student activity on devices. There are strict limitations on when the online activities of students can be monitored or accessed by schools. The law prohibits accessing the online activities of students outside class time and any general electronic monitoring of those devices. Neither schools nor technology providers are allowed to track device location or access visual recording capabilities unless authorized by the law, as in the case of a warrant, subpoena, or missing or stolen device.

Hāpara provides schools with the flexibility to customize their setup to meet the requirements of local laws and regulations. In the case of Ohio, schools would be able to configure their Hāpara tools to only monitor while students are on campus during instructional time for education purposes. Additionally, technical administrators can configure access so that teachers can only monitor their own students, not the entire school population. 

Monitoring the web activity or keystrokes on any school-issued device is prohibited unless it falls under an exception. An important exception to this provision for schools is that monitoring is permitted for non-commercial education purposes such as classroom instruction and exam proctoring. Technical support for school devices also falls under the umbrella of education purposes.

In terms of the storage of data, the law requires contracts to include appropriate security safeguards. One such requirement is for providers to delete and/or destroy student records within 90 days of a contract’s end. This is a best practice for data privacy and is a part of Hāpara’s standard process. 

How Ohio Senate Bill 29 changes student data collection and security

The bill reshapes data handling practices in schools in several ways. First, it limits the types of data collected by schools and third-party providers. There are new consent requirements for sensitive information. Schools must now prioritize student data privacy solution options to ensure compliance. Any provider must have measures in place to restrict unauthorized access to educational records by their employees or contractors.

New obligations for vendors and edtech providers

An important provision of Senate Bill 29 for schools is the stronger requirement that edtech providers be in alignment with Ohio data privacy laws, especially those having to do with student data. Financial penalties are in place for vendors that willfully violate student confidentiality by using student information in a manner that is not professional.

To secure student data, breach notification is another requirement schools must communicate to their technology providers. In the case of an incident where student data has been compromised, the district must be alerted immediately.

Clarity around data sharing

To clarify aspects of the law and to reduce some of the administrative burden on schools, the law was amended in December. The term “education support service data” was more clearly defined, which clarified that student data isn’t a public record. This means that unless it is legally required, schools cannot release or access it. There is no need for school districts to take immediate action. However, they should be aware of this rule in case there are future requests for records that fall under the definition of education support service data. Unless the request is valid under an exemption or different statute, schools will know to deny it.

Challenges and opportunities for educators and administrators

The most obvious challenge for schools and districts is the administrative juggling act of compliance. In response, several Ohio-based legal firms have published blogs on the topic. Some schools may elect to reach out for legal counsel. To reduce the amount of administrative burden school districts had reported since the bill went into effect, significant amendments were made in House Bill 432 that clarify the scope of the law and redefine certain terms. 

Another challenge for schools will be determining when parent or guardian notification is required. The amended bill indicates that it is not necessary to notify parents about daily access to a school-issued device when purposes are non-commercial and educational. 

Potential for collaboration with tech designers

Opportunities for administrators may emerge over time. One area would be the potential for collaboration between school systems and the companies designing technology solutions to ensure data privacy for students. Going forward, special considerations and careful planning will be required of engineers to comply with this law. Companies like Hāpara that use real feedback from their customers can work together to develop better systems that both protect and serve the purposes of education.

Discussion around the new bill can also create an opportunity for greater collaboration directed toward online safety for students throughout the school community. Open communication that covers pitfalls as well as the positives can support the goals of the law. It can also help prevent problems with data safety and promote quick action to mitigate harm if a breach were to occur.

Promoting the tenets of ethical monitoring

The conversation around this bill presents an opportunity to educate the school community on how monitoring in a non-invasive way, or ethical monitoring, supports better learning. Ethical browser monitoring in the classroom is based on direct and transparent communication. For teachers, it means being open with learners that their screens and where they are navigating during instructional time are visible. Just as importantly, teachers can model what responsible browsing behavior looks like while they use the visibility to guide practice and facilitate communication.

How classroom management tools can support student data privacy compliance

Schools can continue to use software that supports student safety at the network and device levels under the new law, as long as all the legal stipulations are followed. Technology tools are beneficial to a productive and respectful digital environment when used in ways that foster student development and academic achievement. Their centralized controls make it much simpler for districts to manage student data privacy.

Practicing effective classroom management with help from Hāpara

Hāpara’s classroom management suite is a strong student data privacy solution that helps educators personalize learning while keeping students safe and engaged online. Hāpara designed their classroom management solution to support ethical monitoring that helps learners reach their academic goals while they develop digital citizenship. 

Once a school district notifies parents or guardians prior to the beginning of the school year that they are using Hāpara as their classroom management tool, they have met the notification requirement of Ohio Senate Bill 29.

Hāpara empowers teachers to effectively manage learning for their digital classroom in several ways. For example, teachers can use Hāpara to guide learners’ internet browsing and open useful websites onto their devices. This not only promotes responsible digital citizenship but supports the development of executive functioning skills.

Teachers also have the ability to check in on the progress learners are making on their Google Drive files. For all learners, and particularly those struggling with self-confidence, teachers can try giving three positive comments for every constructive one. Teachers using Hāpara can do this with just a couple of clicks.

By offering visibility into student activity to keep learners safe and engaged in learning without intrusive data collection, Hāpara Highlights helps schools provide secure monitoring aligned with Ohio Senate Bill 29 requirements. 

Frequently Asked Questions (FAQ)

  1. What is Ohio Senate Bill 29?
    Ohio Senate Bill 29, also called the Protecting Ohio’s Children’s Information Act, is a law designed to safeguard student data privacy in K-12 schools. Its goal is to increase transparency, limit third-party data use and give parents more control over their child’s information.
  2. What does Ohio Senate Bill 29 mean for student data privacy?
    The bill ensures that schools and their technology providers handle student data responsibly, with strict rules on data collection, storage and sharing. It prohibits the use of student data for non-educational purposes and requires parental notification about data practices.
  3. How does Ohio Senate Bill 29 impact schools?
    Schools must notify parents about third-party technology providers, secure student data and ensure edtech vendors follow strict privacy agreements. 
  4. What are the main provisions of Ohio Senate Bill 29?
    The law focuses on greater transparency in data collection, restrictions on third-party use of student data and enhanced parental rights to review and control their child’s information.
  5. What is a student data privacy solution under Ohio Senate Bill 29?
    A student data privacy solution refers to tools or practices that help schools comply with the law, such as secure data storage, ethical monitoring software and agreements with edtech providers to ensure data is used solely for educational purposes.

Discover a better way to manage the digital classroom

We’ve created an essential guide for school leaders to help manage digital learning environments.