Minnesota's Student Data Privacy Act (MSDPA)

Minnesota's Student Data Privacy Act (MSDPA) (HF 2353) was passed by Governor Tim Walz on May 22nd, 2022. The law was designed to protect Minnesota students' privacy, and dictates how public schools and their technology providers manage educational data.

This article explains what the MSDPA is, who it applies to, what it requires, steps you can take to comply with the law, and the penalties for noncompliance.

What is Minnesota's Student Data Privacy Act (MSDPA)?

Minnesota's Student Data Privacy Act (MSDPA) is a privacy act that works to help protect the data privacy of Minnesota students who attend public educational institutions or agencies. It protects them against surveillance activities that may occur when using devices issued by the educational institution or agency.

Minnesota's Student Data Privacy Act (MSDPA) updates Minnesota Statutes 2020, section 13.32, which covers educational data.

Who Does Minnesota's Student Data Privacy Act (MSDPA) Apply to?

Minnesota's Student Data Privacy Act (MSDPA) applies to public educational agencies and technology providers that handle Minnesota students' educational data.

What is Educational Data Under Minnesota's Student Data Privacy Act (MSDPA)?

Educational data is defined by Minnesota's Student Data Privacy Act (MSDPA) as student data that is maintained by public schools or by individuals acting on behalf of public schools.

Educational data is a form of government data, which is any information that a government entity:

• Creates
• Collects
• Disseminates
• Maintains
• Receives

What Doesn't Count as Educational Data Under Minnesota's Student Data Privacy Act (MSDPA)?

The following types of information don't count as educational data under Minnesota's Student Data Privacy Act (MSDPA):

• Teacher's records that are in their sole possession, are only shared with substitute teachers, and are destroyed at the end of the school year
• School law enforcement's records that are maintained separately from educational data, are used for law enforcement purposes, and are only shared with other law enforcement authorities
• Employee records concerning students who are employed by a school and are only used for employment purposes

Here's how the text of Minnesota's Student Data Privacy Act (MSDPA) explains the types of information that don't count as educational data under the law:

What are Technology Providers Under Minnesota's Student Data Privacy Act (MSDPA)?

Minnesota's Student Data Privacy Act (MSDPA) defines a technology provider as anyone who contracts with a public school or education program to provide school-issued devices for students to use, and "creates, receives, or maintains" educational data.

School-issued devices can include hardware, such as laptops or tablets, as well as software, including educational apps and computer programs.

For example, a tech company that provides laptops for students in a Minnesota public school and maintains student names and email addresses as part of their contract would be considered a technology provider under Minnesota's Student Data Privacy Act (MSDPA).

The text of Minnesota's Student Data Privacy Act (MSDPA) defines technology providers as anyone who contracts with a public educational institution and creates, receives, or maintains educational data:

Who is Exempt From Minnesota's Student Data Privacy Act (MSDPA)?

Minnesota's Student Data Privacy Act (MSDPA) does not apply to the following entities:

• Postsecondary institutions (such as a universities or vocational schools)
• Technology providers contracted with postsecondary institutions
• Nonprofit national assessment providers (as long as the providers only use educational data for employment, education, and financial aid opportunities and get consent from the students or their parents)

Subdivision 15 of Minnesota's Student Data Privacy Act (MSDPA) explains that the law does not apply to certain entities, including postsecondary institutions and some nonprofit national assessment providers:

What Does Minnesota's Student Data Privacy Act (MSDPA) Require?

Minnesota's Student Data Privacy Act (MSDPA) has specific requirements for public educational agencies and technology providers.

Public educational institutions are required to:

• Inform students and their parents about certain contracts they have with technology providers
• Enable students and parents to review contracts with technology providers

Minnesota's Student Data Privacy Act (MSDPA) requires technology providers that contract with public schools to:

• Notify schools if educational data is affected by a data breach
• Destroy or return educational data once their contract is up
• Ensure that only authorized individuals can access educational data

Furthermore, technology providers are not allowed to sell, share, or disseminate educational data, or use educational data for marketing purposes.

Both public educational agencies and technology providers are prohibited from using school-issued devices to track students' locations, recordings, or communication activities.

How Do You Comply With Minnesota's Student Data Privacy Act (MSDPA)?

Let's take a deeper look at what public educational agencies and technology providers need to do to comply with Minnesota's Student Data Privacy Act (MSDPA).

Public schools must:

• Notify students and parents within 30 days of the beginning of the school year of any contracts they have with technology providers that concern curriculums, testing, or assessments.
• Give students and parents the opportunity to review any technology provider contracts.

Minnesota's Student Data Privacy Act (MSDPA) explains that public educational agencies must notify parents and students about contracts with technology providers and give them a chance to review technology provider contracts:

Technology providers must:

• Inform the public educational agency they are contracted with if any educational data is affected by a data breach.
• Destroy or return educational data to the contracted public school within 90 days of the expiration of their contract.
• Refrain from selling, sharing, or disseminating educational data unless taking these actions is part of their contract.
• Refrain from using educational data for marketing purposes, including for any advertising that targets students or their parents.
• Ensure that only authorized staff have access to educational data.
• Ensure that authorized staff only access educational data when necessary.

Minnesota's Student Data Privacy Act (MSDPA) explains the rules that technology providers must follow, including informing educational agencies of data breaches and destroying or returning educational data after their contracts end:

Public schools and technology providers both must refrain from using school-issued devices to track students' locations, audio or video recordings, or communications with other students.

However, there are certain circumstances in which public schools or technology providers can use school-issued devices for tracking or monitoring purposes, including when:

• The activity is used for instructional, tech support, or exam-taking purposes, and students are notified in advance of the tracking or monitoring
• A warrant has been issued
• The device is missing or stolen
• There is a threat to life or safety
• The activity is necessary to comply with a federal or state law or to take part in federal or state funding programs

If a public school or technology provider accesses or monitors a school-issued device for any of the above purposes, they must notify the student or parents within 72 hours of accessing the device, unless the notification itself could present a threat to life or safety.

Minnesota's Student Data Privacy Act (MSDPA) explains that government entities and technology providers must not access school-issued devices except under specific circumstances:

What are the Penalties for Noncompliance With Minnesota's Student Data Privacy Act (MSDPA)?

Anyone who intentionally violates Minnesota's Student Data Privacy Act (MSDPA) can be charged with a misdemeanor. Anyone found guilty of a misdemeanor in Minnesota faces up to 90 days in jail, a fine of up to $1,000, or both.

Section 13.09 of the Minnesota Statutes explains that anyone who intentionally breaks the rules outlined in Chapter 13 (including the MSDPA) is guilty of a misdemeanor, and that public employees who violate the law may be suspended without pay or dismissed from their positions:

According to Section 609.02 of the Minnesota Statutes, a misdemeanor in Minnesota is punishable by up to 90 days of imprisonment and/or a fine of up to $1,000:

Public employees who knowingly violate the MSDPA may also be suspended or dismissed from their positions. Public employees include anyone employed by a public employer (including individuals employed by a public school).

Summary

Minnesota's Student Data Privacy Act (MSDPA) is an amendment to the Minnesota Statutes that covers the use of educational data by public schools and technology providers.

The act applies to public educational agencies and institutions and any technology providers they contract with. It does not apply to postsecondary institutions, technology providers that contract with postsecondary institutions, and any nonprofit national assessment providers that meet the law's criteria.

Minnesota's Student Data Privacy Act (MSDPA) has specific requirements for public educational agencies and technology providers.

Public educational institutions must:

• Inform students and their parents about certain contracts they have with technology providers
• Give students and parents the chance to review technology provider contracts

Technology providers that contract with public educational agencies must:

• Notify schools of any data breaches affecting educational data
• Destroy or return educational data when their contract ends
• Ensure that only authorized individuals can access educational data
• Limit access to educational data by authorized individuals to that which is strictly necessary to fulfill their purposes
• Refrain from selling, sharing, or disseminating educational data
• Not use educational data for commercial purposes

Public educational agencies and technology providers cannot use school-issued devices to track students' locations, recordings, or communication activities.

To comply with Minnesota's Student Data Privacy Act (MSDPA), public schools must:

• Notify students and parents within 30 days of the start of the school year of any technology provider contracts concerning curriculums, testing, or assessments
• Provide students and parents with the opportunity to review technology provider contracts

Technology providers must:

• Inform the public school they are contracted with if a data breach affects educational data
• Destroy or return educational data to the contracted public school within 90 days of the expiration of their contract
• Refrain from selling, sharing, or disseminating educational data
• Refrain from using educational data for commercial purposes
• Ensure that only authorized staff have access to educational data
• Ensure that authorized staff only access educational data when necessary

Anyone found to have intentionally violated the MSDPA may be charged with a misdemeanor. Individuals found guilty of a misdemeanor in Minnesota face up to 90 days in jail, a fine of up to $1,000, or both. Public employees can also face suspension or dismissal.