North Dakota’s State Board of Higher Education recently implemented the Student Data Privacy and Security Bill of Rights (the “Policy”). The Policy, which went into effect on May 29, 2020, was created by the North Dakota Student Association to facilitate students’ access to their Personally Identifiable Information (“PII”), and to regulate the North Dakota University System and its institutions’ collection and use of PII.

Key Provisions Under The Policy

The Policy outlines students’ right to know the types of PII collected by the North Dakota University System and its institutions (“NDUS”), including how the data is used and stored. Under the Policy, NDUS must, to the extent possible, make information available concerning the types of PII provided to NDUS vendors and contractors.

Use of PII

NDUS is prohibited from selling, releasing, or disclosing “non-directory” information for commercial or advertisement purposes. Directory information constitutes public record. While NDUS may use student PII for assessments and research related to accreditation, accountability, and policy implementation, NDUS may not subject students to punitive consequences as a result of the findings from such use.

Third-Party Providers and Vendors

NDUS must responsibly engage with third-party providers of educational services and vendors to ensure that student PII disclosed to these third parties are protected by the applicable industry standards. Generally, NDUS may not require students to disclose their PII to third-party service providers as a course requirement.

Record Review and Student Remedies

Students have the right to inspect, review, and challenge the accuracy and completeness of their academic record through a written request based on the NDUS institution’s request process. NDUS may limit the means of access to the educational record to ensure proper security of the record. These provisions are also afforded to students under the Federal Education Rights and Privacy Act (“FERPA”). NDUS is also required to comply with FERPA, which includes adhering to student requests to prevent disclosure of certain PII as “directory information”.

Students have the right to file complaints about violations under the Policy or other possible breaches of student data through an institutional grievance process.

Trends In State Student Privacy Laws

North Dakota follows the growing nation-wide trend towards stronger state privacy laws related to student information. Since 2013, 40 states and Washington D.C. have enacted legislation specific to student privacy issues. Most states, including New York and Vermont have regulated student privacy issues only for K-12. North Dakota joins the few states that regulate the use of student PII in higher education. As K-12 and higher education institutions continue to increase the use of educational technological services to facilitate classroom instruction, the need to strengthen student privacy laws, specifically as to higher education, will also continue to increase. In light of recent large-scale data breaches, educational institutions should continue to assess and enhance their data breach prevention and response procedures.