HF 2899 Summary

• Establishes comprehensive student data privacy protections for Minnesota educational institutions, defining personally identifiable student information to include names, addresses, photos, biometric records, Social Security numbers, and any data linkable to identify a specific student.

• Requires Student Information System (SIS) providers to implement security measures, establish data breach notification procedures (within 30 days of discovery), permanently delete student data within 90 days of contract termination, and prohibit selling, sharing, or analyzing student data except under limited circumstances.

• Mandates opt-in agreements (signed by parents/guardians or students based on age) that specifically identify what student data SIS providers can access, the named provider, educational purpose, and individual student; prohibits general authorization and requires providers to prove compliance.

• Requires deletion of all student data from SIS one year after student graduation, withdrawal, or expulsion (with exceptions for transcripts, ongoing disciplinary actions, de-identified research data, and legally required retention), and deletion of third-party copies within 180 days of notification.

• Provides civil remedies including actual damages, mental pain and suffering, and attorney fees for violations; makes evidence obtained in violation inadmissible in legal proceedings; applies effective January 1, 2017.