AB 2627, as amended
| Author: |
Rebecca Bauer-Kahan (D-016) |
| Coauthor |
Wilson (D) |
| Title: |
Electronically Collected Personal Information |
| Fiscal Committee: |
yes |
|
| Urgency Clause: |
no |
|
| Introduced: |
02/18/2022 |
| Last Amend: |
06/23/2022 |
| Disposition: |
Pending |
| Committee: |
Senate Appropriations Committee |
| Hearing: |
08/01/2022 10:00 am, 1021 O Street, Room 2200 |
| Summary: |
Authorizes a local agency, at the request of the governing board of a California Community College district, to enter into a memorandum of understanding that would allow the agency and the district to share electronically collected personal information about users, unless the user has not provided informed written consent for that disclosure, for purposes of facilitating outreach to, and enrollment of, individuals in the California Community Colleges system. |
| Status: |
| 06/23/2022 |
In SENATE. Read second time and amended. Re-referred to Committee on APPROPRIATIONS. |
|
AB 2627 authorizes community college districts to partner with state and local agencies in order to share data that would enable those community college district to provide outreach of educational services to vulnerable populations within its service area.
Staff concerns about the bill include liability for mistakenly disclosing confidential personal information. If the County were to mistakenly disclose confidential personal information without first notifying individuals that it might be shared with community college districts, it could be liable to the individuals whose data was disclosed. Additionally, much of the information for the populations of interest under the legislation, e.g., foster youth and incarcerated persons, is statutorily protected from disclosure. (See, e.g., Welf. & Inst. Code, §§ 827, 10850.) If this information were mistakenly released, the County also might be liable under these statutes. However, these concerns would only arise if the County decided to enter into a data sharing agreement.
2021 CA A 2627: Bill Analysis - 06/17/2022 - Senate Judiciary Committee, Hearing Date 06/21/2022
SENATE JUDICIARY COMMITTEE
Senator Thomas Umberg, Chair
2021-2022 Regular Session
Bill No: AB 2627 (Bauer-Kahan)
Version: April 28, 2022
Hearing Date: June 21, 2022
Fiscal: Yes
Urgency: No
Consultant: CK
SUBJECT
Electronically collected personal information: local agencies: the
California Community Colleges: memorandum of understanding
DIGEST
This bill authorizes local agencies and California Community College districts to enter into data sharing agreements to facilitate outreach and enrollment.
EXECUTIVE SUMMARY
The primary mission of the California Community Colleges (CCC) is to offer academic and vocational instruction at the lower division level for both younger and older students, including those persons returning to school. The CCC system is intended to advance California's economic growth and global competitiveness through education, training, and services that contribute to continuous work force improvement. The CCCs are required to provide remedial instruction for those in need of it, instruction in English as a second language, adult noncredit instruction, and support services which help students succeed at the postsecondary level.
The bill is motivated by declining enrollment at CCCs and a struggle to connect the crucial services they provide with populations outside of the K-12 school system, including formerly incarcerated residents, former foster youth, unemployed or underemployed Californians. This bill seeks to facilitate the outreach to these communities by authorizing local agencies coming into contact with them to enter into memorandums of understanding (MOU) with CCC districts to share contact information of local residents, with their consent. CCC districts are able to use this information to facilitate outreach and enrollment efforts.
This bill is sponsored by the Contra Costa Community College District. It is supported by several other CCC districts. There is no known opposition. This bill passed out of the Senate Education Committee on a 5 to 0 vote.
PROPOSED CHANGES TO THE LAW
Existing law:
1) Provides, pursuant to the California Constitution, that all people have inalienable rights, including the right to pursue and obtain privacy. (Cal. Const., art. I, Section 1.)
2) Establishes, at the federal level, the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. (20 U.S.C. Section 1232g; 34 C.F.R. Part 99.)
3) Establishes the Information Practices Act of 1977 (IPA), which declares that the right to privacy is a personal and fundamental right and that all individuals have a right of privacy in information pertaining to them. It regulates the handling of personal information in the hands of state agencies. The IPA states the following legislative findings:
a) the right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies;
b) the increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information; and
c) in order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits. (Civ. Code Section 1798 et seq.)
4) Provides that, on or after July 1, 2001, unless otherwise authorized by the Department of Information Technology, every state agency that utilizes any method, device, identifier, or other database application on the internet to electronically collect personal information, as defined, regarding any user shall prominently display specified notices in an initial point of communication with a potential user and in instances when the specified information would be collected, including notice of:
a) the usage or existence of the information gathering method, device, identifier, or other database application;
b) the type of personal information collected and the purpose for which it will be used;
c) the length of time that the information gathering device, identifier, or other database application will exist in the user's hard drive, if applicable;
d) the option of having the user's personal information discarded without reuse or distribution, as specified;
e) the fact that any information acquired is subject to the limitations set forth in the Information Practices Act of 1977;
f) the fact that state agencies must not distribute or sell the electronically collected information about users to any third party without permission;
g) exemption from the California Public Records Act; and
h) the contact information of the agency official who is responsible for records requests. (Gov. Code Section 11015.5.)
5) Defines "user" for the above to mean an individual who communicates with a state agency or with an agency employee or official electronically. (Gov. Code Section 11015.5.)
6) Provides that nothing precludes a community college from providing, in its discretion, statistical data from which no student may be identified to any public agency or entity or private nonprofit college, university, or educational research and development organization when such actions would be in the best educational interests of students. (Educ. Code Section 76241.)
7) Prohibits a state agency from disclosing any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed as specifically provided, including when disclosed to the individual to whom the information pertains or with the person's prior written voluntary consent, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent. (Civ. Code Section 1798.24.)
8) Defines "local agency," for purposes of the California Public Records Act (CPRA) to include a county; city, whether general law or chartered; city and county; school district; municipal corporation; district; political subdivision; or any board, commission, or agency thereof; other local public agency; or entities that are legislative bodies of a local agency, as provided. (Gov. Code Section 6252(a).)
This bill:
1) Authorizes a local agency, as defined in Section 6252, at the request of a CCC district, to enter into a memorandum of understanding that would allow the agency and the district to share electronically collected personal information about users, subject to compliance with subdivision (a) of Section 11015.5.
2) Requires users to first grant permission for the above disclosure.
3) Requires the shared electronically collected personal information to only be used for facilitating outreach to, and enrollment of, individuals in the CCC system and notifying the user of all available support resources. A CCC district is prohibited from using the information for purposes of prepopulating admission applications or enrollment documents.
4) Prohibits the CCC District from providing student personal information or student level data to the local agency unless it is for the purposes described in Section 76241 of the Education Code.
5) Requires a CCC district that enters into an MOU to do all of the following:
a) comply with the United States Constitution and applicable federal laws, including FERPA and its implementing regulations (34 C.F.R. 99);
b) comply with the California Constitution, and applicable state laws and regulations, including, but not limited to, Section 1798.24 of the Civil Code;
c) ensure that material used by the CCC district for outreach, enrollment, and notification of resources protects the user's identity so that the user's membership in the targeted population is not revealed; and
d) limit the MOU to personal identifying user data received from the local agency to the service area of the community college district. A CCC district that receives data from the service area of another CCC district is required to delete the data without using it.
6) Requires a CCC district, upon first contact with the user, to notify the individual of any educational services available to them and include an opportunity to opt out of future contact. In any and all subsequent contact, the CCC district shall notify the user of the opportunity to opt out of future contact. The CCC district must discard without reuse or distribution any electronically collected information upon the request of the user or when the user has enrolled at the California Community College district.
7) Defines "electronically collected personal information" as a user's name, home address, home telephone number, cellular phone number, electronic mail address, and education.
8) Defines "user" to mean an individual who communicates with a state agency or with an agency employee or official electronically.
COMMENTS
1. Privacy in California
Article I, Section 1 of the California Constitution provides: "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." Privacy is therefore not just a policy goal; it is a constitutional right of every Californian. However, it has been under increasing assault.
The phrase "and privacy" was added to the California Constitution as a result of Proposition 11 in 1972; it was known as the "Privacy Initiative." The arguments in favor of the amendment were written by Assemblymember Kenneth Cory and Senator George Moscone. The ballot pamphlet stated, in relevant part:
At present there are no effective restraints on the information activities of government and business. This amendment creates a legal and enforceable right of privacy for every Californian. The right of privacy . . . prevents government and business interests from collecting and stockpiling unnecessary information about us and from misusing information gathered for one purpose in order to serve other purposes or to embarrass us. . . . The proliferation of government and business records over which we have no control limits our ability to control our personal lives. . . . Even more dangerous is the loss of control over the accuracy of government and business records on individuals. . . . Even if the existence of this information is known, few government agencies or private businesses permit individuals to review their files and correct errors. . . . Each time we apply for a credit card or a life insurance policy, file a tax return, interview for a job[,] or get a drivers' license, a dossier is opened and an informational profile is sketched.[1]
The Information Practices Act reaffirms that the right of privacy is a "personal and fundamental right" and that "all individuals have a right of privacy in information pertaining to them." (Civ. Code Section 1798.1.) It further stated the following findings:
* "The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies."
* "The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information."
* "In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits."
In light of these findings, the law emphasizes that public agencies should collect personal information "to the greatest extent practicable directly from the individual who is the subject of the information rather than from another source. (Civ. Code Section 1798.15.) To protect against unauthorized disclosures or improper use, agencies are required to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure the security and confidentiality of records, and to protect against threats or hazards to their security or integrity. (Civ. Code Section 1798.21.) To minimize the data susceptible to these threats and hazards, agencies are also required to maintain "only personal information which is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government." (Civ. Code Section 1798.14.)
2. Connecting communities to the benefits of community colleges
According to the author:
Everyone deserves to have the option and access to an education. Community colleges are having a hard time reaching out to vulnerable populations like veterans, adults, and incarcerated individuals who could potentially have a second chance at a higher education, but are not aware of the services and programs available to them. AB 2627 will eliminate this obstacle and give community colleges the access they need to reach out to such populations.
The bill accomplishes this by authorizing local agencies to enter into MOUs with CCC districts to facilitate the sharing of certain personal information of users. The goal is to provide local community colleges with the contact information of residents within their jurisdiction that can benefit from the schools' services.
Whenever state laws involve the collection or disclosure of individuals' personal information, there are baseline protections that should be implemented. These include notice to and consent of the relevant individual, data minimization, some level of control for the individual, reasonable security measures, use limitations, and restrictions on further disclosure.
This bill includes many of these protections. First, it does not allow for any sharing unless the user has "granted permission for that disclosure." This provision seeks to provide users control over their information, and only authorizes sharing of that information when they are comfortable with it. To ensure users are clearly providing consent for the sharing, the author has agreed to an amendment that requires "informed written consent" before the sharing can take place. Bolstering this element of notice and user control, the bill also specifically provides that the relevant CCC district must notify the individual, both upon first contact and in all subsequent contacts, of the individual's right to opt out of future contact. The CCC district is also required to "discard without reuse or distribution" an individual's information upon request by the user.
The bill also places limitations on what can be done with the information shared. The bill provides that it can "only be used for facilitating outreach to, and enrollment of, individuals in the California Community Colleges system and notifying the user of all available support resources." CCC districts are prohibited from using the information to prepopulate forms. The bill also makes clear that no personal information from students shall be provided by the CCC district to the local agency, except for already authorized sharing of non-identifiable statistical data. To ensure that any information shared by a local agency with the CCC districts is not further disclosed, the author has agreed to an amendment that specifically prohibits any disclosure of that information.
In order to protect this information, the bill clarifies that the CCC district must comply with the state and federal constitutions and all applicable laws, specifically identifying FERPA and provisions of the Information Practices Act.
The bill also incorporates data minimization principles by limiting the personal information shared to a user's name, home address, home telephone number, cellular phone number, electronic mail address, and education. Furthermore, the bill requires CCC districts to limit the MOUs to personal information from users within the service area of the district. A CCC district is required to delete any data on users from outside their service area without using it.
The bill defines "user" as an individual who communicates with a state agency or with an agency employee or official electronically. Given the information is being provided by local agencies, the author has agreed to amend this definition to include local agencies.
3. Stakeholder positions
Writing in support, a coalition of CCC districts explain the need for the bill:
Community colleges offer a myriad of education and job training opportunities that have proven to lift Californians out of poverty and into the workforce. Additionally, these colleges have programs that waive fees while providing wrap around services that help students succeed. However, under current law, community colleges are limited in how they can access contact information to let potential students know of the opportunities that each college can provide.
Under current law, community colleges have access to K-12 school student information. This enables colleges to reach out to high school students and let them know of dual enrollment opportunities, as well as courses and programs that each student can access once they are out of high school. However, there is little ability for community colleges to reach out to potential students once he or she has left high school. Students that are seeking retraining or to enter higher education as an older adult may not know about the vast programs that are offered at the community colleges. Additionally, they may not know that most of these courses could be fee free.
SUPPORT
Contra Costa Community College District (sponsor)
Antelope Valley Community College District
San Diego Community College District
Yuba Community College District
OPPOSITION
None known
RELATED LEGISLATION
Pending Legislation:
AB 1633 (Seyarto, 2022) requires the California State University, and requests the University of California, to electronically transmit specified personal information regarding students, with their consent, whose tuition or fees, or both, are paid, or intended to be paid, using GI Bill educational benefits, as defined, to the Department of Veterans Affairs for each academic year, starting with the 2023-24 academic year, as provided. This bill is currently in the Senate Military and Veterans Affairs Committee.
SB 222 (Dodd, 2021) requires the development of a data-sharing mechanism to facilitate data sharing between the Department of Community Services and Development and electrical and gas corporations. It also authorizes the Department of Community Services and Development to enter into agreements with local publicly owned utilities for the purpose of regularly sharing data. The ultimate purpose is to connect eligible customers with affordability programs. This bill is currently on the Assembly Floor.
Prior Legislation: AB 132 (Committee on Budget, Ch. 144, Stats. 2021) clarified the money allocated for the retention and enrollment of community college students should be primarily used to engage former community college students, who had withdrawn from the college due to the impacts of COVID - 19.
PRIOR VOTES:
Senate Education Committee (Ayes 5, Noes 0)
Assembly Floor (Ayes 64, Noes 6)
Assembly Appropriations Committee (Ayes 13, Noes 2)
Assembly Higher Education Committee (Ayes 11, Noes 0)
Assembly Privacy and Consumer Protection Committee (Ayes 10, Noes 0)
**************
[1] Hill v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1, 17, quoting the official ballot pamphlet for the Privacy Initiative.
|