OHIO LEGISLATIVE SERVICE COMMISSION
Office of Research Legislative Budget
www.lsc.ohio.gov and Drafting Office
S.B. 29 Final Analysis
135th General Assembly
Click here for S.B. 29’s Fiscal Note
Primary Sponsor: Sen. S. Huffman
Effective date: October 24, 2024
Effective date:
Rachel Larsen, Research Analyst UPDATED VERSION*
SUMMARY
Use of educational records by technology providers
▪ Specifies that educational records created, received, maintained, or disseminated by a
technology provider that has contracted with a school district are solely the district’s
property.
▪ Generally prohibits a technology provider from selling, sharing, or disseminating
educational records or using those records for a commercial purpose.
▪ Requires each contract between a technology provider and a school district to ensure
appropriate security safeguards for educational records.
▪ Requires each school district to provide parents and students with notice of any
curriculum, testing, or assessment technology provider contract affecting a student’s
educational records.
▪ Permits a school district or a technology provider to electronically access or monitor a
student’s activity on a school-issued device only in specific limited circumstances and
requires the school district to notify parents of any permitted access.
Educational support services data
▪ Prohibits any person from releasing or permitting access to educational support services
data concerning any student attending a public school for any reason.
▪ Requires that educational support services data be made available to the state
Opportunities for Ohioans with Disabilities agency.
* This version updates the effective date.
August 5, 2024
Office of Research and Drafting LSC Legislative Budget Office
▪ Exempts educational support services data from Ohio’s Public Records laws.
Licensure penalties for release of confidential information
▪ Permits the State Board of Education to refuse to issue a license to, or limit, suspend, or
revoke the license of, an individual who uses or releases student information that is
confidential under state or federal law for purposes other than student instruction.
DETAILED ANALYSIS
Use of educational records by technology providers
The act governs the collection, use, and protection of educational records by technology
providers.
For purposes of the act, a “technology provider” is a person who contracts with a school
district to provide a school-issued device for student use and creates, receives, or maintains
educational records pursuant to or incidental to its contract with the district. Further,
“educational records” mean records, files, documents, and other materials that contain
information directly related to a student and are maintained by a school district or by a person
acting for the school district. Under continuing state and federal law, educational records are
confidential and cannot be released without parental permission. The act provides that the
following types of documents are not subject to confidentiality:
1. Records of educational personnel that are in the sole possession of the maker and are not
revealed to anyone but a substitute teacher;
2. Employee personnel records; and
3. Records of an adult student, which are made or maintained by a recognized professional
or paraprofessional acting in a professional capacity and that are used only in connection
with treatment and not available to any other persons except by a physician or other
appropriate professional of the student’s choice.
These exceptions are in compliance with federal law.1
A “school-issued device” means hardware, software, devices, and accounts that a school
district, acting independently or with a technology provider, provides to an individual student for
that student’s dedicated personal use.2
Maintenance of educational records
The act specifies that educational records created, received, maintained, or disseminated
by a technology provider are solely property of the school district. If records maintained by the
technology provider are subject to a security breach, the provider must disclose to the school
district all information necessary to comply with Ohio law on agency disclosures of security
1 See R.C. 3319.321 and 20 United States Code 1232g(A)(4)(B), not in the act.
2 R.C. 3319.325.
P a g e |2 S.B. 29
Final Analysis
Office of Research and Drafting LSC Legislative Budget Office
breaches. Relatedly, the act subjects technology providers to the state law regarding security
breaches of computerized personal information data.
Within 90 days after a contract expires, unless renewal is reasonably anticipated, the act
requires a technology provider to destroy or return to the appropriate school district all
educational records created, received, or maintained pursuant to or incidental to the contract.
The act prohibits a technology provider from selling, sharing, or disseminating educational
records, except as permitted by the act or as part of a valid delegation or assignment of the
contract with a school district. It also prohibits a technology provider from using educational
records for any commercial purpose, including marketing or advertising to a student or parent.
However, the provider may use aggregate information removed of any personally identifiable
information for improving, maintaining, developing, supporting, or diagnosing the provider’s site,
service, or operation.3
Security safeguards
The act requires that each contract between a technology provider and a school district
ensure appropriate security safeguards for educational records. The safeguards must include a
restriction on unauthorized access by the technology provider’s employees or contractors and a
requirement that the technology provider’s employees may access educational records only as
necessary to perform official duties.4
Parental notice and inspection
By August 1 of each school year, each school district must provide parents and students
with direct and timely notice by mail, email, or other direct communication, of any curriculum,
testing, or assessment technology provider contract affecting a student’s educational records.
The notice must:
1. Identify each technology provider with access to educational records;
2. Identify the educational records affected by the contract; and
3. Include information about the contract inspection and provide contact information for a
school department to which a parent or student may direct questions or concerns
regarding any program or activity that allows a technology provider to access a student’s
educational records.
Parents and students must be given an opportunity to inspect a complete copy of any
contract with a technology provider.5
3 R.C. 3319.326. See also R.C. 1347.12, not in the act.
4 R.C. 3319.326(F).
5 R.C. 3319.326(G).
P a g e |3 S.B. 29
Final Analysis
Office of Research and Drafting LSC Legislative Budget Office
Prohibitions related to school-issued devices
The act prohibits a school district or a technology provider from electronically accessing
or monitoring: (1) location-tracking features of a school-issued device, (2) audio or visual
receiving, transmitting, or recording features of a school-issued device, or (3) student
interactions with a school issued device, including keystrokes and web-browsing activity.
The act waives this prohibition when the access or monitoring is any of the following
circumstances:
1. Limited to a noncommercial educational purpose for instruction, technical support, or
exam-proctoring by school district employees, student teachers, or contractors, vendors,
or the Department of Education,6 provided advance notice is given;
2. Permitted under a judicial warrant;
3. Based upon the device being missing or stolen;
4. Necessary to prevent or respond to a threat to life or safety, and limited to that purpose;
5. Necessary to comply with federal or state law; or
6. Necessary to participate in federal or state funding programs.
When a school district or technology provider elects to generally monitor a school-issued
device for any of the circumstances outlined above, the school district must provide annual notice
of that fact to its students’ parents. In the event that one of the circumstances is triggered, the
school district must give notice of that fact to the student’s parent within 72 hours. The 72-hour
notice must include a written description of the triggering circumstance, identifying which
features of the device were accessed and a description of the threat, if any. If notice would pose
a threat to life or safety, it must instead be given within 72 hours after the threat has ceased.7
Educational support services data
The act also prohibits any person from releasing or permitting access to educational
support services data concerning any student attending a public school for any reason except
where provided otherwise in law. The act requires educational support services data to be made
available to the state Opportunities for Ohioans with Disabilities agency in furtherance of the
agency’s duties and supports for individuals with disabilities. It further provides that educational
support services data are not subject to Ohio’s Public Records laws.8
The act defines “educational support services data” as data on individuals collected,
created, maintained, used, or disseminated relating to programs administered by a school
district, or an entity under contract with a school district, designed to eliminate disparities and
6The act refers to the Department of Education. It should refer to the Department of Education and
Workforce.
7 R.C. 3319.327.
8 R.C. 149.43(A)(1)(tt) and 3319.327(C). See also R.C. 3304.15, not in the act.
P a g e |4 S.B. 29
Final Analysis
Office of Research and Drafting LSC Legislative Budget Office
advance equities in educational achievement for youth by coordinating services, regardless of
the youth’s involvement with other government services.9
Licensure penalties for release of confidential information
The act permits the State Board of Education to take licensure action against an individual
who uses or releases information that is confidential under state or federal law concerning a
student or student’s family member for purposes other than student instruction. These actions
include refusing to issue a license to an applicant, limiting a license that the State Board issues to
an applicant, suspending, revoking, or limiting an active license, or revoking an expired license.
This provision applies to licenses, certificates, and permits issued by the State Board.10
HISTORY
Action Date
Introduced 01-23-23
Reported, S. Education 11-14-23
Passed Senate (30-0) 11-15-23
Reported, H. Primary and Secondary Education 06-25-24
Passed House (96-1) 06-26-24
Senate concurred in House amendments (30-1) 06-26-24
24-ANSB0029EN-UPDATED-135/sb
9 R.C. 3319.325(B).
10 R.C. 3319.31(B)(5).
P a g e |5 S.B. 29
Final Analysis


Statutes affected:
As Introduced: 149.43
As Reported By Senate Committee: 149.43, 3319.31
As Passed By Senate: 149.43, 3319.31
As Reported By House Committee: 149.43, 3319.31
As Passed By House: 149.43, 3319.31
As Enrolled: 149.43, 3319.31