(1) The state board shall:
(a) Create, publish, and make publicly available a data inventory and
dictionary or index of data elements with definitions of individual student data
fields used in the student data system including:
(I) Individual student personally identifiable information that school districts
and public schools are required to report by state and federal education mandates;
and
(II) Individual student personally identifiable information that is proposed for
inclusion in the student data system with a statement regarding the purpose or
reason for the proposed collection and the use of the collected data;
(b) Develop, publish, and make publicly available policies and procedures to
comply with the federal Family Educational Rights and Privacy Act of 1974, 20
U.S.C. sec. 1232g, and other relevant privacy laws and policies, including but not
limited to policies that restrict access to student personally identifiable information
in the student data system to:
(I) The authorized staff of the department that require access to perform
assigned or contractual duties, including staff and contractors from the office of
information and technology that are assigned to the department;
(II) The department's contractors that require access to perform assigned or
contractual duties that comply with the requirements specified in paragraph (g) of
this subsection (1);
(III) School district administrators, teachers, and school personnel who
require access to perform assigned duties;
(IV) Students and their parents; and
(V) The authorized staff of other state agencies, including public institutions
of higher education, as required by law or defined by interagency data-sharing
agreements;
(c) Develop user-friendly information for the public related to the
department's data-sharing agreements that is posted on the department's website
as provided in section 22-16-105 (4);
(d) Develop a detailed data security plan that includes:
(I) Guidance for authorizing access to the student data system and to
individual student personally identifiable information, including guidance for
authenticating authorized access;
(II) Privacy compliance standards;
(III) Privacy and security audits;
(IV) Security breach planning, notice, and procedures;
(V) Student personally identifiable information retention and destruction
policies, which must include specific requirements for identifying when and how the
student personally identifiable information will be destroyed;
(VI) Guidance for school districts and staff regarding student personally
identifiable information use;
(VII) Consequences for security breaches; and
(VIII) Staff training regarding the policies;
(e) Ensure routine and ongoing compliance by the department with the
federal Family Educational Rights and Privacy Act of 1974, 20 U.S.C. sec. 1232g,
other relevant privacy laws and policies, and the privacy and security policies and
procedures developed under the authority of this article, including the performance
of compliance audits;
(f) Ensure that agreements involving the disclosure of student personally
identifiable information for research conducted on behalf of the department to
develop, validate, or administer predictive tests; administer student aid programs;
or improve instruction must:
(I) Specify the purpose, scope, and duration of the study or studies and the
information to be disclosed;
(II) Require the entity, and any subcontractors or employees of the entity, to
use student personally identifiable information from education records only to meet
the purpose or purposes of the study as stated in the written agreement;
(III) Require the entity, and any subcontractors or employees of the entity, to
conduct the study in a manner that does not permit access to the student
personally identifiable information of parents and students by anyone other than
representatives of the entity with legitimate interests;
(IV) Require the entity, and any subcontractors or employees of the entity, to
destroy all student personally identifiable information when the information is no
longer needed for the purposes for which the study was conducted and to specify
the time period in which the information must be destroyed; and
(V) Require the entity, and any subcontractors or employees of the entity, to
comply with the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and
22-16-110 (1) and (3) that are imposed on school service contract providers;
(g) Develop requirements that any department contracts that affect
databases, assessments, or instructional supports that include student personally
identifiable information and are outsourced to vendors include express provisions
that safeguard privacy and security, including specifying that student personally
identifiable information may be used only for the purpose specified in the contract
and must be destroyed when no longer needed for the purpose specified in the
contract; specifying the time period in which the information must be destroyed;
prohibiting further disclosure of the student personally identifiable information or
its use for commercial purposes that are outside the scope of the contract; and
specifying penalties for noncompliance, which must include termination of the
contract as required in section 22-16-105 (5); and
(h) Promulgate rules as necessary to implement the provisions of this article.