(1) The department shall
assign to each student who is enrolled in a public school a unique student identifier
that must neither be nor include the social security number of a student in whole or
in sequential part.
(2) (a) The department shall develop a process to consider and review all
outside requests for student personally identifiable information, other than
aggregate student information already publicly available, by individuals not
employed by the state who seek to conduct research using school system data or
student personally identifiable information already collected by the department.
The department shall implement the process subject to approval by the state
board.
(b) (I) Before allowing an individual to receive student personally identifiable
information for research purposes, the department must enter into an agreement
with the individual that includes the entity that sponsors the individual or with
which the individual is affiliated. At a minimum, the agreement must include the
items specified in section 22-16-104 (1)(f) and require the individual to comply with
the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1)
and (3) that are imposed on school service contract providers.
(II) The provisions of this paragraph (b) do not apply to an individual who is
seeking only aggregate student information. For each request for aggregate
student information, the department shall determine whether the size of the group,
cohort, or institution is too small to preserve the anonymity of the individuals
included in the data, in which case the student data does not qualify as aggregate
data.
(III) Notwithstanding the provisions of subparagraph (I) of this paragraph (b),
an individual who conducts research through an institution of higher education may
demonstrate to the department compliance with the institution review board
practices and requirements, as regulated by federal law, in lieu of the terms
specified in section 22-16-104 (1)(f).
(c) The department may enter into a data-sharing agreement with a public
institution of higher education to allow the sharing of student personally
identifiable information for the purpose of satisfying requirements imposed on the
public institution of higher education by the institution's accrediting body. At a
minimum, the data-sharing agreement must include the items specified in section
22-16-104 (1)(f) and require the public institution of higher education to comply with
the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1)
and (3) that are imposed on school service contract providers. For purposes of these
requirements, the accrediting body is considered a subcontractor of the public
institution of higher education.
(3) (a) The department shall not require a local education provider to provide
student personally identifiable information that is not required by state or federal
law; except that it may require student personally identifiable information not
mandated by state or federal law that is associated with a grant proposal, or the
department may ask a local education provider to voluntarily submit data or
information as a condition of receiving a benefit, such as grant funding or special
designations.
(b) Unless required by state or federal law, the department shall not collect:
(I) Juvenile delinquency records;
(II) Criminal records;
(III) Medical and health records;
(IV) Student social security numbers;
(V) Student biometric information; and
(VI) Information concerning the political affiliations or the beliefs or
attitudes of students and their families.
(c) Unless otherwise approved by the state board, the department shall not
transfer student personally identifiable information to a federal, state, or local
agency or other entity, which agency or entity is outside of the state, except under
the following circumstances:
(I) If a student transfers to an education entity in state or out of state or if a
school or school district seeks help in locating a student who transfers out of state;
(II) If a student seeks to enroll in or to attend an out-of-state institution of
higher education or training program;
(III) If a student participates in a program or assessment for which a data
transfer is a condition of participation;
(IV) If a student is classified as migrant for federal reporting purposes;
(V) If the department enters into a contract with an out-of-state vendor or
researcher that affects databases, assessments, special education, or instructional
support related to an audit or evaluation of federal- or state-supported education
programs; for the enforcement of or compliance with federal legal requirements
that relate to those programs; or for conducting studies for or on behalf of the
department to develop, validate, or administer predictive tests, administer student
aid programs, or improve instruction; or
(VI) If the disclosure is to comply with a judicial order or lawfully issued
subpoena or in connection with a health or safety emergency.
(d) The department shall not sell, trade, gift, or monetize student personally
identifiable information for commercial use or investment interests.
(4) The department shall publish and maintain on its website a list of all of
the entities or individuals, including but not limited to vendors, individual
researchers, research organizations, institutions of higher education, and
government agencies, that the department contracts with or has agreements with
and that hold student personally identifiable information and a copy of each
contract or agreement. The list must include:
(a) The name of the entity or individual. In naming an individual, the list must
include the entity that sponsors the individual or with which the individual is
affiliated, if any. If the individual is conducting research at an institution of higher
education, the list may include the name of the institution of higher education and a
contact person in the department that is associated with the research in lieu of the
name of the researcher.
(b) The purpose and scope of the contract or agreement;
(c) The duration of the contract or agreement;
(d) The types of student personally identifiable information that the entity or
individual holds under the contract or agreement;
(e) The use of the student personally identifiable information under the
contract; and
(f) The length of time for which the entity or individual may hold the student
personally identifiable information.
(5) (a) The department shall ensure that the terms of each contract that the
department enters into or renews with a school service contract provider on and
after August 10, 2016, at a minimum, require the contract provider to comply with
the requirements in sections 22-16-108 to 22-16-110. If the contract provider
commits a material breach of the contract that involves the misuse or unauthorized
release of student personally identifiable information, the department shall
determine whether to terminate the contract in accordance with a policy adopted
by the state board. At a minimum, the policy must require the state board, within a
reasonable time after the department identifies the existence of a material breach,
to hold a public hearing that includes discussion of the nature of the material
breach, an opportunity for the contract provider to respond concerning the material
breach, public testimony, and a decision as to whether to direct the department to
terminate or continue the contract.
(b) The department shall ensure that the terms of each contract or other
agreement that the department enters into or renews on and after August 10, 2016,
which contract or agreement includes access to or use of student personally
identifiable information by an individual or entity other than a contract provider, at a
minimum, require the individual or entity to comply with the requirements in
sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3). If the individual or
entity commits a material breach of the contract or agreement that involves the
misuse or unauthorized release of student personally identifiable information, the
department shall determine whether to terminate the contract or agreement in
accordance with the state board policy described in paragraph (a) of this subsection
(5).
(c) Notwithstanding any provision of law to the contrary, on and after August
10, 2016, the department shall not enter into or renew:
(I) A contract with a school service contract provider that refuses to accept
the terms specified in paragraph (a) of this subsection (5) or that has substantially
failed to comply with one or more of the requirements in sections 22-16-108 to 22-16-110; or
(II) A contract or other agreement, which includes access to or use of
student personally identifiable information, with an individual or entity other than a
contract provider, that refuses to accept the terms specified in paragraph (b) of this
subsection (5) or that has substantially failed to comply with one or more of the
requirements in section 22-16-109 (1), (2), or (3)(b) or 22-16-110 (1) or (3).