(1) The
department shall develop data security guidance that may be used by local
education providers. The department's data security guidance must include:
(a) Guidance for authorizing access to the student data system and to
student personally identifiable information, including guidance for authenticating
authorized access;
(b) Privacy compliance standards;
(c) Best practices for privacy and security audits;
(d) Security breach planning, notice, and procedures;
(e) Data retention and destruction procedures;
(f) Data collection and sharing procedures;
(g) Recommendations that any contracts that affect databases,
assessments, or instructional supports that include student personally identifiable
information and are outsourced to vendors include express provisions that
safeguard privacy and security and include penalties for noncompliance;
(h) Best security practices for privacy when using online education services,
including websites and applications;
(i) Guidance for contracts involving the outsourcing of educational services;
(j) Guidance for contracts involving online education services;
(k) Guidance for publishing a list of vendors that local education providers
contract with that hold student personally identifiable information;
(l) Consequences for security breaches; and
(m) Examples of staff training regarding the procedures.
(2) Based on the data security guidance adopted pursuant to subsection (1)
of this section, on or before March 1, 2017, the department shall create and make
available to local education providers a sample student information privacy and
protection policy. The department shall annually review the sample policy and
revise it as necessary to ensure that it remains current and adequate to protect the
privacy of student personally identifiable information in light of advances in data
technology and dissemination. At a minimum, the sample policy must include
protocols for:
(a) Creating and maintaining a student data index;
(b) Retaining and destroying student personally identifiable information;
(c) Using student personally identifiable information for purposes internal to
a local education provider;
(d) Preventing breaches in the security of student personally identifiable
information and for responding to any security breaches that occur;
(e) Contracting with school service contract providers and using school
services provided by school service on-demand providers;
(f) Disclosing student personally identifiable information to school service
contract providers, school service on-demand providers, or other third parties;
(g) Notifying parents regarding collection of, retention of, and access to
student personally identifiable information; and
(h) Providing training in student information security and privacy to
employees of a local education provider.
(3) The department shall prepare and make available to local education
providers sample contract language for use in contracting with school service
contract providers. The department shall update the sample contract language as
necessary to ensure that it remains current and adequate to protect the privacy of
student personally identifiable information in light of advances in data technology
and dissemination.
(4) The department shall identify and make available to local education
providers resources that the local education providers may use in training
employees with regard to student information security and privacy. At the request
of a local education provider, the department shall provide training related to
student information security and privacy.
(5) If the department receives notice that a local education provider has
ceased using a school service on-demand provider for reasons described in section
22-16-107 (3), the department shall post the notice on the department's website.
The department shall also post any written response from an on-demand provider
that the local education provider may submit. The department shall post the notices
and written responses for twenty-four months following the date received.