http://bit.ly/1biiNbR
The education task force of the American Legislative Exchange Council, or
ALEC, is pushing a bill, modeled after a new Oklahoma law, that would:
1) ban districts from reporting certain sensitive information (such as
student medical and criminal records) to the state
2) Requires states to appoint a chief privacy officer and let parents know exactly
what information is being collected about their kids.
3) Give parents the right to review their children’s files, but doesn’t let them opt out of databases
Student Data Accessibility, Transparency, and Accountability Act
Summary
The Student Data Accessibility, Transparency, and Accountability Act would require the [State Board of Education/State Department of Education] to make publicly available an inventory and index of all data elements with definitions of individual student data fields currently in the statewide longitudinal data system. The [State Board of Education/State Department of Education] would be required to create a data security plan, ensuring compliance with federal and state data privacy laws and policies. Certain contracts would be required to include privacy and security provisions. A Chief Privacy Officer will be created within the State Department of Education whose primary mission includes ensuring department-wide compliance with all privacy laws and regulations. This bill adds new annual security and privacy reporting requirements to the Governor and Legislature.
Model Policy
Section 1. Title.
This section shall be known and may be cited as the “Student Data Accessibility, Transparency, and Accountability Act.”
Section 2. Definitions.
(A) In this Act:
(1) “Board” means the State Board of Education;
(2) “Department” means the State Department of Education;
(3) “Data system” means the State Department of Education statewide longitudinal data system;
(4) “Aggregate data” means data collected and/or reported at the group, cohort, or institutional level;
(5) “Redacted data” means a student dataset in which parent and student identifying information has been removed;
(6) “State-assigned student identifier ” means the unique student identifier assigned by the state to each student that shall not be or include the Social Security number of a student in whole or in part; and
(7) “Student data” means data collected and/or reported at the individual student level included in a student’s educational record.
(8) “Provisional student data” means new student data proposed for inclusion in the state student data system.
Section 3. Data Inventory – Responsibilities.
(A) The [State Board of Education/State Department of Education] shall:
(1) Create, publish, and make publicly available a data inventory and dictionary or index of data elements with definitions of individual student data fields in the student data system to include, but not be limited to:
(a) any individual student data required to be reported by state and federal education mandates;
(b) any individual student data which has been proposed for inclusion in the student data system with a statement regarding the purpose or reason for the proposed collection; and
(c) any individual student data that the State Department of Education collects or maintains with no current identified purpose;
(2) Develop, publish, and make publicly available policies and procedures to comply with all relevant state and federal privacy laws and policies, including but not limited to the Federal Family Educational Rights and Privacy Act (FERPA) and other relevant privacy laws and policies, including but not limited to:
(a) access to student and redacted data in the statewide longitudinal data system shall be restricted to:
(1) the authorized staff of the State Department of Education and the contractors working on behalf of the Department who require such access to perform their assigned duties as required by law and/or defined by interagency data-sharing agreements;
(2) district administrators, teachers and school personnel who require such access to perform their assigned duties;
(3) students and their parents; and
(4) the authorized staff of other state agencies in the State of [State] as required by law and/or defined by interagency data-sharing agreements;
(b) the State Department of Education shall use only aggregate data in public reports or in response to record requests in accordance with paragraph 3 of this subsection;
(c) unless otherwise prohibited by law, the State Department of Education shall develop criteria for the approval of research and data requests from state and local agencies, the State Legislature, researchers working on behalf of the Department, and the public. Unless otherwise approved by the [State Board of Education/State Department of Education], student data maintained by the State Department of Education shall remain redacted; and
(d) notification to students and parents regarding student privacy rights under federal and state law;
(3) Unless otherwise provided by law or approved by the [State Board of Education/State Department of Education] shall not transfer student or redacted data deemed confidential under division (1) of subparagraph (c) of paragraph 2 of subsection A of this section to any federal, state or local agency or other organization, with the following exceptions:
(a) a student transfers out of state or a school/district seeks help with locating an out-of-state transfer;
(b) a student leaves the state to attend an out-of-state institution of higher education or training program;
(c) a student registers for or takes a national or multistate assessment;
(d) a student voluntarily participates in a program for which such a data transfer is a condition/requirement of participation;
(e) the Department enters into a contract that governs databases, assessments, special education or instructional supports with an out-of-state contractor for the purposes of state level reporting;
(f) a student is classified as “migrant” for federal reporting purposes; or
(g) a federal agency is performing a compliance review;
(4) Develop a detailed data security plan that includes:
(a) guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;
(b) privacy compliance standards;
(c) privacy and security audits;
(d) breach planning, notification and procedures;
(e) data retention and disposition policies; and
(f) data security policies including electronic, physical, and administrative safeguards, such as data encryption and training of employees;
(5) Ensure routine and ongoing compliance by the State Department of Education with FERPA, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this act, including the performance of compliance audits;
(6) Ensure that any contracts that govern databases, assessments or instructional supports that include student or redacted data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance; and
(7) Notify the Governor and the Legislature annually of the following:
(a) new student data proposed for inclusion in the state student data system:
(1) any new student data collection proposed by the [State Board of Education/State Department of Education] becomes a provisional requirement to allow districts and their local data system vendors the opportunity to meet the new requirement; and
(2) the [State Board of Education/Department of Education] must announce any new provisional student data collection to the general public for a review and comment period of at least 60 days;
(b) changes to existing data collections required for any reason, including changes to federal reporting requirements made by the U.S. Department of Education;
(c) an explanation of any exceptions granted by the [State Board of Education/State Department of Education] in the past year regarding the release or out-of-state transfer of student or redacted data; and
(d) the results of any and all privacy compliance and security audits completed in the past year. Notifications regarding privacy compliance and security audits shall not include any information that would itself pose a security threat to the state or local student information systems or to the secure transmission of data between state and local systems by exposing vulnerabilities.
(B) Districts shall not report to the state the following individual student data:
(1) juvenile delinquency records;
(2) criminal records;
(3) medical and health records; and
(4) student biometric information.
(C) Schools shall not collect the following individual student data:
(1) political affiliation; and
(2) religion.
Section 4. Chief Policy Officer
(A) The Superintendent shall appoint a Chief Privacy Officer, who shall report directly to the Superintendent, to assume primary responsibility for privacy policy, including:
assuring that the use of technologies sustain, and do not erode, privacy protections
relating to the use, collection, and disclosure of student data;
assuring that student data contained in the Department of Education student data
system is handled in full compliance with the Student Data Accessibility, Transparency, and Accountability Act, FERPA, and other state and federal privacy laws;
evaluating legislative and regulatory proposals involving collection, use, and
disclosure of student data by the Department of Education;
conducting a privacy impact assessment on proposed rules of the Department in
general and proposed rules of the Department on the privacy of student data, including the type of personal information collected and the number of students affected;
coordinating with the Office of the General Counsel, other legal entities, and
organization officers to ensure that programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner;
preparing a report to the Legislature on an annual basis on activities of the
Department that affect privacy, including complaints of privacy violations, internal controls, and other manners;
(7) establishing department-wide policies necessary for implementing Fair Information Practice Principles to enhance privacy protections;
(8) working with the Chief Information Officer, General Counsel, and other officials in engaging with stakeholders about the quality, usefulness, openness, and privacy of data;
(9) establishing and operating a Department-wide Privacy Incident Response Program to ensure that incidents are properly reported, investigated and mitigated, as appropriate;
(10) establishing and operating a process for parents to file complaints of privacy violations;
(11) establishing and operating a process to collect and respond to complaints of privacy violations and provides redress, as appropriate; and
(12) Provides training, education and outreach to build a culture of privacy across the Department and transparency to the public;
(B) The Chief Privacy Officer has the authority to investigate under certain conditions and may:
have access to all records, reports, audits, reviews, documents, papers,
recommendations, and other materials available to the Department that relate to programs and operations with respect to the responsibilities of the Chief Privacy Officer under this section; and
make such investigations and reports relating to the administration of the
programs and operations of the Department as are necessary or desirable;
(C) The Chief Privacy Officer shall report to, and be under the general supervision of, the Superintendent.
Section 5. Parental request for information.
(A) Parents have the right to inspect and review their child’s education record maintained by the school.
(B) Parents have the right to request student data specific to their child’s educational record.
(C) School districts must provide parents or guardians with an electronic copy of their child’s educational record upon request.
(D) The State Department of Education shall develop policies for school districts that:
(1) annually notify parents of their right to request student information;
(2) ensure security when providing student data to parents;
(3) ensure student data is provided only to the authorized individuals;
(4) detail the timeframe within which record requests must be provided; and
(5) ensure that school districts have a plan to allow parents to view online, download, and transmit data specific to their child’s educational record.
Section 6. Rules.
(A) The [State Board of Education/State Department of Education] may adopt rules necessary to implement the provisions of the Student Data Accessibility, Transparency, and Accountability Act.
(B) Upon the effective date of this act, any existing collection of student data by the State Department of Education shall not be considered a new student data collection in accordance with subparagraph (a) of Paragraph (7) of Subsection (A) of Section (2).
Section 7. {Severability clause.}
Section 8. {Repealer clause.}
Section 9. Effective Date. This act shall become effective July 1, [20XX].
Approved by the ALEC Legislative Board of Directors September 29, 2013.