GENERAL ASSEMBLY OF NORTH CAROLINA
SENATE DRS45138-TCz-24A (02/12)
Short Title: Ensuring Privacy of Student Records.
Senators Barefoot, Brock, and Soucek (Primary Sponsors).
THE BILL TO BE ENTITLED
AN ACT to ensure the privacy and security of student educational records, as RECOMMENDED by the Joint Legislative Oversight Committee on Information Technology.
The General Assembly of North Carolina enacts:
PART I: Ensure security of student records
SECTION 1. Article 29 of Chapter 115C of the General Statutes is amended by adding a new section to read:
"§ 115C‑402.5. Student Data System Security.
(a) Definitions. The following definitions apply in this section:
(1) Aggregate student data. Data collected or reported at the group, cohort, or institutional level,
(2) De‑identified student data. A student dataset in which parent and student personal or indirect identifiers, including the unique student identifier, have been removed.
(3) FERPA. The federal Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g.
(4) Personally identifiable student data. Includes, but is not limited to the following:
a. Student name.
b. Name of the student's parent or other family members.
c. Address of the student or student's family.
d. Personal identifier, such as the student's social security number or unique student identifier.
e. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name.
f. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.
g. Information requested by a person who the Department of Public Instruction or local school administrative unit reasonably believes knows the identity of the student to whom the education record relates.
(5) Student data system. The student information management system used by the State Board of Education and Department of Public Instruction as part of the Uniform Education Reporting Systems for collection and reporting of student data from local boards of education.
(b) Security of student data system. To ensure student data accessibility, transparency, and accountability relating to the student data system, the State Board of Education shall do all of the following:
(1) Create and make publicly available a data inventory and index of data elements with definitions of individual student data fields in the student data system, including but not limited to:
a. Any personally identifiable student data required to be reported by State and federal education mandates.
b. Any other individual student data which has been proposed for inclusion in the student data system, with a statement regarding the purpose or reason for the proposed collection.
(2) Develop rules to comply with all relevant State and federal privacy laws and policies that apply to personally identifiable student data in the student data system, including but not limited to FERPA and other relevant privacy laws and policies. At a minimum, the rules shall include the following:
a. Restrictions on access to personally identifiable student data in the student data system to the following individuals:
1. Authorized staff of the State Board of Education and Department of Public Instruction and the contractors working on behalf of the Department who require such access to perform their assigned duties.
2. Authorized local school administrative unit administrators, teachers, and other school personnel, and contractors working on behalf of the local board of education who require such access to perform their assigned duties.
3. Students and their parents.
4. Authorized staff of other State agencies as required by law and governed by interagency data‑sharing agreements.
b. Criteria for approval of research and data requests for personally identifiable student data in the student data system made to the State Board of Education from State or local agencies, researchers working on behalf of the Department, and the public.
(3) Prohibit the transfer of personally identifiable student data in the student data system, unless otherwise provided by law and authorized by rules adopted under this section. Such rules shall authorize the transfer of personally identifiable data out of state when a student transfers out of state or a local school administrative unit seeks help with locating an out-of-state transfer.
(4) Develop a detailed data security plan for the student data system that includes all of the following:
a. Guidelines for authorizing access to the student data system and to individual student data, including guidelines for authentication of authorized access.
b. Privacy compliance standards.
c. Privacy and security audits.
d. Breach planning, notification, and procedures.
e. Data retention and disposition policies.
f. Data security policies, including electronic, physical, and administrative safeguards such as data encryption and training of employees.
(5) Ensure routine and ongoing compliance by the Department of Public Instruction with FERPA, other relevant privacy laws and policies, and the privacy and security rules, policies, and procedures developed under the authority of this section related to personally identifiable student data in the student data system, including the performance of compliance audits within the Department.
(6) Ensure that any contracts for the student data system that govern databases, assessments, or instructional supports that include aggregate student data, de‑identified student data, or personally identifiable student data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance.
(7) Notify the Governor and the General Assembly annually by October 1 of the following:
a. New student data included or proposed for inclusion in the student data system for the current school year.
b. Changes to existing data collections for the student data system required for any reason, including changes to federal reporting requirements made by the United States Department of Education.
(c) Restricting on student data collection. The following information shall not be collected in nor reported as part of the student data system:
(1) Student biometric information.
(2) Student political affiliation.
(3) Student religion."
PART II: INCREASE TRANSPARENCY ON STUDENT PRIVACY ISSUES
SECTION 2. Article 29 of Chapter 115C of the General Statutes is amended by adding a new section to read:
"§ 115C‑402.15. Parental Notification Regarding Rights to Student Records and Opt-Out Opportunities.
(a) Annual Parental Notification. Local boards of education shall annually provide parents, by a method reasonably designed to provide actual notice, information on parental rights under State and federal law with regards to student records and opt-out opportunities for disclosure of directory information as provided under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and notice and opt-out opportunities for surveys covered by the Protection of Pupil Rights Amendment, 20 U.S.C. § 1232h.
(b) Notice Content. The notice shall include information on parental rights under State and federal law to:
(1) Inspect and review education records.
(2) Seek to amend inaccurate education records.
(3) Provide written consent prior to disclosure of personally identifiable information from education records, except as otherwise provided by law. Information shall be included on disclosure of directory information and parental rights to opt out of disclosure of directory information.
(4) File a complaint with the U.S. Department of Education concerning alleged failures to comply with the Family Educational Rights and Privacy Act.
(5) Receive notice and the opportunity to opt out prior to the participation of the student in a protected information survey under 20 U.S.C. § 1232h.
(c) Model Notice. Local boards of education shall consider use of model notices developed by the United State Department of Education to provide annual information as required by this section."
PART III: Effective date
SECTION 3. This act is effective when it becomes law. Annual notice requirements to parents required by Section 2 apply beginning with the 2014‑2015 school year.