The original instrument and the following digest, which constitutes no part of the
legislative instrument, were prepared by Jeanne C. Johnston.
DIGEST
Appel (SB 449)
Proposed law provides for the "Student Data Privacy and Protection Act".
Proposed law provides for the following definitions:
(1)"State board" means the State Board of Elementary and Secondary Education.
(2)"State department" means the state Department of Education.
(3)"Postsecondary management board" means the LSU Board of Supervisors, the SU Board
of Supervisors, the Board of Supervisors for the UL System, and the Board of Supervisors
of Louisiana Community and Technical Colleges (LCTCS).
(4)"Data system" means any data system, including a longitudinal data system, created and
maintained by or through the BESE, the governing authority of a public elementary and
secondary school, or a postsecondary education management board that contains student
data.
(5)"Aggregate data" means data collected or reported at the group, cohort, or institutional
level.
(6)"De-identified data" means a student dataset in which parent and student identifying
information has been removed.
(7)"Student identifier" means the unique student identifier assigned by the state or an
educational institution to each student that shall not be or include the Social Security
number of a student in whole or in part.
(8)"Student data" means data collected or reported at the individual student level and
included in a student's educational record. Provides that student data includes state and
national assessment results; course taking and completion, credits earned, and other
transcript information; course grades and grade point average; date of birth, grade level,
and expected graduation date or graduation cohort; degree, diploma, credential
attainment, and other school exit information; attendance and mobility; data required to
calculate the federal four-year adjusted cohort graduation rate; remediation; special
education data; and demographic data and program participation information. Provides
that student data does not include, unless included in a student's educational record,
juvenile delinquency records; criminal records; medical and health records; student Social
Security number; or student biometric information. (9) "Provisional student data" means new student data proposed for inclusion in a student
data system.
Proposed law requires BESE and each postsecondary management board to develop and oversee
implementation of a comprehensive policy which provides administrative, technical, and physical
safeguards to ensure the privacy and protection of student data. Further requires each of these
boards to create, publish, and make publicly available a data inventory and dictionary or index of
data elements with definitions of individual student data fields currently in the student data
system that includes any individual student data required to be reported by state and federal
education mandates, any individual student data proposed for inclusion in a student data system
with a statement regarding the purpose or reason for the proposed collection, and any individual
student data that the state board, the state department, a postsecondary management board, a
public school governing authority, or any public educational institution collects or maintains with
no current purpose or reason.
Proposed law requires BESE and the postsecondary management boards to develop, publish, and
make publicly available policies and procedures to comply with the Federal Family Educational
Rights and Privacy Act (FERPA) and any other applicable state and federal laws and policies.
Further provides that such policies provide as follows:
(1)Access to student and de-identified data in the student data system shall be restricted to:
(a) authorized staff of the state board, the state department, a postsecondary management
board, the governing authority of a public elementary and secondary school, or a public
postsecondary educational institution, and third-party private contractors working on
behalf of these entities who require such access to perform their assigned duties; (b)
school administrators, teachers, and school personnel who require such access to perform
their assigned duties; (c) students and their parents; and (d) authorized staff of other state
agencies as required by law or defined by interagency data-sharing agreements or
memorandums of understanding.
(2)Only aggregate data shall be used in public reports or in response to record requests.
(3)Requires the state board and each postsecondary management board to develop criteria
for the approval of research and data requests from state and local agencies, the
legislature, researchers, and the public. Provides that unless otherwise approved by the
state board or appropriate postsecondary management board, student data maintained by
these boards and institutions under their supervision shall remain confidential. Further
provides that unless otherwise approved by the state board or appropriate postsecondary
management board, only aggregate data may be used in the release of data in response to
research and data requests.
(4)Notification to students and parents regarding their rights under federal and state law.
Proposed law provides that unless otherwise approved by the state board, the state department, or
the appropriate postsecondary management board, student or de-identified data deemed confidential pursuant to proposed law shall not be transferred to any federal, state or local agency
or other entity outside of this state and provides for the following exceptions:
(1)A student transfers out-of-state or a school or district seeks help with locating an
out-of-state transfer.
(2)A student leaves the state to attend an out-of-state institution of higher education or
training program.
(3)A student registers for or takes a national or multistate assessment.
(4)A student voluntarily participates in a program for which such a data transfer is a
condition or requirement of participation.
(5)The state board, the state department, a postsecondary management board, public school
governing authority, or educational institution enters into a contract that governs
databases, assessments, special education, or instructional supports with a private
provider or vendor.
(6)A student is classified as "migrant" for federal reporting purposes.
Proposed law requires the state board and each postsecondary education management board to
have a detailed data security plan that includes:
(1)Guidelines for authorizing access to the student data system and to individual student data
including guidelines for authentication of authorized access.
(2)Privacy compliance standards.
(3)Privacy and security audits.
(4)Breach planning, notification, and remediation procedures.
(5)Data storage, retention, and disposition policies.
Proposed law requires the state board and each postsecondary management board to:
(1)Ensure routine and ongoing compliance with FERPA, other relevant state and federal
privacy laws and policies, and the privacy and security policies and procedures developed
under the authority of proposed law, including the performance of compliance audits.
(2)Ensure that any contracts with private vendors or providers that govern databases,
assessments or instructional supports that include student data or de-identified data
include express provisions that safeguard privacy and security and include penalties for
noncompliance. Proposed law requires the state board and each postsecondary management board to annually
notify the legislature of the following:
(1)New student data proposed for inclusion in the state student data system: provides that
any new student data collection proposed by the state board, the state department, or a
postsecondary management board becomes a provisional requirement to allow institutions
and data system vendors the opportunity to meet the new requirement; provides that any
new "provisional" student data collection must be submitted to the legislature for its
approval within one year in order to make the new student data a permanent requirement;
further provides that any provisional student data collection not approved by the
legislature by the end of the next legislative session expires, is no longer required, and
shall not be collected.
(2)Changes to existing data collections required for any reason, including changes to federal
reporting requirements made by the U.S. Department of Education.
(3)An explanation of any exceptions granted by the state board, the state department, a
postsecondary management board, or any educational institution in the past year
regarding the release or out-of-state transfer of student or de-identified data.
(4)The results of any and all privacy compliance and security audits completed in the past
year. Further provides that notifications regarding privacy compliance and security audits
shall not include any information that would itself pose a security threat to state or local
student information systems or to the secure transmission of data between state and local
systems by exposing vulnerabilities.
Proposed law requires the state board and each postsecondary management board to designate a
chief privacy officer who shall be responsible for ensuring that all student data policies and
procedures are followed and every precaution is taken to ensure the privacy and protection of
student data. Provides that each chief privacy officer shall:
(1)Continually monitor emerging and evolving technology and recommend policy changes
needed to ensure the continued privacy and protection of student data.
(2)Ensure that student data contained in a student data system is handled in full compliance
with the provisions of proposed law and all other applicable state and federal law,
including FERPA.
Proposed law provides that any data being collected and included in a data system on the
effective date of proposed law shall not be considered new data for purposes of proposed law.
Proposed law requires BESE and postsecondary management boards to provide for the
implementation of proposed law not later than January 1, 2015.
Proposed law requires BESE and each postsecondary management board to promulgate rules and regulations to implement proposed law in accordance with the Administrative Procedure Act.
Effective upon signature of the governor or lapse of time for gubernatorial action.
(Adds R.S. 17:4051 - 4055)