SLS 14RS-136 ORIGINAL
Page 1 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
Regular Session, 2014
SENATE BILL NO. 449
BY SENATORS APPEL AND LAFLEUR
STUDENTS. Provides relative to the privacy and protection of student data for students
enrolled in public elementary, secondary, and postsecondary educational institutions. (gov
sig)
AN ACT1
To enact Chapter 45 of Title 17 of the Louisiana Revised Statutes of 1950, to be comprised2
of R.S. 17:4051 through 4055, relative to student data; to require the State Board of3
Elementary and Secondary Education and the postsecondary education management4
boards to develop and implement policies and procedures to ensure the privacy and5
protection of student data; to provide for definitions and policy requirements; to6
provide relative to the appointment of chief privacy officers and their duties; to7
provide relative to implementation; to provide for rules; and to provide for related8
matters.9
Be it enacted by the Legislature of Louisiana:10
Section 1. Chapter 45 of Title 17 of the Louisiana Revised Statutes of 1950,11
comprised of R.S. 17:4051 through 4055, is hereby enacted to read as follows: 12
CHAPTER 45. PRIVACY AND PROTECTION OF STUDENT DATA13
§4051. Short title14
This Chapter shall be known and may be cited as the "Student Data15
Privacy and Protection Act".16
§4052. Definitions17 SB NO. 449
SLS 14RS-136 ORIGINAL
Page 2 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
As used in this Chapter, unless otherwise clearly indicated, the following1
terms mean:2
(1) "State board" means the State Board of Elementary and Secondary3
Education.4
(2) "State department" means the state Department of Education.5
(3) "Postsecondary management board" means the Board of6
Supervisors of Louisiana State University and Agricultural and Mechanical7
College, the Board of Supervisors of Southern University and Agricultural and8
Mechanical College, the Board of Supervisors for the University of Louisiana9
System, and the Board of Supervisors of Louisiana Community and Technical10
Colleges.11
(4) "Data system" means any data system, including a longitudinal data12
system, created and maintained by or through the state board, the governing13
authority of a public elementary and secondary school, or a postsecondary14
education management board that contains student data.15
(5) "Aggregate data" means data collected or reported at the group,16
cohort, or institutional level.17
(6) "De-identified data" means a student dataset in which parent and18
student identifying information has been removed.19
(7) "Student identifier" means the unique student identifier assigned by20
the state or an educational institution to each student that shall not be or21
include the Social Security number of a student in whole or in part.22
(8) "Student data" means data collected or reported at the individual23
student level and included in a student's educational record.24
(a) Student data includes:25
(i) State and national assessment results, including information on26
untested public school students.27
(ii) Course taking and completion, credits earned, and other transcript28
information.29 SB NO. 449
SLS 14RS-136 ORIGINAL
Page 3 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
(iii) Course grades and grade point average.1
(iv) Date of birth, grade level, and expected graduation date or2
graduation cohort.3
(v) Degree, diploma, credential attainment, and other school exit4
information such as General Educational Development and drop-out data.5
(vi) Attendance and mobility.6
(vii) Data required to calculate the federal four-year adjusted cohort7
graduation rate, including sufficient exit and drop-out information.8
(viii) Remediation.9
(ix) Special education data.10
(x) Demographic data and program participation information.11
(b) Unless included in a student's educational record, student data shall12
not include:13
(i) Juvenile delinquency records.14
(ii) Criminal records.15
(iii) Medical and health records.16
(iv) Student Social Security number.17
(v) Student biometric information.18
(9) "Provisional student data" means new student data proposed for19
inclusion in a student data system.20
§4053. Student information and data; privacy; protection; policies21
A. The State Board of Elementary and Secondary Education and each22
postsecondary management board shall develop and oversee implementation of23
a comprehensive policy which provides administrative, technical, and physical24
safeguards to ensure the privacy and protection of student data.25
B. The state board and each management board shall create, publish,26
and make publicly available a data inventory and dictionary or index of data27
elements with definitions of individual student data fields currently in the28
student data system which includes:29 SB NO. 449
SLS 14RS-136 ORIGINAL
Page 4 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
(1) Any individual student data required to be reported by state and1
federal education mandates.2
(2) Any individual student data which has been proposed for inclusion3
in a student data system with a statement regarding the purpose or reason for4
the proposed collection.5
(3) Any individual student data that the state board, the state6
department, a postsecondary management board, a public school governing7
authority, or any public educational institution collects or maintains with no8
current purpose or reason.9
C. The state board and each postsecondary management board shall10
develop, publish, and make publicly available policies and procedures to comply11
with the Federal Family Educational Rights and Privacy Act and any other12
applicable state and federal laws and policies, including but not limited to:13
(1) Access to student and de-identified data in the student data system14
shall be restricted to:15
(a) Authorized staff of the state board, the state department, a16
postsecondary management board, the governing authority of a public17
elementary and secondary school, or a public postsecondary educational18
institution, and third-party private contractors working on behalf of these19
entities who require such access to perform their assigned duties.20
(b) School administrators, teachers, and school personnel who require21
such access to perform their assigned duties.22
(c) Students and their parents.23
(d) Authorized staff of other state agencies as required by law or defined24
by interagency data-sharing agreements or memorandums of understanding.25
(2) Only aggregate data shall be used in public reports or in response to26
record requests.27
(3) The state board and each postsecondary management board shall28
develop criteria for the approval of research and data requests from state and29 SB NO. 449
SLS 14RS-136 ORIGINAL
Page 5 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
local agencies, the legislature, researchers, and the public.1
(a) Unless otherwise approved by the state board or appropriate2
postsecondary management board, student data maintained by these boards3
and institutions under their supervision shall remain confidential.4
(b) Unless otherwise approved by the state board or appropriate5
postsecondary management board, only aggregate data may be used in the6
release of data in response to research and data requests.7
(4) Notification to students and parents regarding their rights under8
federal and state law.9
D. Unless otherwise approved by the state board, the state department,10
or the appropriate postsecondary management board, student or de-identified11
data deemed confidential pursuant to this Chapter shall not be transferred to12
any federal, state, or local agency or other entity outside of this state, with the13
following exceptions:14
(1) A student transfers out-of-state or a school or district seeks help with15
locating an out-of-state transfer.16
(2) A student leaves the state to attend an out-of-state institution of17
higher education or training program.18
(3) A student registers for or takes a national or multistate assessment.19
(4) A student voluntarily participates in a program for which such a20
data transfer is a condition or requirement of participation.21
(5) The state board, the state department, a postsecondary management22
board, public school governing authority, or educational institution enters into23
a contract that governs databases, assessments, special education, or24
instructional supports with a private provider or vendor.25
(6) A student is classified as "migrant" for federal reporting purposes.26
E. The state board and each postsecondary education management27
board shall have a detailed data security plan that includes:28
(1) Guidelines for authorizing access to the student data system and to29 SB NO. 449
SLS 14RS-136 ORIGINAL
Page 6 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
individual student data including guidelines for authentication of authorized1
access.2
(2) Privacy compliance standards.3
(3) Privacy and security audits.4
(4) Breach planning, notification, and remediation procedures.5
(5) Data storage, retention, and disposition policies.6
F. The state board and each postsecondary management board shall:7
(1) Ensure routine and ongoing compliance with the Federal Family8
Educational Rights Privacy Act, other relevant state and federal privacy laws9
and policies, and the privacy and security policies and procedures developed10
under the authority of this Chapter, including the performance of compliance11
audits.12
(2) Ensure that any contracts with private vendors or providers that13
govern databases, assessments, or instructional supports that include student14
data or de-identified data include express provisions that safeguard privacy and15
security and include penalties for noncompliance.16
G. The state board and each postsecondary management board shall17
annually notify the legislature of the following:18
(1) New student data proposed for inclusion in the state student data19
system:20
(a) Any new student data collection proposed by the state board, the21
state department, or a postsecondary management board becomes a provisional22
requirement to allow institutions and data system vendors the opportunity to23
meet the new requirement.24
(b) Any new "provisional" student data collection shall be submitted to25
the legislature for its approval within one year in order to make the new student26
data a permanent requirement. Any provisional student data collection not27
approved by the legislature by the end of the next legislative session expires, is28
no longer required, and shall not be collected.29 SB NO. 449
SLS 14RS-136 ORIGINAL
Page 7 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
(2) Changes to existing data collections required for any reason,1
including changes to federal reporting requirements made by the U.S.2
Department of Education.3
(3) An explanation of any exceptions granted by the state board, the state4
department, a postsecondary management board, or any educational institution5
in the past year regarding the release or out-of-state transfer of student or6
de-identified data.7
(4) The results of any and all privacy compliance and security audits8
completed in the past year. Notifications regarding privacy compliance and9
security audits shall not include any information that would itself pose a10
security threat to state or local student information systems or to the secure11
transmission of data between state and local systems by exposing vulnerabilities.12
H.(1) The state board and each postsecondary management board shall13
designate a chief privacy officer who shall be responsible for ensuring that all14
student data policies and procedures are followed and every precaution is taken15
to ensure the privacy and protection of student data.16
(2) Each chief privacy officer shall:17
(a) Continually monitor emerging and evolving technology and18
recommend policy changes needed to ensure the continued privacy and19
protection of student data.20
(b) Ensure that student data contained in a student data system is21
handled in full compliance with the provisions of this Chapter and all other22
applicable state and federal laws, including the Federal Family Educational23
Rights Privacy Act.24
I. Any data being collected and included in a data system on the effective25
date of this Chapter shall not be considered new data for purposes of Subsection26
(G) of this Section.27
§4054. Implementation28
The State Board of Elementary and Secondary Education and the29 SB NO. 449
SLS 14RS-136 ORIGINAL
Page 8 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
postsecondary education management boards shall provide for the1
implementation of this Chapter not later than January 1, 2015.2
§4055. Rules3
The state board and each postsecondary management board shall4
promulgate rules and regulations to implement the provisions of this Chapter5
in accordance with the Administrative Procedure Act.6
Section 2. This Act shall become effective upon signature by the governor or, if not7
signed by the governor, upon expiration of the time for bills to become law without signature8
by the governor, as provided by Article III, Section 18 of the Constitution of Louisiana. If9
vetoed by the governor and subsequently approved by the legislature, this Act shall become10
effective on the day following such approval.11
The original instrument and the following digest, which constitutes no part
of the legislative instrument, were prepared by Jeanne C. Johnston.
DIGEST
Appel (SB 449)
Proposed law provides for the "Student Data Privacy and Protection Act".
Proposed law provides for the following definitions:
(1)"State board" means the State Board of Elementary and Secondary Education.
(2)"State department" means the state Department of Education.
(3)"Postsecondary management board" means the LSU Board of Supervisors, the SU
Board of Supervisors, the Board of Supervisors for the UL System, and the Board
of Supervisors of Louisiana Community and Technical Colleges (LCTCS).
(4)"Data system" means any data system, including a longitudinal data system, created
and maintained by or through the BESE, the governing authority of a public
elementary and secondary school, or a postsecondary education management board
that contains student data.
(5)"Aggregate data" means data collected or reported at the group, cohort, or
institutional level.
(6)"De-identified data" means a student dataset in which parent and student identifying
information has been removed.
(7)"Student identifier" means the unique student identifier assigned by the state or an
educational institution to each student that shall not be or include the Social Security
number of a student in whole or in part.
(8)"Student data" means data collected or reported at the individual student level and
included in a student's educational record. Provides that student data includes state SB NO. 449
SLS 14RS-136 ORIGINAL
Page 9 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
and national assessment results; course taking and completion, credits earned, and
other transcript information; course grades and grade point average; date of birth,
grade level, and expected graduation date or graduation cohort; degree, diploma,
credential attainment, and other school exit information; attendance and mobility;
data required to calculate the federal four-year adjusted cohort graduation rate;
remediation; special education data; and demographic data and program participation
information. Provides that student data does not include, unless included in a
student's educational record, juvenile delinquency records; criminal records; medical
and health records; student Social Security number; or student biometric information.
(9) "Provisional student data" means new student data proposed for inclusion in a
student data system.
Proposed law requires BESE and each postsecondary management board to develop and
oversee implementation of a comprehensive policy which provides administrative, technical,
and physical safeguards to ensure the privacy and protection of student data. Further requires
each of these boards to create, publish, and make publicly available a data inventory and
dictionary or index of data elements with definitions of individual student data fields
currently in the student data system that includes any individual student data required to be
reported by state and federal education mandates, any individual student data proposed for
inclusion in a student data system with a statement regarding the purpose or reason for the
proposed collection, and any individual student data that the state board, the state
department, a postsecondary management board, a public school governing authority, or any
public educational institution collects or maintains with no current purpose or reason.
Proposed law requires BESE and the postsecondary management boards to develop, publish,
and make publicly available policies and procedures to comply with the Federal Family
Educational Rights and Privacy Act (FERPA) and any other applicable state and federal
laws and policies. Further provides that such policies provide as follows:
(1)Access to student and de-identified data in the student data system shall be restricted
to: (a) authorized staff of the state board, the state department, a postsecondary
management board, the governing authority of a public elementary and secondary
school, or a public postsecondary educational institution, and third-party private
contractors working on behalf of these entities who require such access to perform
their assigned duties; (b) school administrators, teachers, and school personnel who
require such access to perform their assigned duties; (c) students and their parents;
and (d) authorized staff of other state agencies as required by law or defined by
interagency data-sharing agreements or memorandums of understanding.
(2)Only aggregate data shall be used in public reports or in response to record requests.
(3)Requires the state board and each postsecondary management board to develop
criteria for the approval of research and data requests from state and local agencies,
the legislature, researchers, and the public. Provides that unless otherwise approved
by the state board or appropriate postsecondary management board, student data
maintained by these boards and institutions under their supervision shall remain
confidential. Further provides that unless otherwise approved by the state board or
appropriate postsecondary management board, only aggregate data may be used in
the release of data in response to research and data requests.
(4)Notification to students and parents regarding their rights under federal and state law.
Proposed law provides that unless otherwise approved by the state board, the state
department, or the appropriate postsecondary management board, student or de-identified
data deemed confidential pursuant to proposed law shall not be transferred to any federal,
state or local agency or other entity outside of this state and provides for the following
exceptions: SB NO. 449
SLS 14RS-136 ORIGINAL
Page 10 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
(1)A student transfers out-of-state or a school or district seeks help with locating an
out-of-state transfer.
(2)A student leaves the state to attend an out-of-state institution of higher education or
training program.
(3)A student registers for or takes a national or multistate assessment.
(4)A student voluntarily participates in a program for which such a data transfer is a
condition or requirement of participation.
(5)The state board, the state department, a postsecondary management board, public
school governing authority, or educational institution enters into a contract that
governs databases, assessments, special education, or instructional supports with a
private provider or vendor.
(6)A student is classified as "migrant" for federal reporting purposes.
Proposed law requires the state board and each postsecondary education management board
to have a detailed data security plan that includes:
(1)Guidelines for authorizing access to the student data system and to individual student
data including guidelines for authentication of authorized access.
(2)Privacy compliance standards.
(3)Privacy and security audits.
(4)Breach planning, notification, and remediation procedures.
(5)Data storage, retention, and disposition policies.
Proposed law requires the state board and each postsecondary management board to:
(1)Ensure routine and ongoing compliance with FERPA, other relevant state and federal
privacy laws and policies, and the privacy and security policies and procedures
developed under the authority of proposed law, including the performance of
compliance audits.
(2)Ensure that any contracts with private vendors or providers that govern databases,
assessments or instructional supports that include student data or de-identified data
include express provisions that safeguard privacy and security and include penalties
for noncompliance.
Proposed law requires the state board and each postsecondary management board to annually
notify the legislature of the following:
(1)New student data proposed for inclusion in the state student data system: provides
that any new student data collection proposed by the state board, the state
department, or a postsecondary management board becomes a provisional
requirement to allow institutions and data system vendors the opportunity to meet
the new requirement; provides that any new "provisional" student data collection
must be submitted to the legislature for its approval within one year in order to make
the new student data a permanent requirement; further provides that any provisional
student data collection not approved by the legislature by the end of the next
legislative session expires, is no longer required, and shall not be collected.
(2)Changes to existing data collections required for any reason, including changes to SB NO. 449
SLS 14RS-136 ORIGINAL
Page 11 of 11
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.
federal reporting requirements made by the U.S. Department of Education.
(3)An explanation of any exceptions granted by the state board, the state department,
a postsecondary management board, or any educational institution in the past year
regarding the release or out-of-state transfer of student or de-identified data.
(4)The results of any and all privacy compliance and security audits completed in the
past year. Further provides that notifications regarding privacy compliance and
security audits shall not include any information that would itself pose a security
threat to state or local student information systems or to the secure transmission of
data between state and local systems by exposing vulnerabilities.
Proposed law requires the state board and each postsecondary management board to
designate a chief privacy officer who shall be responsible for ensuring that all student data
policies and procedures are followed and every precaution is taken to ensure the privacy and
protection of student data. Provides that each chief privacy officer shall:
(1)Continually monitor emerging and evolving technology and recommend policy
changes needed to ensure the continued privacy and protection of student data.
(2)Ensure that student data contained in a student data system is handled in full
compliance with the provisions of proposed law and all other applicable state and
federal law, including FERPA.
Proposed law provides that any data being collected and included in a data system on the
effective date of proposed law shall not be considered new data for purposes of proposed
law.
Proposed law requires BESE and postsecondary management boards to provide for the
implementation of proposed law not later than January 1, 2015.
Proposed law requires BESE and each postsecondary management board to promulgate rules
and regulations to implement proposed law in accordance with the Administrative Procedure
Act.
Effective upon signature of the governor or lapse of time for gubernatorial action.
(Adds R.S. 17:4051 - 4055)