115C-402.5. Student data system security.
(a) Definitions. - The following definitions apply in this section:
(1) Aggregate student data. - Data collected or reported at the group, cohort, or institutional level.
(2) De-identified student data. - A student dataset in which parent and student personal or indirect identifiers, including the unique student identifier, have been removed.
(3) FERPA. - The federal Family Educational Rights and Privacy Act, 20 U.S.C. 1232g.
(4) Personally identifiable student data. - Student data that:
a. Includes, but is not limited to, the following:
1. Student name.
2. Name of the student's parent or other family members.
3. Address of the student or student's family.
4. Personal identifier, such as the student's Social Security number or unique student identifier.
5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name.
6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.
7. Information requested by a person who the Department of Public Instruction or local school administrative unit reasonably believes knows the identity of the student to whom the education record relates.
b. Does not include directory information that a local board of education has provided parents with notice of and an opportunity to opt out of disclosure of that information, as provided under the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g, unless a parent has elected to opt out of disclosure of the directory information.
(5) Student data system. - The student information management system used by the State Board of Education and Department of Public Instruction as part of the Uniform Education Reporting Systems for collection and reporting of student data from local boards of education.
(b) Security of Student Data System. - To ensure student data accessibility, transparency, and accountability relating to the student data system, the State Board of Education shall do all of the following:
(1) Create and make publicly available a data inventory and index of data elements with definitions of individual student data fields in the student data system, including, but not limited to:
a. Any personally identifiable student data required to be reported by State and federal education mandates.
b. Any other individual student data which has been proposed for inclusion in the student data system, with a statement regarding the purpose or reason for the proposed collection.
(2) Develop rules to comply with all relevant State and federal privacy laws and policies that apply to personally identifiable student data in the student data system, including, but not limited to, FERPA and other relevant privacy laws and policies. At a minimum, the rules shall include the following:
a. Restrictions on access to personally identifiable student data in the student data system to the following individuals:
1. Authorized staff of the State Board of Education and Department of Public Instruction and the contractors working on behalf of the Department who require such access to perform their assigned duties.
2. Authorized North Carolina public school administrators, teachers, and other school personnel and contractors working on behalf of the board of the North Carolina public school who require such access to perform their assigned duties.
3. Students and their parents or legal guardians, or any individual that a parent or legal guardian has authorized to receive personally identifiable student data.
4. Authorized staff of other State agencies and contractors working on behalf of those State agencies as required by law and governed by interagency data-sharing agreements.
b. Criteria for approval of research and data requests for personally identifiable student data in the student data system made to the State Board of Education from State or local agencies, researchers working on behalf of the Department, and the public.
(3) Prohibit the transfer of personally identifiable student data in the student data system to individuals other than those identified in subdivision (2) of this subsection, unless otherwise permitted by law and authorized by rules adopted under this section. Such rules shall authorize the release of personally identifiable data out of State to schools or educational agencies when a student enrolls in a school out of State or a local school administrative unit seeks help with locating a student formerly enrolled in this State who is now enrolled out of State.
(4) Develop a detailed data security plan for the student data system that includes all of the following:
a. Guidelines for authorizing access to the student data system and to individual student data, including guidelines for authentication of authorized access.
b. Privacy compliance standards.
c. Privacy and security audits.
d. Breach planning, notification, and procedures.
e. Data retention and disposition policies.
f. Data security policies, including electronic, physical, and administrative safeguards such as data encryption and training of employees.
(5) Ensure routine and ongoing compliance by the Department of Public Instruction with FERPA, other relevant privacy laws and policies, and the privacy and security rules, policies, and procedures developed under the authority of this section related to personally identifiable student data in the student data system, including the performance of compliance audits within the Department.
(6) Ensure that any contracts for the student data system that include de-identified student data or personally identifiable student data and are outsourced to private contractors include express provisions that safeguard privacy and security and include penalties for noncompliance.
(7) Notify the Governor and the General Assembly annually by October 1 of the following:
a. New student data, whether aggregate data, de-identified data, or personally identifiable student data, included or proposed for inclusion in the student data system for the current school year.
b. Changes to existing data collections for the student data system required for any reason, including changes to federal reporting requirements made by the United States Department of Education.
(c) Restricting on Student Data Collection. - The following information about a student or a student's family shall not be collected in nor reported as part of the student data system:
(1) Biometric information.
(2) Political affiliation.
(3) Religion.
(4) Voting history.
Copyright ©2024 LegalFix. All rights reserved. LegalFix is not a law firm, is not licensed to practice law, and does not provide legal advice, services, or representation. The information on this website is an overview of the legal plans you can purchase—or that may be provided by your employer as an employee benefit or by your credit union or other membership group as a membership benefit.
LegalFix provides its members with easy access to affordable legal services through a network of independent law firms. LegalFix, its corporate entity, and its officers, directors, employees, agents, and contractors do not provide legal advice, services, or representation—directly or indirectly.
The articles and information on the site are not legal advice and should not be relied upon—they are for information purposes only. You should become a LegalFix member to get legal services from one of our network law firms.
You should not disclose confidential or potentially incriminating information to LegalFix—you should only communicate such information to your network law firm.
The benefits and legal services described in the LegalFix legal plans are not always available in all states or with all plans. See the legal plan Benefit Overview and the more comprehensive legal plan contract during checkout for coverage details in your state.
Use of this website, the purchase of legal plans, and access to the LegalFix networks of law firms are subject to the LegalFix Terms of Service and Privacy Policy.