(1) Create, publish and make publicly available a data inventory and dictionary or index of data elements with definitions of individual student data fields currently in the student data system along with the purpose or reason for inclusion in the data system;

(2) Develop, publish and make publicly available policies and procedures to comply with FERPA, § 10-7-504 and other relevant privacy laws and policies. These policies and procedures shall, at a minimum, require that:

(A) Access to student and de-identified data in the student data system is restricted to:

(i) The authorized staff of the department and the department's contractors who require access to perform their assigned duties;

(ii) LEA administrators, teachers, school personnel and the LEA's contractors who require access to perform their assigned duties;

(iii) Students and their parents; provided, however, that a student or the student's parents may only access the student's individual data;

(iv) The authorized staff of other state agencies as permitted by law; provided, however, that within sixty (60) days of providing such access, the department shall provide notice of the release to the state board, the education committee of the senate, and the education committee of the house of representatives, and post such notice on the department's web site;

(v) Parties conducting research for or on behalf of the department or an LEA; provided, that such access is granted in compliance with FERPA and other relevant state and federal privacy laws and policies and that the department shall provide notice of the release to the state board, the education committee of the senate, and the education committee of the house of representatives, and post such notice on the department's web site;

(vi) Appropriate entities in compliance with a lawfully issued subpoena or court order; or

(vii) Appropriate officials in connection with an interagency audit or evaluation of a federal or state supported education program;

(B) The department uses only aggregate data in public reports or in response to public record requests in accordance with subdivision (3);

(C)

(i) The commissioner develops criteria for the approval of research and data requests from state and local agencies, the general assembly, researchers and the public; provided, however, that:

(a) Unless otherwise approved by the state board or permitted in this part, student data maintained by the department shall remain confidential; and

(b) Unless otherwise permitted in this part or approved by the state board to release student or de-identified data in specific instances, the department may only use aggregate data in the release of data in response to research and data requests;

(ii) Unless otherwise approved in this part or by the state board, the department shall not transfer student or de-identified data deemed confidential under subdivision (2)(C)(i)(a) to any federal agency or other organization or entity outside the state, except when:

(a) A student transfers out of state or an LEA seeks help with locating an out-of-state transfer;

(b) A student leaves the state to attend an out-of-state institution of higher education or training program;

(c) A student registers for or takes a national or multistate assessment;

(d) A student voluntarily participates in a program for which such data transfer is a condition or requirement of participation;

(e) The department enters into a contract that governs databases, assessments, special education or instructional supports with an out-of-state vendor; or

(f) A student is classified as “migrant” for federal reporting purposes; and

(D) Students and parents are notified of their rights under federal and state law;

(3) Develop a detailed data security plan that includes:

(A) Guidelines for authorizing access to the teacher data system and to individual teacher data including guidelines for authentication of authorized access;

(B) Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;

(C) Privacy compliance standards;

(D) Privacy and security audits;

(E) Breach planning, notification and procedures; and

(F) Data retention and disposition policies;

(4) Ensure routine and ongoing compliance by the department with FERPA, § 10-7-504, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this part, including the performance of compliance audits;

(5) Ensure that any contracts that govern databases, assessments or instructional supports that include student or de-identified data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance; and

(6) Notify the governor and the general assembly within sixty (60) days of the following:

(A) Any new student data fields included in the state student data system;

(B) Changes to existing data collections required for any reason, including changes to federal reporting requirements made by the United States department of education;

(C) Any exceptions granted by the state board in the past year regarding the release or out-of-state transfer of student or de-identified data accompanied by an explanation of each exception; and

(D) The results of any and all privacy compliance and security audits completed in the past year. Notifications regarding privacy compliance and security audits shall not include any information that would itself pose a security threat to the state or local student information systems or to the secure transmission of data between state and local systems by exposing vulnerabilities.