ARTICLE 15
STUDENT DATA PRIVACY, ACCESSIBILITY, AND TRANSPARENCY
20-2-664. Role of department.
The department shall:
- Create, publish, and make publicly available a data inventory and dictionary or index of data elements with definitions of student personally identifiable data fields in the state data system to include, but not be limited to:
  - Any student personally identifiable data required to be reported by state and federal education mandates;
  - Any student personally identifiable data which is included or has been proposed for inclusion in the state data system with a statement regarding the purpose or reason for the proposed collection; and
  - Any student data that the department collects or maintains with no current identified purpose;
- Develop, publish, and make publicly available policies and procedures for the state data system to comply with this article and other applicable state and federal data privacy and security laws, including the federal Family Educational Rights and Privacy Act. Such policies and procedures shall include, at a minimum:
  - Restrictions on granting access to student data in the state data system, except to the following:
    - Students and their parents, as provided by the collecting local board of education;
    - The authorized administrators, teachers, and other school personnel of local boards of education, and the contractors or other authorized entities working on their behalf, that enroll students who are the subject of the data and who require such access to perform their assigned duties;
    - The authorized staff of the department, and the contractors or other authorized entities working on behalf of the department, who require such access to perform their assigned duties as authorized by law or defined by interagency or other data sharing agreements; and
    - The authorized staff of other state agencies in this state as required or authorized by law, including contractors or other authorized entities working on behalf of a state agency that require such access to perform their duties pursuant to an interagency agreement or other data sharing agreement;
  - Prohibitions against publishing student data other than aggregate data or de-identified data in public reports; and
  - Consistent with applicable law, criteria for the approval of research and data requests from state and local agencies, the General Assembly, those conducting research including on behalf of the department, and the public that involve access to student personally identifiable information;
- Unless otherwise provided by law or approved by the State Board of Education, not transfer student personally identifiable data to any federal, state, or local agency or nongovernmental organization, except for disclosures incident to the following actions:
  - A student transferring to another school or school system in this state or out of state or a school or school system seeking help with locating a transferred student;
  - A student enrolling in a postsecondary institution or training program;
  - A student registering for or taking a state, national, or multistate assessment where such data is required to administer the assessment;
  - A student voluntarily participating in a program for which such a data transfer is a condition or requirement of participation;
  - The federal government requiring the transfer of student data for a student classified as a "migrant" for related federal program purposes;
  - A federal agency requiring student personally identifiable data to perform an audit, compliance review, or complaint investigation; or
  - An eligible student or student's parent or legal guardian requesting such transfer;
- Develop a detailed data security plan for the state data system that includes:
  - Guidelines for authorizing access to the state data system and to student personally identifiable data including guidelines for authentication of authorized access;
  - Privacy and security audits;
  - Plans for responding to security breaches, including notifications, remediations, and related procedures;
  - Data retention and disposal policies;
  - Data security training and policies including technical, physical, and administrative safeguards;
  - Standards regarding the minimum number of students or information that must be included in a data set in order for the data to be considered aggregated and, therefore, not student personally identifiable data subject to requirements in this article and in other federal and state data privacy laws;
  - A process for evaluating and updating as necessary the data security plan, at least on an annual basis, in order to identify and address any risks to the security of student personally identifiable data; and
  - Guidance for local boards of education to implement effective security practices that are consistent with those of the state data system;
- Ensure routine and ongoing compliance by the department with the federal Family Educational Rights and Privacy Act, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this article, including the performance of compliance audits for the department;
- Notify the Governor and the General Assembly annually of the following matters relating to the state data system:
  - New provisional student data proposed for inclusion in the state data system:
    - Any new provisional student data collection proposed by the department shall become a provisional requirement to allow local boards of education and their local data system vendors the opportunity to meet the new requirement; and
    - The department shall announce any new provisional student data collection to the general public for a review and comment period of at least 60 days;
  - Changes to existing student personally identifiable data collections required for any reason, including changes to federal reporting requirements made by the United States Department of Education;
  - A list of any special approvals granted by the department pursuant to subparagraph (C) of paragraph (3) of this Code section in the past year regarding the release of student personally identifiable data; and
  - The results of any and all privacy compliance and security audits completed in the past year. Notifications regarding privacy compliance and security audits shall not include any information that would itself pose a security threat to the state or local student information systems or to the secure transmission of data between state and local systems by exposing vulnerabilities; and
- Develop policies and procedures to ensure the provision of at least annual notifications to eligible students and parents or guardians regarding student privacy rights under federal and state law.
(Code 1981, §20-2-664, enacted by Ga. L. 2015, p. 1031, § 1-1/SB 89.)
U.S. Code.
- The Family Educational Rights and Privacy Act, referred to in this Code section, is codified at 20 U.S.C. § 1232g.