The Legislative Council Study Committee on School Data met for the final time Thursday (Nov. 17) and unanimously voted to recommend two formal bill drafts for legislation and three informal recommendations for further consideration and possible legislation.
In general, the recommendations from the committee require the state Department of Public Instruction (DPI) to provide model plans or informational resources regarding school data best practices to school districts. School boards retain their local decision-making in these areas.
The committee voted unanimously to recommend two proposed bill drafts with minor modifications:
- Bill draft 0377 requires the State Superintendent to develop and post on the DPI website a data inventory that: a) lists student data elements collected by the department; b) provides a statement of the purpose or reason for collecting each data element; and c) meets other conditions specified by the committee. This inventory would be required to include every distinct type of pupil data collected by DPI from schools and school districts, a definition of the type of pupil data collected, the purpose for collecting the pupil data, and the state or federal law requiring collection of the pupil data. The data inventory also would have to be updated each time DPI begins collecting an additional type of pupil data or stops collecting a type of pupil data.
- Bill draft 0445 assigns specified, privacy-related duties to the State Superintendent such as developing a model security plan for school districts and establishing a privacy incident response program to provide assistance to school districts in responding to a data breach. It also requires the Superintendent to take certain steps to engage with members of the public and governmental officials regarding data privacy and security issues.
The committee also unanimously approved three recommendations. Recommendations are not formal bill drafts and are used when a study committee does not believe it had the expertise or purview to take an issue up formally but felt it warranted further exploration. They are included in the committee’s final report and are available to be taken up by interested lawmakers:
- Recommendation — Third-party vendor contracts
This proposal contains draft language recommending that DPI develop best practices for contracting with third-party education technology vendors for school districts to consult when evaluating and entering into contracts with these vendors. The guidance shall include model terms of service and identify issues for school districts to consider when evaluating a contract, such as, but not limited to: (a) whether the contract permits a vendor to sell student information to another person or entity; (b) whether the contract prohibits a vendor from amassing a profile about a student; and (c) whether the contract permits a vendor to engage in targeted advertising to students or their parents or legal guardians. The guidance should also include a list of vendors that offer terms of service that comply with the DPI model.
- Recommendation — Electronic access
This proposal contains draft language recommending that the Legislature consider options for encouraging or requiring the State Superintendent to facilitate access to, and transfer of, electronic student records and data by schools, students, and parents. Such consideration should include reviewing measures adopted in other states to facilitate access to student records, including providing access to a “data backpack” of records maintained in electronic form on behalf of a student.
- Recommendation — Personally identifiable information impact reports
Recommends that the Legislature consider requiring agency personnel to prepare a personally identifiable information impact report for any bill or administrative rule impacting privacy or security of personally identifiable information collected by that agency. The report or reports should be distributed prior to a vote or hearing on the proposal, as is the case with a fiscal estimate under current law.