4590L.01I                                                                                                                                                  D. ADAM CRUMBLISS, Chief Clerk



To amend chapter 161, RSMo, by adding thereto one new section relating to the privacy of student data.

Be it enacted by the General Assembly of the state of Missouri, as follows:

            Section A. Chapter 161, RSMo, is amended by adding thereto one new section, to be known as section 161.108, to read as follows:

            161.108. 1. The state board of education shall adopt a rule regarding student data accessibility, transparency, and accountability relating to the statewide longitudinal data system. Such rule shall require the department of elementary and secondary education to:

            (1) Create and make publicly available a data inventory and index of data elements with definitions of individual student data fields in the student data system, including but not limited to:

            (a) Any personally identifiable student data required to be reported by state and federal education mandates; and

            (b) Any other individual student data which has been proposed for inclusion in the student data system with a statement regarding the purpose or reason for the proposed collection;

            (2) Develop policies to comply with all relevant state and federal privacy laws and policies, including but not limited to the Federal Educational Rights and Privacy Act (FERPA) and other relevant privacy laws and policies, and shall include but not be limited to:

            (a) Access to personally identifiable student data in the statewide longitudinal data system shall be restricted to:

            a. The authorized staff of the department of elementary and secondary education and the contractors working on behalf of the department who require such access to perform their assigned duties as required by law;

            b. District administrators, teachers, and school personnel who require such access to perform their assigned duties;

            c. Students and their parents; and

            d. The authorized staff of other state agencies in the state of Missouri as required by law and governed by interagency data-sharing agreements;

            (b) Development by the department of elementary and secondary education of criteria for the approval of research and data requests from state and local agencies, researchers working on behalf of the department, and the public;

            (3) Prohibit the transfer of personally identifiable student data, unless otherwise provided by law and authorized by policies adopted under this section;

            (4) Develop a detailed data security plan that includes:

            (a) Guidelines for authorizing access to the student data system and to individual student data, including guidelines for authentication of authorized access;

            (b) Privacy compliance standards;

            (c) Privacy and security audits;

            (d) Breach planning, notification, and procedures;

            (e) Data retention and disposition policies; and

            (f) Data security policies, including electronic, physical, and administrative safeguards such as data encryption and training of employees;

            (5) Ensure routine and ongoing compliance by the department of elementary and secondary education with FERPA, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this section, including the performance of compliance audits;

            (6) Ensure that any contracts that govern databases, assessments, or instructional supports which include student or redacted data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance; and

            (7) Notify the governor and the general assembly annually of the following:

            (a) New student data proposed for inclusion in the state student data system; and

            (b) Changes to existing data collections required for any reason, including changes to federal reporting requirements made by the United States Department of Education.

            2. The department of elementary and secondary education shall not collect, nor shall school districts report the following individual student data;

            (1) Juvenile court delinquency records;

            (2) Criminal records;

            (3) Student biometric information;

            (4) Student political affiliation; or

            (5) Student religion.