Current with legislation from 2024 Fiscal and Special Sessions.
Section 6-18-2607 - School service contract provider - Data security and destruction(a)(1) A school service contract provider shall maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personally identifiable information.(2) The comprehensive information security program required under subdivision (a)(1) of this section shall make use of appropriate administrative, technological, and physical safeguards.(b) During the term of a contract between a school service contract provider and a public education entity, if the contracting public education entity requests destruction of a student's student personally identifiable information collected, generated, or inferred as a result of the contract, the contracting school service contract provider shall destroy the student personally identifiable information as soon as practicable after the date of the request unless: (1) The school service contract provider obtains the consent of the student or the student's parent to retain the student's student personally identifiable information; or(2) The student has transferred to another public education entity and the receiving public education entity has requested that the school service contract provider retain the student's student personally identifiable information.(c)(1) Following the termination or conclusion of a contract between a school service contract provider and a public education entity, the school service contract provider shall, within the time period specified in the contract, destroy all student personally identifiable information collected, generated, or inferred as a result of the contract.(2) If the contract does not specify a period for destruction of student personally identifiable information, the school service contract provider shall destroy the student personally identifiable information as soon as practicable after the student personally identifiable information is no longer needed for the purpose of the contract between the school service contract provider and the public education entity.(3) Upon request of the public education entity, the school service contract provider shall notify the public education entity of the date upon which all of the student personally identifiable information is destroyed.Added by Act 2023, No. 754,§ 1, eff. 6/1/2024.