Current with changes from the 2024 Legislative Session
Section 161.096 - Statewide longitudinal data system, regulation on student data accessibility, transparency, and accountability required - regulation requirements - data not to be reported - rulemaking authority - violation, penalty - attorney general to enforce1. The state board of education shall promulgate a rule relating to student data accessibility, transparency, and accountability relating to the statewide longitudinal data system. This rule shall mandate that the department of elementary and secondary education do the following: (1) Create and make publicly available a data inventory and index of data elements with definitions of individual student data fields in the student data system to include, but not be limited to: (a) Any personally identifiable student data required to be reported by state and federal education laws; and(b) Any other individual student data which has been proposed for inclusion in the student data system with a statement regarding the purpose or reason for the proposed collection;(2) Develop policies to comply with all relevant state and federal privacy laws and policies, including but not limited to the federal Family Educational Rights and Privacy Act (FERPA) and other relevant privacy laws and policies. These policies shall include, but not be limited to the following requirements: (a) Access to personally identifiable student data in the statewide longitudinal data system shall be restricted to: a. The authorized staff of the department of elementary and secondary education and the contractors working on behalf of the department who require such access to perform their assigned duties as required by law;b. District administrators, teachers, and school personnel who require such access to perform their assigned duties;c. Students and their parents for their own data; andd. The authorized staff of other state agencies in this state as required by law and governed by interagency data sharing agreements;(b) The department of elementary and secondary education shall develop criteria for the approval of research and data requests from state and local agencies, researchers working on behalf of the department, and the public;(3) Shall not, unless otherwise provided by law and authorized by policies adopted pursuant to this section, transfer personally identifiable student data;(4) Develop a detailed data security plan that includes:(a) Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;(b) Privacy compliance standards;(c) Privacy and security audits;(d) Breach planning, notification and procedures;(e) Data retention and disposition policies; and(f) Data security policies including electronic, physical, and administrative safeguards, such as data encryption and training of employees;(5) Ensure routine and ongoing compliance by the department of elementary and secondary education with FERPA, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this section, including the performance of compliance audits;(6) Ensure that any contracts that govern databases, assessments, or instructional supports that include student or redacted data and are outsourced to private vendors include express provisions that safeguard privacy and security, including provisions that prohibit private vendors from selling student data or from using student data in furtherance of advertising, with penalties for noncompliance, except to a local service provider for the limited purpose authorized by the school or district whose access to student data, if any, is limited to "directory information" as that term is defined in the federal regulations implementing the federal Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g; and(7) Notify the governor, the president pro tempore of the senate, the speaker of the house of representatives, and the joint committee on education annually of the following: (a) New student data proposed for inclusion in the state student data system; and(b) Changes to existing data collections required for any reason, including changes to federal reporting requirements made by the U.S. Department of Education.2. Quantifiable student performance data shall only include performance on locally developed or locally approved assessments, including but not limited to formative assessments developed by classroom teachers.3. The department of elementary and secondary education shall not collect nor shall school districts report the following individual student data: (1) Juvenile court delinquency records;(3) Student biometric information;(4) Student political affiliation; or4. Any rule or portion of a rule, as that term is defined in section 536.010, that is created under the authority delegated in this section shall become effective only if it complies with and is subject to all of the provisions of chapter 536 and, if applicable, section 536.028. This section and chapter 536 are nonseverable and if any of the powers vested with the general assembly pursuant to chapter 536 to review, to delay the effective date, or to disapprove and annul a rule are subsequently held unconstitutional, then the grant of rulemaking authority and any rule proposed or adopted after August 28, 2014, shall be invalid and void.5. Each violation of any provision of any rule promulgated pursuant to this section by an organization or entity other than a state agency, a school board, or an institution shall be punishable by a civil penalty of up to one thousand dollars. A second violation by the same organization or entity involving the education records and privacy of the same student shall be punishable by a civil penalty of up to five thousand dollars. Any subsequent violation by the same organization or entity involving the education records and privacy of the same student shall be punishable by a civil penalty of up to ten thousand dollars. Each violation involving a different individual education record or a different individual student shall be considered a separate violation for purposes of civil penalties.6. The attorney general shall have the authority to enforce compliance with this section by investigation and subsequent commencement of a civil action, to seek civil penalties for violations of this section, and to seek appropriate injunctive relief, including but not limited to a prohibition on obtaining personally identifiable information for an appropriate time period. In carrying out such investigation and in maintaining such civil action, the attorney general or any deputy or assistant attorney general is authorized to subpoena witnesses, compel their attendance, examine them under oath, and require that any books, records, documents, papers, or electronic records relevant to the inquiry be turned over for inspection, examination, or audit. Subpoenas issued under this subsection may be enforced pursuant to the Missouri rules of civil procedure.Added by 2014 Mo. Laws, HB 1490,s A, eff. 8/28/2014.