AN ACT Relating to privacy and security of personally identifiable student information; amending RCW 28A.300.500, 28A.300.507, 28A.320.035, and 28A.605.030; adding new sections to chapter 28A.300 RCW; adding new sections to chapter 28A.310 RCW; adding a new section to chapter 28A.320 RCW; and creating a new section.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION.  Sec. 2.  A new section is added to chapter 28A.300 RCW to read as follows:

The definitions in this section apply throughout sections 3 through 9 of this act unless the context clearly requires otherwise.

(1) "Directory information" has the meaning assigned in the federal family educational rights and privacy act and corresponding regulations.

(2)(a) "Personally identifiable student-level data" means any information collected by the office of the superintendent of public instruction, any state or local educational agency or institution, the board of directors of a school district, or any third-party service provider or contractor on behalf of the foregoing related to a particular identified or identifiable student in Washington, including, but not limited to:

(i) The student's name;

(ii) The name of the student's parent or other family members;

(iii) The address of the student or student's family;

(iv) A personal identifier, such as the student's social security number, or student number;

(v) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;

(vi) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or

(vii) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

(b) Personally identifiable student-level data does not include any anonymous and aggregated data that cannot be used to link specific information to a particular student.

(3) "School enhancement products and services" means school-related products and services that are customarily offered under the direction or for the benefit of the public agency, organization, or school community, such as school photography, yearbooks, graduation products, and class rings.

(4) "Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or personally identifiable data. Targeted advertising does not include advertising to a student at an online location based upon that student's current visit to that location or single search query without collection and retention of a student's online activities over time or across different web sites or applications.

NEW SECTION.  Sec. 3.  A new section is added to chapter 28A.300 RCW to read as follows:

The superintendent of public instruction, or any employee or contractor of the superintendent, shall not collect, retain, or use in any manner, student biometric information unless it is necessary to implement an individualized education program or plan developed under section 504 of the rehabilitation act of 1973. For the purposes of this section, "biometric information" means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting.

Sec. 4.  RCW 28A.300.500 and 2007 c 401 s 2 are each amended to read as follows:

(1) The office of the superintendent of public instruction is authorized to establish a longitudinal student data system for and on behalf of school districts in the state. The primary purpose of the data system is to better aid research into programs and interventions that are most effective in improving student performance, better understand the state's public educator workforce, and provide information on areas within the educational system that need improvement.

(2) The confidentiality of personally identifiable student data shall be safeguarded consistent with the requirements of the federal family educational rights privacy act and applicable state laws. Consistent with the provisions of these federal and state laws, data may be disclosed for educational purposes and studies, including but not limited to:

(a) Educational studies authorized or mandated by the state legislature;

(b) Studies initiated by other state educational authorities and authorized by the office of the superintendent of public instruction, including analysis conducted by the education data center established under RCW 43.41.400; and

(c) Studies initiated by other public or private agencies and organizations and authorized by the office of the superintendent of public instruction.

(3) The office of the superintendent of public instruction shall grant parents and legal guardians access to any student record that is a record of a child of the parent or a child in the care of the legal guardian, including records that contain personally identifiable data, unless the student is age eighteen or older.

(4) Any public agency or organization or any private contractor or vendor, that is authorized by the office of the superintendent of public instruction to access student-level data shall adhere to all federal and state laws protecting student data and safeguarding the confidentiality and privacy of student records. All public agencies or organizations and private contractors or vendors, that receive personally identifiable student-level data from the office of the superintendent of public instruction and to the extent they are providing services to the office of the superintendent of public instruction shall ensure the following:

(((4))) (6) Nothing in this section precludes the office of the superintendent of public instruction from collecting and distributing aggregate data about students or student-level data without personally identifiable information.

Sec. 5.  RCW 28A.300.507 and 2009 c 548 s 203 are each amended to read as follows:

(1) A K-12 data governance group shall be established within the office of the superintendent of public instruction to assist in the design and implementation of a K-12 education data improvement system for financial, student, and educator data. It is the intent that the data system reporting specifically serve requirements for teachers, parents, superintendents, school boards, the office of the superintendent of public instruction, the legislature, and the public.

(2) The K-12 data governance group shall include representatives of the education data center, the office of the superintendent of public instruction, the legislative evaluation and accountability program committee, the professional educator standards board, the state board of education, and school district staff, including information technology staff. Additional entities with expertise in education data may be included in the K-12 data governance group.

(3) The K-12 data governance group shall:

(a) Develop a detailed data security plan and procedures to govern the use and maintenance of data systems, including ensuring the use of appropriate administrative, physical, and technical safeguards for electronic and physical personally identifiable student-level data at the state level; and develop a model plan consistent with this chapter for school districts to use to safeguard personally identifiable student-level data at the school district level;

(b) Identify the critical research and policy questions that need to be addressed by the K-12 education data improvement system;

(((b))) (c) Identify reports and other information that should be made available on the internet in addition to the reports identified in subsection (5) of this section;

(((c))) (d) Create a comprehensive needs requirement document detailing the specific information and technical capacity needed by school districts and the state to meet the legislature's expectations for a comprehensive K-12 education data improvement system as described under RCW 28A.655.210;

(((d))) (e) Conduct a gap analysis of current and planned information compared to the needs requirement document, including an analysis of the strengths and limitations of an education data system and programs currently used by school districts and the state, and specifically the gap analysis must look at the extent to which the existing data can be transformed into canonical form and where existing software can be used to meet the needs requirement document;

(((e))) (f) Focus on financial and cost data necessary to support the new K-12 financial models and funding formulas, including any necessary changes to school district budgeting and accounting, and on assuring the capacity to link data across financial, student, and educator systems; and

(((f))) (g) Define the operating rules and governance structure for K-12 data collections, ensuring that data systems are flexible and able to adapt to evolving needs for information, within an objective and orderly data governance process for determining when changes are needed and how to implement them. Strong consideration must be made to the current practice and cost of migration to new requirements. The operating rules should delineate the coordination, delegation, and escalation authority for data collection issues, business rules, and performance goals for each K-12 data collection system, including:

(i) Defining and maintaining standards for privacy and confidentiality;

(ii) Setting data collection priorities;

(iii) Defining and updating a standard data dictionary;

(iv) Ensuring data compliance with the data dictionary;

(v) Ensuring data accuracy; and

(vi) Establishing minimum standards for school, student, financial, and teacher data systems. Data elements may be specified "to the extent feasible" or "to the extent available" to collect more and better data sets from districts with more flexible software. Nothing in RCW 43.41.400, this section, or RCW 28A.655.210 should be construed to require that a data dictionary or reporting should be hobbled to the lowest common set. The work of the K-12 data governance group must specify which data are desirable. Districts that can meet these requirements shall report the desirable data. Funding from the legislature must establish which subset data are absolutely required.

(4)(a) The K-12 data governance group shall provide updates on its work as requested by the education data center and the legislative evaluation and accountability program committee.

(b) The work of the K-12 data governance group shall be periodically reviewed and monitored by the educational data center and the legislative evaluation and accountability program committee.

(5) To the extent data is available, the office of the superintendent of public instruction shall make the following minimum reports available on the internet. The reports must either be run on demand against current data, or, if a static report, must have been run against the most recent data:

(a) The percentage of data compliance and data accuracy by school district;

(b) The magnitude of spending per student, by student estimated by the following algorithm and reported as the detailed summation of the following components:

(i) An approximate, prorated fraction of each teacher or human resource element that directly serves the student. Each human resource element must be listed or accessible through online tunneling in the report;

(ii) An approximate, prorated fraction of classroom or building costs used by the student;

(iii) An approximate, prorated fraction of transportation costs used by the student; and

(iv) An approximate, prorated fraction of all other resources within the district. District-wide components should be disaggregated to the extent that it is sensible and economical;

(c) The cost of K-12 basic education, per student, by student, by school district, estimated by the algorithm in (b) of this subsection, and reported in the same manner as required in (b) of this subsection;

(d) The cost of K-12 special education services per student, by student receiving those services, by school district, estimated by the algorithm in (b) of this subsection, and reported in the same manner as required in (b) of this subsection;

(e) Improvement on the statewide assessments computed as both a percentage change and absolute change on a scale score metric by district, by school, and by teacher that can also be filtered by a student's length of full-time enrollment within the school district;

(f) Number of K-12 students per classroom teacher on a per teacher basis;

(g) Number of K-12 classroom teachers per student on a per student basis;

(h) Percentage of a classroom teacher per student on a per student basis; and

(i) The cost of K-12 education per student by school district sorted by federal, state, and local dollars.

(6) The superintendent of public instruction shall submit a preliminary report to the legislature by November 15, 2009, including the analyses by the K-12 data governance group under subsection (3) of this section and preliminary options for addressing identified gaps. A final report, including a proposed phase-in plan and preliminary cost estimates for implementation of a comprehensive data improvement system for financial, student, and educator data shall be submitted to the legislature by September 1, 2010.

(7) All reports and data referenced in this section and RCW 43.41.400 and 28A.655.210 shall be made available in a manner consistent with the technical requirements of the legislative evaluation and accountability program committee and the education data center so that selected data can be provided to the legislature, governor, school districts, and the public.

(8) Reports shall contain data to the extent it is available. All reports must include documentation of which data are not available or are estimated. Reports must not be suppressed because of poor data accuracy or completeness. Reports may be accompanied with documentation to inform the reader of why some data are missing or inaccurate or estimated.

NEW SECTION.  Sec. 6.  A new section is added to chapter 28A.310 RCW to read as follows:

(1) Any public agency or organization or any private contractor or vendor, that is authorized by the educational service district board to access student-level data must adhere to all federal and state laws protecting student data and safeguarding the confidentiality and privacy of student records. All public agencies or organizations and private contractors or vendors, that receive personally identifiable student-level data from the educational service district and to the extent they are providing services to the educational service district shall ensure the following:

(a) All personally identifiable student-level data is used solely for the purpose for which the disclosure was intended;

(b) No personally identifiable student-level data is sold or used for secondary purposes such as marketing or targeted advertising purposes;

(c) All personally identifiable student-level data, including backup copies, is destroyed when it is no longer required for the purposes for which it was disclosed, or upon agreement or contract termination, or project completion;

(d) A record is kept of any requests for access to the personally identifiable student-level data;

(e) No personally identifiable student-level data is disclosed to any other individual or entity without the prior written consent of the parent, legal guardian, or student if the student is age eighteen or older unless the entity is an educational agency or institution that abides by the data security requirements of this section and the federal family educational rights and privacy act and corresponding regulations;

(f) The provisions of this subsection (1) shall not apply to use or disclosure of personally identifiable student-level data by a private contractor or vendor to a service provider, provided the private contractor or vendor:

(i) Prohibits the service provider from using any personally identifiable student-level data for any purpose other than providing the contracted service to, or on behalf of, the private contractor or vendor for the educational purposes for which such data was originally disclosed to the private contractor or vendor;

(ii) Prohibits the service provider from disclosing any personally identifiable student-level data provided by the private contractor or vendor to subsequent third parties unless the disclosure is otherwise permitted by this section; and

(iii) Requires the service provider to comply with the requirements of this section.

(2) Any public agency or organization that possesses personally identifiable student-level data shall take special precautions to avoid accidental disclosure of the data, including encryption whenever feasible. Private contractors or vendors shall employ industry standard methods to ensure security of all personally identifiable student-level data that they receive, store, use, and transmit.

(3) Nothing in this section precludes the educational service district from collecting and distributing aggregate data about students or student-level data without personally identifiable information.

(4) Nothing in this section precludes the educational service district from releasing directory information for the purpose of making available to parents and students school enhancement products and services as authorized by the educational service district, as long as any outside party receiving directory information for these purposes is prohibited from secondary use or sale of the information and is required to comply with all other provisions of this section.

(5) Nothing in this section prohibits the use of personally identifiable student-level data for adaptive learning, personalized learning, or customized education.

(6) Nothing in this section may be construed to impede the ability of students to download, export, or otherwise save or maintain their own student data or documents.

(7) The definitions in section 2 of this act apply in this section.

NEW SECTION.  Sec. 7.  A new section is added to chapter 28A.310 RCW to read as follows:

No educational service district board, educational service district, employee, or contractor may collect, retain, or use in any manner, student biometric information unless it is necessary to implement an individualized education program or plan developed under section 504 of the rehabilitation act of 1973. For the purposes of this section, "biometric information" means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting.

Sec. 8.  RCW 28A.320.035 and 1997 c 267 s 1 are each amended to read as follows:

(1)(a) The board of directors of a school district may contract with other school districts, educational service districts, public or private organizations, agencies, schools, or individuals to implement the board's powers and duties. The board of directors of a school district may contract for goods and services, including but not limited to contracts for goods and services as specifically authorized in statute or rule, as well as other educational, instructional, and specialized services. When a school district board of directors contracts for educational, instructional, or specialized services, the purpose of the contract must be to improve student learning or achievement.

(((2))) (b) A contract under ((subsection (1) of)) this section may not be made with a religious or sectarian organization or school where the contract would violate the state or federal Constitution.

NEW SECTION.  Sec. 9.  A new section is added to chapter 28A.320 RCW to read as follows:

No school district board of directors, school, employee, or contractor may collect, retain, or use in any manner, student biometric information unless it is necessary to implement an individualized education program or plan developed under section 504 of the rehabilitation act of 1973. For the purposes of this section, "biometric information" means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting.

Sec. 10.  RCW 28A.605.030 and 1997 c 119 s 1 are each amended to read as follows:

(1) The parent or guardian of a student who is or has been in attendance at a school has the right to review all education records of the student. A school may not release the education records of a student without the written consent of the student's parent or guardian, except as authorized by RCW 28A.600.475 and the family educational and privacy rights act of 1974, 20 U.S.C. Sec. 1232g.

(2) The board of directors of each school district shall establish a procedure for:

(((1))) (a) Granting the request by a parent or guardian for access to the education records of his or her child that provides that:

(iii) If the records are provided in a nonelectronic format, then the school district may impose a reasonable charge to cover the actual costs directly incident to the copying; and

(((2))) (b) Prohibiting the release of student information without the written consent of the student's parent or guardian, after the parent or guardian has been informed what information is being requested, who is requesting the information and why, and what will be done with the information.

(3) The procedure adopted by the school district must be in compliance with the family educational and privacy rights act of 1974, 20 U.S.C. Sec. 1232g.

--- END ---