AN ACT Relating to privacy and security of personally identifiable student information; amending RCW 28A.300.500, 28A.300.507, 28A.320.035, and 28A.605.030; adding a new section to chapter 28A.300 RCW; adding a new section to chapter 28A.310 RCW; adding a new section to chapter 28A.320 RCW; and creating a new section.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION.  Sec. 2.  A new section is added to chapter 28A.300 RCW to read as follows:

The superintendent of public instruction, or any employee or contractor of the superintendent, shall not collect, retain, or use in any manner, student biometric information. For the purposes of this section, "biometric information" includes, but is not limited to, a fingerprint or hand scan, a retina or iris scan, a voice print, or a facial geometry scan of a student.

Sec. 3.  RCW 28A.300.500 and 2007 c 401 s 2 are each amended to read as follows:

(1) The office of the superintendent of public instruction is authorized to establish a longitudinal student data system for and on behalf of school districts in the state. The primary purpose of the data system is to better aid research into programs and interventions that are most effective in improving student performance, better understand the state's public educator workforce, and provide information on areas within the educational system that need improvement.

(2) The confidentiality of personally identifiable student data shall be safeguarded consistent with the requirements of the federal family educational rights privacy act and applicable state laws. Consistent with the provisions of these federal and state laws, data may be disclosed for educational purposes and studies, including but not limited to:

(a) Educational studies authorized or mandated by the state legislature;

(b) Studies initiated by other state educational authorities and authorized by the office of the superintendent of public instruction, including analysis conducted by the education data center established under RCW 43.41.400; and

(c) Studies initiated by other public or private agencies and organizations and authorized by the office of the superintendent of public instruction.

(3) The office of the superintendent of public instruction shall grant parents and legal guardians access to any student record that is a record of a child of the parent or a child in the care of the legal guardian, including records that contain personally identifiable data, unless the student is age eighteen or older. Personally identifiable student-level data must not be disclosed to any other third party unless the disclosure is necessary to meet a legitimate need for the data to support the individual's professional role.

(4) Any public agency or organization or any private contractor or vendor, that is authorized by the office of the superintendent of public instruction to access student-level data shall adhere to all federal and state laws protecting student data and safeguarding the confidentiality and privacy of student records. All public agencies or organizations and private contractors or vendors, that receive personally identifiable student-level data shall ensure the following:

(((4)))(5) Nothing in this section precludes the office of the superintendent of public instruction from collecting and distributing aggregate data about students or student-level data without personally identifiable information.

Sec. 4.  RCW 28A.300.507 and 2009 c 548 s 203 are each amended to read as follows:

(1) A K-12 data governance group shall be established within the office of the superintendent of public instruction to assist in the design and implementation of a K-12 education data improvement system for financial, student, and educator data. It is the intent that the data system reporting specifically serve requirements for teachers, parents, superintendents, school boards, the office of the superintendent of public instruction, the legislature, and the public.

(2) The K-12 data governance group shall include representatives of the education data center, the office of the superintendent of public instruction, the legislative evaluation and accountability program committee, the professional educator standards board, the state board of education, and school district staff, including information technology staff. Additional entities with expertise in education data may be included in the K-12 data governance group.

(3) The K-12 data governance group shall:

(a) Develop a detailed data security plan and procedures to govern the use and maintenance of data systems, including ensuring the use of appropriate administrative, physical, and technical safeguards for electronic and physical personally identifiable student-level data at the state level; and develop a model plan for school districts to use to safeguard personally identifiable student-level data at the school district level;

(b) Identify the critical research and policy questions that need to be addressed by the K-12 education data improvement system;

(((b)))(c) Identify reports and other information that should be made available on the internet in addition to the reports identified in subsection (5) of this section;

(((c)))(d) Create a comprehensive needs requirement document detailing the specific information and technical capacity needed by school districts and the state to meet the legislature's expectations for a comprehensive K-12 education data improvement system as described under RCW 28A.655.210;

(((d)))(e) Conduct a gap analysis of current and planned information compared to the needs requirement document, including an analysis of the strengths and limitations of an education data system and programs currently used by school districts and the state, and specifically the gap analysis must look at the extent to which the existing data can be transformed into canonical form and where existing software can be used to meet the needs requirement document;

(((e)))(f) Focus on financial and cost data necessary to support the new K-12 financial models and funding formulas, including any necessary changes to school district budgeting and accounting, and on assuring the capacity to link data across financial, student, and educator systems; and

(((f)))(g) Define the operating rules and governance structure for K-12 data collections, ensuring that data systems are flexible and able to adapt to evolving needs for information, within an objective and orderly data governance process for determining when changes are needed and how to implement them. Strong consideration must be made to the current practice and cost of migration to new requirements. The operating rules should delineate the coordination, delegation, and escalation authority for data collection issues, business rules, and performance goals for each K-12 data collection system, including:

(i) Defining and maintaining standards for privacy and confidentiality;

(ii) Setting data collection priorities;

(iii) Defining and updating a standard data dictionary;

(iv) Ensuring data compliance with the data dictionary;

(v) Ensuring data accuracy; and

(vi) Establishing minimum standards for school, student, financial, and teacher data systems. Data elements may be specified "to the extent feasible" or "to the extent available" to collect more and better data sets from districts with more flexible software. Nothing in RCW 43.41.400, this section, or RCW 28A.655.210 should be construed to require that a data dictionary or reporting should be hobbled to the lowest common set. The work of the K-12 data governance group must specify which data are desirable. Districts that can meet these requirements shall report the desirable data. Funding from the legislature must establish which subset data are absolutely required.

(4)(a) The K-12 data governance group shall provide updates on its work as requested by the education data center and the legislative evaluation and accountability program committee.

(b) The work of the K-12 data governance group shall be periodically reviewed and monitored by the educational data center and the legislative evaluation and accountability program committee.

(5) To the extent data is available, the office of the superintendent of public instruction shall make the following minimum reports available on the internet. The reports must either be run on demand against current data, or, if a static report, must have been run against the most recent data:

(a) The percentage of data compliance and data accuracy by school district;

(b) The magnitude of spending per student, by student estimated by the following algorithm and reported as the detailed summation of the following components:

(i) An approximate, prorated fraction of each teacher or human resource element that directly serves the student. Each human resource element must be listed or accessible through online tunneling in the report;

(ii) An approximate, prorated fraction of classroom or building costs used by the student;

(iii) An approximate, prorated fraction of transportation costs used by the student; and

(iv) An approximate, prorated fraction of all other resources within the district. District-wide components should be disaggregated to the extent that it is sensible and economical;

(c) The cost of K-12 basic education, per student, by student, by school district, estimated by the algorithm in (b) of this subsection, and reported in the same manner as required in (b) of this subsection;

(d) The cost of K-12 special education services per student, by student receiving those services, by school district, estimated by the algorithm in (b) of this subsection, and reported in the same manner as required in (b) of this subsection;

(e) Improvement on the statewide assessments computed as both a percentage change and absolute change on a scale score metric by district, by school, and by teacher that can also be filtered by a student's length of full-time enrollment within the school district;

(f) Number of K-12 students per classroom teacher on a per teacher basis;

(g) Number of K-12 classroom teachers per student on a per student basis;

(h) Percentage of a classroom teacher per student on a per student basis; and

(i) The cost of K-12 education per student by school district sorted by federal, state, and local dollars.

(6) The superintendent of public instruction shall submit a preliminary report to the legislature by November 15, 2009, including the analyses by the K-12 data governance group under subsection (3) of this section and preliminary options for addressing identified gaps. A final report, including a proposed phase-in plan and preliminary cost estimates for implementation of a comprehensive data improvement system for financial, student, and educator data shall be submitted to the legislature by September 1, 2010.

(7) All reports and data referenced in this section and RCW 43.41.400 and 28A.655.210 shall be made available in a manner consistent with the technical requirements of the legislative evaluation and accountability program committee and the education data center so that selected data can be provided to the legislature, governor, school districts, and the public.

(8) Reports shall contain data to the extent it is available. All reports must include documentation of which data are not available or are estimated. Reports must not be suppressed because of poor data accuracy or completeness. Reports may be accompanied with documentation to inform the reader of why some data are missing or inaccurate or estimated.

NEW SECTION.  Sec. 5.  A new section is added to chapter 28A.310 RCW to read as follows:

No educational service district board of directors, employee, or contractor may collect, retain, or use in any manner, student biometric information. For the purposes of this section, "biometric information" includes, but is not limited to, a fingerprint or hand scan, a retina or iris scan, a voice print, or a facial geometry scan of a student.

Sec. 6.  RCW 28A.320.035 and 1997 c 267 s 1 are each amended to read as follows:

(1)(a) The board of directors of a school district may contract with other school districts, educational service districts, public or private organizations, agencies, schools, or individuals to implement the board's powers and duties. The board of directors of a school district may contract for goods and services, including but not limited to contracts for goods and services as specifically authorized in statute or rule, as well as other educational, instructional, and specialized services. When a school district board of directors contracts for educational, instructional, or specialized services, the purpose of the contract must be to improve student learning or achievement.

(((2)))(b) A contract under ((subsection (1) of)) this section may not be made with a religious or sectarian organization or school where the contract would violate the state or federal Constitution.

NEW SECTION.  Sec. 7.  A new section is added to chapter 28A.320 RCW to read as follows:

No school district board of directors, employee, or contractor may collect, retain, or use in any manner, student biometric information. For the purposes of this section, "biometric information" includes, but is not limited to, a fingerprint or hand scan, a retina or iris scan, a voice print, or a facial geometry scan of a student.

Sec. 8.  RCW 28A.605.030 and 1997 c 119 s 1 are each amended to read as follows:

(1) The parent or guardian of a student who is or has been in attendance at a school has the right to review all education records of the student. A school may not release the education records of a student without the written consent of the student's parent or guardian, except as authorized by RCW 28A.600.475 and the family educational and privacy rights act of 1974, 20 U.S.C. Sec. 1232g.

(2) The board of directors of each school district shall establish a procedure for:

(((1)))(a) Granting the request by a parent or guardian for access to the education records of his or her child that provides that:

(iii) If the records are provided in a nonelectronic format, then the school district may impose a reasonable charge to cover the actual costs directly incident to the copying; and

(((2)))(b) Prohibiting the release of student information without the written consent of the student's parent or guardian, after the parent or guardian has been informed what information is being requested, who is requesting the information and why, and what will be done with the information.

(3) The procedure adopted by the school district must be in compliance with the family educational and privacy rights act of 1974, 20 U.S.C. Sec. 1232g.

--- END ---