(1) School service providers must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information. The information security program should make use of appropriate administrative, technological, and physical safeguards.

(2) School service providers must delete student personal information within a reasonable period of time if the relevant educational institution requests deletion of the data under the control of the educational institution unless:

(a) The school service provider has obtained student consent or the consent of the student's parent or guardian to retain information related to that student; or

(b) The student has transferred to another educational institution and that educational institution has requested that the school service provider retain information related to that student.