HB2645 - 512R

Be it enacted by the Legislature of the State of Arizona:

Section 1. Section 15-249.01, Arizona Revised Statutes, is amended to read:

START_STATUTE15-249.01. Data governance commission; membership; terms; duties; definition

A. The data governance commission is established in the department of education consisting of:

1. The chief technology managers, or the managers' designees, of each of the universities under the jurisdiction of the Arizona board of regents.

2. The chief technology manager, or the manager's designee, of a community college district located in a county with a population of eight hundred thousand persons or more who has expertise in technology and who is appointed by the governor.

3. The chief technology manager, or the manager's designee, of a community college district located in a county with a population of less than eight hundred thousand persons who has expertise in technology and who is appointed by the governor.

4. The chief executive officer of the Arizona early childhood development and health board or the chief executive officer's designee.

5. An officer or employee of a school district located in a county with a population of eight hundred thousand persons or more who has expertise in technology and who is appointed by the governor.

6. An officer or employee of a school district located in a county with a population of less than eight hundred thousand persons who has expertise in technology and who is appointed by the governor.

7. An officer or employee of a charter school located in a county with a population of eight hundred thousand persons or more who has expertise in technology and who is appointed by the president of the senate.

8. An officer or employee of a charter school located in a county with a population of less than eight hundred thousand persons who has expertise in technology and who is appointed by the speaker of the house of representatives.

9. Two representatives of the business community, one of whom is appointed by the president of the senate and one of whom is appointed by the speaker of the house of representatives.

10. The director of the department of administration or the director's designee.

11. The superintendent of public instruction or the superintendent's designee.

B. The initial appointed members shall assign themselves by lot to terms of two, three and four years in office. All subsequent appointed members of the commission shall serve four‑year terms. The chairperson shall notify the governor, the speaker of the house of representatives and the president of the senate on appointments of these terms. Members of the commission shall elect a chairperson from among the members of the commission. Members of the commission shall not receive compensation. The department of education shall provide adequate staff support for the commission.

C. The commission shall identify, examine and evaluate the needs of public institutions that provide instruction to pupils in preschool programs, kindergarten programs, grades one through twelve and postsecondary programs in Arizona and shall:

1. Establish guidelines related to the following:

(a) Managed data access.

(b) Technology.

(d) Adequacy of training.

(e) Adequacy of data model implementation.

(f) Prioritization of funding opportunities.

(g) Resolution of data conflicts.

(h) The form and format of data elements that are required for state and federal reporting and interagency data sharing.

2. Provide recommendations on technology spending.

3. Provide analyses and recommendations of the following:

(a) The control of data confidentiality and data security for stored data and data in transmission.

(b) Access privileges and access management.

(d) Data standards for stored data and data in transmission, including rules for definition, format, source, provenance, element level and contextual integrity.

(e) Documentation standards for data elements and systems components.

(f) Data archival and retrieval management systems, including change control and change tracking.

(g) Publication of standard and ad hoc reports for state and local level use on student achievement.

(h) Publication of implementation timelines and progress.

4. establish, PUBLISH AND MAKE PUBLICLY AVAILABLE ON THE DEPARTMENT'S WEBSITE A DATA INVENTORY AND DICTIONARY OR INDEX OF DATA ELEMENTS WITH DEFINITIONS OF INDIVIDUAL STUDENT DATA FIELDS IN THE EDUCATION DATA SYSTEM, INCLUDING any individual student data element:

(a) that is REQUIRED TO BE REPORTED BY STATE AND FEDERAL EDUCATION law.

(b) that HAS BEEN PROPOSED FOR INCLUSION IN THE EDUCATION DATA SYSTEM WITH A STATEMENT REGARDING THE PURPOSE OR REASON FOR THE PROPOSED COLLECTION.

5. REVIEW AND APPROVE DATA ELEMENTS TO BE INCLUDED IN THE EDUCATION DATA SYSTEM PURSUANT TO SECTION 15-1045. ANY proposed NEW STUDENT DATA COLLECTION must BE ANNOUNCED TO THE GENERAL PUBLIC AND POSTED FOR A REVIEW AND COMMENT PERIOD OF AT LEAST sixty DAYS.

4. 6. Ensure that the guidelines and recommendations adopted pursuant to this subsection reduce duplication and administrative requirements for public schools, postsecondary institutions and public agencies.

5. 7. Submit an annual report on or before December 1 regarding the commission's activities to the governor, the speaker of the house of representatives and the president of the senate. The data governance commission shall provide copies of this report to the secretary of state. The report prescribed in this paragraph must include:

(a) ANY NEW DATA ELEMENTS PROPOSED FOR INCLUSION IN THE EDUCATION DATA SYSTEM.

(b) CHANGES TO EXISTING DATA COLLECTIONS REQUIRED FOR ANY REASON, INCLUDING CHANGES TO FEDERAL REPORTING REQUIREMENTS.

(c) AN EXPLANATION OF ANY EXCEPTIONS GRANTED BY THE DEPARTMENT DURING THE YEAR REGARDING THE RELEASE OF STUDENT LEVEL OR REDACTED DATA to any federal agency or another state or a local agency located in another state PURSUANT TO SECTION 15-1045, SUBSECTION E.

(d) THE RESULTS OF ANY PRIVACY OR SECURITY AUDIT CONDUCTED WITHIN THE Previous YEAR. THE REPORT may NOT INCLUDE ANY INFORMATION THAT WOULD POSE A THREAT TO THE SECURITY OR THE CONFIDENTIALITY OF THE EDUCATION DATA SYSTEM OR THE SECURE TRANSMISSION OF DATA BETWEEN SCHOOL DISTRICTS, CHARTER SCHOOLS AND THE DEPARTMENT.

D. FOR THE PURPOSES OF THIS SECTION, "EDUCATION DATA SYSTEM" HAS THE SAME MEANING PRESCRIBED IN SECTION 15-1041. END_STATUTE

Sec. 2. Section 15-1041, Arizona Revised Statutes, is amended to read:

START_STATUTE15-1041. Student accountability information system; definitions

A. The student accountability information system is established to enable school districts, joint technical education districts and charter schools to transmit student level data and school finance data electronically through the internet to the department of education for the purposes of complying with the statutory obligations of the department of education and the state board of education.

B. In this article, unless the context otherwise requires:

1. "AGGREGATEd DATA" MEANS DATA COLLECTED OR REPORTED AT THE GROUP, COHORT, SCHOOL, school DISTRICT, CHARTER school OR STATE LEVEL.

2. "EDUCATION DATA SYSTEM" MEANS THE STUDENT ACCOUNTABILITY INFORMATION SYSTEM ESTABLISHED BY this SECTIOn, OR ITS SUCCESSOR SYSTEM, AND THE EDUCATION LEARNING AND ACCOUNTABILITY SYSTEM ESTABLISHED pursuant to SECTION 15-249, OR ITS SUCCESSOR SYSTEM, AND those systems' RESPECTIVE COMPONENTS.

3. "REDACTED DATA" MEANS A DATA SET IN WHICH PERSONALLY IDENTIFIABLE INFORMATION HAS BEEN REMOVED OR that HAS BEEN OTHERWISE ALTERED TO PREVENT THE IDENTIFICATION OF INDIVIDUAL STUDENT DATA THROUGH FURTHER ANALYSIS.

4. "STUDENT LEVEL DATA" MEANS ALL DATA ELEMENTS THAT ARE COMPILED AND SUBMITTED FOR EACH INDIVIDUAL STUDENT IN THIS STATE AND THAT ARE NECESSARY FOR THE COMPLETION OF THE REQUIREMENTS by THE DEPARTMENT OF EDUCATION AND THE STATE BOARD OF EDUCATION RELATING TO THE CALCULATION OF FUNDING FOR PUBLIC EDUCATION, THE DETERMINATION OF STUDENT ACADEMIC PROGRESS AS MEASURED BY STUDENT TESTING PROGRAMS IN THIS STATE and STATE AND FEDERAL REPORTING AND OTHER DUTIES PRESCRIBED TO THE DEPARTMENT OF EDUCATION OR THE STATE BOARD OF EDUCATION BY LAW. STUDENT LEVEL DATA DOES NOT INCLUDE DATA ELEMENTS that are RELATED TO STUDENT BEHAVIOR, DISCIPLINE, CRIMINAL HISTORY, MEDICAL HISTORY, RELIGIOUS AFFILIATION, PERSONAL PHYSICAL DESCRIPTORS OR FAMILY INFORMATION and that are NOT AUTHORIZED BY THE PARENT OR GUARDIAN OF THE PUPIL OR OTHERWISE REQUIRED BY LAW.

5. "UNIQUE PUPIL IDENTIFIER" MEANS THE METHOD OF IDENTIFYING EACH INDIVIDUAL STUDENT ESTABLISHED BY THE DEPARTMENT PURSUANT TO SECTION 15-1045. END_STATUTE

Sec. 3. Section 15-1042, Arizona Revised Statutes, is amended to read:

START_STATUTE15-1042. Timeline; student level data; confidentiality

A. The department of education shall notify school districts, joint technical education districts and charter schools of electronic data submission procedures and shall distribute a list of the specific student level data elements, including the statutory or regulatory reference for each data element, that school districts, joint technical education districts and charter schools are required to submit. The department of education shall not make any changes to the student level data elements to be collected unless the student level data element has been reviewed and adopted by the data governance commission established by section 15‑249.01.

B. Each school district, joint technical education district and charter school shall submit electronic data on a school by school basis, including student level data, to the department of education in order for the school district, joint technical education district or charter school to receive monies for the cost of educating students pursuant to this title.

C. The department of education shall grant a school district, joint technical education district or charter school an extension to the deadline for the submission of student level data or may provide for an alternative method for the submission of student level data if the school district, joint technical education district or charter school proves that good cause exists for the extension, and the school district, joint technical education district or charter school shall continue to receive monies for the cost of educating students pursuant to this title. The request for an extension of the deadline for the submission of student level data pursuant to this subsection shall include a justification for the extension and the status of current efforts towards complying with the submission of student level data.

D. c. A pupil or the parent or guardian of a pupil shall not be required to submit data that does not relate to the provision of educational services or assistance to the pupil.

E. D. Unless otherwise prescribed, school districts, joint technical education districts and charter schools shall begin to report new data elements on July 1 of the year that follows the effective date of the law that requires the collection of the data.

F. E. Student level data items submitted to the department of education by school districts, joint technical education districts and charter schools pursuant to this section shall not be used to adjust funding levels or calculate the average daily membership for the purpose of funding school districts at any time other than the fortieth, one hundredth and two hundredth days of the school year.

G. F. A school district, joint technical education district or charter school is not required to submit student level data to the department of education more often than once every twenty school days.

H. G. Notwithstanding subsection J of this section, The student level data shall include reasons for the withdrawal if reasons are provided by the withdrawing pupil or the pupil's parent or guardian. For the purposes of this subsection, the department of education shall include in the specific student level data elements that school districts, joint technical education districts and charter schools are required to submit data relating to students who withdraw from school because the student is pregnant or because the student is the biological parent of a child.

I. H. All student level data collected pursuant to this section is confidential and is not a public record. The data collected may be used for aggregate research and reporting and for providing access of student level data to school districts, joint technical education districts, charter schools, community colleges and universities under the jurisdiction of the Arizona board of regents.

J. For the purposes of this section, "student level data" means all data elements that are compiled and submitted for each student in this state and that are necessary for the completion of the statutory requirements of the department of education and the state board of education relating to the calculation of funding for public education, the determination of student academic progress as measured by student testing programs in this state, state and federal reporting requirements and other duties prescribed to the department of education or the state board of education by law. Student level data does not include data elements related to student behavior, discipline, criminal history, medical history, religious affiliation, personal physical descriptors or family information not authorized by the parent or guardian of the pupil or otherwise required by law. END_STATUTE

Sec. 4. Section 15-1043, Arizona Revised Statutes, is amended to read:

START_STATUTE15-1043. Student level data; confidentiality; data requests

A. Any disclosure of educational records compiled by the department of education pursuant to this article shall comply with the family educational rights and privacy act (20 United States Code section 1232g).

B. Student level data may not be updated unless the change is authorized by the school district, joint technical education district or charter school.

C. The department of education shall adopt policies and procedures to allow access of student level data for currently enrolled students to school districts, joint technical education districts and charter schools, subject to section 15‑1045, subsection D.

D. THE DEPARTMENT SHALL DEVELOP CRITERIA FOR THE APPROVAL OF DATA REQUESTS FROM STATE AND LOCAL AGENCIES, THE LEGISLATURE AND RESEARCHERS IF THE DEPARTMENT DETERMINES that THE REQUEST QUALIFIES FOR AN EXCEPTION UNDER THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT of 1974 (20 UNITED STATES CODE SECTION 1232g). STUDENT LEVEL DATA must REMAIN REDACTED AT ALL TIMES UNLESS the sharing of student level data is SPECIFICALLY ALLOWED BY LAW. END_STATUTE

Sec. 5. Repeal

Section 15-1044, Arizona Revised Statutes, is repealed.

Sec. 6. Section 15-1045, Arizona Revised Statutes, is amended to read:

START_STATUTE15-1045. Education data system; pupil privacy; unique pupil identifier; security plan; fees

A. Any collection, maintenance or disclosure of pupil educational records compiled by the department of education in an education database of pupil records data system shall comply with the family educational rights and privacy act of 1974 (20 United States Code section 1232g).

B. The department of education shall maintain the database in the following manner:

1. The use of the information is limited to comply with statutory obligations.

2. Personally identifiable information is confidential and is not public record.

3. Proper security measures are employed to ensure the confidentiality and integrity of the education database.

4. Data is secured from breaches and identity theft through implementation of protections and standards.

B. Personally identifiable information and student level data contained in the education data system is confidential and is not a public record.

C. The department of education shall create a unique pupil identifier for each pupil in the education data system. The pupil identifier in the education database is unique, may not be identifiable by anyone other than officials maintaining the education database data system and shall not be the pupil's social security number or any variation of the pupil's social security number.

D. THE DEPARTMENT of education SHALL DEVELOP, PUBLISH AND MAKE PUBLICLY AVAILABLE POLICIES AND PROCEDURES TO COMPLY WITH ALL RELEVANT STATE AND FEDERAL PRIVACY LAWS, INCLUDING THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT of 1974 (20 UNITED STATES CODE SECTION 1232g). THE POLICIES must REQUIRE THAT:

1. ACCESS TO STUDENT LEVEL DATA IN THE EDUCATION DATA SYSTEM BE RESTRICTED TO:

(a) THE AUTHORIZED STAFF OF THE DEPARTMENT WHO REQUIRE ACCESS TO PERFORM ASSIGNED DUTIES AS REQUIRED BY LAW, BY INTERAGENCY DATA SHARING AGREEMENTS OR OTHER LEGAL OBLIGATIONS.

(b) SCHOOL DISTRICT AND CHARTER SCHOOL ADMINISTRATORS, TEACHERS AND PERSONNEL WHO REQUIRE ACCESS TO PERFORM ASSIGNED DUTIES.

(c) STUDENTS AND THE PARENTS OR LEGAL GUARDIANS of students, EXCEPT THAT access by STUDENTS, PARENTS OR LEGAL GUARDIANS must be limited to DATA ABOUT that student.

(d) THE AUTHORIZED STAFF OF OTHER STATE AGENCIES IN THIS STATE OR POLITICAL SUBDIVISIONS OF THIS STATE AS REQUIRED BY LAW OR as prescribed BY INTERAGENCY DATA SHARING AGREEMENTS PURSUANT TO this section.

2. THE DEPARTMENT USE ONLY AGGREGATED DATA THAT DOES NOT CONTAIN PERSONALLY IDENTIFIABLE INFORMATION IN PUBLIC REPORTS AND IN RESPONSE TO PUBLIC RECORDS REQUESTS, EXCEPT AS PROVIDED IN SUBSECTION E OF THIS SECTION.

3. STUDENTS, PARENTS and legal guardians BE NOTIFIED OF PRIVACY rights concerning EDUCATIONAL RECORDS UNDER FEDERAL AND STATE LAW.

E. UNLESS OTHERWISE ALLOWED BY LAW and SUBJECT TO SECTION 15-1043, THE DEPARTMENT of education may NOT TRANSFER STUDENT LEVEL DATA DEEMED CONFIDENTIAL UNDER THIS ARTICLE TO ANY FEDERAL AGENCY OR ANY STATE OR LOCAL AGENCY.

F. THE DEPARTMENT SHALL DEVELOP AND IMPLEMENT A DETAILED SECURITY PLAN THAT INCLUDES:

1. PROCEDURES FOR AUTHORIZING ACCESS TO THE EDUCATION DATA SYSTEM AND TO STUDENT LEVEL DATA.

2. STANDARDS FOR COMPLIANCE WITH FEDERAL AND STATE PRIVACY LAWS AND REGULATIONS.

3. PRIVACY AND SECURITY AUDITS.

4. PLANNING FOR A POSSIBLE BREACH OF DATA SECURITY, INCLUDING NOTIFICATION PROCEDURES TO ENTITIES that OWN DATA THAT MAY BE AFFECTED by the data breach.

5. DATA RETENTION AND DESTRUCTION POLICIES that are CONSISTENT WITH GUIDELINES ADOPTED BY THE ARIZONA STATE LIBRARY, ARCHIVES AND PUBLIC RECORDS.

6. INFORMATION TECHNOLOGY INDUSTRY STANDARD BEST PRACTICES FOR DATA SECURITY TO ENSURE THE CONFIDENTIALITY AND INTEGRITY OF THE EDUCATION DATA SYSTEM.

g. THE DEPARTMENT of education SHALL ENSURE THAT ANY CONTRACTS WITH PRIVATE VENDORS GOVERNING DATABASES, ASSESSMENTS OR INSTRUCTIONAL SUPPORTS THAT INCLUDE STUDENT LEVEL DATA INCLUDE EXPRESS PROVISIONS THAT SAFEGUARD PRIVACY AND SECURITY AND INCLUDE PENALTIES FOR NONCOMPLIANCE.

h. SCHOOL DISTRICTS AND CHARTER SCHOOLS SHALL NOT REPORT THE FOLLOWING STUDENT LEVEL DATA TO THE DEPARTMENT of education:

1. JUVENILE DELINQUENCY RECORDS.

2. CRIMINAL RECORDS, EXCEPT THAT INCIDENT DATA REQUIRED TO BE REPORTED FOR SCHOOL SAFETY PURPOSES must BE REPORTED.

3. MEDICAL AND HEALTH RECORDS.

4. STUDENT BIOMETRIC INFORMATION.

i. SCHOOL DISTRICTS AND CHARTER SCHOOLS SHALL NOT COLLECT THE FOLLOWING DATA FOR ANY PUPIL:

1. POLITICAL AFFILIATION.

2. RELIGIOUS AFFILIATION.

3. BIOMETRIC INFORMATION, EXCEPT AS PROVIDED IN SECTION 15-109.

4. FIREARMS OWNERSHIP.

j. THE SUPERINTENDENT of public instruction SHALL APPOINT A CHIEF PRIVACY OFFICER, WHO SHALL ASSUME PRIMARY RESPONSIBILITY FOR THE AGENCY PRIVACY POLICY. THE CHIEF PRIVACY OFFICER SHALL:

1. ENSURE that THE USE OF TECHNOLOGIES SUSTAINs, AND DOes NOT ERODE, PRIVACY PROTECTIONS.

2. ENSURE THAT STUDENT LEVEL DATA CONTAINED IN THE EDUCATION DATA SYSTEM IS HANDLED IN FULL COMPLIANCE WITH THIS SECTION AND OTHER APPLICABLE STATE AND FEDERAL LAWS.

3. IN CONJUNCTION WITH THE CHIEF DATA OFFICER, EVALUATE LEGISLATIVE AND REGULATORY PROPOSALS INVOLVING COLLECTION, USE AND DISCLOSURE OF STUDENT DATA BY THE DEPARTMENT.

4. IN CONJUNCTION WITH THE CHIEF DATA OFFICER, CONDUCT A PRIVACY IMPACT ASSESSMENT ON PROPOSED RULES OF THE DEPARTMENT IN GENERAL, AND THE PROPOSED RULES OF THE DEPARTMENT ON THE PRIVACY OF STUDENT DATA, INCLUDING THE TYPE OF PERSONAL INFORMATION COLLECTED AND THE NUMBER OF STUDENTS AFFECTED.

5. COORDINATE WITH THE ATTORNEY GENERAL AND CHIEF DATA OFFICER TO ENSURE THAT PROGRAMS, POLICIES AND PROCEDURES AFFECTING CIVIL RIGHTS, CIVIL LIBERTIES AND PRIVACY CONSIDERATIONS ARE ADDRESSED IN AN INTEGRATED AND COMPREHENSIVE MANNER.

6. ESTABLISH AND OPERATE A PROCESS FOR PARENTS TO FILE COMPLAINTS OF POSSIBLE PRIVACY VIOLATIONS, INCLUDING COMPLAINTS MADE PURSUANT TO SECTION 15-142, SUBSECTION C, AND TO PROVIDE REDRESS procedures.

7. ENSURE THAT ALL PRIVACY‑RELATED INCIDENTS ARE PROPERLY REPORTED, INVESTIGATED AND MITIGATED AS APPROPRIATE.

8. WORK WITH THE CHIEF DATA OFFICER TO PROVIDE TRAINING, EDUCATION AND OUTREACH TO BUILD A CULTURE OF PRIVACY THROUGHOUT THE DEPARTMENT.

9. Conduct INVESTIGATIONS AND submit REPORTS REGARDING THE ADMINISTRATION OF PROGRAMS AND OPERATIONS OF THE DEPARTMENT REGARDING PRIVACY MATTERS. The chief privacy officer has ACCESS TO ALL RECORDS, REPORTS, AUDITS, REVIEWS, DOCUMENTS, PAPERS, RECOMMENDATIONS AND OTHER MATERIALS AVAILABLE TO THE DEPARTMENT THAT ARE NECESSARY TO COMPLETE THE CHIEF PRIVACY OFFICER'S RESPONSIBILITIES.

k. THE CHIEF INFORMATION OFFICER OF THE DEPARTMENT SHALL APPOINT A CHIEF DATA OFFICER. THE CHIEF DATA OFFICER SHALL:

1. COORDINATE WITH THE CHIEF PRIVACY OFFICER TO FULFILL THE REQUIREMENTS OF THIS SECTION.

2. ESTABLISH POLICIES AND PROCEDURES TO ENSURE THE EFFICIENT AND SECURE COLLECTION, STORAGE, MAINTENANCE AND DISPOSITION OF ALL DATA COLLECTED IN THE EDUCATION DATA SYSTEM ACCORDING TO APPLICABLE LAWS.

3. ESTABLISH DEPARTMENT POLICIES NECESSARY FOR IMPLEMENTING FAIR INFORMATION PRACTICE PRINCIPLES TO ENHANCE PRIVACY PROTECTIONS.

4. WORK WITH THE CHIEF PRIVACY OFFICER AND OTHER OFFICIALS IN ENGAGING STAKEHOLDERS ABOUT THE QUALITY, USEFULNESS, OPENNESS AND PRIVACY OF DATA.

5. in coordination with the chief information officer, ESTABLISH AND OPERATE A DEPARTMENT PRIVACY INCIDENT RESPONSE PROGRAM.

l. THE DEPARTMENT MAY ASSESS FEES FOR requests for THE PRODUCTION OF DATA PURSUANT TO SECTION 15-1043, OR FOR THE ASSEMBLY OF DATA THAT IS OTHERWISE CONFIDENTIAL AND that is NOT A PUBLIC RECORD INTO AGGREGATED REPORTS that are NOT ALREADY AVAILABLE FROM THE DEPARTMENT.

m. A STUDENT'S PARENT OR legal GUARDIAN MAY REQUEST TO REVIEW A COPY OF THE STUDENT'S EDUCATIONAL RECORD, INCLUDING DATA SUBMITTED TO THE EDUCATION DATA SYSTEM, USING THE PROCESS PRESCRIBED IN SECTION 15-102. END_STATUTE

Sec. 7. Repeal

Section 41-3016.23, Arizona Revised Statutes, is repealed.