TITLE XV
EDUCATION

CHAPTER 189
SCHOOL BOARDS, SUPERINTENDENTS, TEACHERS, AND TRUANT OFFICERS; SCHOOL CENSUS

Student and Teacher Information Protection and Privacy

Section 189:66

189:66 Data Inventory and Policies Publication. –
I. The department shall create, maintain, and make publicly available an annually-updated index of data elements containing definitions of individual student personally-identifiable data fields or fields identified in RSA 189:68 currently in the SLDS or any other database maintained by the department, or added or proposed to be added thereto, including:
(a) Any individual student personally-identifiable data required to be reported by state or federal law.
(b) Any individual student personally-identifiable data which has been proposed for inclusion in the SLDS with a statement explaining the purpose or reason for the proposed collection.
(c) Any individual student personally-identifiable data that the department collects or maintains.
(d) Any data identified in RSA 189:68.
II. The department shall develop a detailed data security plan to present to the state board and the commissioner of the department of information technology. The plan shall include:
(a) Privacy compliance standards.
(b) Privacy and security audits.
(c) Breach planning, notification, and procedures.
(d) Data retention and disposition policies.
III. The security plan shall:
(a) Require notification as soon as practicable to:
(1) Any teacher or student whose personally identifiable information could reasonably be assumed to have been part of any data security breach, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the integrity of the data system; and
(2) The governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, and commissioner of the department of information technology.
(b) Require the department to issue an annual data security breach report to the governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, and commissioner of the department of information technology. The breach report shall also be posted to the department's public Internet website and shall not include any information that itself would pose a security threat to a database or data system. The report shall include:
(1) The name of the organization reporting the breach.
(2) Any types of personal information that were or are reasonably believed to have been the subject of a breach.
(3) The date, estimated date, or date range of the breach.
(4) A general description of the breach incident.
(5) The estimated number of students and teachers affected by the breach, if any.
(6) Information about what the reporting organization has done to protect individuals whose information has been breached.
IV. The department and each local education agency shall make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g, et seq., and applicable state law including:
(a) The right to inspect and review the student's education records within 14 days after the day the school receives a request for access.
(b) The right to request amendment of a student's education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student's privacy rights under FERPA.
(c) The right to provide written consent before the school discloses student personally identifiable data from the student's education records, provided in applicable state and federal law.
(d) The right to file a complaint with the Family Policy Compliance Office in the United States Department of Education concerning alleged failures to comply with the requirements of FERPA.
V. The department shall establish minimum standards for privacy and security of student and employee data, based on best practices, for local education agencies. Each local education agency shall develop a data and privacy governance plan which shall be presented to the school board for review and approval by June 30, 2019. The plan shall be updated annually and presented to the school board. The plan shall include:
(a) An inventory of all software applications, digital tools, and extensions. The inventory shall include users of the applications, the provider, purpose, publisher, privacy statement, and terms of use.
(b) A review of all software applications, digital tools, and extensions and an assurance that they meet or exceed standards set by the department.
(c) Policies and procedures for access to data and protection of privacy for students and staff including acceptable use policy for applications, digital tools, and extensions.
(d) A response plan for any breach of information.
(e) A requirement for a service provider to meet or exceed standards for data protection and privacy.

Source. 2014, 68:1. 2015, 136:1, eff. Aug. 11, 2015. 2018, 252:1, 2, eff. Aug. 11, 2018. 2020, 37:15, 16, eff. July 29, 2020.