RELATES TO: KRS 61.931, 61.932, 61.933
NECESSITY, FUNCTION, AND CONFORMITY: KRS 156.070 authorizes the
Kentucky Board of Education (KBE) to promulgate administrative regulations
necessary for the efficient management, control, and operation of the schools
and programs under its jurisdiction. KRS 61.932(1)(b) specifically requires the
KBE to promulgate administrative regulations establishing requirements and
standards for the reasonable security and breach investigation procedures and
practices established and implemented by public school districts. This
administrative regulation establishes the requirements and standards for school
district reasonable security and breach investigation procedures and
practices.
Section 1. Definitions.
(1) "Personal information" is defined by KRS 61.931(6).
(2) "Reasonable security and breach investigation procedures and practices" is
defined by KRS 61.931(8).
Section 2. Best Practice Guide for School District Personal Information Reasonable
Security. The department shall at least annually provide school districts best
practice guidance for personal information reasonable security. The current
department guidance is provided in the Data Security and Breach Notification
Best Practice Guide, which is incorporated by reference into this
administrative regulation. School districts shall not be required to adopt the
security practices included in this guidance.
Section 3. Annual Public School District
Acknowledgement of Best Practices. Each public school district shall review and
consider, in light of the needs of reasonable security, the most recent best
practice guidance, including the Data Security and Breach Notification Best
Practice Guide, for personal information reasonable security. Each public
school district shall acknowledge to its own local board during a public board
meeting prior to August 31 of each year, that the district has reviewed this
guidance and implemented the best practices that meet the needs of personal
information reasonable security in that district.
Section 4. Annual Department Acknowledgement
of Best Practices. The department shall review and consider, in light of the
needs of reasonable security, the most recent best practice guidance for
personal information reasonable security. The department shall acknowledge to
the KBE, by August 31 of each year, that the department has reviewed this
guidance and implemented the best practices that meet the needs of personal
information reasonable security for the department.
Section 5. Data Breach Notification to the
Department. Any public school district that determines or is notified of a
security breach relating to personal information collected, maintained, or
stored by the school district or by a nonaffiliated third party on behalf of
the school district shall provide the notification of the security breach to
the department required by KRS 61.933, pursuant to the procedure included in
the Data Security and Breach Notification Best Practice Guide.
Section 6. Incorporation by Reference.
(1) "Data Security and Breach Notification
Best Practice Guide", September 2015, is incorporated by reference.
(2) This material may be inspected, copied,
or obtained, subject to applicable copyright law, at the Department of
Education, 500 Mero Street, First Floor, Capital Plaza Tower, Frankfort,
Kentucky 40601, Monday through Friday, 8 a.m. to 4:30 p.m.