Okla. Admin. Code § 210:1-3-8.1 - Student Data Accessibility, Transparency and Accountability Act

(a) Definitions. The following words and terms, when used in this Section, shall have the following meaning:

(1) "Personally Identifiable Information" shall have the meaning set forth in 34 C.F.R. § 99.3;

(2) "School official" shall mean the officials within an educational agency or institution, including, but not limited to teachers, who are determined by the agency or institution to have legitimate educational interests in Personally Identifiable Information pursuant to the provisions of 34 C.F.R. § 99.31(a)(1);

(3) "Student data" shall have the meaning set forth in 70 O.S. § 3-168(A)(7).

(b) Annual inventory of student data collection. The State Board of Education shall create and/or update and publish a data inventory and dictionary or an index of individual student data elements with definitions of individual student data fields currently collected by the State Department of Education in its student data system.

(1) The inventory or index required to be created and published by this subsection shall include:

(A) Any student data required to be reported by state and federal education mandates;

(B) Any student data, if any, which have been proposed for inclusion in the student data system with a statement regarding the purpose or reason for the proposed collection; and

(C) Any student data, if any, that the State Department of Education collects or maintains with no current purpose or reason.

(2) The inventory or index required to be created and published by this subsection shall identify which student data elements were collected by the State Department of Education on or before July 1, 2013. All data elements identified as a student data element collected by the State Department of Education on or before July 1, 2013 shall be considered an "existing collection of student data" exempt from the provisions of (c) of this Section pertaining to collection of "new student data."

(c) Collection of new student data - limits. New collections of student data shall be subject to the following procedures:

(1) For purposes of this subsection, a "new collection of student data" shall mean any new data object (i.e., category of student data) added to the student information system.

(2) Any new collection of student data proposed for addition to the State Department of Education student data system shall be identified and submitted to the State Board of Education for approval no later than December 1 of the year prior to the school year for which the new data collection is proposed to be added.

(3) Any new collection of student data proposed for addition to the State Department of Education student data system shall be submitted to the Governor and the Legislature within one year from the date of approval by the State Board of Education, in accordance with the provisions of 70 O.S. § 3-168(C)(7). Until approved by the Governor and the Legislature, any proposed new data collection shall be considered provisional, provided that any proposed new data collection not approved by the Governor and the Legislature by the end of the next legislative session shall be deemed to expire and shall no longer be required by the State Department of Education.

(d) Disclosure or transfer of student data - limits. All requests for disclosure and/or transfer of student data collected and maintained by the State Department of Education, including, but not limited to Open Records Act requests and research requests, are subject to the following procedures:

(1) Confidentiality of student data. All data which falls within the definition of "student data" set forth in 70 O.S. § 3-168(A)(7) is hereby deemed confidential pursuant to 70 O.S. § 3-168(C). Accordingly, "student data" are not subject to disclosure by the State Department of Education unless:

(A) The student data are aggregated and any Personally Identifiable Information has been removed in accordance with the procedures set forth in (3) of this subsection;

(B) The student data are otherwise approved for release, sharing, and/or disclosure by the State Board of Education in accordance with the procedures set forth in (4) of this subsection; or

(C) The student data does not have prior approval of the State Board of Education for release, sharing, and/or disclosure, but the release of requested data to the requester does not violate provisions of the Family Education Rights and Privacy Act (FERPA) at 20 U.S.C. § 1232g et seq. or accompanying regulations at 34 C.F.R. Part 99, and the release is limited to one of the following purposes:

(i) Facilitating a student transfer out of state, or assisting a school or school district with locating an out-of-state transfer;

(ii) Facilitating a student's application to an out-of-state institution of higher education or professional training program;

(iii) Registration for a national or multistate assessment taken by a student;

(iv) Facilitating a student's voluntary participation in a program for which transfer of that student's data are a condition and/or requirement of the student's participation;

(v) The Department enters into a contract that governs databases, assessments, special education, or instruction supports with an out-of-state vendor;

(vi) Compliance with federal reporting requirements for students classified as "migrants."

(2) Authorized access to confidential student data. Access to confidential student data in the State Department of Education student information system shall be restricted to:

(A) Employees of the State Department of Education who have been authorized by the Superintendent of Public Instruction to access confidential student data;

(B) Contractors of the State Department of Education who require such access to perform their assigned duties, including staff and contractors from the Information Services Division of the Office of Management and Enterprise Services (OMES) who have been assigned to the State Department of Education, provided that all such individuals shall comply with the terms set forth in the contract governing use and handling of student data;

(C) District administrators, teachers, personnel or other "school officials" under direct control of a school in which the student has been enrolled or in which the student has applied for transfer or enrollment and who require access to confidential student data in order to perform their assigned duties;

(D) A student and/or parents or legal guardians of the student with rights to inspect a student's own records in accordance with rights afforded by state or federal law;

(E) The authorized staff of any other State of Oklahoma agencies as authorized by law and in accordance with the terms of interagency data sharing agreements; and

(F) The authorized staff of any other entity as necessary to fulfill the purposes set forth in 70 O.S. § 3-168(C)(3) or as otherwise approved by the State Board of Education to access or share student data in accordance with terms of interagency data-sharing agreements.

(3) Requests for release of student data. In accordance with the provisions of 70 O.S. § 3-168(C)(2)(c), all requests for release, disclosure, and/or transfer, of confidential student data shall be denied unless the data or dataset requested for release meets one of the following conditions:

(A) The request is from an individual or entity specifically authorized to access confidential student data pursuant to 70 O.S. § 3-168(C)(2)(a) or (d) ( 2 ) of this Section;

(B) The requested data or dataset has been approved for release to the requester by the State Board of Education in accordance with the policies and procedures set forth in (4) of this subsection; or

(C) The requested data or dataset meets all of the following criteria:

(i) The requested data meets the definition of "aggregate data" set forth in 70 O.S. § 3-168(A)(4); and

(ii) All data that falls within the definition of "Personally Identifiable Information" set forth in 34 C.F.R. 99.3 has been removed, suppressed, and/or redacted as necessary to ensure no Personally Identifiable Information is included in the student data requested for release;

(4) Policies and procedures governing approval of release, sharing and/or disclosure of confidential student data by the State Board of Education. The State Department of Education shall develop a detailed data security plan that complies with the provisions of 70 O.S. § 3-168(C)(4) and includes internal policies and procedures governing agency responses to requests for release and/or sharing of confidential student data to persons not authorized to access confidential student data in accordance with (2) of this subsection. Such internal policies and procedures shall meet all of the following requirements:

(A) The policies and procedures shall prohibit release of all data or datasets containing Personally Identifiable Information of one or more students unless all of the following conditions are met:

(i) The release complies with the provisions of the Family Education Rights and Privacy Act (FERPA) at 20 U.S.C. § 1232g et seq. and accompanying regulations at 34 C.F.R. Part 99; and

(ii) Approval for the release has been obtained from the State Board of Education.

(B) The policies and procedures shall set forth the requirements of all written agreements necessary to comply with the requirements of 34 C.F.R. § 99.31.

Notes

Okla. Admin. Code § 210:1-3-8.1

Adopted by Oklahoma Register, Volume 31, Issue 24, September 2, 2014, eff. 9/12/2014 Amended by Oklahome Register, Volume 33, Issue 23, August 15, 2016, eff. 8/25/2016