AN ACT relative to data security in schools.


SPONSORS: Rep. Cordelli, Carr. 4; Rep. T. Wolf, Hills. 7; Rep. Kurk, Hills. 2; Rep. Ladd, Graf. 4; Rep. V. Sullivan, Hills. 16; Rep. Ferreira, Hills. 28; Rep. Seidel, Hills. 28


COMMITTEE: Education






This bill requires each local education agency to:


I.  Develop a data security plan.


II.  Make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act.


III.  Requires school districts that use digital badges to obtain the written consent of a student's parent or legal guardian.


IV.  Modifies certain requirements for contracting with operators of Internet websites.


Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

In the Year of Our Lord Two Thousand Eighteen


AN ACT relative to data security in schools.


Be it Enacted by the Senate and House of Representatives in General Court convened:


1  Student and Teacher Information Protection; Data Inventory Security Plan.  Amend RSA 189:66, II to read as follows:

II.  The department shall develop a detailed data security plan to present to the state board, the legislative oversight committee established in RSA 193-C:7, and the commissioner of the department of information technology.  Each local education agency shall develop a detailed data security plan and policies for student information and privacy protection approved by the school board.  The department of information technology may provide guidance and best practices for the plans.  The security plan shall include:

(a)  Privacy compliance standards.

(b)  Privacy and security audits.

(c)  Breach planning, notification, and procedures.

(d)  Data retention and disposition policies.

2  Student and Teacher Information Protection; Data Inventory Security Plan.  Amend the introductory paragraph of RSA 189:66, IV to read as follows:

IV.  The department and each local education agency shall make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g, et seq., and applicable state law including:

3  New Subparagraph; Student Online Personal Information; Definitions; Digital Badges.  Amend RSA 189:68-a, I by inserting after subparagraph (d) the following new subparagraph:

(e)  "Digital Badges" means digital credentials or indicators that convey an array of skills, interests, competencies, and achievements.

4  New Paragraph; Student Online Personal Information.  Amend RSA 189:68-a by inserting after paragraph I the following new paragraph:

I-a.  The department or local education agency shall inter into a contract approved by the appropriate board with each operator.  The department or the department of information technology may provide guidance and best practices for the contracts.

5  Student Online Personal Information.  Amend RSA 189:68-a, II(b)(2) to read as follows:

(2)  Delete a student's covered information as soon as specified by the contract if the school or district requests deletion of data under the control of the school or district or upon termination of the contract unless the operator receives consent to retain the covered information from the student or, for a student under 18 years of age, the parent or legal guardian of such student.

6  New Paragraphs; Student Online Personal Information.  Amend RSA 189:68-a by inserting after paragraph II the following new paragraphs:

II-a.  No school shall enter into a contract with an operator or implement the use of digital badges without the approval of the school board.

II-b.  Any school district that uses digital badges for students shall adopt a policy for notifying a parent or legal guardian of such use and shall require the written consent of the parent or legal guardian for the student's participation.

7  Effective Date.  This act shall take effect 60 days after its passage.