SB1209 - 542R

Be it enacted by the Legislature of the State of Arizona:

Section 1. Section 15-249.01, Arizona Revised Statutes, is amended to read:

START_STATUTE15-249.01. Data governance commission; membership; terms; duties; annual report; commission termination

A. The data governance commission is established in the department of education consisting of:

1. The chief technology managers, or the managers' designees, of each of the universities under the jurisdiction of the Arizona board of regents.

2. The chief technology manager, or the manager's designee, of a community college district located in a county with a population of eight hundred thousand persons or more who has expertise in technology and who is appointed by the governor.

3. The chief technology manager, or the manager's designee, of a community college district located in a county with a population of less than eight hundred thousand persons who has expertise in technology and who is appointed by the governor.

4. The chief executive officer of the Arizona early childhood development and health board or the chief executive officer's designee.

5. An officer or employee of a school district located in a county with a population of eight hundred thousand persons or more who has expertise in technology and who is appointed by the governor.

6. An officer or employee of a school district located in a county with a population of less than eight hundred thousand persons who has expertise in technology and who is appointed by the governor.

7. An officer or employee of a charter school located in a county with a population of eight hundred thousand persons or more who has expertise in technology and who is appointed by the president of the senate.

8. An officer or employee of a charter school located in a county with a population of less than eight hundred thousand persons who has expertise in technology and who is appointed by the speaker of the house of representatives.

9. Two representatives of the business community, one of whom is appointed by the president of the senate and one of whom is appointed by the speaker of the house of representatives.

10. The director of the department of administration or the director's designee.

11. The superintendent of public instruction or the superintendent's designee.

12. A county school superintendent who is appointed by the governor.

B. The initial appointed members shall assign themselves by lot to terms of two, three and four years in office. All subsequent appointed members of the commission shall serve four‑year terms. The chairperson shall notify the governor, the speaker of the house of representatives and the president of the senate on appointments of these terms. Members of the commission shall elect a chairperson from among the members of the commission. Members of the commission shall not receive compensation. The department of education shall provide adequate staff support for the commission.

C. The commission shall identify, examine and evaluate the needs of public institutions that provide instruction to pupils in preschool programs, kindergarten programs, grades one through twelve and postsecondary programs in Arizona and shall:

1. Establish guidelines related to the following:

(a) Managed data access.

(b) Technology.

(d) Adequacy of training.

(e) Adequacy of data model implementation.

(f) Prioritization of funding opportunities.

(g) Resolution of data conflicts.

(h) The form and format of data elements that are required for state and federal reporting and interagency data sharing.

2. Provide recommendations on technology spending.

3. Provide analyses and recommendations of the following:

(a) The control of data confidentiality and data security for stored data and data in transmission.

(b) Access privileges and access management.

(d) Data standards for stored data and data in transmission, including rules for definition, format, source, provenance, element level and contextual integrity.

(e) Documentation standards for data elements and systems components.

(f) Data archival and retrieval management systems, including change control and change tracking.

(g) Publication of standard and ad hoc reports for state and local level use on student achievement.

(h) Publication of implementation timelines and progress.

4. Ensure that the guidelines and recommendations adopted pursuant to this subsection reduce duplication and administrative requirements for public schools, postsecondary institutions and public agencies.

5. Submit an annual report on or before December 1 regarding the commission's activities to the governor, the speaker of the house of representatives and the president of the senate. The data governance commission shall provide copies of this report to the secretary of state.

D. The commission established by this section ends on July 1, 2020 2026 pursuant to section 41‑3103. END_STATUTE

Sec. 2. Section 15-1043, Arizona Revised Statutes, is amended to read:

START_STATUTE15-1043. Student level data; allowable disclosure; policies

A. Any disclosure of educational records compiled by the department of education pursuant to this article shall comply with the family educational rights and privacy act (20 United States Code section 1232g).

B. Student level data may not be updated unless the change is authorized by the school district, career technical education district or charter school.

C. The department of education shall adopt policies and procedures to both:

1. Allow access of student level data for currently enrolled students to all of the following:

(a) School districts. ,

(b) Career technical education districts. and

2. Allow access of student level data to all of the following:

(a) County school superintendents for students currently enrolled in school districts located in their county of jurisdiction.

(b) The state board of education for students currently enrolled in a school district or charter school in this state.

(c) The state board for charter schools for students currently enrolled in charter schools sponsored by the state board for charter schools.

d. The department of education shall develop, publish, and make publicly available policies and procedures to comply with the family educational rights and privacy act (20 united states code 1232g), and other relevant privacy laws and policies, including policies that manage access to personally identifiable information to be implemented by the department of education, the county school superintendents, the state board of education and the state board for charter schools pursuant to this section and as defined by interagency data-sharing agreements. The policies and procedures must comply with all of the following:

1. Contain a detailed data security plan that includes all of the following:

(a) guidelines for authorizing access to the systems housing student level data and to individual student data, including guidelines for authenticating authorized access.

(b) privacy compliance standards.

(d) security breach planning, notice, and procedures.

(e) data retention and disposition policies, which must include specific criteria for identifying when and how the data will be destroyed.

(f) guidance for school districts, charter schools and staff regarding data use.

(g) consequences for security breaches.

(h) staff training regarding the guidelines.

2. Ensure that written agreements involving the disclosure of student level data to the department of education, the county school superintendents, the state board of education and the state board for charter schools must comply with all of the following:

(a) meet the minimum conditions prescribed by the family educational rights and privacy act for exceptions to written parental consent as outlined in 20 united states code section 1232g(b) and (h) through (j) and 34 code of federal regulations section 99.31.

(b) specify the purpose, scope and duration of the study or studies and the information to be disclosed.

(c) require the organization to use personally identifiable information from educational records only to meet the purpose or purposes of the study as stated in the written agreement.

(d) require the organization to conduct the study in a manner that does not allow access to the personally identifiable data of parents and students by anyone other than representatives of the organization with legitimate interests.

(e) require the organization to destroy all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and to specify the time period in which the information must be destroyed.

3. Ensure that any work products from the aforementioned use of student level data by the department of education, the county superintendents, the state board of education or the state board for charter schools are not in conflict with any state and federal reporting that meets state and federal law.

4. Provide access to student level data through an online platform within the parameters of federal law and pursuant to the written agreements with the consent of the required parties. END_STATUTE