The Arizona Revised Statutes have been updated to include the revised sections from the 56th Legislature, 1st Regular Session. Please note that the next update of this compilation will not take place until after the conclusion of the 56th Legislature, 2nd Regular Session, which convenes in January 2024.
This online version of the Arizona Revised Statutes is primarily maintained for legislative drafting purposes and reflects the version of law that is effective on January 1st of the year following the most recent legislative session. The official version of the Arizona Revised Statutes is published by Thomson Reuters.
15-1043. Student level data; allowable disclosure; policies
A. Any disclosure of educational records compiled by the department of education pursuant to this article shall comply with the family educational rights and privacy act (20 United States Code section 1232g).
B. Student level data may not be updated unless the change is authorized by the school district, career technical education district or charter school.
C. The department of education shall adopt policies and procedures to both:
1. Allow access of student level data for currently enrolled students to all of the following:
(a) School districts.
(b) Career technical education districts.
(c) Charter schools.
2. Allow access of student level data to all of the following:
(a) County school superintendents for students currently enrolled in a school district located in the superintendent's county of jurisdiction.
(b) The state board of education for students currently enrolled in a school district or charter school in this state.
(c) The state board for charter schools for students currently enrolled in a charter school sponsored by the state board for charter schools.
D. The department of education shall develop, publish and make publicly available policies and procedures to comply with the family educational rights and privacy act of 1974 (20 United States Code section 1232g) and other relevant privacy laws and policies, including policies that manage access to personally identifiable information, to be implemented by the department of education, county school superintendents, the state board of education and the state board for charter schools pursuant to this section and as prescribed by interagency data-sharing agreements. The policies and procedures must comply with all of the following:
1. Contain a detailed data security plan that includes all of the following:
(a) Guidelines for authorizing access to the systems housing student level data and to individual student data, including guidelines for authenticating authorized access.
(b) Privacy compliance standards.
(c) Privacy and security audits.
(d) Security breach planning, notice and procedures.
(e) Data retention and disposition policies, which must include specific criteria for identifying when and how the data will be destroyed.
(f) Guidance for school districts, charter schools and staff regarding data use.
(g) Consequences for security breaches.
(h) Staff training regarding the guidelines.
2. Ensure that written agreements involving the disclosure of student level data to the department of education, county school superintendents, the state board of education and the state board for charter schools comply with all of the following:
(a) Meet the minimum conditions prescribed by the family educational rights and privacy act for exceptions to written parental consent as outlined in 20 United States Code section 1232g(b) and (h) through (j) and 34 Code of Federal Regulations section 99.31.
(b) Specify the purpose, scope and duration of the disclosure and the information to be disclosed.
(c) Require the organization to use personally identifiable information from educational records only to meet the purpose or purposes of the disclosure as stated in the written agreement.
(d) Require the organization to conduct the disclosure in a manner that does not allow access to the personally identifiable information of parents and students by anyone other than representatives of the organization with legitimate interests.
(e) Require the organization to destroy all personally identifiable information when the information is no longer needed for the purposes for which the disclosure was conducted and to specify the time period in which the information must be destroyed.
3. Ensure that any work products from the use of student level data by the department of education, county school superintendents, the state board of education or the state board for charter schools are not in conflict with any state and federal reporting that meets state and federal law.
4. Provide access to student level data through an online platform within the parameters of federal law and pursuant to the written agreements with the consent of the required parties.
E. This section does not apply to a homeschool student with an affidavit on file pursuant to section 15-802.