|
15102358D Be it enacted by the General Assembly of Virginia: 1. That the Code of Virginia is amended by adding in Chapter 14 of Title 22.1 an article numbered 4.1, consisting of sections numbered 22.1-286.1, 22.1-286.2, and 22.1-286.3, as follows: §22.1-286.1. Definitions. For the purposes of this article: "Department" means the Virginia Department of Education. "Education agency" means the Department, Board, or any other state-level pre-kindergarten through grade 12 education-related agency or entity, including any education-related foundation or nonprofit entity established by Virginia statute or which derives its authority from Virginia statute. "Eligible student" means a student who has reached the age of majority. "Institution" means any public preschool, elementary school, or secondary school in the Commonwealth. "Personally identifiable information" has the same meaning as provided in the federal Family Educational Rights and Privacy Act (20 U.S.C. §1232g) and related federal regulations. "Scholastic record" has the same meaning as provided in subsection A of §22.1-289. "Student database" means any location, including a computer system, where scholastic records containing the personally identifiable information of preschool, elementary school, or secondary school students in the Commonwealth are maintained. "Written consent" means consent that is signed by an eligible student or, in the case of a student who has not reached the age of majority, the student's parent at least six months before maintenance or disclosure of scholastic records containing any of the student's personally identifiable information, is dated on the day it was signed, identifies the recipient of the relevant information, states the purpose of the disclosure, and states that the disclosed information shall only be used for the stated purpose and shall not be used or disclosed for any other purpose. §22.1-286.2. Scholastic records; personally identifiable information; student databases. A. No education agency, school board, or institution shall collect or pursue a grant that would require the collection of: 1. DNA, fingerprint, retina, or iris pattern information or any other information about personal psychological characteristics of any student; 2. The religious affiliation, beliefs, or practices of a student, his family, or any member of his family; 3. The political affiliation, beliefs, or practices of a student, his family, or any member of his family; 4. The sexual orientation or beliefs about sexual orientation of a student, his family, or any member of his family; or 5. Information about the usage or ownership of guns by a student, his family, or any member of his family. B. No education agency, school board, or institution shall maintain or enter into a contract with a third party for the maintenance of scholastic records containing personally identifiable information in a student database without written consent unless maintenance of such information is: 1. Required by state or federal law; 2. Permitted pursuant to Article 5 (§22.1-287 et seq.); 3. Administratively required for the education agency, school board, or institution to properly perform its duties under the law and is relevant to and necessary for delivery of services; or 4. Designed to support a study of students or former students, provided that the personally identifiable information of a former student is maintained no longer than five years after the date of his last enrollment at an institution. C. Each education agency, school board, and institution shall publicly and conspicuously disclose on its website and through annual electronic notification to the chairs of the Senate Committee on Education and Health and the House Committee on Education the existence and character of any personally identifiable information contained in scholastic records maintained pursuant to subsection B, including: 1. The name and location of the student database where such information is maintained; 2. The legal authority that authorizes the establishment and existence of the student database; 3. The principal purpose or purposes for which the information is intended to be used; 4. The categories of students for whom scholastics records are maintained in the student database; 5. The categories of scholastic records maintained in the student database; 6. Each anticipated disclosure of any portion of the scholastic records contained in the student database, including the categories of recipients and the purpose of such disclosure; 7. Its policies and practices regarding storage, retrievability, access controls, retention, and disposal of the records; 8. Its title and business address or the title and business address of the official who is responsible for the student database; 9. The title and business address of any contractor or other outside party maintaining a student database for or on behalf of the education agency, school board, and institution; 10. The procedures whereby eligible students or parents can be notified at their request if the student database contains scholastic records of the student; 11. The procedures whereby eligible students or parents may request to gain access to the student's scholastic records that are maintained in the student database and contest the content of such records; and 12. The categories of sources of records in the student database. D. Except as otherwise provided in this section, access to personally identifiable information contained in a scholastic record in any student database maintained by an education agency, school board, or institution shall be limited to the authorized representatives of such entity who require such access to perform their assigned duties. Any such authorized representative designated to conduct any audit, evaluation, or compliance or enforcement activity related to the educational programs of the education agency, school board, or institution shall be under the direct control of such entity. E. No education agency, school board, or institution shall disclose without written consent student personally identifiable information contained in scholastic records to any contractor, consultant, or other third party (i) to whom the education agency, school board, or institution has outsourced its services or functions or (ii) that studies for or on behalf of the education agency, school board, or institution to develop, validate, or administer predictive tests or administer student-aid programs unless: 1. The education agency, school board, or institution first publicly and conspicuously discloses on its website and through electronic notification to the chairs of the Senate Committee on Education and Health and the House Committee on Education the existence and character of any contracts or agreements by which it intends to disclose student personally identifiable information contained in scholastic records, including: a. The name and location of the student database where any student personally identifiable information would be maintained; b. The principal purpose or purposes for which the information is intended to be used; c. The categories of individuals whose scholastic records would be disclosed; d. The categories of scholastic records maintained; e. Expected uses of the scholastic records disclosed; f. The policies and practices of the recipient regarding storage, retrievability, access controls, retention, and disposal of the records; g. The title and business address of the education agency, school board, or institution or the title and business address of the official who is responsible for the contract or agreement; h. The title and business address of the third party responsible for maintaining scholastic records pursuant to agreement or contract; i. The procedures whereby eligible students or parents may request to gain access to the student's scholastic records that are maintained by the third party and contest the content of such records; and j. The categories of sources of records in the student database containing scholastic records; and 2. The third party: a. Performs a service or function for which the education agency, school board, or institution would otherwise use its own employees; b. Is under the direct control of the education agency, school board, or institution with respect to the use and maintenance of scholastic records; c. Limits internal access to scholastic records to those individuals who are determined to have legitimate educational interests; d. Does not use the scholastic records for any purpose other than those explicitly authorized in its contract with the education agency, school board, or institution; e. Does not disclose any student personally identifiable information to any other party; f. Maintains reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student personally identifiable information in its custody; g. Has sufficient administrative and technical procedures to monitor continuously the security of personally identifiable information in its custody; h. Conducts a security audit annually and provides the results of such audit to the education agency, school board, or institution; i. With respect to personally identifiable information contained in a scholastic record stored in a student database that is accessed over the Internet or other public network, protects such data through a secure encrypted protocol, ensures that access through a web browser uses at a minimum Hypertext Transfer Protocol Secure (https) and ensures that access through other means shall use the industry standard encryption technologies applicable to the most sensitive component of the record, including the technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services pursuant to subsection H 2 of §13402 of P.L. 111-5 in cases in which the personally identifiable information concerns a student's physical, mental, or psychological health; j. Provides the education agency, school board, or institution with an acceptable breach-remediation plan before initial receipt of education records; k. Reports to the education agency, school board, or institution all suspected or actual breaches of student personally identifiable information contained in scholastic records as soon as possible but not later than 48 hours after a suspected or actual breach was known or would have been known by exercising reasonable diligence; l. In the event of an unauthorized disclosure or breach of student personally identifiable information, pays all costs and liabilities incurred by the education agency, school board, or institution related to the unauthorized disclosure or breach, including the costs of responding to inquiries about the unauthorized disclosure or breach, notifying students whose personally identifiable information was disclosed or breached about the unauthorized disclosure or breach, mitigating the effects of the unauthorized disclosure or breach, and investigating the cause or consequences of the unauthorized disclosure or breach; and m. Destroys or returns to the education agency, school board, or institution all student personally identifiable information in its custody upon request or at the termination of the contract, whichever occurs first. F. No education agency, school board, or institution shall disclose personally identifiable information contained in scholastic records without written consent to: 1. Any party for a commercial use, including marketing products or services; creating individual, household, or group profiles; or providing services, except as provided in subsection E; 2. Any non-education government agency, including the Virginia Department of Labor and Industry, or to any party that intends to use or disclose the information for the purpose of workforce development or economic planning; or 3. Any governmental or private entity outside the Commonwealth except: a. To an out-of-state school to which a student has transferred; b. To an out-of-state program in which a student voluntarily participates and for which such disclosure is a condition or requirement of participation; or c. When a student is classified as a migrant for federal reporting purposes. G. No education agency, school board, or institution shall disclose student information, whether or not personally identifiable, contained in scholastic records to the U.S. Department of Education without the express approval of the Senate Committee on Education and Health and the House Committee on Education. H. No education agency, school board, or institution shall append to scholastic records student personally identifiable information obtained from federal or state education agencies through data matches without written consent unless such data matches are explicitly mandated in federal or state statute and administratively required for the education agency, school board, or institution to properly perform its duties under the law and are relevant to and necessary for delivery of services. I. Nothing in this section shall be construed to limit the administrative use of scholastic records by a person acting exclusively in his capacity as an employee of an education agency, school board, or institution. §22.1-286.3. Violations. A. Each violation of any provision of §22.1-286.2 by any third party that is subject to the provisions of this article shall be punishable by a civil penalty of up to $5,000 and may result in such party's permanent disqualification from access to education records as determined by an education agency, school board, or institution. B. Each violation involving a different individual student shall be considered a separate violation for purposes of civil penalties pursuant to subsection A. C. The Attorney General shall have the authority to enforce compliance with this article. D. Nothing in this section shall be construed to create a private right of action against an education agency, school board, or institution. |