Tuesday, July 15, 2014

North Carolina Has a New Education Privacy Law

A new education privacy bill was signed into law earlier this month and became effective immediately.  Formally titled "An Act to Ensure the Privacy and Security of Student Educational Records," the Act (Senate Bill 815, Session Law 2014-50) contains a number of privacy-related provisions.  This post summarizes some of the key aspects of the Act.

Prohibited Information
The new statute prohibits schools from collecting or storing the following categories of data:
  • biometric information
  • political affiliation
  • religion
  • voting history 
The term "biometric information" does not appear to be defined in the Act or in the larger Article or Chapter.  I assume it covers fingerprints, retina scans, and DNA records.  (It is not perfectly clear to me where the line is drawn, however, between "biometric information" and other identifying information.)

Restrictions on Information Disclosure

The Act also prohibits schools from sharing "personally identifiable student data," which includes, but is not limited to, the following:
  • A student's name
  • The name of the student's parent or other family member
  • An address of the student or student's family
  • A personal identifier, such as the student's Social Security number or unique student identifier
  • Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name
  • Other information that, alone or in combination, would allow a reasonable person to identify the student with reasonable certainty
  • Other information requested by a person who the Department of Public Instruction or local school administrative unit reasonably believes knows the identity of the student to whom the education record relates
However, "personally identifiable student information" does not include "directory information" if the local board of education has provided parents with notice of an opportunity to opt out of the disclosure of that information [consistent with the Family Educational Rights and Privacy Act ("FERPA," 20 U.S.C. § 1232g)].

Parental Rights and Notices

The Act requires local school boards to provide parents, on an annual basis, with information about how state and federal privacy laws and regulations apply to school records and student data, including parental rights and opt-out opportunities relating to disclosure of directory information (as provided under FERPA) and surveys (covered by the Protection of Pupil Rights Amendment, 20 U.S.C. § 1232h).

New Rules and Procedures

The statute requires the State Board of Education to create more clearly defined rules and procedures for the safeguarding and use of student data.  Among other things, the statute requires the State Board of Education to develop a detailed data security plan that includes the following:
  • Guidelines for authorizing access to the student data system and to individual student data, including guidelines for authentication of authorized access
  • Privacy compliance standards
  • Privacy and security audits
  • Breach planning, notification, and procedures
  • Data retention and disposition policies
  • Data security policies, including electronic, physical, and administrative safeguards such as data encryption and training of employees

Covered Schools

The statute adds language to Article 29 of Chapter 115C of the General Statutes, which applies to public elementary and secondary schools.  Therefore, private schools, colleges, and universities appear to be unaffected.  

Widespread Support

The bill arose from a recommendation by the Joint Legislative Oversight Committee on Information Technology and was unanimously approved by both houses of the General Assembly.

More Information

You can read the full text of the new statute here.
