(1) The department shall assign to each student who is enrolled in a public school a unique student identifier that must neither be nor include the social security number of a student in whole or in sequential part.
(2) (a) The department shall develop a process to consider and review all outside requests for student personally identifiable information, other than aggregate student information already publicly available, by individuals not employed by the state who seek to conduct research using school system data or student personally identifiable information already collected by the department. The department shall implement the process subject to approval by the state board.
(b)
(I) Before allowing an individual to receive student personally identifiable information for research purposes, the department must enter into an agreement with the individual that includes the entity that sponsors the individual or with which the individual is affiliated. At a minimum, the agreement must include the items specified in section 22-16-104 (1)(f) and require the individual to comply with the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3) that are imposed on school service contract providers.
(II) The provisions of this paragraph (b) do not apply to an individual who is seeking only aggregate student information. For each request for aggregate student information, the department shall determine whether the size of the group, cohort, or institution is too small to preserve the anonymity of the individuals included in the data, in which case the student data does not qualify as aggregate data.
(III) Notwithstanding the provisions of subparagraph (I) of this paragraph (b), an individual who conducts research through an institution of higher education may demonstrate to the department compliance with the institution review board practices and requirements, as regulated by federal law, in lieu of the terms specified in section 22-16-104 (1)(f).
(c) The department may enter into a data-sharing agreement with a public institution of higher education to allow the sharing of student personally identifiable information for the purpose of satisfying requirements imposed on the public institution of higher education by the institution's accrediting body. At a minimum, the data-sharing agreement must include the items specified in section 22-16-104 (1)(f) and require the public institution of higher education to comply with the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3) that are imposed on school service contract providers. For purposes of these requirements, the accrediting body is considered a subcontractor of the public institution of higher education.
(3) (a) The department shall not require a local education provider to provide student personally identifiable information that is not required by state or federal law; except that it may require student personally identifiable information not mandated by state or federal law that is associated with a grant proposal, or the department may ask a local education provider to voluntarily submit data or information as a condition of receiving a benefit, such as grant funding or special designations.
(b) Unless required by state or federal law, the department shall not collect:
(I) Juvenile delinquency records;
(II) Criminal records;
(III) Medical and health records;
(IV) Student social security numbers;
(V) Student biometric information; and
(VI) Information concerning the political affiliations or the beliefs or attitudes of students and their families.
(c) Unless otherwise approved by the state board, the department shall not transfer student personally identifiable information to a federal, state, or local agency or other entity, which agency or entity is outside of the state, except under the following circumstances:
(I) If a student transfers to an education entity in state or out of state or if a school or school district seeks help in locating a student who transfers out of state;
(II) If a student seeks to enroll in or to attend an out-of-state institution of higher education or training program;
(III) If a student participates in a program or assessment for which a data transfer is a condition of participation;
(IV) If a student is classified as "migrant" for federal reporting purposes;
(V) If the department enters into a contract with an out-of-state vendor or researcher that affects databases, assessments, special education, or instructional support related to an audit or evaluation of federal- or state-supported education programs; for the enforcement of or compliance with federal legal requirements that relate to those programs; or for conducting studies for or on behalf of the department to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction; or
(VI) If the disclosure is to comply with a judicial order or lawfully issued subpoena or in connection with a health or safety emergency.
(d) The department shall not sell, trade, gift, or monetize student personally identifiable information for commercial use or investment interests.
(4) The department shall publish and maintain on its website a list of all of the entities or individuals, including but not limited to vendors, individual researchers, research organizations, institutions of higher education, and government agencies, that the department contracts with or has agreements with and that hold student personally identifiable information and a copy of each contract or agreement. The list must include:
(a) The name of the entity or individual. In naming an individual, the list must include the entity that sponsors the individual or with which the individual is affiliated, if any. If the individual is conducting research at an institution of higher education, the list may include the name of the institution of higher education and a contact person in the department that is associated with the research in lieu of the name of the researcher.
(b) The purpose and scope of the contract or agreement;
(c) The duration of the contract or agreement;
(d) The types of student personally identifiable information that the entity or individual holds under the contract or agreement;
(e) The use of the student personally identifiable information under the contract; and
(f) The length of time for which the entity or individual may hold the student personally identifiable information.
(5) (a) The department shall ensure that the terms of each contract that the department enters into or renews with a school service contract provider on and after August 10, 2016, at a minimum, require the contract provider to comply with the requirements in sections 22-16-108 to 22-16-110. If the contract provider commits a material breach of the contract that involves the misuse or unauthorized release of student personally identifiable information, the department shall determine whether to terminate the contract in accordance with a policy adopted by the state board. At a minimum, the policy must require the state board, within a reasonable time after the department identifies the existence of a material breach, to hold a public hearing that includes discussion of the nature of the material breach, an opportunity for the contract provider to respond concerning the material breach, public testimony, and a decision as to whether to direct the department to terminate or continue the contract.
(b) The department shall ensure that the terms of each contract or other agreement that the department enters into or renews on and after August 10, 2016, which contract or agreement includes access to or use of student personally identifiable information by an individual or entity other than a contract provider, at a minimum, require the individual or entity to comply with the requirements in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3). If the individual or entity commits a material breach of the contract or agreement that involves the misuse or unauthorized release of student personally identifiable information, the department shall determine whether to terminate the contract or agreement in accordance with the state board policy described in paragraph (a) of this subsection (5).
(c) Notwithstanding any provision of law to the contrary, on and after August 10, 2016, the department shall not enter into or renew:
(I) A contract with a school service contract provider that refuses to accept the terms specified in paragraph (a) of this subsection (5) or that has substantially failed to comply with one or more of the requirements in sections 22-16-108 to 22-16-110; or
(II) A contract or other agreement, which includes access to or use of student personally identifiable information, with an individual or entity other than a contract provider, that refuses to accept the terms specified in paragraph (b) of this subsection (5) or that has substantially failed to comply with one or more of the requirements in section 22-16-109 (1), (2), or (3)(b) or 22-16-110 (1) or (3).