(1) The department shall develop data security guidance that may be used by local education providers. The department's data security guidance must include:
(a) Guidance for authorizing access to the student data system and to student personally identifiable information, including guidance for authenticating authorized access;
(b) Privacy compliance standards;
(c) Best practices for privacy and security audits;
(d) Security breach planning, notice, and procedures;
(e) Data retention and destruction procedures;
(f) Data collection and sharing procedures;
(g) Recommendations that any contracts that affect databases, assessments, or instructional supports that include student personally identifiable information and are outsourced to vendors include express provisions that safeguard privacy and security and include penalties for noncompliance;
(h) Best security practices for privacy when using online education services, including websites and applications;
(i) Guidance for contracts involving the outsourcing of educational services;
(j) Guidance for contracts involving online education services;
(k) Guidance for publishing a list of vendors that local education providers contract with that hold student personally identifiable information;
(l) Consequences for security breaches; and
(m) Examples of staff training regarding the procedures.
(2) Based on the data security guidance adopted pursuant to subsection (1) of this section, on or before March 1, 2017, the department shall create and make available to local education providers a sample student information privacy and protection policy. The department shall annually review the sample policy and revise it as necessary to ensure that it remains current and adequate to protect the privacy of student personally identifiable information in light of advances in data technology and dissemination. At a minimum, the sample policy must include protocols for:
(a) Creating and maintaining a student data index;
(b) Retaining and destroying student personally identifiable information;
(c) Using student personally identifiable information for purposes internal to a local education provider;
(d) Preventing breaches in the security of student personally identifiable information and for responding to any security breaches that occur;
(e) Contracting with school service contract providers and using school services provided by school service on-demand providers;
(f) Disclosing student personally identifiable information to school service contract providers, school service on-demand providers, or other third parties;
(g) Notifying parents regarding collection of, retention of, and access to student personally identifiable information; and
(h) Providing training in student information security and privacy to employees of a local education provider.
(3) The department shall prepare and make available to local education providers sample contract language for use in contracting with school service contract providers. The department shall update the sample contract language as necessary to ensure that it remains current and adequate to protect the privacy of student personally identifiable information in light of advances in data technology and dissemination.
(4) The department shall identify and make available to local education providers resources that the local education providers may use in training employees with regard to student information security and privacy. At the request of a local education provider, the department shall provide training related to student information security and privacy.
(5) If the department receives notice that a local education provider has ceased using a school service on-demand provider for reasons described in section 22-16-107 (3), the department shall post the notice on the department's website. The department shall also post any written response from an on-demand provider that the local education provider may submit. The department shall post the notices and written responses for twenty-four months following the date received.