1Amending the act of March 10, 1949 (P.L.30, No.14), entitled "An
2act relating to the public school system, including certain
3provisions applicable as well to private and parochial
4schools; amending, revising, consolidating and changing the
5laws relating thereto," in preliminary provisions,
6prohibiting the release of certain student data and library

8The General Assembly of the Commonwealth of Pennsylvania
9hereby enacts as follows:

10Section 1. The act of March 10, 1949 (P.L.30, No.14), known
11as the Public School Code of 1949, is amended by adding a
12section to read:

13Section 123. Student Data and Library Data.--(a) The State
14Board of Education shall, with respect to students in
15prekindergarten through grade twelve:

16(1) Create and make publicly available a data inventory of
17individual student-level unit data required to be reported by
18Federal or State education mandates.

19(2) Develop and publish policies and procedures to comply

1with the Family Educational Rights and Privacy Act of 1974
2(Public Law 90-247, 20 U.S.C. § 1232g) and other relevant
3privacy laws and policies, including, but not limited to:

4(i) Access to unit and de-identified data shall be
5restricted to the authorized staff of the Department of
6Education who require such access to perform their assigned

8(ii) The Department of Education shall use only aggregate
9data in public reports.

10(iii) The Department of Education shall develop criteria for
11the approval of research and data requests from State and local
12agencies, the General Assembly, researchers and the public.
13Unless otherwise approved by the State Board of Education to
14release unit or de-identified data in specific instances, the
15Department of Education may only use aggregate data in the
16release of data in response to research and data requests.

17(iv) Notification to students and parents regarding their
18rights under Federal and State law.

19(3) Unless otherwise approved by the State Board of
20Education, the Department of Education may not transfer unit or
21de-identified data to any Federal, State or local agency or
22other organization or entity outside of this Commonwealth, with
23the following exceptions:

24(i) A student transfers out of this Commonwealth or a school
25district seeks help with locating an out-of-State transfer.

26(ii) A student leaves this Commonwealth to attend an out-of-
27State institution of higher education or training program.

28(iii) A student registers for or takes a national or
29multistate assessment.

30(iv) A student voluntarily participates in a program for

1which such a data transfer is a condition or requirement of

3(v) The Department of Education enters into a contract that
4governs databases, assessments or instructional supports with an
5out-of-State vendor.

6(vi) A student is classified as "migrant" for Federal
7reporting purposes.

8(4) Develop a detailed data security plan that includes:

9(i) Guidelines for authorizing access to the student data
10system and to individual student data including guidelines for
11authentication of authorized access.

12(ii) Privacy compliance standards.

13(iii) Privacy and security audits.

14(iv) Breach notification and procedures.

15(v) Data retention and disposition policies.

16(5) Ensure routine and ongoing compliance by the Department
17of Education with the Family Educational Rights and Privacy Act
18of 1974, other relevant privacy laws and policies and the
19privacy and security policies and procedures developed under the
20authority of this section, including the performance of
21compliance audits.

22(6) Ensure that any contracts that govern databases,
23assessments or instructional supports include unit or de-
24identified data, and are outsourced to private vendors that
25include express provisions that safeguard privacy and security
26and include penalties for noncompliance.

27(7) Notify the Governor and the General Assembly annually of
28the following:

29(i) New student data proposed for inclusion in a State
30student data system.

1(ii) An explanation of any exceptions granted by the State
2Board of Education in the past year regarding the release or
3out-of-State transfer of unit or de-identified data.

4(iii) The results of any and all privacy compliance and
5security audits completed in the past year.

6(b) (1) Any library in this Commonwealth which is in whole
7or in part supported by public funds, including, but not limited
8to, public, academic, school or special libraries, and having
9records indicating which of its documents or other materials,
10regardless of format, have been loaned to or used by an
11identifiable individual or group shall not disclose such records
12to any person except to:

13(i) persons acting within the scope of their duties in the
14administration of the library;

15(ii) persons authorized to inspect such records, in writing,
16by the individual or group; or

17(iii) By order of a court of law.

18(2) The requirements of this subsection shall not prohibit
19middle and elementary school libraries from maintaining a system
20of records that identifies the individual or group to whom
21library materials have been loaned even if such system permits a
22determination, independent of any disclosure of such information
23by the library, that documents or materials have been loaned to
24an individual or group.

25(3) All registration information of minors collected by a
26library in this Commonwealth which is supported in whole or in
27part by public funds including, but not limited to, public,
28academic, school or special libraries shall not be disclosed to
29any person except:

30(i) Persons acting only within the legitimate scope of their

1duties in the administration of the library.

2(ii) Persons authorized to inspect such records, in writing,
3by the individual.

4(iii) By order of a court of law.

5(4) Any suspicious requests for records of minors that may
6be indicative of criminal intent shall be reported immediately
7to appropriate law enforcement authorities.

8(5) For purposes of this subsection, "registration
9information" includes any information required of a minor in
10order to become eligible to borrow books and to utilize library
11services and other materials.

12(c) As used in this section, the following words and phrases
13shall have the meanings given to them in this subsection unless
14the context clearly indicates otherwise:

15"Aggregate data." Data collected or reported at the group,
16cohort or institutional level.

17"De-identified data." A dataset in which parent and student
18identifying information, including any State-assigned student
19identifier, has been removed.

20"Student data." The unit data relating to student
21performance, including, but not limited to:

22(1) National and State assessment results.

23(2) Course taking and completion and credits earned.

24(3) Course grades and grade point average.

25(4) Date of birth, grade level and expected graduation
26date/graduation cohort.

27(5) Degree, diploma or credential attainment.

28(6) Enrollment.

29(7) Attendance and mobility.

30(8) Discipline reports limited to objective information

1sufficient to produce the Federal Title IV Annual Incident

3(9) Remediation.

4(10) Special education data.

5(11) Demographic data.

6The term does not include juvenile delinquency records, criminal
7records, medical and health records and student Social Security

9"Unit data." Data collected or reported at the individual
10student level.

11Section 2. This act shall take effect in 60 days.