Part I.
Changes the title of GS Chapter 116E to the “NC Longitudinal Data System” (currently, titled as the Education Longitude System). Adds CJIS, HIPAA, IDEA, and public school to GS 116E-1 (definitions provision of the chapter). Modifies the definition of System to clarify that it refers to the NC Longitudinal Data System including components referred to as the NC Longitudinal Data Service (Service). Changes references from “local school administrative unit” to “public school” in term unique student identifier or UID. Makes technical changes.
Removes language limiting the linkage of student data and workforce data in the System to no longer than five years from the described start date in GS 116E-2 (System purpose).
Modifies the powers and duties of the Governmental Data Analytics Center (Center) in GS 116E-4 as follows. Removes requirement that the Center designate a compliance timeline for electronic transcripts, as described. Requires the Center to publish the data inventory. Expands the Center’s compliance laws to include the IDEA, HIPAA, CJIS, and the Internal Revenue Code. Requires the Center to develop and implement policies to also comply with those laws in addition to any other privacy measures relevant to the data available to the System (currently, just other privacy measures and FERPA). Makes conforming change. Moves the System’s administrative location from the Department of Public Instruction (DPI) to the Department of Information Technology (DIT) in GS 116E-5. Now requires the System to serve as a data broker for the entire Department of Commerce (DOC) instead of just its Division of Employment Security. Requires the System and recipients of data in fulfillment of approved data requests to use only aggregated data in public reports (currently, requires the System to use only aggregate data in the release of data in reports and in response to data requests). Instructs that ownership of all data collected and maintained by the System remains with the contributors to the System and that management and disclosure of data by the System does not change the data’s ownership. Makes conforming changes.
Requires in GS 116E-6 (concerning data sharing by public schools, charter schools, institutions of higher education and State agencies) that all sharing supported by the System comply with all applicable federal and State data and data privacy laws and regulations. Makes conforming change.
Part II.
Finds that it is in the best interest of the State for DIT to lead the State’s cybersecurity efforts comprehensively rather than having State agencies handle cybersecurity individually in a fragmentary way. For the 2025-27 fiscal biennium, specifies that of the funds available in the IT Reserve, DIT can use up to $25 million each fiscal year to enhance DIT capabilities in four specified areas, including State agency adherence to plans and policies related to cybersecurity incidents, security alerts, advisory responses, security awareness, and agency cybersecurity training protocols and monitoring and assessing State agency adherence to risk assessment policies, as described. For the 2025-27 fiscal biennium, specifies that of the funds available in the IT Reserve, DIT can use up to $3.8 million each fiscal year to support the further development and integration of the NC HealthConnex system, as specified.
Requires, in GS 143B-1378, for the State CIO to consider an agency’s noncompliance with cybersecurity plans and standards when reviewing agency requests under IT Projects and Management (Part 3 of Article 15 of GS Chapter 143B) and IT Procurement (Part 4 of same). Changes section title from “Assessment of agency compliance with cybersecurity standards” to “Assessment of agency compliance with cybersecurity standards; reporting requirements.”
Finds that it is in the best interests of the State for DIT to assess duplication in enterprise information technology spending across State agencies to identify opportunities for cost-savings and increased efficiency in information technology resource allocation. Tasks DIT with selecting a third-party vendor for the 2025-26 fiscal year to assist in a comprehensive assessment of enterprise information technology spending across all State agencies to determine areas of duplication and inefficiency, to include at least five specified areas of spending. Requires State agencies to provide all data, reports, and assistance requested by DIT to facilitate its assessment. On or before October 1, 2026, requires DIT to submit a report to the specified NCGA committee and division along with the Office of the State Auditor on its assessment, including the four specified topics.
Requires the Office of State Budget and Management and the Office of the State Controller to establish information technology-specific fund codes within each State agency's existing budget codes no later than December 1, 2025, to assist DIT in its responsibility to monitor budgeting for IT matters. Requires the State CIO to work with the Office of State Controller and the Office of State Budget and Management to develop an implementation plan and to submit the plan to the specified NCGA committee and division by September 1, 2026.
Removes (1) the long-range IT Plan and (2) cloud-based utility computing as subjects covered under the CIO’s biennial State IT Plan required by GS 143B-1330. Amends GS 115C-150.11(c), as enacted by Section 3J.1(a) of SL 2024-57, to exclude IT (was, included) as one of the matters for which the Department of Administration is tasked to provide each school with support.
Effective July 1, 2025.
Part III.
Specifies except as otherwise provided, effective July 1, 2025.
Statutes affected: Filed: 143B-1378, 143B-1330