Bill Summary – FastDemocracy

PRINTER'S NO.    2522
                     THE GENERAL ASSEMBLY OF PENNSYLVANIA
                         HOUSE BILL
                         No. 1987
                                               Session of
                                                 2024
     INTRODUCED BY RYNCAVAGE, N. NELSON, KENYATTA AND DALEY,
        JANUARY 31, 2024
     REFERRED TO COMMITTEE ON EDUCATION, JANUARY 31, 2024
                                    AN ACT
 Amending the act of March 10, 1949 (P.L.30, No.14), entitled "An
    act relating to the public school system, including certain
    provisions applicable as well to private and parochial
    schools; amending, revising, consolidating and changing the
    laws relating thereto," in preliminary provisions, providing
    for student data security.
    The General Assembly of the Commonwealth of Pennsylvania
 hereby enacts as follows:
    Section 1.    The act of March 10, 1949 (P.L.30, No.14), known
 as the Public School Code of 1949, is amended by adding a
 section to read:
    Section 130.    Student Data Security.--(a)   The department
 shall develop, in consultation with the Office of Information
 Technology, and update regularly, but no less than annually, a
 model data security plan for the protection of student data held
 by a school entity.
    (b)    The model student data security plan shall include:
    (1)    Guidelines for access to student data and student data
 systems, including guidelines for authentication of authorized
 access.
    (2)   Privacy compliance standards.
    (3)   Privacy and security audits.
    (4)   Procedures to follow in the event of a breach of student
 data.
    (5)   Data retention and disposition policies.
    (c)   The model plan and any updates shall be made available
 to all school entities.
    (d)   The department shall designate a chief data security
 officer, with any State money as made available, to assist a
 school entity, upon request, with the development and
 implementation of a student data security plan and to develop
 best practice recommendations regarding the use, retention and
 protection of student data.
    (e)   The department shall convene a working group to assist
 with the development of initial instructions, procedures,
 services, security assessments, best practices and security
 measures required by this section for the development of a model
 student data security plan. The working group shall include the
 Secretary of Education, the chief information officer,
 representatives from school entities across this Commonwealth
 and other parties deemed necessary by the department.
    (f)   The working group shall compile a report on or before
 December 1, 2025, on the cost of developing and implementing a
 model student data security plan. The working group shall submit
 the report to the chair and minority chair of the Appropriations
 Committee of the Senate, the chair and minority chair of the
 Appropriations Committee of the House of Representatives, the
 chair and minority chair of the Education Committee of the
 Senate and the chair and minority chair of the Education
 Committee of the House of Representatives.
20240HB1987PN2522                  - 2 -
    (g)     As used in this section, the following words and phrases
 shall have the meanings given to them in this subsection unless
 the context clearly indicates otherwise:
    "Department."     The Department of Education of the
 Commonwealth.
    "Personally identifiable information."     The term includes,
 but is not limited to:
    (1)     The student's name.
    (2)     The name of the student's parent or other family
 members.
    (3)     The address of the student or student's family.
    (4)     A personal identifier, such as the student's Social
 Security number, student number or biometric record.
    (5)     Other indirect identifiers, such as the student's date
 of birth, place of birth and mother's maiden name.
    (6)     Other information that, alone or in combination, is
 linked or linkable to a specific student that would allow a
 reasonable person in the school community, who does not have
 personal knowledge of the relevant circumstances, to identify
 the student with reasonable certainty.
    (7)     Information requested by a person who the educational
 agency or institution reasonably believes knows the identity of
 the student to whom the education record relates.
    "School entity."     A school district, intermediate unit, area
 career and technical school, charter school, cyber charter
 school or regional charter school.
    "Student data."     Personally identifiable information from
 student records of a school entity.
    Section 2.     This act shall take effect in 60 days.
20240HB1987PN2522                     - 3 -
Statutes/Laws affected: 
Printer's No. 2522: P.L.30, No.14