Securing Personal Student Data in the State of Idaho

Idaho’s Student Data Accessibility, Transparency & Accountability Act, otherwise known as SB 1372, is a student data protection and privacy law that was passed in 2014. Under SB 1372, the Idaho State Board of Education, Idaho Public School Districts, and the various teachers and school personnel that work within such settings, are required to take a number of measures to ensure that the personal information of the students they serve remains both accessible to applicable parties, as well as protected from unauthorized use. Furthermore, the law also establishes the specific types of covered information that are protected from disclosure.

How is student data defined under the law?

Under Idaho’s Student Data Accessibility, Transparency & Accountability Act, student data is defined as “data collected and/or reported at the individual student level included in a student’s educational record.” Alternatively, the law defines aggregate data as “data collected and/or reported at the group, cohort, or institutional level. Aggregate data shall not include personally identifiable information. The minimum number of students shall be determined by the state board of education.” Moreover, the term data system refers to “the state’s elementary, secondary, and postsecondary longitudinal data systems.”

What are the duties of educators under the law?

The duties and responsibilities that the Idaho State Board of Education has as it concerns safeguarding the personal data of students that are enrolled in K-12 institutions within the state include but are not limited to:

• The Idaho State Board of Education is responsible for both creating and publishing a data inventory, index, or dictionary containing the data elements that will be collected from students, as well as definitions for these data elements. This information must also be made publicly available.
• The Idaho State Board of Education is responsible for developing and publishing student data security measures and policies that are in accordance with both the Family Educational Rights and Privacy Act or FERPA as well as other relevant legislation within the state. This information must also be made available to the general public.
• Access to all student longitudinal data systems within the state must be limited to students and their parents or guardians, educators, school administrators, authorized personnel, and private vendors that provide services to students.
• In the event that the Idaho State Board of Education is required to disclose the personal information of a student in response to a public records request or report, they must ensure that only aggregated data is disclosed.
• The Idaho State Board of Education is required to ensure that all educational institutions within the state, including school districts, primary and secondary schools, and other similar settings, enter into contracts that both regulate and govern the personal data that students disclose in connection with assessments, special education or instructional support services, and databases, among a variety of other educational objectives.

What data elements are protected under the law?

Some of the data elements concerning K-12 students within the state of Idaho that are protected from unauthorized access, use, and disclosure include:

• State and national assessment results.
• Social security numbers.
• Credential attainment information.
• Course grades and grade point averages.
• Degrees and diplomas.
• Attendance and mobility information.
• Email addresses.
• Physical addresses.
• First and last names.
• Telephone numbers.
• Dates of birth.
• Biometric information.
• Transcript information.

What are the penalties for violating the law?

As it pertains to the enforcement of the law, the provisions of Idaho’s Student Data Accessibility, Transparency & Accountability Act are enforceable by the Idaho state attorney general. With this being said, the Idaho state attorney general has the authority to impose a number of sanctions and punishments against educators, school personnel, and associated third parties that are found to be in violation of the law. Most notably, individuals that fail to comply with the law are subject to a civil penalty of up to $50,000, in instances where a school is found to have failed to protect the privacy of their students, or a school district has not made their privacy and security policies available to the general public, among other infractions.

Idaho’s Student Data Accessibility, Transparency & Accountability Act serves as the primary means by which parents of school-aged children within the state can go about securing the privacy of their respective children. What’s more, as individuals that fail to adhere to the provisions of the law can be fined up to $50,000, educational institutions within the state have more than enough incentive to ensure that they uphold the rights of students and their parents under the law. As such, in the event that a student’s personal information is disclosed for a non-educational reason, the parents of the said student will have the means to seek justice.