new text begin Subdivision 1. new text end

new text begin SIS contracts; requirements; prohibitions. new text end

new text begin (a) Any contract or other
agreement between an educational institution and an SIS provider under which the SIS
provider sells, leases, provides, operates, or maintains an SIS for the benefit of the educational
institution shall expressly direct the SIS provider to:
new text end

new text begin (1) establish, implement, and maintain appropriate security measures, consistent with
department guidelines and current best practices, to protect educational data and personally
identifiable student information the SIS provider creates, sends, receives, stores, or transmits
to operate the SIS;
new text end

new text begin (2) affirm that all data stored on the SIS is the property of the educational institution
and is not the property of the SIS provider and contain the notice requirements in section
13.05, subdivision 11, when the contract is with a public educational institution;
new text end

new text begin (3) establish and implement policies and procedures to respond to data breaches involving
an unauthorized person or entity acquiring or accessing personally identifiable student
information on the SIS that, at a minimum:
new text end

new text begin (i) require the SIS provider to provide notice to all affected parties, including parents,
guardians, eligible students, teachers, and school administrators, within 14 days after
discovering the breach by United States mail or e-mail, or if the SIS provider has insufficient
or out-of-date contact information for ten or more individuals, the SIS provider must provide
substitute individual notice by posting the notice on its Web site for at least 90 days:
new text end

new text begin (A) briefly describing the breach, including a description of the educational data the
unauthorized person or entity acquired or accessed, or is reasonably believed to have acquired
or accessed;
new text end

new text begin (B) informing the affected parties about the educational data the SIS provider maintains
on the student;
new text end

new text begin (C) describing the steps affected individuals should take to protect themselves from
potential harm;
new text end

new text begin (D) briefly describing what the SIS provider is doing to investigate the breach, mitigate
the harm, and prevent further breaches; and
new text end

new text begin (E) providing contact information for the SIS provider so affected individuals may obtain
more information; and
new text end

new text begin (ii) satisfy all other applicable notice requirements;
new text end

new text begin (4) permanently delete all data stored on the SIS and destroy all nondigital records
containing any educational data retrieved from the SIS within 30 days after the educational
institution terminates the SIS provider's contract, except where:
new text end

new text begin (i) the SIS provider and the person authorized to sign an opt-in agreement under
subdivision 2 direct the SIS provider to retain educational data, specifically identified data,
or nondigital records for a student's benefit; or
new text end

new text begin (ii) before deleting the stored data, the educational institution directs the terminated SIS
provider to transfer data stored on the SIS to another designated SIS provider at the
educational institution's expense; and
new text end

new text begin (5) comply with all obligations and restrictions applicable to SIS providers in sections
125B.30 to 125B.36.
new text end

new text begin (b) A contract or other agreement under paragraph (a) shall expressly prohibit the SIS
provider from:
new text end

new text begin (1) analyzing, interacting with, sharing, or transferring any educational data or personally
identifiable student information the educational institution transmits to the SIS except as
allowed by the opt-in agreement in subdivision 2, paragraph (b);
new text end

new text begin (2) selling any educational data or personally identifiable student information stored on
or retrieved from the SIS unless the SIS is sold as part of a sale or merger of the SIS
provider's business and the new purchaser or controlling person or entity is subject to sections
125B.30 to 125B.36 and any existing contract or agreement binding successors and assigns;
new text end

new text begin (3) using any educational data or personally identifiable student information stored on
or retrieved from the SIS for marketing or advertising directed at a student, parent, guardian,
or school employee, except under an opt-in agreement signed under subdivision 2; and
new text end

new text begin (4) using any educational data or personally identifiable student information stored on
or retrieved from the SIS to develop a profile of a student or group of students for a
commercial or noneducational purpose.
new text end

new text begin Subd. 2. new text end

new text begin Opt-in agreements. new text end

new text begin (a) A valid opt-in agreement shall specifically identify:
new text end

new text begin (1) the educational data on a student contained in the SIS, including student attendance
and disciplinary records, that the SIS provider may access, analyze, interact with, share, or
transfer;
new text end

new text begin (2) the SIS provider authorized to access, analyze, interact with, share, or transfer
educational data in the SIS and what the SIS provider is authorized to do with that educational
data, including allowing:
new text end

new text begin (i) the SIS provider to analyze or interact with the educational data or personally
identifiable student information to meet a contractual obligation to the educational institution
to analyze or interact with the data for an educational purpose;
new text end

new text begin (ii) the educational institution to determine, and document in writing, that sharing specific
educational data or personally identifiable student information is needed to safeguard
students' health or safety;
new text end

new text begin (iii) the SIS provider to de-identify or aggregate educational data or personally identifiable
student information at the request of the educational institution to:
new text end

new text begin (A) enable the educational institution to comply with federal, state, or local reporting
and data-sharing requirements; or
new text end

new text begin (B) undertake education research; or
new text end

new text begin (iv) the SIS provider to access the data to test and improve the value and performance
of the SIS for the educational institution and the SIS provider permanently deletes any
copied data and any data analysis within 60 days after creating the copy or the data analysis;
new text end

new text begin (3) the educational purpose for the SIS to access the educational data; and
new text end

new text begin (4) the individual student subject to the opt-in agreement.
new text end

new text begin (b) The opt-in agreement is valid only if signed by:
new text end

new text begin (1) a parent or guardian, if the student is under age 18; or
new text end

new text begin (2) an eligible student.
new text end

new text begin (c) An opt-in agreement signed under this subdivision may include a provision to
authorize an SIS provider to share or transfer educational data if:
new text end

new text begin (1) the purpose of the transfer is to benefit:
new text end

new text begin (i) an operational, administrative, analytical, or educational function of the educational
institution, including education research; or
new text end

new text begin (ii) the student's education;
new text end

new text begin (2) the opt-in agreement specifically identifies:
new text end

new text begin (i) the educational data to be shared or transferred;
new text end

new text begin (ii) when and with whom the educational data will be shared or transferred; and
new text end

new text begin (iii) the anticipated benefits to the educational institution or student; and
new text end

new text begin (3) the SIS provider includes a record of the educational data to be shared or transferred
prior to the opt-in agreement being signed.
new text end

new text begin (d) Any person or entity that accesses or possesses any educational data or personally
identifiable student information from an SIS provider is subject to the same restrictions and
obligations under this section as the SIS provider providing the educational data or personally
identifiable student information to that person or entity.
new text end

new text begin (e) An opt-in agreement is invalid if it grants general authority to access, analyze, interact
with, share, or transfer educational data or personally identifiable student information in an
SIS.
new text end

new text begin (f) Except as authorized in this section, no SIS provider, school employee, or other
person or entity that receives educational data or personally identifiable student information,
directly or indirectly, from an SIS under an opt-in agreement may share, sell, or otherwise
transfer the information to another person or entity consistent with the requirements in
section 13.05, subdivision 11.
new text end

new text begin (g) A parent, guardian, or eligible student under paragraph (b) may revoke the agreement
at any time by transmitting written notice to the educational institution. The educational
institution must notify the SIS provider within 14 days after receiving the revocation notice.
new text end

new text begin (h) An SIS provider that accesses, analyzes, interacts with, shares, or transfers educational
data or personally identifiable student information to another person or entity must show it
acted under an opt-in agreement signed under this subdivision.
new text end

new text begin (i) An educational institution must not withhold an educational benefit from or penalize
a student, parent, or guardian who does not sign or who revokes an opt-in agreement.
new text end

new text begin (j) An opt-in agreement must be renewed at least annually.
new text end

new text begin Subd. 3. new text end

new text begin School employees. new text end

new text begin (a) Subject to written authority from the educational
institution, and for purposes of this subdivision, school employees may access and interact
with educational data and personally identifiable student information on an SIS to perform
their professional duties. To access or interact with educational data or personally identifiable
student information on an SIS, a school employee must receive periodic training to ensure
the school employee understands and can comply with the requirements of this section.
new text end

new text begin (b) A school employee may transfer educational data to the employing educational
institution or another trained school employee only if:
new text end

new text begin (1) the school employee has completed periodic and at least annual training in data
practices under this subdivision and section 125B.35, and for compliance with section
121A.065 and the federal Family Educational Rights and Privacy Act (FERPA);
new text end

new text begin (2) the school employee is a teacher transferring educational data to a district-approved
software application for classroom record keeping or management purposes;
new text end

new text begin (3) any third party with access to the software application is expressly prohibited from
reviewing or interacting with the transferred data; and
new text end

new text begin (4) the teacher deletes the data transferred to the software application within 30 days
after the teacher no longer uses the data for classroom record keeping or management
purposes.
new text end

new text begin Subd. 4. new text end

new text begin Parent or guardian access to educational data. new text end

new text begin (a) Consistent with state and
federal data practices law as applied to this subdivision, a parent, guardian, or eligible
student, upon transmitting a written request to an educational institution, may inspect and
review the student's educational data and personally identifiable student information stored
on an SIS. An educational institution must give parents, guardians, and eligible students an
opportunity to correct or remove inaccurate educational data.
new text end

new text begin (b) The right of a parent or guardian to review a minor student's educational record or
other personally identifiable student information does not apply where:
new text end

new text begin (1) the minor student supplied health information to the educational institution; and
new text end

new text begin (2) the responsible authority determines that withholding the data is in the minor student's
best interest under sections 13.02, subdivision 8, and 144.29.
new text end

new text begin (c) When a student is age 18 or older, the rights of a parent or guardian under this
subdivision terminate and the eligible student assumes those rights.
new text end

new text begin (d) An educational institution must:
new text end

new text begin (1) review and respond to requests made under this subdivision within five days after
receiving the request; and
new text end

new text begin (2) provide a parent, guardian, or eligible student a hearing if the educational institution
denies the parent, guardian, or eligible student's request to correct or remove inaccurate
information and, if the school does not amend the record after the hearing, allow the parent,
guardian, or eligible student to insert a statement in the record contesting the information.
new text end

new text begin Subd. 5. new text end

new text begin Requirements for deleting data in an SIS. new text end

new text begin An educational institution must
permanently delete all educational data and personally identifiable student information on
a student stored in an SIS within one school year after a student graduates, withdraws, or
is expelled from the educational institution. This provision does not apply to:
new text end

new text begin (1) a student's name and Social Security number;
new text end

new text begin (2) a student's transcript, graduation record, letters of recommendation, and other
information required by a postsecondary institution for admission to the institution or by a
potential employer;
new text end

new text begin (3) educational data and personally identifiable student information that is part of an
ongoing disciplinary, administrative, or judicial action or proceeding;
new text end

new text begin (4) de-identified educational data retained at the request of the educational institution
for education research or analysis; and
new text end

new text begin (5) educational data or personally identifiable student information required by law or a
judicial order or warrant to be retained.
new text end

new text begin Subd. 6. new text end

new text begin Requirements for deleting physical or digital copies of educational data.
new text end

new text begin Within 180 days of receiving notice under subdivision 7, an SIS provider or other third
party possessing or controlling educational data or other personally identifiable student
information related to a student's graduation, withdrawal, or expulsion from an educational
institution must permanently destroy or delete all physical or digital copies of the data. This
provision does not apply to:
new text end

new text begin (1) educational data or personally identifiable student information that is part of an
ongoing disciplinary, administrative, or judicial action or proceeding;
new text end

new text begin (2) aggregated or de-identified educational data obtained for education research;
new text end

new text begin (3) educational data or personally identifiable student information required by law or a
judicial order or warrant to be retained; and
new text end

new text begin (4) specifically identified educational data or personally identifiable student information,
where:
new text end

new text begin (i) the person authorized to sign a valid opt-in agreement under subdivision 2, paragraph
(b), requests the data be retained; and
new text end

new text begin (ii) the SIS provider and educational institution agree to retain the data.
new text end

new text begin Subd. 7. new text end

new text begin Notice to SIS provider and third parties. new text end

new text begin Within 90 days, an educational
institution must notify its SIS provider when a student graduates, withdraws, or is expelled
from school, and the SIS provider then must immediately notify any third party it allowed
to access that student's education record or personally identifiable student information of
the student's changed status.
new text end

new text begin Subd. 8. new text end

new text begin Access under law, judicial warrant, or audit. new text end

new text begin Except as provided under this
section, no person or entity, other than an educational institution, school employee, or SIS
provider shall access or interact with an SIS or SIS data unless authorized by law, under a
judicial warrant, or as part of an educational institution audit.
new text end

new text begin Subd. 9. new text end

new text begin Directory information permitted. new text end

new text begin Consistent with section 13.32, subdivision
5, an educational institution may provide directory information to a vendor providing
photographs, class rings, yearbooks or student publications, memorabilia, or other similar
goods or services to students if the vendor agrees in writing:
new text end

new text begin (1) not to sell or transfer the data to any other person or entity;
new text end

new text begin (2) to use the data solely for the purpose for which it was provided; and
new text end

new text begin (3) to destroy the data after using the data for its intended purpose.
new text end

new text begin Subd. 10. new text end

new text begin Interaction with other law. new text end

new text begin Nothing in this section supersedes or otherwise
changes the classification of data in chapter 13, or limits any law that enhances privacy
protections to students or otherwise restricts access to students' educational records or
personally identifiable student information.
new text end

new text begin Subdivision 1. new text end

new text begin General rule; contract. new text end

new text begin (a) When an educational institution or one-to-one
device provider provides a student with a technological device in a one-to-one program, no
school employee or one-to-one device provider, or their agent, may access or track the
student's one-to-one device, activity, or data, either remotely or in person, except as consistent
with this section.
new text end

new text begin (b) Any contract or other agreement between an educational institution and a one-to-one
device provider for a one-to-one provider to provide one-to-one devices for the benefit of
the educational institution shall:
new text end

new text begin (1) affirm that the student's educational data on the devices are the property of the student
and the educational institution and not the property of the one-to-one device provider;
new text end

new text begin (2) contain the notice requirements in section 13.05, subdivision 11, when the contract
is with a public educational institution; and
new text end

new text begin (3) prohibit the sale, sharing, or use of educational data or personally identifiable student
information in violation of sections 125B.30 to 125B.36.
new text end

new text begin Subd. 2. new text end

new text begin Exceptions. new text end

new text begin No school employee or one-to-one device provider, or their agent,
may access any data such as the browser, keystroke, or location history the student inputs
into, stores upon, or sends or receives on the student's one-to-one device, nor may the school
employee or one-to-one device provider analyze, interact with, share, or transfer such data
except when:
new text end

new text begin (1) the data is de-identified or aggregate data;
new text end

new text begin (2) the school employee accessing the data:
new text end

new text begin (i) is the student's teacher;
new text end

new text begin (ii) is receiving or reviewing the information for an educational purpose consistent with
the teacher's professional duties; and
new text end

new text begin (iii) does not use the information or permit another person or entity to use the information
for any other purpose;
new text end

new text begin (3) a school employee or one-to-one device provider, or their agent, is authorized to
access the educational data under an opt-in agreement under subdivision 9;
new text end

new text begin (4) a school employee reasonably suspects the student violated or is violating a law or
a school rule and data on the one-to-one device contains evidence of the suspected violation,
subject to the following limitations:
new text end

new text begin (i) before searching a student's one-to-one device, the school employee must document
the basis for the reasonable suspicion and notify the student and the student's parent or legal
guardian of the suspected violation and what data will be accessed in searching for evidence
of the violation. An educational institution, consistent with other law, may seize a student's
one-to-one device to prevent the student from deleting data pending parent notification if:
new text end

new text begin (A) the prenotification seizure period does not exceed 48 hours; and
new text end

new text begin (B) the school employee securely stores the one-to-one device on educational institution
property and does not access it during the prenotification seizure period;
new text end

new text begin (ii) searches of a student's one-to-one device are strictly limited to finding evidence of
the suspected violation and must immediately cease when the school employee finds evidence
of the suspected violation. A school employee who copies, shares, or transfers any data or
any other student information unrelated to the suspected violation violates this item; and
new text end

new text begin (iii) when a student is suspected of illegal conduct, no school employee or law
enforcement official may search the one-to-one device without first securing a judicial
warrant under clause (5) even if the student is also suspected of violating another law or
school rule;
new text end

new text begin (5) a school employee or law enforcement official reasonably suspects the student
engaged in or is engaging in illegal conduct, reasonably suspects data on the student's
one-to-one device contain evidence of the suspected illegal conduct, and secures a judicial
warrant to search the device;
new text end

new text begin (6) doing so is needed to update or upgrade a one-to-one device's software, or protect
the device from cyber threats, and access is limited to that purpose;
new text end

new text begin (7) doing so is needed to respond to an imminent threat to life or safety and access is
limited to that purpose. Within 72 hours of accessing a student's data on a one-to-one device
under this clause, the school employee or law enforcement official who accessed the
one-to-one device must provide a written description of the precise threat allowing access
and the data accessed to the educational institution and the eligible student, parent, or
guardian; or
new text end

new text begin (8) the information sent from the one-to-one device is posted on a Web site that:
new text end

new text begin (i) is accessible to the general public; or
new text end

new text begin (ii) is accessible to a specific school employee granted written permission by the eligible
student, parent, or guardian to view the content.
new text end

new text begin Subd. 3. new text end

new text begin Use of location tracking technology. new text end

new text begin No law enforcement official, school
employee, or one-to-one device provider, or their agent, may use a student's one-to-one
device's location tracking technology to track a one-to-one device's real-time or historical
location unless:
new text end

new text begin (1) such use is ordered under a judicial warrant;
new text end

new text begin (2) a parent, guardian, or the student to whom the one-to-one device was provided notifies
a school employee or law enforcement official that the one-to-one device is missing or
stolen; or
new text end

new text begin (3) doing so is needed to respond to an imminent threat to life or safety and access is
limited to that purpose. Within 72 hours of accessing the location tracking technology of a
student's one-to-one device, the school employee or law enforcement official who accessed
the one-to-one device must provide a written description of the precise threat allowing
access and the data and features accessed to the educational institution and the eligible
student, parent, or guardian.
new text end

new text begin Subd. 4. new text end

new text begin No access to audio or video receiving, transmitting, or recording functions;
exceptions. new text end

new text begin No school employee or one-to-one device provider, or their agent, may activate
or access any audio or video receiving, transmitting, or recording function on a student's
one-to-one device unless:
new text end

new text begin (1) the student initiates a video chat or audio chat with the school employee or one-to-one
device provider;
new text end

new text begin (2) the activation or access is ordered under a judicial warrant; or
new text end

new text begin (3) doing so is needed to respond to an imminent threat to life or safety and access is
limited to that purpose. Within 72 hours of accessing the audio or video receiving,
transmitting, or recording functions of a student's one-to-one device, the school employee
or law enforcement official who accessed the one-to-one device must provide a written
description of the precise threat allowing access and the data and features accessed to the
educational institution and the eligible student, parent, or guardian.
new text end

new text begin Subd. 5. new text end

new text begin No access to student's password-protected software, Web site accounts, or
applications; exceptions. new text end

new text begin No school employee or their agent may use a one-to-one device,
or require a student to use a one-to-one device in their presence, to view the student's
password-protected software, Web site accounts, or applications except when:
new text end

new text begin (1) the school employee is a teacher;
new text end

new text begin (2) the student is enrolled in and participating in a class taught by the teacher; and
new text end

new text begin (3) viewing of the one-to-one device serves an educational purpose in that class.
new text end

new text begin Subd. 6. new text end

new text begin Prohibited uses of educational data. new text end

new text begin No one-to-one device provider or its
agent may use any educational data stored on or retrieved from a one-to-one device in a
manner inconsistent with an opt-in agreement under subdivision 9 or to:
new text end

new text begin (1) market or provide advertising directed at a student, parent, guardian, or school
employee, except under an opt-in agreement signed under subdivision 9; or
new text end

new text begin (2) develop a student profile for any commercial or other noneducational purpose.
new text end

new text begin Subd. 7. new text end

new text begin Training required. new text end

new text begin Notwithstanding other provisions in this section, to
supervise, direct, or participate in a one-to-one program, or to access any one-to-one device
or its data, a school employee must receive periodic and at least annual training under section
125B.35 to ensure the school employee understands and complies with the provisions of
this section, section 121A.065, and the federal Family Educational Rights and Privacy Act
(FERPA).
new text end

new text begin Subd. 8. new text end

new text begin No sharing of personally identifiable student information; exceptions. new text end

new text begin No
school employee or one-to-one device provider that obtains or receives educational data
from a one-to-one device may transfer the information except:
new text end

new text begin (1) to another trained school employee and the employee accesses the information as
part of the employee's professional duties; or
new text end

new text begin (2) where a one-to-one device provider is authorized access under an opt-in agreement
signed under subdivision 9.
new text end

new text begin Subd. 9. new text end

new text begin Opt-in agreements. new text end

new text begin (a) For purposes of this section, and to the extent applicable,
a valid opt-in agreement must comply with the requirements in section 125B.32, subdivision
2, and must specifically identify:
new text end

new text begin (1) the educational data on the one-to-one device to which access is granted;
new text end

new text begin (2) the school employee or one-to-one device provider authorized to access, analyze,
and interact with the educational data on the one-to-one device;
new text end

new text begin (3) the educational purpose for which the school employee or one-to-one device provider
will access, analyze, and interact with the educational data on the one-to-one device; and
new text end

new text begin (4) the individual student subject to the opt-in agreement.
new text end

new text begin (b) The opt-in agreement is valid only if signed by:
new text end

new text begin (1) a parent or guardian, if the student is under age 18; or
new text end

new text begin (2) an eligible student.
new text end

new text begin (c) An opt-in agreement is invalid if it grants a one-to-one device provider:
new text end

new text begin (1) general authority to access a student's one-to-one device; or
new text end

new text begin (2) authority to collect all educational data or personally identifiable student information
generated by or used in connection with a specific program or application.
new text end

new text begin (d) A parent, guardian, or eligible student under paragraph (b) may revoke an opt-in
agreement at any time by transmitting written notice to an educational institution. An
educational institution must notify all affected parties within 14 days after receiving the
revocation notice.
new text end

new text begin (e) A one-to-one device provider that accesses, analyzes, or interacts with educational
data or personally identifiable student information on a one-to-one device must show it
acted under an opt-in agreement signed under this subdivision.
new text end

new text begin (f) An educational institution must not withhold a one-to-one device or a related
educational benefit, or punish a student, parent, or guardian based upon:
new text end

new text begin (1) a decision by an eligible student, parent, or guardian to not sign, or to revoke, an
opt-in agreement; or
new text end

new text begin (2) a student's refusal to open, close, or maintain an e-mail account or other electronic
communication or social media account with a specific service provider.
new text end

new text begin (g) A one-to-one device provider violates paragraph (f), clause (1), if it requires an
eligible student, parent, or guardian to agree to give the provider access to personally
identifiable student information as a condition of receiving access to the one-to-one device.
new text end

new text begin (h) An opt-in agreement must be renewed at least annually.
new text end

new text begin Subd. 10. new text end

new text begin No sale, sharing, or transfer of personally identifiable student information;
exception. new text end

new text begin No school employee or one-to-one device provider, or their agent, who receives
or collects educational data or personally identifiable student information from a one-to-one
device may share, sell, or otherwise transfer such data to another person or entity unless,
in the case of a one-to-one device provider, the information is sold as part of a sale or merger
of the one-to-one device provider's business. Any entity buying educational data or personally
identifiable student information is subject to the same restrictions and obligations under
this section as the one-to-one device provider that acquired or sold the educational data or
personally identifiable student information.
new text end

new text begin Subd. 11. new text end

new text begin Direct access prohibited; exceptions. new text end

new text begin Only a student, student's parent or
guardian, educational institution, school employee, or one-to-one device provider subject
to the limitations of this section may access, review, or interact with a one-to-one device
and its data, unless access is otherwise authorized under law, by a judicial warrant, or with
the express permission of the parent, guardian, or eligible student to whom the one-to-one
device is issued.
new text end

new text begin Subd. 12. new text end

new text begin Return of one-to-one device; data deletion. new text end

new text begin When a student permanently
returns a one-to-one device to the educational institution or to the one-to-one device provider
who provided it, the educational institution or one-to-one device provider must permanently
delete all data stored on the one-to-one device without otherwise accessing the data on the
one-to-one device and must return the one-to-one device to its default factory settings within
180 days of receiving the one-to-one device.
new text end

new text begin Subd. 13. new text end

new text begin Personally identifiable educational data; general exceptions. new text end

new text begin The provisions
of this section on collecting and using educational data or personally identifiable student
information do not apply to a student's information collected by a software program, Web
site, or application that is incidental to the use of that software program, Web site, or
application that was not:
new text end

new text begin (1) preloaded on the one-to-one device unless approved by the district for educational
purposes;
new text end

new text begin (2) the target of a link preloaded on the one-to-one device; and
new text end

new text begin (3) promoted, marketed, or advertised in connection with issuing the one-to-one device.
new text end

new text begin Subdivision 1. new text end

new text begin Training required. new text end

new text begin Every school district must conduct annual training
sessions for administrative staff, IT directors, teachers, and any other individual with access
to educational data to ensure compliance with the federal Family Educational Rights and
Privacy Act (FERPA) and to prevent any unauthorized access, disclosure, or misuse of
educational data, as defined in United States Code, title 20, section 1232g, and Code of
Federal Regulations, title 34, part 99.
new text end

new text begin Subd. 2. new text end

new text begin Best practices. new text end

new text begin Training sessions under subdivision 1 shall include discussion
and materials on FERPA best practices, which may include but are not limited to:
new text end

new text begin (1) maintaining awareness of relevant data privacy laws;
new text end

new text begin (2) maintaining awareness of all online educational services used in the district;
new text end

new text begin (3) maintaining policies to evaluate and approve online educational services;
new text end

new text begin (4) using written contracts governing the use of educational data;
new text end

new text begin (5) maintaining transparency with students and their parents or legal guardians; and
new text end

new text begin (6) considering when parental consent may be appropriate or required under applicable
law.
new text end