2017 - 2018 LEGISLATURE
February 17, 2017 - Introduced by
Joint Legislative Council. Referred to
Committee on Education.
1An Act to create
115.285 of the statutes; relating to: responsibilities of state
2superintendent related to privacy and security of pupil data.
Analysis by the Legislative Reference Bureau
This bill is explained in the Notes provided by the Joint Legislative Council in
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
Joint Legislative Council Prefatory note: This bill was prepared for the Joint
Legislative Council Study Committee on School Data. The bill establishes duties of the
State Superintendent regarding privacy and security of pupil data. The bill requires the
Superintendent to provide guidance and training to school districts and schools in
implementing and administering a data privacy and security plan and in complying with
state and federal laws governing privacy and security of pupil data, including parental
complaint procedures and other provisions of the federal Family Educational Rights and
Privacy Act and the Wisconsin Pupil Records Law. The bill also requires the
Superintendent to take certain steps to engage with members of the public and
governmental officials regarding data privacy and security issues.
115.285 of the statutes is created to read:
4115.285 Privacy of pupil data. (1) Definition
. In this section:
(a) “Parental choice program” means either or both of the programs under ss. 2
118.60 and 119.23.
(b) “Pupil data” means all of the following:
1. Information contained in education records, as defined in 34 CFR 99.3
2. Information contained in pupil records, as defined in s. 118.125 (1) (d).
6(2) Compliance with laws governing privacy of pupil data.
The state 7
superintendent shall provide guidance and training to school districts and charter 8
schools in complying with state and federal privacy or security laws, including 9
parental complaint procedures and other provisions of the federal Family 10
Educational Rights and Privacy Act, 20 USC 1232g
, and s. 118.125. To the extent 11
private schools participating in a parental choice program are required to comply 12
with these state and federal privacy and security laws, the state superintendent 13
shall provide the same guidance and training to these private schools.
14(3) Data privacy and security plan
. (a) The state superintendent shall work 15
in collaboration with the department of administration to develop all of the following:
1. A data privacy and security plan for the protection of pupil data collected by 17
the department. The state superintendent shall administer the plan prepared under 18
2. A model data privacy and security plan for the protection of pupil data 20
collected or maintained by a school, school district, charter school, or private school 21
participating in a parental choice program. The state superintendent shall provide 22
guidance on the implementation and administration of a data privacy and security 23
plan to the extent that the department has expertise.
(b) The state superintendent shall include all of the following in each plan 2
required under this subsection:
1. Guidelines for access to pupil data and to the student information system 4
under s. 115.383 and the longitudinal data system of student information under s. 5
115.297, including guidelines for authentication of individuals authorized to access 6
pupil data and these pupil data systems.
2. Procedures for data privacy and security audits.
3. Procedures to ensure that incidents involving the unauthorized disclosure 9
of pupil data are reported to relevant stakeholders, investigated, and mitigated, as 10
4. Data security training protocols and policies, including technical, physical, 12
and administrative safeguards against unauthorized access or disclosure.
5. Data retention and disposition policies.
6. A process for evaluating and updating the data privacy and security plan on 15
at least an annual basis.
16(4) Stakeholder engagement
. The state superintendent shall engage with 17
members of the public and governmental officials regarding the quality, usefulness, 18
openness, privacy, and security of pupil data. In collaboration with cooperative 19
educational service agencies and other relevant stakeholders, the state 20
superintendent shall develop and promote best practices regarding the quality, 21
usefulness, openness, privacy, and security of pupil data.