The department of education shall:

(1) Create, publish and make publicly available a data inventory and dictionary or index of data elements with definitions of individual student data fields currently in the student data system along with the purpose or reason for inclusion in the data system;

Terms Used In Tennessee Code 49-1-703

  • Aggregate data: means data collected or reported at the group, cohort or institutional level. See Tennessee Code 49-1-702
  • Contract: A legal written agreement that becomes binding when signed.
  • Data system: means the body of student data collected by the department of education. See Tennessee Code 49-1-702
  • De-identified data: means a student dataset in which parent and student identifying information, including the personal identification number, has been removed. See Tennessee Code 49-1-702
  • Department: means the department of education. See Tennessee Code 49-1-702
  • FERPA: means the federal Family Educational Rights and Privacy Act (20 U. See Tennessee Code 49-1-702
  • Record: means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form. See Tennessee Code 1-3-105
  • State: when applied to the different parts of the United States, includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105
  • State board: means the state board of education. See Tennessee Code 49-1-702
  • Student data: includes:
    (i) State and national assessment results, including information on untested public school students. See Tennessee Code 49-1-702
  • Subpoena: A command to a witness to appear and give testimony.
  • Teacher data: means personal summative and evaluation scores, the access to which is limited to the department, LEA administrators, local boards of education or those with direct supervisory authority who require such access to perform their assigned duties. See Tennessee Code 49-1-702
  • United States: includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105
  • Year: means a calendar year, unless otherwise expressed. See Tennessee Code 1-3-105

(2) Develop, publish and make publicly available policies and procedures to comply with FERPA, § 10-7-504 and other relevant privacy laws and policies. These policies and procedures shall, at a minimum, require that:

(A) Access to student and de-identified data in the student data system is restricted to:

(i) The authorized staff of the department and the department’s contractors who require access to perform their assigned duties;
(ii) LEA administrators, teachers, school personnel and the LEA’s contractors who require access to perform their assigned duties;
(iii) Students and their parents; provided, however, that a student or the student’s parents may only access the student’s individual data;
(iv) The authorized staff of other state agencies as permitted by law; provided, however, that within sixty (60) days of providing such access, the department shall provide notice of the release to the state board, the education committee of the senate, and the education administration committee of the house of representatives, and post such notice on the department’s website;
(v) Parties conducting research for or on behalf of the department or an LEA; provided, that such access is granted in compliance with FERPA and other relevant state and federal privacy laws and policies and that the department shall provide notice of the release to the state board, the education committee of the senate, and the education administration committee of the house of representatives, and post such notice on the department’s website;
(vi) Appropriate entities in compliance with a lawfully issued subpoena or court order; or
(vii) Appropriate officials in connection with an interagency audit or evaluation of a federal or state supported education program;
(B) The department uses only aggregate data in public reports or in response to public record requests in accordance with subdivision (3);
(C)

(i) The commissioner develops criteria for the approval of research and data requests from state and local agencies, the general assembly, researchers and the public; provided, however, that:

(a) Unless otherwise approved by the state board or permitted in this part, student data maintained by the department shall remain confidential; and
(b) Unless otherwise permitted in this part or approved by the state board to release student or de-identified data in specific instances, the department may only use aggregate data in the release of data in response to research and data requests;
(ii) Unless otherwise approved in this part or by the state board, the department shall not transfer student or de-identified data deemed confidential under subdivision (2)(C)(i)(a) to any federal agency or other organization or entity outside the state, except when:

(a) A student transfers out of state or an LEA seeks help with locating an out-of-state transfer;
(b) A student leaves the state to attend an out-of-state institution of higher education or training program;
(c) A student registers for or takes a national or multistate assessment;
(d) A student voluntarily participates in a program for which such data transfer is a condition or requirement of participation;
(e) The department enters into a contract that governs databases, assessments, special education or instructional supports with an out-of-state vendor; or
(f) A student is classified as “migrant” for federal reporting purposes; and
(D) Students and parents are notified of their rights under federal and state law;
(3) Develop a detailed data security plan that includes:

(A) Guidelines for authorizing access to the teacher data system and to individual teacher data including guidelines for authentication of authorized access;
(B) Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;
(C) Privacy compliance standards;
(D) Privacy and security audits;
(E) Breach planning, notification and procedures; and
(F) Data retention and disposition policies;
(4) Ensure routine and ongoing compliance by the department with FERPA, § 10-7-504, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this part, including the performance of compliance audits;
(5) Ensure that any contracts that govern databases, assessments or instructional supports that include student or de-identified data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance; and
(6) Notify the governor and the general assembly within sixty (60) days of the following:

(A) Any new student data fields included in the state student data system;
(B) Changes to existing data collections required for any reason, including changes to federal reporting requirements made by the United States department of education;
(C) Any exceptions granted by the state board in the past year regarding the release or out-of-state transfer of student or de-identified data accompanied by an explanation of each exception; and
(D) The results of any and all privacy compliance and security audits completed in the past year. Notifications regarding privacy compliance and security audits shall not include any information that would itself pose a security threat to the state or local student information systems or to the secure transmission of data between state and local systems by exposing vulnerabilities.