Bill Text: VA SB1111 | 2025 | Regular Session | Introduced


Bill Title: Public schools; student support services, student personal information and data security, report.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced) 2025-01-19 - Fiscal Impact Statement from Department of Planning and Budget (SB1111)


2025 SESSION

INTRODUCED

25104475D

SENATE BILL NO. 1111

Offered January 8, 2025

Prefiled January 7, 2025

A BILL to amend the Code of Virginia by adding in Article 5 of Chapter 14 of Title 22.1 a section numbered 22.1-289.01:1, relating to public schools; student support services; student personal information and data security; registration; requirements; grants; report.

—————

Patron—Williams Graves

—————

Referred to Committee on Education and Health

—————

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding in Article 5 of Chapter 14 of Title 22.1 a section numbered 22.1-289.01:1 as follows:

§ 22.1-289.01:1. Student support services; student support agencies; student personal information and data security; requirements.

A. As used in this section:

"Adaptive learning" means an instructional method using data-driven techniques and strategies to adjust and personalize learning experiences and instructional program implementation to meet individual student needs, better utilize available educational resources, and more effectively adapt to dynamic or unexpected situations in the educational environment.

"Aggregate data" means statistics composed of data collected from multiple sources relating to a variety of broad classes, groups, or properties such that the specific information of any individual within those broader classes, groups, or properties is indistinguishable for the purpose of creating a summary or overview of data that is representative of a larger group.

"Customized education" means a tailored approach to education programming that adapts instruction or the educational environment to improve equality in learning outcomes, address barriers to education within diverse contexts, and acknowledge needs and demands specific to the geographical region or specific demographics or groups.

"Personal profile" does not include account information that is collected and retained by a student support agency and remains under control of a student, parent, or elementary or secondary school.

"Secure data transfer" means a method of transmitting data, including personally identifiable information, through the use of certain technical and organizational measures and protocols, including data encryption and authentication, to ensure that the integrity and confidentiality of such data is not compromised during such transfer and is only accessible by authorized recipients and does not compromise the integrity or confidentiality of such data.

"Student personal information" means information collected through a student support program that identifies a currently or formerly enrolled individual student or is linked to information that identifies a currently or formerly enrolled student.

"Student support agency" means a nonprofit organization registered with the Commonwealth to provide certain student support programs to students enrolled in a public elementary or secondary school.

"Student support program" means a program administered for the purpose of providing direct services to at-risk students, including housing stabilization, case management, tutoring or instructional support, youth mentoring and development, or summer enrichment services.

"Targeted advertising" means advertising that is presented to a student and selected on the basis of information obtained or inferred over time from such student's online behavior, use of applications, or sharing of student personal information.

B. Each student support agency shall, in order to provide a student support program to students enrolled in a public elementary or secondary school, register with the Department. In order to register and maintain registration with the Department, each student support agency shall:

1. Provide at the time of registration and once every three years thereafter or upon request of the Department (i) documentation establishing the agency's nonprofit status; (ii) a copy of the agency's (a) privacy policy and procedures, (b) background check policy and procedures, and (c) mandated reporting policy and procedures; and (iii) a description of each student support program that such agency provides;

2. Agree to provide at least 30 days' notice to the Department prior to the cessation of providing any student support program to public school students in the Commonwealth;

3. Comply with the provisions of subsections D and E; and

4. Register with the Department in accordance with the provisions of subsection C.

C. The Department shall be responsible for administering and overseeing the registration of any student support agency, in accordance with the provisions of subsection B. In administering and overseeing the registration of any student support agency, the Department shall:

1. Develop a registration process;

2. Establish and maintain a registry of each registered student support agency;

3. Develop policies and procedures for the secure disposal of student personal information after the cessation of any registered student support agency's provision of student support programs to any student enrolled in public elementary or secondary school or upon such student's graduation or transfer from the school division;

4. Develop and implement compliance monitoring and enforcement mechanisms to ensure that each student support agency complies with the provisions of this section, any Department policies established in accordance with this section, and any other applicable state or federal law or regulation, including any policies and procedures necessary for the implementation and administration of the annual audit required pursuant to subsection I;

5. Develop a model memorandum of understanding and guidelines and policies for the implementation of such memorandum of understanding to facilitate and establish requirements and limitations relating to the exchange of student personal information between student support agencies and school boards in the Commonwealth. Such model memorandum of understanding shall:

a. Act as template for the memorandum of understanding that, pursuant to subdivision D 7, each student support agency shall enter into with the applicable school board of any public elementary or secondary school through which it seeks to provide any student support program;

b. Contain specific authorizations of the applicable school board relating to the transmission, collection, and use of student personal information by the student support agency; and

c. Require the signed consent of the parent of any student or, in the case of a student who is 18 years of age or older, any student who participates in student support programs to the transmission of student personal information between school boards and the student support agency and to the transmission, collection, and use of such specific student's personal information as authorized pursuant to this subdivision;

6. Develop and make available to each student support program upon registration standard consent forms and procedures to be used by such student support programs to obtain the necessary consent from the parent of any student or, in the case of a student who is 18 years of age or older, any student, in accordance with the provisions of this section;

7. Develop and make available to each school board and each student support program upon registration guidelines on recommended information and data security programs, systems, and protocols and best practices relating to information and data security;

8. Develop and implement policies and procedures for mediating any disputes or disagreements that may arise between a school board or public elementary or secondary school and any student support agency that operates a student support program in accordance with this section;

9. Develop and maintain in a publicly accessible webpage on the Department's website through which the parent of any student participating in any student support program in accordance with this section can access the annual compliance report submitted by each student support agency to the Department pursuant to subdivision D 13;

10. With such funds as are appropriated for such purpose, establish and administer a grant program through which any student support agency with an annual budget that does not exceed $500,000 shall be eligible to receive, upon application, a grant to be used to fund data security upgrades, training for staff, and third-party audits. Any moneys collected from fines imposed for violations of this section pursuant to subsection I shall be deposited into a fund dedicated to and used solely for the purpose of administering such grant program. The Department shall award grants on a competitive basis and prioritize grant awards to agencies that serve high-need populations or demonstrate significant financial need. The Department shall (i) review and select applications for award of a grant within 90 days of the date on which applications are submitted; (ii) develop any guidelines and policies deemed necessary or appropriate for the administration of such grant program; and (iii) annually submit to the Senate Committee on Education and Health and the House Committee on Education and post in a publicly accessible location on its website a report on the activities of the grant program for the preceding year detailing the number of grants awarded, total amount of grant funds awarded, and any measurable outcomes demonstrating the success of the grant program achieved by grant recipients; and

11. Collaborate with the Virginia Information Technologies Agency to develop and provide to any student support agency that operates a student support program in accordance with this section (i) free or reduced-price cybersecurity training; (ii) access to encryption tools, software, or programs; and (iii) templates for the privacy policies required pursuant to subdivision D 3 and compliance reports required pursuant to subdivision D 13.

D. Each student support agency that operates a student support program in accordance with this section shall:

1. Conform to the provisions of the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) (FERPA);

2. Annually notify the parent of each student or, in the case of a student who is 18 years of age or older, the student, of the student's rights under FERPA and the provisions of this section;

3. Maintain a privacy policy relating to the security of student personal information that may be collected by the student support agency and provide prompt and prominent notice of any changes or updates made to such privacy policy to the applicable school board and to the parents of each student or, in the case of a student who is 18 years of age or older, each student receiving any support services through any such student support program;

4. Provide clear and accessible information to the applicable school board, to be distributed to each student or the parent of each student, detailing (i) the types of student personal information the student support agency collects through the provision of any student support program, (ii) how it maintains and transmits any student personal information collected in a manner that ensures the security, integrity, and confidentiality of such information; (iii) the uses for which any student personal information is collected by the student support agency; and (iv) the student support agency's privacy policy relating to the security of student personal information;

5. Maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information and makes use of appropriate administrative, technological, and physical safeguards;

6. Establish policies and procedures for facilitating access to and correction of student personal information collected, maintained, used, or shared by a student support agency, either directly or through a student's school or teacher, by the parent of each student or, in the case of a student who is 18 years of age or older, each student receiving student support services through the applicable student support program;

7. Execute a memorandum of understanding, in accordance with the memorandum of understanding developed by the Department pursuant to subdivision C 5;

8. Collect, maintain, and use student personal information only (i) with the informed consent of the parent of each student or, in the case of a student who is 18 years of age or older, each student, receiving support services through the applicable student support program and (ii) for the purposes authorized pursuant to the memorandum of understanding executed in accordance with subdivision 7;

9. Require any successor nonprofit organization with which the student support agency shall exchange any student personal information to comply with the agency's privacy policies and procedures, the provisions of FERPA, and the provisions of this section;

10. Upon request of the parent of any student or, in the case of a student who is 18 years of age or older, any student securely dispose of all student personal information within 30 days of receiving the request;

11. Except as provided in subdivision 10, retain student personal information on behalf of each student from whom student personal information was collected pursuant to this section for three years after such student graduated, aged out of, transferred from, or otherwise left the applicable school division;

12. In the event that the student support agency closes without any successor nonprofit organization, provide for the secure data transfer of any student personal information collected pursuant to this section to the school board of the school division in which each such student is or was enrolled, to be retained by the school board as a part of the student's scholastic record in accordance with § 22.1-289; and

13. Annually submit to the Department a compliance report (i) detailing (a) basic security measures the student support agency took to ensure compliance with the provisions of this section for the immediately preceding school year and (b) any known security breaches or other relevant incidents and (ii) summarizing (a) Program participation and student and parent outcomes for the immediately preceding school year and (b) any program goals for the forthcoming school year.

E. No student support agency that operates a student support program in accordance with this section shall knowingly:

1. Use or share or permit any affiliated platform or partner organization to use or share any student personal information for the purpose of targeted advertising or for any other purpose that is not essential to the provision of student support programs or otherwise authorized or permitted by this section;

2. Use or share any student personal information to create a personal profile of any student other than for student support programs without the consent of the parent of the student or, in the case of a student who is 18 years of age or older, the student;

3. Transfer or transmit any student personal information except as provided by this section; or

4. Retain any student personal information in violation of the provisions of subsection B.

F. Nothing in this section shall be construed to prohibit any student support agency from:

1. Using student personal information for adaptive learning or customized education purposes;

2. Using student personal information for maintaining, developing, supporting, improving, or evaluating the applicable student support program;

3. Using aggregate data collected in whole or in part from student personal information collected through providing any student support program for assessing student population needs and student support program performance;

4. Providing recommendations to any student through a student support program relating to employment, education, or purposes relating to learning or postsecondary achievement provided that any such recommendations are not in whole or in part determined by or based on consideration from a third party;

5. Disclosing student personal information (i) as necessary to comply with applicable state or federal law or regulation; (ii) to protect against liability; or (iii) to protect the security or integrity of the applicable student support program; or

6. Disclosing student personal information for the purpose of coordinating student support services with a governmental entity, provided that the student support agency, pursuant to a contract with the governmental entity, (i) prohibits such governmental entity from using any such student personal information for any purpose other than providing a student support service through or on behalf of the student support agency; (ii) prohibits such governmental entity from disclosing to any third party any student personal information provided by the student support agency, except to the extent such disclosure is permitted by subdivision D 8; and (iii) requires the governmental entity to comply with the provisions of this section, any policies and procedures developed in accordance with this section, or any other applicable federal or state law or regulation.

G. Each school board that enters into a memorandum of standing with a student support agency to provide student support programs to students enrolled therein, pursuant to subdivision D 7, shall transmit any of the student personal information, as authorized by the memorandum of understanding, to the student support agency within one calendar week of the date on which the school board receives from the parent of such student or, in the case of a student who is 18 years of age or older, the student's signed consent to the memorandum of understanding, pursuant to subdivision C 5 c and, upon receiving any request for additional student personal information thereafter, within one calendar week of the date upon which any such request was received, provided that the transmission of any such requested student personal information is permitted in accordance with the provisions of this section. However, in any case designated by the Department as an exceptional case, such requirement shall be waived and the transmission of such student personal information may be delayed. Upon designating any case as an exceptional case, the Department shall notify the requesting party of the delay and provide in such notification a timeline for the transmission of such student personal information. The Department shall develop guidelines for determining whether a case should be designated as an exceptional case and for handling such exceptional cases.

H. Nothing in this section shall be construed to prohibit any school board from:

1. Establishing policies and procedures relating to the protection of student personal information that are more comprehensive than those required by the provisions of this section;

2. Requesting or receiving student personal information from any student support agency with which it has a memorandum of understanding, pursuant to subdivision D 7, for the purpose of coordinating any applicable student support programs; or

3. Establishing a regional collaboration network with one or more school board that governs a contiguous school division and one or more student support agency providing any student support programs pursuant to this section for the purpose of facilitating resource sharing, providing compliance assistance, and collaborating to improve the efficiency and reduce the cost of delivering any such student support programs.

I. The Department shall annually conduct an audit of at least five percent of the student support agencies registered pursuant to this section to ensure compliance with the provisions of this section. In conducting such annual audit, the Department shall prioritize those registered student support agencies that (i) handle large volumes of student personal information or (ii) have previous documented violations of the provision of this section. Any student support agency that fails such audit (a) shall have no more than 60 days to implement corrective actions and (b) may face a fine of up to $10,000 for a first-time violation and up to $50,000 for subsequent violations. The Department may remove a student support agency from the registry that, either through the Department's annual audit or otherwise, is found in violation of the provisions of this section in a manner which, in the Department's discretion, involved a substantial and unreasonable risk to student personal information. Upon removal from the registry, any such student support agency shall immediately cease the provision of any student support programs to any students enrolled in the applicable school division and shall dispose of any student personal information in accordance with the provisions of this section. Any such student support agency may reapply to register with the Department provided that (i) at least one year has passed since such student's support agency's removal from the registry in accordance with this section and (ii) such student support agency includes in its application verification that it has resolved the situation resulting in the violation that resulted in its removal from the registry and detail its plans for preventing any subsequent violation.

J. In the case of any data breach or unauthorized disclosure of any student personal information transmitted or collected by a student support agency in accordance with this section, such student support agency shall take immediate corrective action and promptly provide notice to the parent of each student or, in the case of a student who is 18 years of age or older, each student who was affected by such breach or unauthorized disclosure and to the applicable school board. Such notice shall be made (i) in writing to the residence of each such student or to the school board which, upon receipt of such notice, shall provide the notice directly to the student or his parent; (ii) by telephone; (iii) through e-mail; or (iv) upon demonstration by the student support agency that providing notice pursuant to clauses (i), (ii), or (iii) would be unduly burdensome due to cost or inability to obtain the requisite contact information for each affected individual in a reasonable amount of time, substitute notice by posting such notice conspicuously on the website of the student support agency and providing it to any major local and state news media.

K. No school board or public elementary or secondary school shall be liable for any civil damages for any acts or omissions resulting from any student support agency's noncompliance with the provisions of this section.

2. That the Department of Education shall (i) by the beginning of the 2026–2027 school year, develop and fully implement the registry of student support agencies, required pursuant to subdivision C 3 of § 22.1-289.01:1 of the Code of Virginia, as created by this act, and shall develop and make available to each school board the model memorandum of understanding, required pursuant to subdivision C 5 of § 22.1-289.01:1 of the Code of Virginia, as created by this act; (ii) by the beginning of the 2027–2028 school year, begin administering the grant program in accordance with subdivision C 10 of § 22.1-289.01:1 of the Code of Virginia, as created by this act, and collaborating with the Virginia Information Technologies Agency to develop and provide the cybersecurity tools, software, programs, and training in accordance with subdivision C 11 of § 22.1-289.01:1 of the Code of Virginia, as created by this act; and (iii) by the beginning of the 2028–2029 school year, conduct the first annual audit of any registered student support agencies in accordance with subsection I of § 22.1-289.01:1 of the Code of Virginia, as created by this act.
