2021 Tennessee Code
Part 7 - Data Accessibility, Transparency and Accountability Act
§ 49-1-703. Duties of Board

The state board of education shall:
Unless otherwise approved in this part or by the state board, the department shall not transfer student or de-identified data deemed confidential under subdivision (2)(C)(i)(a) to any federal agency or other organization or entity outside the state, except when:
A student transfers out of state or an LEA seeks help with locating an out-of-state transfer;
A student leaves the state to attend an out-of-state institution of higher education or training program;
Students and parents are notified of their rights under federal and state law;
Develop a detailed data security plan that includes:
Guidelines for authorizing access to the teacher data system and to individual teacher data including guidelines for authentication of authorized access;
Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;
Privacy compliance standards;
Privacy and security audits;
Breach planning, notification and procedures; and
Data retention and disposition policies;
Ensure routine and ongoing compliance by the department with FERPA, § 10-7-504, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this part, including the performance of compliance audits;
Ensure that any contracts that govern databases, assessments or instructional supports that include student or de-identified data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance; and
Notify the governor and the general assembly within sixty (60) days of the following:
Any new student data fields included in the state student data system;
Changes to existing data collections required for any reason, including changes to federal reporting requirements made by the United States department of education;
Any exceptions granted by the state board in the past year regarding the release or out-of-state transfer of student or de-identified data accompanied by an explanation of each exception; and
The results of any and all privacy compliance and security audits completed in the past year. Notifications regarding privacy compliance and security audits shall not include any information that would itself pose a security threat to the state or local student information systems or to the secure transmission of data between state and local systems by exposing vulnerabilities.