The Department, in consultation with the Department of Information Technology and county boards, shall develop and update best practices for county boards to:
(1) Manage and maintain data privacy and security practices in the processing of student data and personally identifiable information across the county board’s information technology and records management systems;
(2) Develop and implement:
(i) A data privacy and security incident response plan;
(ii) A breach notification plan; and
(iii) Procedures and requirements for allowing access to student data and personally identifiable information for a legitimate research purpose; and
(3) Publish information annually on:
(i) Types of student data and personally identifiable information processed by the county board, the protocols for processing student data, and the rationales for selecting processing protocols;
(ii) Contracted services that involve sharing student data between a county board and a school service contract provider; and
(iii) Procedures and rationales for vetting and selecting Internet sites, services, and applications.