Data Privacy and Security

State of Oklahoma Information Security Policy, Procedures, Guidelines (PDF)
The contents of this document include the minimum Information Security Policy, as well as procedures, guidelines and best practices for the protection of the information assets of the State of Oklahoma (State). The Policy, as well as the procedures, guidelines and best practices apply to all state agencies. As such, they apply equally to all State employees, contractors or any entity that deals with State information.

Parent and Student Rights Under State and Federal Student Privacy Laws Governing Student Educational Records and Student Data

Download PDF version here

I.    The Student Data Accessibility, Transparency and Accountability Act of 2013 (70 O.S. § 3-168)

Although the State Department of Education does not maintain student educational records (student educational records are maintained by public schools and school districts), the State Department of Education collects data from public schools and schools districts on individual students for a variety of purposes, including, but not limited to, compliance with federal and state laws and regulations pertaining to accountability for student learning and expenditures of public funds. 

The Student Data Accessibility, Transparency and Accountability Act of 2013 establishes limitations on who can access data of individual public school students in the State Department of Education student data system and certain requirements for the State Board of Education to report the types of student data collected from public schools in the student data system.  Those requirements are:

1. The State Board of Education has created and published an inventory of elements of student data collected in the student data system that includes:

• A list of types of data collected for each individual public school student by the State Department of Education for the purpose of meeting reporting requirements of federal or state law;
• A list of types of data collected for each individual public school student that the State Department of Education proposes for addition to the student data system with a statement regarding the purpose or reason for the proposed collection; and
• A list of types of data collected for each individual public school student that the State Department of Education collects with no current purpose or reason. 

2. Access to data of individual students in the State Department of Education student data system is restricted to the following individuals/entities:

• The authorized staff of the State Department of Education and the Department's contractors who require such access to perform their assigned duties, including staff and contractors from the Information Services Division of the Office of Management and Enterprise Services assigned to the Department;
• District administrators, teachers and school personnel who require such access to perform their assigned duties;
• Students and their parents, and
• The authorized staff of other state agencies in Oklahoma as required by law and/or defined by interagency data-sharing agreements.

3. Data of individual students is confidential, and absent approval of the State Board of Education, the State Department of Education may only release data if the data has been aggregated and otherwise complies with the provisions of The Family Educational Rights and Privacy Act (FERPA).

4. The State Department of Education has developed a detailed data security plan that includes:

• Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;
• Privacy compliance standards;
• Privacy and security audits;
• Breach planning, notification and procedures, and
• Data retention and disposition policies.

5. The State Department of Education must ensure routine and ongoing compliance by the State Department of Education with FERPA, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this act, including the performance of compliance audits.

II.  The Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are 18 years of age or older ("eligible students") certain rights with respect to the student's education records that are maintained by the local school district. These rights are:

1. The right to inspect and review the student's education records within 45 days after the day the student's school receives a request for access.

Parents or eligible students should submit a written request to the school principal (or the official designated by the school for purposes of processing FERPA requests) that identifies the records they wish to inspect. The school official will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected.

2. The right to request the amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

Parents or eligible students who wish to ask the student's school to amend a record should write the school principal (or other official designated by the school), clearly identify the part of the record they want changed, and specify why it should be changed. If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.

3. The right to provide written consent before the school discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.

One exception, which permits disclosure without consent, is disclosure to school officials with legitimate educational interests. A school official is a person employed by the school as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board. A school official also may include a volunteer or contractor outside of the school who performs an institutional service of function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of PII from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.

Upon request, the student's school may disclose education records without consent to officials of another school district in which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes of the student’s enrollment or transfer. FERPA requires a school district to make a reasonable attempt to notify the parent or student of the records request unless it states in its annual notification that it intends to forward records on request.

FERPA permits the disclosure of PII from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in §99.31 of the FERPA regulations. Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student, §99.32 of the FERPA regulations requires the school to record the disclosure. Parents and eligible students have a right to inspect and review the record of disclosures. A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student in the following circumstances:

• To other school officials, including teachers, within the educational agency or institution whom the school has determined to have legitimate educational interests. This includes contractors, consultants, volunteers, or other parties to whom the school has outsourced institutional services or functions, provided that the conditions listed in §99.31(a)(1)(i)(B)(1) - (a)(1)(i)(B)(2) are met. (§99.31(a)(1))

• To officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer, subject to the requirements of §99.34. (§99.31(a)(2))

• To authorized representatives of the U. S. Comptroller General, the U. S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as the State educational agency in the parent or eligible student’s State (SEA). Disclosures under this provision may be made, subject to the requirements of §99.35, in connection with an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs. These entities may make further disclosures of PII to outside entities that are designated by them as their authorized representatives to conduct any audit, evaluation, or enforcement or compliance activity on their behalf. (§§99.31(a)(3) and 99.35)

• In connection with financial aid for which the student has applied or which the student has received, if the information is necessary to determine eligibility for the aid, determine the amount of the aid, determine the conditions of the aid, or enforce the terms and conditions of the aid. (§99.31(a)(4))

• To State and local officials or authorities to whom information is specifically allowed to be reported or disclosed by a State statute that concerns the juvenile justice system and the system’s ability to effectively serve, prior to adjudication, the student whose records were released, subject to §99.38. (§99.31(a)(5))

• To organizations conducting studies for, or on behalf of, the school, in order to: (a) develop, validate, or administer predictive tests; (b) administer student aid programs; or (c) improve instruction. (§99.31(a)(6))

• To accrediting organizations to carry out their accrediting functions. (§99.31(a)(7))

• To parents of an eligible student if the student is a dependent for IRS tax purposes. (§99.31(a)(8))

• To comply with a judicial order or lawfully issued subpoena. (§99.31(a)(9))

• To appropriate officials in connection with a health or safety emergency, subject to §99.36. (§99.31(a)(10)

• Information the school has designated as “directory information” under §99.37. (§99.31(a)(11))

4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the [School] to comply with the requirements of FERPA.

The name and address of the Office that administers FERPA are:

    Family Policy Compliance Office
    U.S. Department of Education
    400 Maryland Avenue, SW
    Washington, DC 20202