
PA SB378

In preliminary provisions, providing for student data privacy and protection; conferring powers and imposing duties on the Department of Education; and imposing penalties.



Introduced
02/26/2025
In Committee
02/26/2025
Crossed Over
Passed
Dead

Introduced Session

2025-2026 Regular Session

Bill Summary

Amending Title 24 (Education) of the Pennsylvania Consolidated Statutes, in preliminary provisions, providing for student data privacy and protection; conferring powers and imposing duties on the Department of Education; and imposing penalties.

AI Summary

This bill establishes new provisions for student data privacy and protection within Pennsylvania's education system, outlining powers and duties for the Department of Education and imposing penalties for violations. It mandates that only essential student data be collected, that the data be safeguarded, and that student and parent privacy rights be honored. The bill defines key terms such as "student data," which includes a wide range of personal and academic information, and "educational entity," encompassing public schools, charter schools, and career and technical schools. It designates a Chief Data Privacy Officer within the Department of Education to oversee policy, develop model privacy plans, and investigate compliance. Educational entities are required to adopt security policies, designate a student data manager, and create data governance plans. The bill clarifies data ownership, giving students the right to their own data, and requires annual written notices to parents and students about data disclosure conditions. It restricts the disclosure of student data unless authorized in writing, required by law, necessary for emergencies, or ordered by a court, and prohibits selling student data for financial gain. The bill also addresses the collection and use of biometric identifiers, prohibits targeted marketing using student data except for educational purposes, and grants students and parents the right to review and correct educational records. Third parties contracting with educational entities must adhere to strict data usage, security, and notification requirements, including reporting data breaches within 24 hours. Penalties for non-compliance include civil and administrative fines, with a maximum of $1,000,000 annually for administrative penalties.

Committee Categories

Education

Sponsors (8)

Last Action

First consideration (on 03/23/2026)
