Kentucky Administrative Regulations
Title 702 - EDUCATION AND WORKFORCE DEVELOPMENT CABINET - BOARD OF EDUCATION, DEPARTMENT OF EDUCATION - OFFICE OF DISTRICT SUPPORT SERVICES
Chapter 1 - General Administration
Section 702 KAR 1:170 - School district data security and breach procedures
Current through Register Vol. 51, No. 3, September 1, 2024
RELATES TO: KRS 61.931, 61.932, 61.933
NECESSITY, FUNCTION, AND CONFORMITY: KRS 156.070 authorizes the Kentucky Board of Education (KBE) to promulgate administrative regulations necessary for the efficient management, control, and operation of the schools and programs under its jurisdiction. KRS 61.932(1)(b) specifically requires the KBE to promulgate administrative regulations establishing requirements and standards for the reasonable security and breach investigation procedures and practices established and implemented by public school districts. This administrative regulation establishes the requirements and standards for school district reasonable security and breach investigation procedures and practices.
Section 1. Definitions.
Section 2. Best Practice Guide for School District Personal Information Reasonable Security. The department shall at least annually provide school districts best practice guidance for personal information reasonable security. The current department guidance is provided in the Data Security and Breach Notification Best Practice Guide, which is incorporated by reference into this administrative regulation. School districts shall not be required to adopt the security practices included in this guidance.
Section 3. Annual Public School District Acknowledgement of Best Practices. Each public school district shall review and consider, in light of the needs of reasonable security, the most recent best practice guidance, including the Data Security and Breach Notification Best Practice Guide, for personal information reasonable security. Each public school district shall acknowledge to its own local board during a public board meeting prior to August 31 of each year, that the district has reviewed this guidance and implemented the best practices that meet the needs of personal information reasonable security in that district.
Section 4. Annual Department Acknowledgement of Best Practices. The department shall review and consider, in light of the needs of reasonable security, the most recent best practice guidance for personal information reasonable security. The department shall acknowledge to the KBE, by August 31 of each year, that the department has reviewed this guidance and implemented the best practices that meet the needs of personal information reasonable security for the department.
Section 5. Data Breach Notification to the Department. Any public school district that determines or is notified of a security breach relating to personal information collected, maintained, or stored by the school district or by a nonaffiliated third party on behalf of the school district shall provide the notification of the security breach to the department required by KRS 61.933, pursuant to the procedure included in the Data Security and Breach Notification Best Practice Guide.
Section 6. Incorporation by Reference.
STATUTORY AUTHORITY: KRS 61.932(1)(b), 156.070
