How Is This Bill Enforced
Verbatim statutory text for each subsection, followed by plain-language analysis.
(a) The department shall develop, in consultation with the Office of Information Technology, and update regularly, but no less than annually, a model data security plan for the protection of student data held by a school entity.
(b) The model student data security plan shall include:
(1) Guidelines for access to student data and student data systems, including guidelines for authentication of authorized access.
(2) Privacy compliance standards.
(3) Privacy and security audits.
(4) Procedures to follow in the event of a breach of student data.
(5) Data retention and disposition policies.
Subsections (a) and (b) impose the bill's core mandate on the Department of Education: it must develop and maintain a model data security plan for student data held by school entities, updating it at least annually. The plan must address five enumerated components — access and authentication guidelines, privacy compliance standards, privacy and security audits, breach response procedures, and data retention and disposition policies. This is a government-directed planning obligation; it does not directly regulate school entities or private vendors.
(c) The model plan and any updates shall be made available to all school entities.
Subsection (c) requires the Department to make the model plan and all updates available to all school entities. This is a distribution obligation on the Department — it does not require school entities to adopt or implement the plan.
(d) The department shall designate a chief data security officer, with any State money as made available, to assist a school entity, upon request, with the development and implementation of a student data security plan and to develop best practice recommendations regarding the use, retention and protection of student data.
Subsection (d) requires the Department to designate a chief data security officer to assist school entities, upon request, with developing and implementing student data security plans and to develop best practice recommendations for student data use, retention, and protection. Funding is contingent on state money being made available.
(e) The department shall convene a working group to assist with the development of initial instructions, procedures, services, security assessments, best practices and security measures required by this section for the development of a model student data security plan. The working group shall include the Secretary of Education, the chief information officer, representatives from school entities across this Commonwealth and other parties deemed necessary by the department.
Subsection (e) requires the Department to convene a working group to develop initial instructions, procedures, services, security assessments, best practices, and security measures for the model student data security plan. Membership must include the Secretary of Education, the chief information officer, representatives from school entities across Pennsylvania, and other parties the Department deems necessary.
(f) The working group shall compile a report on or before December 1, 2026, on the cost of developing and implementing a model student data security plan. The working group shall submit the report to the chair and minority chair of the Appropriations Committee of the Senate, the chair and minority chair of the Appropriations Committee of the House of Representatives, the chair and minority chair of the Education Committee of the Senate and the chair and minority chair of the Education Committee of the House of Representatives.
Subsection (f) requires the working group to compile and submit a report on the cost of developing and implementing a model student data security plan to the chairs and minority chairs of the Senate and House Appropriations and Education Committees by December 1, 2026.
(g) As used in this section, the following words and phrases shall have the meanings given to them in this subsection unless the context clearly indicates otherwise:
"Department." The Department of Education of the Commonwealth.
"Personally identifiable information." The term includes, but is not limited to:
(1) The student's name.
(2) The name of the student's parent or other family members.
(3) The address of the student or student's family.
(4) A personal identifier, such as the student's Social Security number, student number or biometric record.
(5) Other indirect identifiers, such as the student's date of birth, place of birth and mother's maiden name.
(6) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.
(7) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
"School entity." A school district, intermediate unit, area career and technical school, charter school, cyber charter school or regional charter school.
"Student data." Personally identifiable information from student records of a school entity.
Subsection (g) defines the key terms used throughout Section 135: Department (the Department of Education), personally identifiable information (an expansive, non-exhaustive list including names, addresses, identifiers, biometric records, and linkable information), school entity (school districts, intermediate units, area career and technical schools, charter schools, cyber charter schools, and regional charter schools), and student data (personally identifiable information from school entity student records).
This act shall take effect in 60 days.
Section 2 provides that the act takes effect 60 days after enactment. No specific effective date can be computed until the bill is signed into law.