TITLE 6 PRIMARY
AND SECONDARY EDUCATION
CHAPTER 19 PUBLIC
SCHOOL ACCOUNTABILITY
PART 5 STUDENT
IDENTIFICATION SYSTEM AND ACCOUNTABILITY DATA SYSTEM:
SECURITY MEASURES
6.19.5.1 ISSUING AGENCY: Public Education Department
[6.19.5.1 NMAC - N, 12-30-04]
6.19.5.2 SCOPE: This rule applies to all school districts and public schools, including charter schools.
[6.19.5.2 NMAC - N, 12-30-04]
6.19.5.3 STATUTORY AUTHORITY: Paragraph (1) of Subsection B of Section 22-2-1, Paragraph (1) of Subsection A of Section 22-2C-11, and Subsection I of Section 22-2C-11 NMSA 1978
[6.19.5.3 NMAC - N, 12-30-04]
6.19.5.4 DURATION: Permanent
[6.19.5.4 NMAC - N, 12-30-04]
6.19.5.5 EFFECTIVE DATE: December 30, 2004, unless a later date is cited at the end of a section.
[6.19.5.5 NMAC - N, 12-30-04]
6.19.5.6 OBJECTIVE: The rule establishes security measures that shall be adhered to in the implementation of the system designed to address the requirement that the public education department issue a state identification number for each public school student for use in the accountability data system.
[6.19.5.6 NMAC - N, 12-30-04]
6.19.5.7 DEFINITIONS:
A. “Accountability data system (“ADS”)” means that system through which data from each public school and each school district is compiled and reviewed.
B. “Accountability data system coordinator (“ADS coordinator”)” means that employee designated by the public education department (“PED”) as the point of contact for the implementation of ADS.
C. “FERPA” means the Family Educational Rights and Privacy Act of 1974, codified at 20 United States Code 1232g, and the implementing regulations at 34 Code of Federal Regulations Part 99.
D. “Need to know” means the determination made by the local school district superintendent or charter school administrator that an employee granted access to the student identification system in the performance of the employee’s official duties has a legitimate educational reason for accessing individual student records. This determination must be made subsequent to the beginning of each school year.
E. “Student identification number” means that unique and consistent number assigned to each student enrolled in the New Mexico public school system for whom data is reported to the accountability data system.
F. “Student information system” means that collective system designed and implemented by a local school district or charter school to record individual student information.
[6.19.5.7 NMAC - N, 12-30-04]
6.19.5.8 SECURITY MEASURES: LOCAL SCHOOL DISTRICT AND CHARTER SCHOOL
REQUIREMENTS:
A. Each local school board and each charter school must develop and implement a student information system security policy that addresses the following minimum components:
(1) establishes requirements for the issuance of passwords to ensure system integrity (for example, the policy may specify the number of characters to be used, require that at least three (3) different types of characters be used, and preclude the use of spaces);
(2) requires the use of password protected screensavers with time-out;
(3) prohibits sharing of passwords;
(4) establishes an internal system for tracking and identifying individuals with access to the student identification system, the type of access authorized, and the date, time, and location of any access; and
(5) ensures that access is immediately terminated upon cessation of an individual’s authority for access.
B. Each local school board and each charter school shall regularly review and, as appropriate, revise its student information system security policy.
C. The local school district or charter school may not use the student identification number on student identification cards or display or utilize the student identification number within any other identification system that is not part of the student identification system.
D. Local school district superintendents and charter school administrators shall inform employees to whom access to the student identification system is approved of the requirements of FERPA and the implementing regulations to FERPA. If the local school district superintendent or charter school administrator has reason to believe that the requirements of FERPA have not been adhered to by an employee having access to the student identification system, the superintendent or administrator shall immediately cancel the individual’s access authorization.
E. Breach of security: The local superintendent or administrator of a charter school shall immediately notify the PED’s ADS coordinator if the superintendent or administrator has reason to believe that a breach of security has occurred with respect to the student identification system.
[6.19.5.8 NMAC - N, 12-30-04]
6.19.5.9 SECURITY MEASURES: PUBLIC EDUCATION DEPARTMENT:
A. The PED shall, at least annually, assess and strengthen as appropriate the system designed to prevent unauthorized access to the student identification system.
B. The PED shall install and utilize appropriate intrusion detection systems to collect information from a variety of vantage points within its computer systems and networks and analyze this information for symptoms of security breaches.
C. The PED shall, on an annual basis, delete all user identification numbers and passwords, subject to the following:
(1) The PED shall inform local school superintendents and administrators of charter schools at least twenty (20) days in advance of the deletion date.
(2) The PED shall inform local school district superintendents and administrators of charter schools of the procedures and timelines for reactivating user identification numbers and passwords.
[6.19.5.9 NMAC - N, 12-30-04]
History of 6.19.5 NMAC: [Reserved]