All About

Why North Carolina's Student Data Privacy Act Matters for Your School

All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5) is a critical compliance obligation for K-12 IT Directors in North Carolina. This statute establishes specific security requirements to protect personally identifiable student information (PII).

Quick Overview of G.S. 115C-402.5:

• What it does: Sets security requirements for the state's student data system.
• Who must comply: The State Board of Education, Department of Public Instruction, local school districts, and their vendors.
• Key requirements: A comprehensive data security plan, strict access controls, a public data inventory, and robust vendor contracts.
• Prohibited data: Collection of biometric information, political affiliation, religion, and voting history is forbidden.
• Penalties: Non-compliant vendors face penalties, while schools risk legal liability and loss of federal funding.

Enacted in 2014, G.S. 115C-402.5 goes beyond the federal baseline set by FERPA by mandating specific technical safeguards and prohibiting certain data collection. For IT Directors, this requires a comprehensive data security plan that includes employee training, breach notification procedures, data encryption, and strict vendor management.

The stakes are high, as schools store sensitive data like social security numbers, health records, and academic performance. A breach can lead to identity theft for students and significant financial and reputational damage for a district. Understanding and implementing G.S. 115C-402.5 is essential for protecting students, maintaining funding, and building trust with your community.

All About North Carolina’s Student Data Privacy Act (G.S. 115C-402.5) glossary:

• All About Florida’s Student Data Privacy Act (FS 1002.222)
• All About Georgia’s Student Data Privacy, Accessibility, and Transparency Act
• Iowa Student Data Privacy Act

All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5): Core Requirements

To manage student data in North Carolina, you must understand what All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5) requires. This law creates clear rules for how the State Board of Education, the Department of Public Instruction, and local school districts must safeguard student information, focusing on transparency, accessibility, and accountability.

What Data is Protected vs. Prohibited?

G.S. 115C-402.5 protects Personally Identifiable Student Data (PII), which is any information that could identify a specific student. This includes obvious identifiers like a name or Social Security number, as well as indirect identifiers like a date of birth or mother's maiden name. The law uses a "reasonable person" standard: if someone in the community could identify a student from the data, it's considered PII.

Directory information (e.g., name, participation in activities, awards) is an exception and can be shared publicly. However, if a parent opts out of this disclosure, that information becomes protected PII for their child.

The law explicitly prohibits collecting four types of data in the student data system:

• Biometric information (fingerprints, retina scans)
• Political affiliation
• Religious affiliation
• Voting history

Key Definitions in the Act

• Student Data System: The central information management platform used by the State Board of Education and Department of Public Instruction.
• Aggregate Student Data: Information compiled in a way that prevents identifying individual students (e.g., school-wide test pass rates).
• De-identified Student Data: Data where all PII has been removed, so it cannot be traced back to a specific student.
• Family Educational Rights and Privacy Act (FERPA): The federal privacy law that G.S. 115C-402.5 builds upon. It grants parents rights to access and control their child's education records.
• Personally Identifiable Information (PII): The umbrella term for any data that can identify a student, triggering all protection requirements.

Data Security Plans Under All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5)

G.S. 115C-402.5 mandates a comprehensive, written data security plan. The State Board of Education develops this plan, and local districts must align their practices. Key components include:

• Access Authorization Guidelines: Clear procedures for who can access student data, under what circumstances, and how access is granted and revoked.
• Privacy Compliance Standards: Benchmarks to ensure all practices align with state and federal laws like FERPA and G.S. 115C-402.5.
• Privacy and Security Audits: Mandatory, regular reviews by independent parties to identify and fix vulnerabilities.
• Breach Planning and Notification: A detailed strategy for detecting, containing, and investigating a breach, as well as notifying affected individuals per North Carolina's Identity Theft Protection Act.
• Data Retention and Disposition Policies: Rules for how long student data is kept and how it is securely destroyed when no longer needed.
• Data Security Policies: Technical and human safeguards, including data encryption (at rest and in transit), firewalls, and physical security.

A critical and often overlooked requirement is comprehensive employee training for everyone who handles student data. Technology alone is not enough. Your staff is the first line of defense against phishing and social engineering. Regular, engaging training on security practices is not just a compliance checkbox—it's essential for building a strong security culture.

Want to see how vulnerable your school currently is to phishing attacks? We offer a free phishing audit that shows you exactly where your risks are. It's a proactive step toward fulfilling the training requirements of G.S. 115C-402.5 and protecting your school.

Managing Data Access, Transfers, and Research

All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5) sets clear boundaries on who can access student data, how it can be transferred, and how it can be used for research.

Who Can Access Personally Identifiable Student Data?

Access to PII is restricted to those with a legitimate educational need. The law permits access for:

• Authorized state staff from the State Board of Education and Department of Public Instruction (DPI) performing official duties.
• Authorized public school personnel (teachers, administrators, counselors) based on their specific roles and the "need to know" principle.
• Students and their parents or legal guardians, as guaranteed by FERPA.
• Authorized researchers who meet specific criteria and complete a formal approval process.
• Authorized staff of other state agencies under formal data-sharing agreements.

Rules for Outsourcing and Data Transfers

Schools rely on third-party vendors, and G.S. 115C-402.5 provides guidelines for protecting data when it leaves your direct control.

Any contract with a private contractor involving student data must include express provisions for privacy and security. These contracts must define what the vendor can do with the data, what security measures are required, and how long they can retain it. Crucially, contracts must also include penalties for noncompliance to ensure vendors are held accountable.

The Act generally prohibits the unauthorized transfer of PII out of state, with exceptions for when a student enrolls in a school outside North Carolina or when a local unit needs help locating a formerly enrolled student.

How Research Requests are Handled

The Act balances educational research with student privacy through a structured approval process. The NCDPI Research Review Committee evaluates all requests based on criteria developed by the State Board of Education.

Researchers seeking record-level or identifiable data must submit a Research Data Request Form and demonstrate a legitimate research purpose. They must agree to strict data security and destruction protocols. To minimize risk, NCDPI often provides de-identified data sets through partners like the North Carolina Education Research Data Center (NCERDC) at Duke University. This allows valuable research to proceed while keeping student identities protected.

Compliance in the Broader Legal Landscape

All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5) operates within a web of federal and state laws. IT Directors must ensure compliance with all of them.

How G.S. 115C-402.5 Works with FERPA and the Parents' Bill of Rights

G.S. 115C-402.5 does not replace federal laws but adds more specific protections.

• FERPA (Family Educational Rights and Privacy Act) is the federal foundation, granting parents rights to inspect, amend, and control the disclosure of their child's education records. The Federal FERPA Guidelines provide detailed information. G.S. 115C-402.5 builds on this by mandating specific technical security measures, prohibiting certain data collection, and requiring detailed vendor contracts.
• Senate Bill 49 (Parents' Bill of Rights) expands parental rights regarding their child's education and privacy. It requires schools to obtain affirmative parental consent (opt-in) before administering protected information surveys on sensitive topics like political beliefs, mental health, or religious practices. It also reinforces restrictions on collecting biometric data without written parental consent and strengthens parental notification requirements for health services and changes to a student's records, such as name or pronoun usage.

G.S. 115C-402.15 requires local boards to provide annual notification to parents about all these rights, ensuring they are informed and empowered.

Responsibilities for Local Schools and Annual Reporting

While the state sets the framework, local school units have key responsibilities:

• Annual Parental Notification: Local boards must inform parents each year of their rights under FERPA and state law, including the right to inspect records, request corrections, and opt out of directory information disclosure.
• Managing Vendor Contracts: Local schools must apply the principles of G.S. 115C-402.5 to their own vendor contracts, ensuring robust clauses for data privacy, security, breach notification, and penalties for noncompliance.
• Public Data Inventories: Maintaining a local inventory of collected data helps ensure transparency and good data governance.
• Annual Reporting: The State Board of Education and DPI must report annually to the Governor and General Assembly about any new or changed data collections in the state student data system, ensuring legislative oversight.

Notification Steps for Schools Under All About North Carolina’s Student Data Privacy Act (G.S. 115C-402.5)

When a data breach occurs, schools must follow specific notification steps outlined in the North Carolina Identity Theft Protection Act (NCGS Chapter 75, Article 2A), which applies to all government entities, including schools.

A security breach is defined as the unauthorized access and acquisition of unencrypted personal information that creates a material risk of harm. If encrypted data is stolen along with the key, it also counts as a breach.

If a breach occurs, schools must:

1. Notify Affected Individuals: This must be done without unreasonable delay. The notice must be clear and describe the incident, the type of information involved, the school's response, and advice for staying vigilant. Notice can be delivered by mail, or electronically with prior consent.
2. Notify the Attorney General's Office: Schools must report the breach to the Consumer Protection Division of the NC Attorney General's Office, detailing the incident, the number of people affected, and the steps taken.
3. Notify Consumer Reporting Agencies: If more than 1,000 individuals are notified, schools must also inform major credit reporting agencies (Equifax, Experian, TransUnion).

Having a clear, practiced breach response plan, as mandated by G.S. 115C-402.5, is critical to managing an incident effectively.

Frequently Asked Questions about NC's Student Data Privacy Act

Here are answers to common questions about All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5).

What is the main difference between G.S. 115C-402.5 and FERPA?

Think of FERPA as the federal floor for student privacy, focusing on parental rights to access, amend, and control the disclosure of education records. G.S. 115C-402.5 is the state-level structure built on that floor. It is more prescriptive, mandating a specific data security plan, prohibiting the collection of certain data (like biometrics and political affiliation), and requiring detailed vendor contract safeguards with penalties. You must comply with both.

Can parents opt out of all data collection for their child?

No, but they have significant control. Parents can opt out of the disclosure of directory information (e.g., name in a yearbook). They must opt in (give affirmative consent) for their child to take protected information surveys on sensitive topics. However, parents cannot opt out of the collection of essential data required for educational purposes, such as grades, attendance records, and test scores, which are necessary for the school to function and meet legal requirements.

What happens if a school's software vendor has a data breach?

The school, as the data owner, remains ultimately responsible. G.S. 115C-402.5 requires your vendor contracts to include express provisions for data security and penalties for noncompliance. If a vendor has a breach, your school is responsible for ensuring that all notification duties under North Carolina's Identity Theft Protection Act are met. This includes notifying affected families, the North Carolina Attorney General's Office, and, if necessary, consumer reporting agencies.

This highlights the importance of thorough vendor vetting and strong contracts. However, many breaches start with a simple phishing email. To see how vulnerable your staff might be, consider a free phishing audit to identify risks before an attack occurs.

Conclusion

All About North Carolina's Student Data Privacy Act (G.S. 115C-402.5), along with FERPA and the Parents' Bill of Rights, creates a comprehensive privacy ecosystem for student data. It mandates security plans, access controls, and robust vendor management to keep student information safe.

However, laws and policies are only as effective as the people implementing them. For K-12 IT Directors, the real work is building a proactive security culture. This includes regular audits, practiced breach response plans, and strong vendor oversight.

We've learned that the most sophisticated technology can be defeated by a single employee clicking a malicious link. This is why G.S. 115C-402.5 specifically requires employee training. The human element is your greatest vulnerability and your strongest defense.

At CyberNut, we provide automated, gamified micro-trainings designed for K-12 schools to build phishing awareness without adding to your workload.

Don't wait for a breach to find your weaknesses. Find out how vulnerable your school is with a free phishing audit. It’s a fast, clear way to assess your risk.

Protecting student data is about honoring the trust families place in you. For more insights on strengthening your school's cybersecurity, explore our cybersecurity resources.