SB500

Senate Bill 500, the 'Student Data Vendor Security Act,' establishes a framework for the protection and management of student data shared with third-party vendors by Arkansas public education entities. The bill defines two categories of vendors: 'school service contract providers' (those with formal, negotiated contracts) and 'school service on-demand providers' (those operating under standard, non-negotiable terms). It mandates that local education agencies (LEAs) include specific privacy and security provisions in all contracts involving student personally identifiable information (PII). LEAs are required to maintain and periodically update lists of these vendors and provide them to parents upon request. The bill imposes transparency requirements on vendors, requiring them to explain what data they collect and how it is used, and it mandates that vendors notify LEAs of any unauthorized data release or misuse. Additionally, the bill prohibits school service contract providers from using or sharing student PII for purposes outside of those authorized by the contract or parental consent. The legislation also provides mechanisms for LEAs to investigate breaches, terminate contracts, and restrict the use of non-compliant vendors.