PENNSYLVANIA, February 26 - (6) Prepare an annual report for submission to the

General Assembly on activities of the department that affect

privacy, including complaints of privacy violations, internal

controls and other related matters.

(7) Consult and coordinate with other representatives of

the department and the Commonwealth and other persons

regarding the quality, usefulness, openness and privacy of

data and the implementation of this chapter.

(8) Establish and operate a privacy incident response

program to ensure that each data-related incident involving

the department is properly reported, investigated and

mitigated.

(9) Establish a model process and policy for a student

and a student's parent or legal guardian if the student is

under 18 years of age to file a complaint regarding a

violation of data privacy or an inability to access, review

or correct the student's student data or other information

contained in the student's educational record.

(10) Provide training, guidance, technical assistance

and outreach to build a culture of data privacy protection

and data security among educational entities and third

parties.

(c) Investigations.--The chief data privacy officer may

investigate issues of compliance with this chapter or another

data privacy or security law concerning a matter related to this

chapter. In conducting the investigation, the chief data privacy

officer shall:

(1) Have access to all records, reports, audits,

reviews, documents, papers, recommendations and other

materials available to the educational entity or third party

20250SB0378PN0240 - 10 -

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30