The Department, in consultation with the Department of Information Technology and county boards, shall develop and update best practices for county boards to:

(1) Manage and maintain data privacy and security practices in the processing of student data and personally identifiable information across the county board’s information technology and records management systems;

(2) Develop and implement:

(i) A data privacy and security incident response plan;

(ii) A breach notification plan; and

(iii) Procedures and requirements for allowing access to student data and personally identifiable information for a legitimate research purpose; and

(3) Publish information annually on:

(i) Types of student data and personally identifiable information processed by the county board, the protocols for processing student data, and the rationales for selecting processing protocols;

(ii) Contracted services that involve sharing student data between a county board and a school service contract provider; and

(iii) Procedures and rationales for vetting and selecting Internet sites, services, and applications.