The State Board of Education Obligations Under the Student Data Transparency and Security Act

According to the Student Data Transparency and Security Act (HB 16-1423; C.R.S. 22-16-101 et seq.), the State Board of Education shall:

Create, publish and make publicly available a Data Inventory and Dictionary (see the Data Dictionary) or Index of Data Elements with definitions of individual Student Data Fields used in the Student Data System including:

  • Individual Student Personally Identifiable Information that School Districts and Public Schools are required to report by State and Federal Education Mandates
  • Individual Student Personally Identifiable Information that is proposed for inclusion in the Student Data System with a statement regarding the purpose or reason for the proposed collection and the use of the collected data

Develop, publish and make publicly available Policies and Procedures to comply with the Federal "Family Educational Rights and Privacy Act of 1974" and other relevant Privacy Laws and Policies, including but not limited to Policies that restrict access to Student Personally Identifiable Information in the Student Data System to: 

  • The authorized Staff of the Department of Education that require access to perform assigned or contractual duties, including Staff and Contractors from the Office of Information and Technology that are assigned to the Department
  • The Department of Education's Contractors (listed below) that require access to perform assigned or contractual duties
  • School District Administrators, Teachers, and School Personnel who require access to perform assigned duties
  • Students and their Parents
  • The authorized Staff of other State Agencies, including Public Institutions of Higher Education, as required by Law or defined by Inter-Agency Data-Sharing Agreements

Develop user-friendly information for the Public related to the Department of Education's Data-Sharing Agreements. As mandated by Law, Data-Sharing Agreements will be posted on the Department of Education's website. (See the page displaying CDE Agreements and Contracts.)

Develop a detailed Data Security Plan that includes:

  • Guidance for authorizing access to the Student Data System and to individual Student Personally Identifiable Information, including guidance for authenticating authorized access
  • Privacy compliance standards
  • Privacy and security audits
  • Security breach planning, notice, and procedures
  • Student Personally Identifiable Information retention and destruction Policies, which must include specific requirements for identifying when and how the Student Personally Identifiable Information will be destroyed
  • Guidance for School Districts and Staff regarding Student Personally Identifiable Information use
  • Consequences for security breaches
  • Staff training regarding the Policies

Ensure routine and ongoing compliance by the Department with the Federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, other relevant Privacy Laws and Policies, and the Privacy and Security Policies and Procedures developed under the State Board of Education, including the performance of compliance audits.

Ensure that Agreements involving the disclosure of Student Personally Identifiable Information for research conducted on behalf of The Department of Education to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction must: 

  • Specify the purpose, scope, and duration of the Study or Studies and the information to be disclosed
  • Require the Entity, and any Subcontractors or Employees of the Entity, to use Student Personally Identifiable Information from Education Records only to meet the purpose or purposes of the Study as stated in the written Agreement
  • Require the Entity, and any Subcontractors or Employees of the Entity, to conduct the Study in a manner that does not permit access to the Student Personally Identifiable Information of Parents and Students by anyone other than representatives of the Entity with legitimate interests
  • Require the Entity, and any Subcontractors or Employees of the Entity, to destroy all Student Personally Identifiable Information when the information is no longer needed for the purposes for which the Study was conducted and to specify the time period in which the information must be destroyed
  • Require the Entity, and any Subcontractors or Employees of the Entity, to comply with the requirements around the use of data, data security and data destruction directives for School Service Contract Providers

Develop requirements that any Department Contracts that affect databases, assessments, or instructional supports that include Student or Personally Identifiable Information and are outsourced to Vendors include express provisions that safeguard privacy and security, including specifying that Student Personally Identifiable Information may be used only for the purpose specified in the Contract and must be destroyed when no longer needed for the purpose specified in the Contract; specifying the time period in which the information must be destroyed; prohibiting further disclosure of the Student Personally Identifiable Information or its use for commercial purposes that are outside the scope of the Contract; and specifying penalties for noncompliance, which must include termination of the Contract.

Promulgate rules as necessary to implement the provisions of this Article.