The Department of Education Obligations Under the Student Data Transparency and Security Act

According to the Student Data Transparency and Security Act (HB 16-1423; C.R.S. 22-16-101 et seq.), the Department of Education shall:

Assign to each Student who is enrolled in a Public School a Unique Student Identifier that must neither be nor include the Social Security Number of a Student in whole or in sequential part

Develop a process to consider and review all outside requests for Student Personally Identifiable Information, other than aggregate student information already publicly available, by Individuals not Employed by the State who seek to conduct research using School System Data or Student Personally Identifiable Information already collected by the Department of Education

Have the State Board of Education approve all outside requests for Student Personally Identifiable Information

Before allowing an individual to receive Student Personally Identifiable Information for research purposes, the Department of Education must enter into an Agreement with the Individual that includes the Entity that sponsors the Individual or with which the Individual is affiliated.  (See the Obligations of School Service Contract Providers Page for the agreement requirements.)

For each request for aggregate Student Information, the Department of Colorado shall determine whether the size of the group, cohort, or institution is too small to preserve the anonymity of the Individuals included in the data, in which case the Student Data does not qualify as aggregate data.  See the Colorado Department of Education's Disclosure Avoidance Policy and Instruction on specific Disclosure Avoidance methods (Coming Soon!) for more information.

An Individual who conducts research through an Institution of Higher Education may demonstrate to the Department of Education compliance with the Institutional Review Board practices and requirements as required by Federal Law in lieu of the Agreement requirements outlined on the Obligations of School Service Contract Providers Page.

The Department of Education may enter into a Data-Sharing Agreement with a Public Institution of Higher Education to allow the sharing of Student Personally Identifiable Information for the purpose of satisfying requirements imposed on the Public Institution of Higher Education by the Institution's Accrediting Body.  The Accrediting Body is considered a Subcontractor of the Public Institution of Higher Education.  (See the Obligations of School Service Contract Providers Page for the agreement requirements.)   

The Department of Education shall not require a Local Education Provider to provide Student Personally Identifiable Information that is not required by State or Federal Law; except that it may require Student Personally Identifiable Information not mandated by State or Federal Law that is associated with a grant proposal or the Department of Education may ask a Local Education Provider to voluntarily submit data or information as a condition of receiving a benefit, such as grant funding or special designations.  

Unless required by State or Federal law, the Department of Education shall not collect:

  • Juvenile Delinquency Records
  • Criminal Records
  • Medical and Health Records
  • Student Social Security Numbers
  • Student Biometric Information 
  • Information concerning the Political Affiliations or the Beliefs or Attitudes of Students and their Families

Unless otherwise approved by the State Board of Education, the Department of Education shall not transfer Student Personally Identifiable Information to a Federal, State, or Local Agency or other Entity, which Agency or Entity is outside of the State, except under the following circumstances:

  • If a Student transfers to an Education Entity in state or out-of-state or if a School or School District seeks help in locating a Student who transfers out of state
  • If a Student seeks to enroll in or to attend an out-of-state Institution of Higher Education or Training Program
  • If a Student participates in a program or assessment for which a data transfer is a condition of participation
  • If a Student is classified as "migrant" for Federal reporting purposes
  • If the Department of Education enters into a Contract with an out-of-state Vendor or Researcher that affects Databases, Assessments, Special Education, or Instructional Support related to an audit or evaluation of Federal- or State-supported education programs; for the enforcement of or compliance with Federal legal requirements that relate to those Programs; or for conducting Studies for or on behalf of the Department of Education to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction
  • If the disclosure is to comply with a Judicial Order or lawfully issued Subpoena or in connection with a Health or Safety Emergency

The Department of Education shall not sell, trade, gift, or monetize Student Personally Identifiable Information for commercial use or investment interests.  

The Department of Education shall publish and maintain on its Website a list of all the Entities or Individuals, including but not limited to Vendors, Individual Researchers, Research Organizations, Institutions of Higher Education and Government Agencies that the Department of Education contracts with or has Agreements with and that hold Student Personally Identifiable Information and a copy of each Contract or Agreement.  (See the page displaying CDE Agreements and Contracts.)  

The list must include:

  • The name of the Entity or Individual.  In naming an Individual, the list must include the Entity that sponsors the Individual or with which the Individual is affiliated, if any.  If the Individual is conducting research at an Institution of Higher Education, the list may include the name of the Institution of Higher Education and a Contact Person in the Department that is associated with the research in lieu of the name of the Researcher.
  • The purpose and scope of the Contract or Agreement
  • The duration of the Contract or Agreement
  • The types of Student Personally Identifiable Information that the Entity or Individual holds under the Contract or Agreement
  • The use of the Student Personally Identifiable Information under the Contract
  • The length of time for which the entity or individual may hold the Student Personally Identifiable Information

The Department of Education shall ensure that the terms of each contract that the Department of Education enters into or reviews with a School Service Contract Provider on and after the effective date of this law meet the data transparency, data security, and data destruction requirements for School Service Contract Providers.  (See the Obligations of School Service Contract Providers Page for the agreement requirements.)  If the Contract Provider commits a material breach of the Contract that involves the misuse or unauthorized release of Student Personally Identifiable Information, the Department of Education shall determine whether to terminate the Contract in accordance with a policy adopted by the State Board of Education.  At a minimum, the Policy must require the State Board of Education, within a reasonable time after the Department of Education identifies the existence of a material breach, to hold a public hearing that includes discussion of the nature of the material breach, an opportunity for the Contract Provider to respond concerning the material breach, public testimony, and a decision as to whether to direct the Department of Education to terminate or continue the Contract.

The Department of Education shall ensure that the terms of each Contract or other Agreement that the Department of Education enters into or renews on and after the effective date of this law, which contract or agreement includes access to or use of Student Personally Identifiable Information by an individual or entity other than a Contract Provider, at a minimum, require the individual or entity to comply with the use of data, data security, and data destruction requirements for School Service Contract Providers.  (See the Obligations of School Service Contract Providers Page.)  If the individual or entity commits a material breach of the Contract or Agreement that involves the misuse or unauthorized release of Student Personally Identifiable Information, the Department of Education shall determine whether to terminate the Contract or Agreement in accordance with the State Board Policy.

Notwithstanding any provision of law to the contrary, on and after the effective date of this law, the Department of Education shall not enter into or renew:

The Department of Education shall develop data security guidance that may be used by Local Education Providers.  The Department of Education data security guidance must include:

  • Guidance for authorizing access to the student data system and to Student Personally Identifiable Information including guidance for authenticating authorized access
  • Privacy compliance standards
  • Best practices for privacy and security audits
  • Security breach planning, notice, and procedures
  • Data retention and destruction procedures
  • Data collection and sharing procedures
  • Recommendations that any contracts that affect databases, assessments, or instructional supports that include Student Personally Identifiable Information and are outsourced to vendors include express provisions that safeguard privacy and security and include penalties for noncompliance
  • Best security practices for privacy when using online education services, including websites and applications
  • Guidance for contracts involving the outsourcing of educational services
  • Guidance for publishing a list of vendors that Local Education Providers contract with that hold student personally identifiable information
  • Consequences for security breaches
  • Examples of staff training regarding the procedures

Based on the data security guidance adopted on or before March 1, 2017, the Department of Education shall create and make available to Local Education Providers a Sample Student Information Privacy and Protection Policy.  (See the Sample Privacy and Security Policies Page.)  The Department shall annually review the Sample Policy and revise it as necessary to ensure that it remains current and adequate to protect the privacy of Student Personally Identifiable Information in light of advances in data technology and dissemination.  At a minimum, the Sample Policy must include protocols for: 

  • Creating and maintaining a Student Data Index
  • Retaining and destroying Student Personally Identifiable Information
  • Using Student Personally Identifiable Information for purposes internal to a Local Education Provider
  • Preventing breaches in the security of Student Personally Identifiable Information and for responding to any security breaches that occur
  • Contracting with school service contract providers and using school services provided by School Service On-Demand providers
  • Disclosing Student Personally Identifiable Information to School Service Contract Providers, School Service On-Demand Providers, or other third parties
  • Notifying parents regarding collection of, retention of, and access to Student Personally Identifiable Information 
  • Providing training in student information security and privacy to employees of a local education provider

The Department of Education shall prepare and make available to Local Education Providers sample contract language for use in contracting with School Service Contract Providers. (See the Current Contract Template (DOC).)  This new Contract template includes the terms required by the Student Data Transparency and Security Act (C.R.S. 22-16-101 et seq.), and any Contract entered into or renewed after August 10, 2016 that involves PII will contain this new privacy and security language. The Department of Education shall update the sample contract language as necessary to ensure that it remains current and adequate to protect the privacy of Student Personally Identifiable Information in light of advances in data technology and dissemination.

The Department of Education shall identify and make available to Local Education Providers resources that the Local Education Providers may use in training employees with regard to Student information security and privacy.  At the request of a Local Education Provider, the Department shall provide training related to student information security and privacy.

If the Department of Education receives notice that a Local Education Provider has ceased using a School Service On-Demand Provider for reasons described on the Obligations of Local Education Providers Page around data collection and the data security policy, the Department of Education shall post the notice on the Department of Education's website.  The Department of Education shall also post any written response from an On-Demand Provider that the Local Education Provider may submit.  The Department of Education shall post the notices and written responses for twenty-four months following the date received.