Results Matter and Data Privacy and Security

CDE must follow all data privacy and security laws and regulations. The Department requires that all Results Matter participants adhere to the following guidelines:

Federal, State, and Local Laws and Policies

Be aware and follow your district/program’s data privacy and cyber-security policies. Each public local education agency is required to develop their own policy per the Colorado Student Data Transparency and Security Act, HB 16-1423. Read CDE guidance to school districts on data privacy.

Staff with Legitimate Educational Interests Only

Student assessment records are confidential private student records and should be treated accordingly. Assessment data is to be accessed only by school or agency officials for legitimate educational purposes.

Privacy and Security Measures

• Only access assessment tools from a private, password-protected computer or mobile device.
• Consider using a virtual private network (VPN), especially when accessing public WiFi.
• Change your password regularly (recommended every 6 months) using a strong password with special characters and numbers.
• Never share your user account or password with anyone else.
• Never allow devices to “remember” or store your password.
• Log off the system and close your browser after each session.
• Upload documentation gathered with the documentation apps daily.
• Close documentation apps on mobile devices after each session.
• Associate your user account with a private, professional email address that only you can access.

Email and Personally Identifiable Information

Avoid emailing personally identifiable information (PII). Email is typically unencrypted and therefore not secure. Instead, use a secure file sharing service. CDE has secure options for programs to share information about multiple children such as when you and CDE staff are troubleshooting records. For more information, please contact Results Matter staff. A phone call to CDE is permissible and may be more efficient when you only need to communicate about a few children.

When using unencrypted email, carefully check subject lines and any previous message content to make sure that no sensitive information (e.g., assessment results, funding sources, IEP/OSEP status) will be sent. For example, if you send an email with a child’s name in relation to a case about OSEP exiting, even with no other information, you have already identified that child on an IEP. And if the email server is hacked, it could be considered a disclosure of PII.

Student assessment records are confidential private student records and should be treated accordingly. Assessment data is to be accessed only by school or agency officials for legitimate educational purposes.