2016 Colorado Revised Statutes
Title 22 - Education
General and Administrative
Article 16 - Student Data Transparency and Security
§ 22-16-104. State board of education - duties - rules

(1) The state board shall:

(a) Create, publish, and make publicly available a data inventory and dictionary or index of data elements with definitions of individual student data fields used in the student data system including:

(I) Individual student personally identifiable information that school districts and public schools are required to report by state and federal education mandates; and

(II) Individual student personally identifiable information that is proposed for inclusion in the student data system with a statement regarding the purpose or reason for the proposed collection and the use of the collected data;

(b) Develop, publish, and make publicly available policies and procedures to comply with the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, and other relevant privacy laws and policies, including but not limited to policies that restrict access to student personally identifiable information in the student data system to:

(I) The authorized staff of the department that require access to perform assigned or contractual duties, including staff and contractors from the office of information and technology that are assigned to the department;

(II) The department's contractors that require access to perform assigned or contractual duties that comply with the requirements specified in paragraph (g) of this subsection (1);

(III) School district administrators, teachers, and school personnel who require access to perform assigned duties;

(IV) Students and their parents; and

(V) The authorized staff of other state agencies, including public institutions of higher education, as required by law or defined by interagency data-sharing agreements;

(c) Develop user-friendly information for the public related to the department's data-sharing agreements that is posted on the department's website as provided in section 22-16-105 (4);

(d) Develop a detailed data security plan that includes:

(I) Guidance for authorizing access to the student data system and to individual student personally identifiable information, including guidance for authenticating authorized access;

(II) Privacy compliance standards;

(III) Privacy and security audits;

(IV) Security breach planning, notice, and procedures;

(V) Student personally identifiable information retention and destruction policies, which must include specific requirements for identifying when and how the student personally identifiable information will be destroyed;

(VI) Guidance for school districts and staff regarding student personally identifiable information use;

(VII) Consequences for security breaches; and

(VIII) Staff training regarding the policies;

(e) Ensure routine and ongoing compliance by the department with the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this article, including the performance of compliance audits;

(f) Ensure that agreements involving the disclosure of student personally identifiable information for research conducted on behalf of the department to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction must:

(I) Specify the purpose, scope, and duration of the study or studies and the information to be disclosed;

(II) Require the entity, and any subcontractors or employees of the entity, to use student personally identifiable information from education records only to meet the purpose or purposes of the study as stated in the written agreement;

(III) Require the entity, and any subcontractors or employees of the entity, to conduct the study in a manner that does not permit access to the student personally identifiable information of parents and students by anyone other than representatives of the entity with legitimate interests;

(IV) Require the entity, and any subcontractors or employees of the entity, to destroy all student personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and to specify the time period in which the information must be destroyed; and

(V) Require the entity, and any subcontractors or employees of the entity, to comply with the requirements specified in sections 22-16-109 (1), (2), and (3) (b) and 22-16-110 (1) and (3) that are imposed on school service contract providers;

(g) Develop requirements that any department contracts that affect databases, assessments, or instructional supports that include student personally identifiable information and are outsourced to vendors include express provisions that safeguard privacy and security, including specifying that student personally identifiable information may be used only for the purpose specified in the contract and must be destroyed when no longer needed for the purpose specified in the contract; specifying the time period in which the information must be destroyed; prohibiting further disclosure of the student personally identifiable information or its use for commercial purposes that are outside the scope of the contract; and specifying penalties for noncompliance, which must include termination of the contract as required in section 22-16-105 (5); and

(h) Promulgate rules as necessary to implement the provisions of this article.