You are here
Data Privacy and Security
We know your visit has a purpose! And although the newly rearranged content might seem like an intentional interference to your aim, please be patient, and take a look around! The Data Privacy Office has committed a significant amount of time to our site's reorg with YOU in mind! We are striving to provide a better experience by (hopefully) easing navigation - having it be intuitive with a sensible flow. After you've given it a shot, if you feel like we totally missed the mark, let us know! Email us! We are happy to explore your suggestions for improvement! We are committed to Customer Service.
CDE’s Data Privacy Week
January 20 – January 24
A matter of law…
(Multiple Laws affecting the Privacy of Coloradans are featured on this page: The Student Data Transparency and Security Act, FERPA, and The Data Breach Notification Law. If you're not immediately seeing what you're looking for, scroll down!)
The Student Data Transparency and Security Act
Effective August 10, 2016, the Student Data Transparency and Security Act (PDF) (HB 16-1423; C.R.S.22-16-101 et seq.), brought statewide attention to Student Data Privacy. The purpose of this Law is to increase the transparency and security of all Student Personally Identifiable Information (Student PII) that the Colorado Department of Education (CDE) and Local Education Providers (LEPs) collect and maintain. The Law aims to maximize trust in the use of student data in the elementary and secondary education system, by having vendors contracting with schools or educational agencies in Colorado contractually agree to comply with certain requirements if they are to collect information from students.
Obligations Under the Law
The Law is broken down to outline the obligations of:
- The State Board of Education
- The Department of Education
- Local Education Providers
- School Service Contract Providers
The Law's Exceptions
The law does not prohibit the use of Student Personally Identifiable Information to:
- Use adaptive learning or design personalized or customized education
- Maintain, develop, support, improve, or diagnose a School Service Contract Provider's website, online service, online application, or mobile application
- Provide recommendations for school, educational, or employment purposes within a School Service, so long as the response is not determined in whole or in part by payment or other consideration from a third party
- Respond to a student's request for information or for feedback so long as the information or response is not determined in whole or in part by payment or other consideration from a third party
- Identify for the student, only with the written consent of the student or the student's parent, institutions of higher education or scholarship providers that are seeking students who meet specific criteria, regardless of whether the identified institutions of higher education or scholarship providers provide consideration to the School Services Contract Provider
- Produce and distribute, free or for consideration, student class photos and yearbooks only to the public education entity, students, parents, or individuals authorized by parents
- Provide for the student, only with the express written consent of the student or the student's parent given in response to clear and conspicuous notice, access to employment opportunities, educational scholarships or financial aid, or postsecondary education opportunities, regardless of whether the School Services Contract Provider receives consideration from one or more third parties in exchange for the Student Personally Identifiable Information. This exception applies only to School Services Contract Providers that provide nationally recognized assessments that postsecondary institutions of higher education use in making admissions decisions.
This law does not:
- Impose a duty on a providers of an interactive computer service to review or enforce compliance with this law by School Service Contract Providers or School Service On-Demand Providers
- Impede the ability of a student to download, export, or otherwise save or maintain his or her own Student Personally Identifiable Information or documents
- Limit internet service providers from providing internet connectivity to public schools or to students and their families
- Prohibit a School Service Contract Provider from marketing education products directly to parents so long as the marketing does not result from the use of Student Personally Identifiable Information obtained by the School Service Contract Provider as a result of providing its website, online service, online application, or mobile application or
- Impose a duty on a Provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this law on that software or those applications
(3) THE REQUIREMENTS SPECIFIED IN SECTIONS 22-16-108 TO PAGE 25-HOUSE BILL 16-1423 22-16-110 APPLY TO SCHOOL SERVICE CONTRACT PROVIDERS THAT ENTER INTO OR RENEW CONTRACTS WITH PUBLIC EDUCATION ENTITIES ON OR AFTER THE EFFECTIVE DATE OF THIS ARTICLE.
The Law also defines a Parent's Rights.
- The parent of a student enrolled by a Local Education Provider has the right
- To inspect and review his or her child's Student Personally Identifiable Information maintained by the Local Education Provider
- To request from the Local Education Provider a paper or electronic copy of his or her child's Student Personally Identifiable Information, including Student Personally Identifiable Information maintained by a School Service Contract Provider. If a parent requests an electronic copy of the parent's child's Student Personally Identifiable Information, the Local Education Provider shall provide an electronic copy of the Student Personally Identifiable Information unless the Local Education Provider does not maintain Student Personally Identifiable Information in electronic format and reproducing the Student Personally Identifiable Information in an electronic format would be unduly burdensome.
- To request corrections to factually inaccurate Student Personally Identifiable Information maintained by a Local Education Provider. After receiving a request for correction that documents the factual inaccuracy, the Local Education Provider that mains the Student Personally Identifiable Information shall correct the factual inaccuracy and confirm the correction to the parent within a reasonable amount of time.
- The governing board of each Local Education Provider shall adopt a policy for hearing complaints from parents regarding the Local Education Provider's Compliance with the requirements of this article. At a minimum, the policy must provide a parent the opportunity to submit information to the governing board and receive a hearing by the governing board and must require the governing board to take action on the parent's complain within sixty days after the hearing.
- If a Local Education Provider does not comply with the requirements specified in this article, a student's parent may submit a complaint to the governing board of the Local Education Provider in accordance with the complaint policy adopted by the governing board of each Local Education Provider
At the Heart of the Law: Student Personally Identifiable Information
At the heart of this Law is Student PII (Personally Identifiable Information). PII, as defined by this Law is information that, alone or in combination, personally identifies an individual student or the student's parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider.
Our Commitment to Privacy Encompasses Staff
The Colorado Department of Education (CDE) is often asked to provide data about individual students or school district employees. Since 1963, Colorado Legislation has been protecting the privacy of these individuals. Colorado Revised Statute 22-2-111(3) states that ...all papers filed in the department of education which contain personal information...are classified as confidential in nature...It is unlawful for any officer, employee or other person to divulge, or to make known in any way, any such personal information without the written consent of said applicant, employee, teacher or pupil...
The Law's Influence on CDE Actions
The Colorado Department of Education (CDE) collects and uses data to analyze student performance and inform educational improvements at the policy, state board and classroom level. To review the data the Colorado Department of Education collects, please visit the Data Collections Page. Resources in SchoolView provide information for Colorado educators to advance student learning through a focus on standards, assessments and educator effectiveness.
The Colorado Department of Education's commitment to an individual's privacy protection necessitates an arduous process for PII Requests. See the Data Request Page for details.
In addition to the Student Data Transparency and Security Act (HB 16-1423; C.R.S.22-16-101 et seq.), Colorado Schools and Parents also rely heavily upon the Privacy Guidance offered by FERPA (Family Education Rights and Privacy Act). FERPA, a Federal Law, was enacted by Congress in 1974 (November 19, 1974) to protect the privacy of students and their parents. The act is designed to ensure that students and parents of students may obtain access to the student's educational records and challenge the content or release of such records to third parties.
FERPA Fundamentals (link includes a number of FERPA resources)
- FERPA outlines the rights of parents or eligible students to inspect their education records for factual accuracy, and relates the procedures around amending education records.
- FERPA relays the conditions in which disclosure of information is permissible.
Under FERPA, LEPs must have parent consent to transfer student PII to a third party, unless one of the FERPA exceptions apply. Below are fun and short videos from the Utah State Board of Education on what each exception means.
- FERPA Exception - Directory Information (YouTube 3:24m)
- FERPA Exception - Studies Exception (YouTube 2:41m)
- FERPA Exception - Audit or Evaluation (YouTube 2:17m)
- FERPA Exception - School Official (YouTube 1:28m)
- The Other FERPA Exceptions (YouTube 14:39m)
Support for Parents Around FERPA
- A Parent's Guide to Student Data Privacy (PDF) - created by ConnectSafely, Future of Privacy Forum and the PTA
- Family Educational Rights and Privacy Act (FERPA) - General Guidance for Parents
- About the Family Policy Compliance Office (FPCO) - Information about FERPA Compliance and Enforcement
FERPA Training Videos for Teachers - Produced by the Utah State Board of Education
- FERPA Basics (YouTube 3:32m)
- Parental Rights (YouTube 1:30m)
- Exceptions Overview (YouTube 1:57m)
- FERPA and Technology (YouTube 2:19m)
- Websites and Apps for the Classroom (YouTube 3:35m)
- Data Security Basics for the Classroom (YouTube 4:05m)
- Storing Educational Records Safely (YouTube 3:35m)
- Malware Attacks on Schools (YouTube 2:27m)
The Data Breach Notification Law
The most recent Privacy legislation to have an impact on Student Privacy is the Data Breach Notification Law (PDF) (HB 18-1128; effective September 1, 2018). This Law amends the Colorado Revised Statutes Title 6 Consumer and Commercial Affairs portion of the Colorado Consumer Protection Act (CCPA) of September 1, 2006 (§6-1-713 et seq.).