Local Education Providers Obligations Under the Student Data Transparency and Security Act

According to the Student Data Transparency and Security Act (HB 16-1423; C.R.S. 22-16-101 et seq.), the Local Education Providers shall:

Post and maintain on its website clear information that is understandable by a layperson explaining the data elements of Student Personally Identifiable Information that the Local Education Provider collects and maintains in the Local Education Provider's data system, not including the Student Personally Identifiable Information that the Local Education Provider transmits to the Department of Education. The list must explain how the Local Education Provider uses and shares the Student Personally Identifiable Information. The Local Education Provider shall include on its website a link to the Data Inventory and Dictionary or Index of Data Elements that the State Board of Education publishes. See the Data Dictionary.

Each Local Education Provider shall post and maintain on its website a list of the School Service Contract Providers the Local Education Provider contracts with and a copy of each contract.

Each Local Education Provider shall ensure that the terms of each contract that the Local Education Provider enters into or renews with a School Service Contract Provider on and after the effective date of this law, at a minimum, require the Contract Provider to comply with the requirements outlined on the Obligations of the School Service Contract Providers page around data transparency, data security and data destruction.

If the Contract Provider commits a material breach of the contract that involves the misuse or unauthorized release of Student Personally Identifiable Information, the Local Education Provider shall determine whether to terminate the contract in accordance with a policy adopted by the governing body of the Local Education Provider.  At a minimum, the policy must require the governing body, within a reasonable time after the Local Education Provider identifies the existence of a material breach, to hold a public hearing that includes discussion of the nature of the material breach, an opportunity for the Contract Provider to respond concerning the material breach, public testimony, and a decision as to whether to direct the Local Education Provider to terminate or continue the contract.

On or after the effective date of this law, a Local Education Provider shall not enter into or renew a contract with a School Service Contract Provider that refuses to accept the terms outlined on the Obligations of the School Service Contract Providers page around data transparency, data security and data destruction.

Each Local Education Provider shall post on its website, to the extent practicable, a list of the School Service On-Demand Providers that the Local Education Provider or an employee of the Local Education Provider uses for School Services. At a minimum, the Local Education Provider shall update the list of School Service On-Demand Providers at the beginning and mid-point of each school year. The Local Education Provider, upon the request of a Parent, shall assist the Parent in obtaining the Data Privacy Policy of a School Service On-Demand Provider that the Local Education Provider or an employee of the Local Education Provider uses.

If a Parent has evidence demonstrating that a School Service On-Demand Provider that the Local Education Provider or an employee of the Local Education Provider uses does not substantially comply with the On-Demand Provider's Privacy Policy or does not meet the requirements specified under what a School Service Contract Provider shall not do, and the data security and data destruction requirements of a School Service Contract Provider, the Parent may notify the Local Education Provider and provide the evidence for the Parent's conclusion.

If a Local Education Provider has evidence demonstrating that a School Service On-Demand Provider does not substantially comply with the On-Demand Provider's privacy policy or does not meet the requirements specified under what a School Service Contract Provider shall not do, and the data security and data destruction requirements of a School Service Contract Provider, the Local Education Provider is strongly encouraged to cease using or refuse to use the School Service On-Demand Provider and prohibit employees of the Local Education Provider from using the On-Demand Provider.  The Local Education Provider shall notify the On-Demand Provider that it is ceasing or refusing to use the On-Demand Provider, and the On-Demand Provider may submit a written response to the Local Education Provider.  The Local Education Provider shall publish and maintain on its website a list of any School Service On-Demand Providers that it ceases using or refuses to use, with any written responses that it receives from the On-Demand Providers.  The Local Education Provider shall notify the Department if it ceases using an On-Demand Provider and provide a copy of any written response the On-Demand Provider may submit.

Each Local Education Provider that uses On-Demand School Service Providers shall post on its website a notice to On-Demand Providers that, if the Local Education Provider ceases using or refuses to use an On-Demand School Service Provider, the Local Education Provider will post on its website the name of the On-Demand Provider, with any written response that the On-Demand Provider may submit, and will notify the Department of Education, which will post on its website the On-Demand Provider's name and any written response.

On or before December 31, 2017, each Local Education Provider shall adopt a Student Information Privacy and Protection Policy that, at a minimum, encompasses the guidance offered by the Department of Education to support Local Education Providers.  The Local Education Provider shall annually review the Policy and revise it as necessary to ensure that it remains current and adequate to protect Student Personally Identifiable Information privacy in light of advances in data technology and dissemination.  

A Local Education Provider that is a small Rural School District shall adopt the Student Information Privacy and Protection Policy by July 1, 2018.

Each Local Education Provider shall make copies of the Student Information Privacy and Protection Policy available upon request to the Parent of a Student enrolled by the Local Education Provider and shall post a current copy of the Student Information Privacy and Protection Policy on the Local Education Provider's website.