School Service Contract Providers Obligations Under the Student Data Transparency and Security Act

The School Service Contract Providers Obligations Under the Student Data Transparency and Security Act

According to the Student Data Transparency and Security Act (HB 16-1423; C.R.S. 22-16-101 et. seq), the School Service Contract Providers shall:

Provide clear information that is understandable by a layperson explaining the data elements of Student Personally Identifiable Information that the School Service Contract Provider collects, the learning purpose for which the School Service Contract Provider collects the Student Personally Identifiable Information, and how the School Service Contract Provider uses and shares the Student personally Identifiable Information.  The information must include all Student Personally Identifiable Information that the School Service Contract Provider collects regardless of whether it is initially collected or ultimately held individually or in the aggregate.  The School Service Contract Provider shall provide the information to each Public Education Entity that the School Service Contract Provider contracts with in a format that is easily accessible through a website, and the public education entity shall post the information in its website.  The School Service Contract Provider shall update the information as necessary to maintain accuracy.  

Each School Service Contract Provider shall provide clear notice to each Public Education Entity that it contracts with before making material changes to its Privacy Policy for School Services.

Each School Service Contract Provider shall facilitate access to and correction of any factually inaccurate Student Personally Identifiable Information by a contracting Local Education Provider in response to a request for correction that the Local Education Provider receives and responds to.

Upon discovering the misuse or unauthorized release of Student Personally Identifiable Information held by the Contract Provider, a Subcontractor of the Contract Provider, or a subsequent Subcontractor, the Contract Provider shall notify the contracting Public Education Entity as soon as possible, regardless of whether the misuse or unauthorized release is a result of a material breach of the terms of the contract.  

A School Service Contract Provider may collect, use, and share Student Personally Identifiable Information only for the purposes authorized in the contract between the School Service Contract Provider and a Public Education Entity or with the consent of the Student who is the subject of the information or the Student's Parent.

A School Service Contract Provider must obtain the consent of the Student or the Student's Parent before using Student Personally Identifiable Information in a manner that is materially inconsistent with the School Service Contract Provider's Privacy Policy or materially inconsistent with the Contract between the School Service Contract Provider and the Public Education Entity that applies to the collection of the Student Personally Identifiable Information.  

A School Service Contract Provider shall not:

Sell Student Personally Identifiable Information except that this prohibition does not apply to the purchase, merger, or other type of acquisition of a School Service Contract Provider, or any assets of a School Service Contract Provider, by another Entity, so long as the Successor Entity continues to be subject to the provisions of this law with respect to Student Personally Identifiable Information that the School Service Contract Provider acquired while subject to the provisions of this law

Use or share Student Personally Identifiable Information for purposes of targeted advertising to students

Use Student Personally Identifiable Information to create a Personal Profile of a Student other than for supporting purposes authorized with the contracting Public Education Entity or with the consent of the Student or the Student's Parent  

A school service contract provider may use or disclose student personally identifiable information to:

Ensure legal or regulatory compliance or to take precautions against liability

Respond to or participate in the judicial process

Protect the safety of users or others on the School Service Contract Provider's Website, Online Service, Online Application or Mobile Application

Investigate a matter related to public safety

If a School Service Contract Provider uses or discloses Student Personally Identifiable Information as allowed in the instances listed above, the Contract Provider shall notify the contracting Public Education Entity as soon as possible after the use or disclosure of the information.

A School Service Contract Provider may use, or disclosure Student Personally Identifiable Information to, a Subcontractor only if the School Service Contract Provider contractually requires the Subcontractor to comply with the obligations of School Service Contract Providers under data transparency, data security, data destruction and the exceptions.  The provisions outlined apply to the ability of an initial or subsequent Subcontractor to further subcontract.  If a Public Education Entity determines that an initial or subsequent Subcontractor has committed a material breach of the Contract that involves the misuse or unauthorized release of Student Personally Identifiable Information, the Public Education Entity shall comply with the terms in the Contract related to a material breach, except that the Public Education Entity is not required to consider terminating the Contract if the School Service Contract Provider terminates the Contract with the Subcontractor as soon as possible after the Contract Provider knows or has reason to know of the initial or subsequent Subcontractor's material breach.

A Student may consent to the use, sharing, or retention of the Student's Student Personally Identifiable Information only if the Student is at least eighteen years of age or legally emancipated.

Each School Service Contract provider shall maintain a comprehensive Information Security Program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of Student Personally Identifiable Information.  The Information Security Program must make use of appropriate administrative, technological, and physical safeguards.  

During the term of a Contract between a School Service Contract Provider and a Public Education Entity, if the contracting Public Education Entity requests destruction of a Student's Student Personally Identifiable Information collected, generated, or inferred as a result of the Contract, the contracting School Service Contract Provider shall destroy information as soon as practicable after the date of the request unless:

The School Service Contract Provider obtains the consent of the Student or the Student's Parent to retain the Student's Student Personally Identifiable Information

The Student has transferred to another Public Education Entity and the receiving Public Education Entity has requested that the School Service Contract Provider retain the Student's Student Personally Identifiable Information

Following the termination or conclusion of a Contract between a School Service Contract Provider and a Public Education Entity, the School Service Contract Provider shall, within the time period specified in the Contract, destroy all Student Personally Identifiable Information collected, generated, or inferred as a result of the Contract.  If the Contract does not specify a period for destruction of Student Personally Identifiable Information, the Contract Provider shall destroyed the information when the information is no longer needed for the purpose of the Contract between the Contract Provider and the Public Education Entity.  The Contract Provider shall notify the Public Education Entity of the date upon which all of the Student Personally Identifiable Information is destroyed.