§ 22-16-107. Local education provider - data collection - data security policy

CO Rev Stat § 22-16-107 (2018) (N/A)
Copy with citation
Copy as parenthetical citation

(1) (a) Each local education provider shall post and maintain on its website clear information that is understandable by a layperson explaining the data elements of student personally identifiable information that the local education provider collects and maintains in the local education provider's data system, not including the student personally identifiable information that the local education provider transmits to the department. The list must explain how the local education provider uses and shares the student personally identifiable information. The local education provider shall include on its website a link to the data inventory and dictionary or index of data elements that the state board publishes as required in section 22-16-104 (1)(a).

(b) Each local education provider shall post and maintain on its website a list of the school service contract providers that the local education provider contracts with and a copy of each contract.

(2) (a) Each local education provider shall ensure that the terms of each contract that the local education provider enters into or renews with a school service contract provider on and after August 10, 2016, at a minimum, require the contract provider to comply with the requirements in sections 22-16-108 to 22-16-110. If the contract provider commits a material breach of the contract that involves the misuse or unauthorized release of student personally identifiable information, the local education provider shall determine whether to terminate the contract in accordance with a policy adopted by the governing body of the local education provider. At a minimum, the policy must require the governing body, within a reasonable time after the local education provider identifies the existence of a material breach, to hold a public hearing that includes discussion of the nature of the material breach, an opportunity for the contract provider to respond concerning the material breach, public testimony, and a decision as to whether to direct the local education provider to terminate or continue the contract.

(b) On and after August, 10, 2016, a local education provider shall not enter into or renew a contract with a school service contract provider that refuses to accept the terms specified in paragraph (a) of this subsection (2) or that has substantially failed to comply with one or more of the requirements in sections 22-16-108 to 22-16-110.

(3) (a) Each local education provider shall post on its website, to the extent practicable, a list of the school service on-demand providers that the local education provider or an employee of the local education provider uses for school services. At a minimum, the local education provider shall update the list of school service on-demand providers at the beginning and mid-point of each school year. The local education provider, upon the request of a parent, shall assist the parent in obtaining the data privacy policy of a school service on-demand provider that the local education provider or an employee of the local education provider uses.

(b) If a parent has evidence demonstrating that a school service on-demand provider that the local education provider or an employee of the local education provider uses does not substantially comply with the on-demand provider's privacy policy or does not meet the requirements specified in section 22-16-109 (2) or 22-16-110 (1), the parent may notify the local education provider and provide the evidence for the parent's conclusion.

(c) If a local education provider has evidence demonstrating that a school service on-demand provider does not substantially comply with the on-demand provider's privacy policy or does not meet the requirements specified in section 22-16-109 (2) or 22-16-110 (1), the local education provider is strongly encouraged to cease using or refuse to use the school service on-demand provider and prohibit employees of the local education provider from using the on-demand provider. The local education provider shall notify the on-demand provider that it is ceasing or refusing to use the on-demand provider pursuant to this paragraph (c), and the on-demand provider may submit a written response to the local education provider. The local education provider shall publish and maintain on its website a list of any school service on-demand providers that it ceases using or refuses to use for the reasons described in this paragraph (c), with any written responses that it receives from the on-demand providers. The local education provider shall notify the department if it ceases using an on-demand provider for the reasons described in this paragraph (c) and provide a copy of any written response the on-demand provider may submit.

(d) Each local education provider that uses on-demand school service providers shall post on its website a notice to on-demand providers that, if the local education provider ceases using or refuses to use an on-demand school service provider pursuant to paragraph (c) of this subsection (3), the local education provider will post on its website the name of the on-demand provider, with any written response that the on-demand provider may submit, and will notify the department, which will post on its website the on-demand provider's name and any written response.

(4) (a) On or before December 31, 2017, each local education provider shall adopt a student information privacy and protection policy that, at a minimum, addresses the issues specified in section 22-16-106 (1). The local education provider shall annually review the policy and revise it as necessary to ensure that it remains current and adequate to protect student personally identifiable information privacy in light of advances in data technology and dissemination.

(b) Notwithstanding the provisions of paragraph (a) of this subsection (4), a local education provider that is a small rural school district shall adopt the student information privacy and protection policy by July 1, 2018.

(c) Each local education provider shall make copies of the student information privacy and protection policy available upon request to the parent of a student enrolled by the local education provider and shall post a current copy of the student information privacy protection policy on the local education provider's website.