State board of education - duties - rules.

Checkout our iOS App for a better way to browser and research.

(1) The state board shall:

(a) Create, publish, and make publicly available a data inventory and dictionary or index of data elements with definitions of individual student data fields used in the student data system including:

  1. Individual student personally identifiable information that school districts and publicschools are required to report by state and federal education mandates; and

  2. Individual student personally identifiable information that is proposed for inclusionin the student data system with a statement regarding the purpose or reason for the proposed collection and the use of the collected data;

(b) Develop, publish, and make publicly available policies and procedures to comply with the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, and other relevant privacy laws and policies, including but not limited to policies that restrict access to student personally identifiable information in the student data system to:

  1. The authorized staff of the department that require access to perform assigned orcontractual duties, including staff and contractors from the office of information and technology that are assigned to the department;

  2. The department's contractors that require access to perform assigned or contractualduties that comply with the requirements specified in paragraph (g) of this subsection (1);

  3. School district administrators, teachers, and school personnel who require access toperform assigned duties;

  4. Students and their parents; and

  5. The authorized staff of other state agencies, including public institutions of highereducation, as required by law or defined by interagency data-sharing agreements;

  1. Develop user-friendly information for the public related to the department's datasharing agreements that is posted on the department's website as provided in section 22-16-105 (4);

  2. Develop a detailed data security plan that includes:

  1. Guidance for authorizing access to the student data system and to individual studentpersonally identifiable information, including guidance for authenticating authorized access;

  2. Privacy compliance standards;

  3. Privacy and security audits;

  4. Security breach planning, notice, and procedures;

  5. Student personally identifiable information retention and destruction policies, whichmust include specific requirements for identifying when and how the student personally identifiable information will be destroyed;

  6. Guidance for school districts and staff regarding student personally identifiable information use;

  7. Consequences for security breaches; and

  8. Staff training regarding the policies;

  1. Ensure routine and ongoing compliance by the department with the federal "FamilyEducational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this article, including the performance of compliance audits;

  2. Ensure that agreements involving the disclosure of student personally identifiableinformation for research conducted on behalf of the department to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction must:

  1. Specify the purpose, scope, and duration of the study or studies and the informationto be disclosed;

  2. Require the entity, and any subcontractors or employees of the entity, to use studentpersonally identifiable information from education records only to meet the purpose or purposes of the study as stated in the written agreement;

  3. Require the entity, and any subcontractors or employees of the entity, to conduct thestudy in a manner that does not permit access to the student personally identifiable information of parents and students by anyone other than representatives of the entity with legitimate interests;

  4. Require the entity, and any subcontractors or employees of the entity, to destroy allstudent personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and to specify the time period in which the information must be destroyed; and

  5. Require the entity, and any subcontractors or employees of the entity, to complywith the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3) that are imposed on school service contract providers;

  1. Develop requirements that any department contracts that affect databases, assessments, or instructional supports that include student personally identifiable information and are outsourced to vendors include express provisions that safeguard privacy and security, including specifying that student personally identifiable information may be used only for the purpose specified in the contract and must be destroyed when no longer needed for the purpose specified in the contract; specifying the time period in which the information must be destroyed; prohibiting further disclosure of the student personally identifiable information or its use for commercial purposes that are outside the scope of the contract; and specifying penalties for noncompliance, which must include termination of the contract as required in section 22-16-105 (5); and

  2. Promulgate rules as necessary to implement the provisions of this article.

Source: L. 2016: Entire article added, (HB 16-1423), ch. 355, p. 1460, § 1, effective August 10.

Editor's note: This section is similar to former § 22-2-309 (3) as it existed prior to 2016. 22-16-105. Department of education - duties. (1) The department shall assign to each student who is enrolled in a public school a unique student identifier that must neither be nor include the social security number of a student in whole or in sequential part.

(2) (a) The department shall develop a process to consider and review all outside requests for student personally identifiable information, other than aggregate student information already publicly available, by individuals not employed by the state who seek to conduct research using school system data or student personally identifiable information already collected by the department. The department shall implement the process subject to approval by the state board.

(b) (I) Before allowing an individual to receive student personally identifiable information for research purposes, the department must enter into an agreement with the individual that includes the entity that sponsors the individual or with which the individual is affiliated. At a minimum, the agreement must include the items specified in section 22-16-104

(1)(f) and require the individual to comply with the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3) that are imposed on school service contract providers.

  1. The provisions of this paragraph (b) do not apply to an individual who is seekingonly aggregate student information. For each request for aggregate student information, the department shall determine whether the size of the group, cohort, or institution is too small to preserve the anonymity of the individuals included in the data, in which case the student data does not qualify as aggregate data.

  2. Notwithstanding the provisions of subparagraph (I) of this paragraph (b), an individual who conducts research through an institution of higher education may demonstrate to the department compliance with the institution review board practices and requirements, as regulated by federal law, in lieu of the terms specified in section 22-16-104 (1)(f).

(c) The department may enter into a data-sharing agreement with a public institution of higher education to allow the sharing of student personally identifiable information for the purpose of satisfying requirements imposed on the public institution of higher education by the institution's accrediting body. At a minimum, the data-sharing agreement must include the items specified in section 22-16-104 (1)(f) and require the public institution of higher education to comply with the requirements specified in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3) that are imposed on school service contract providers. For purposes of these requirements, the accrediting body is considered a subcontractor of the public institution of higher education.

(3) (a) The department shall not require a local education provider to provide student personally identifiable information that is not required by state or federal law; except that it may require student personally identifiable information not mandated by state or federal law that is associated with a grant proposal, or the department may ask a local education provider to voluntarily submit data or information as a condition of receiving a benefit, such as grant funding or special designations.

(b) Unless required by state or federal law, the department shall not collect:

  1. Juvenile delinquency records;

  2. Criminal records;

  3. Medical and health records;

  4. Student social security numbers;

  5. Student biometric information; and

  6. Information concerning the political affiliations or the beliefs or attitudes of students and their families.

(c) Unless otherwise approved by the state board, the department shall not transfer student personally identifiable information to a federal, state, or local agency or other entity, which agency or entity is outside of the state, except under the following circumstances:

  1. If a student transfers to an education entity in state or out of state or if a school orschool district seeks help in locating a student who transfers out of state;

  2. If a student seeks to enroll in or to attend an out-of-state institution of higher education or training program;

  3. If a student participates in a program or assessment for which a data transfer is acondition of participation;

  4. If a student is classified as "migrant" for federal reporting purposes;

  5. If the department enters into a contract with an out-of-state vendor or researcher thataffects databases, assessments, special education, or instructional support related to an audit or evaluation of federal- or state-supported education programs; for the enforcement of or compliance with federal legal requirements that relate to those programs; or for conducting studies for or on behalf of the department to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction; or

  6. If the disclosure is to comply with a judicial order or lawfully issued subpoena or inconnection with a health or safety emergency.

(d) The department shall not sell, trade, gift, or monetize student personally identifiable information for commercial use or investment interests.

(4) The department shall publish and maintain on its website a list of all of the entities or individuals, including but not limited to vendors, individual researchers, research organizations, institutions of higher education, and government agencies, that the department contracts with or has agreements with and that hold student personally identifiable information and a copy of each contract or agreement. The list must include:

  1. The name of the entity or individual. In naming an individual, the list must includethe entity that sponsors the individual or with which the individual is affiliated, if any. If the individual is conducting research at an institution of higher education, the list may include the name of the institution of higher education and a contact person in the department that is associated with the research in lieu of the name of the researcher.

  2. The purpose and scope of the contract or agreement;

  3. The duration of the contract or agreement;

  4. The types of student personally identifiable information that the entity or individualholds under the contract or agreement;

  5. The use of the student personally identifiable information under the contract; and

  6. The length of time for which the entity or individual may hold the student personallyidentifiable information.

(5) (a) The department shall ensure that the terms of each contract that the department enters into or renews with a school service contract provider on and after August 10, 2016, at a minimum, require the contract provider to comply with the requirements in sections 22-16-108 to 22-16-110. If the contract provider commits a material breach of the contract that involves the misuse or unauthorized release of student personally identifiable information, the department shall determine whether to terminate the contract in accordance with a policy adopted by the state board. At a minimum, the policy must require the state board, within a reasonable time after the department identifies the existence of a material breach, to hold a public hearing that includes discussion of the nature of the material breach, an opportunity for the contract provider to respond concerning the material breach, public testimony, and a decision as to whether to direct the department to terminate or continue the contract.

  1. The department shall ensure that the terms of each contract or other agreement thatthe department enters into or renews on and after August 10, 2016, which contract or agreement includes access to or use of student personally identifiable information by an individual or entity other than a contract provider, at a minimum, require the individual or entity to comply with the requirements in sections 22-16-109 (1), (2), and (3)(b) and 22-16-110 (1) and (3). If the individual or entity commits a material breach of the contract or agreement that involves the misuse or unauthorized release of student personally identifiable information, the department shall determine whether to terminate the contract or agreement in accordance with the state board policy described in paragraph (a) of this subsection (5).

  2. Notwithstanding any provision of law to the contrary, on and after August 10, 2016,the department shall not enter into or renew:

  1. A contract with a school service contract provider that refuses to accept the termsspecified in paragraph (a) of this subsection (5) or that has substantially failed to comply with one or more of the requirements in sections 22-16-108 to 22-16-110; or

  2. A contract or other agreement, which includes access to or use of student personallyidentifiable information, with an individual or entity other than a contract provider, that refuses to accept the terms specified in paragraph (b) of this subsection (5) or that has substantially failed to comply with one or more of the requirements in section 22-16-109 (1), (2), or (3)(b) or 22-16-110 (1) or (3).

Source: L. 2016: Entire article added, (HB 16-1423), ch. 355, p. 1463, § 1, effective August 10.

Editor's note: This section is similar to former § 22-2-309 (4), (5), and (6) as it existed prior to 2016.


Download our app to see the most-to-date content.