School service contract provider - data security - data destruction.

  1. Law
  2. Colorado Revised Statutes
  3. Education
  4. Student Data Transparency and Security
  5. School service contract provider - data security - data destruction.

Checkout our iOS App for a better way to browser and research.

(1) Each school service contract provider shall maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personally identifiable information. The information security program must make use of appropriate administrative, technological, and physical safeguards.

(2) During the term of a contract between a school service contract provider and a public education entity, if the contracting public education entity requests destruction of a student's student personally identifiable information collected, generated, or inferred as a result of the contract, the contracting school service contract provider shall destroy the information as soon as practicable after the date of the request unless:

  1. The school service contract provider obtains the consent of the student or the student's parent to retain the student's student personally identifiable information; or

  2. The student has transferred to another public education entity and the receiving public education entity has requested that the school service contract provider retain the student's student personally identifiable information.

(3) Following the termination or conclusion of a contract between a school service contract provider and a public education entity, the school service contract provider shall, within the time period specified in the contract, destroy all student personally identifiable information collected, generated, or inferred as a result of the contract. If the contract does not specify a period for destruction of student personally identifiable information, the contract provider shall destroy the information when the information is no longer needed for the purpose of the contract between the contract provider and the public education entity. The contract provider shall notify the public education entity of the date upon which all of the student personally identifiable information is destroyed.

Source: L. 2016: Entire article added, (HB 16-1423), ch. 355, p. 1473, § 1, effective August 10.


Download our app to see the most-to-date content.