NOTE: The governor signed this measure on 6/6/2014. HOUSE BILL 14-1294 BY REPRESENTATIVE(S) Murray, Court, Exum, Hamner, Mitsch Bush, Pettersen, Schafer, Tyler, Williams, Young, Conti, Labuda, Rosenthal, Saine; also SENATOR(S) Steadman and Jahn, Crowder, Guzman, Heath, Herpin, Hill, Kefalas, Kerr, King, Lambert, Lundberg, Marble, Newell, Nicholson, Rivera, Schwartz, Todd, Zenzinger, Carroll. Concerning student data collection privacy protections administered by the department of education. Be it enacted by the General Assembly of the State of Colorado: SECTION 1. Legislative declaration. (1) The general assembly hereby finds and declares that the privacy of Colorado citizens is of the utmost importance, and protecting their privacy is a top priority for the lawmakers of this state. The notion of privacy has vastly changed with technological advancement, developments such as "the cloud", and the exponential growth of social media popularity. Although this has changed the public perception of privacy, it remains imperative that personal information stay confidential unless otherwise chosen on an individual basis. The privacy of our children is critically important, especially in regard to their K-12 educational experience and the student data collected during this time. Schools are a safe environment, and an important component of maintaining security is ensuring student privacy and protecting student data. Despite the importance of protecting the privacy of our children, Colorado law is not currently clear on how student data is to be handled. As such, transparency in data collection and security is crucial. It is critical that parents have the opportunity to understand how student data is collected, where the data is stored, and how and why the data is utilized. (2) For this reason, the general assembly finds that it is the duty of the Colorado department of education to publish an index of utilized data elements as well as privacy policies regarding accessibility to the data and notices of student and parent rights. (3) Furthermore, the general assembly finds that the department of education must have a detailed data security plan regarding the protection and confidentiality of all Colorado student data, whether the data is stored inside or outside the state, and must create a data security template for school districts to use to create their own data security plans. SECTION 2. In Colorado Revised Statutes, add 22-2-309 as follows: 22-2-309. Student data - accessibility - transparency - accountability - definitions. (1) This section shall be known and may be cited as the "Student Data Protection, Accessibility, Transparency, and Accountability Act of 2014". (2) As used in this section, unless the context otherwise requires: (a) "Aggregate data" means data collected and reported at the group, cohort, or institutional level. (b) "Data system" means the Colorado state department of education student data system. (c) "Personally identifiable data" means a dataset that is linked to a specific student or the student's parent or legal guardian and that would allow a reasonable person in the school community, who does not have knowledge of the relevant circumstances, to identify the student, parent, or legal guardian with reasonable certainty. (d) "State-assigned statewide student identifier" means the unique student identifier assigned by the department to each student that must neither be nor include the social security number of a student in whole or in sequential part. (e) (I) "Student data" means data that is collected and stored by the department at the individual student level and included in a student's educational record. (II) "Student data" includes: (A) State-administered assessment results, including participation information; (B) Courses taken and completed, credits earned, and other transcript information; (C) Course grades and grade point average; (D) Grade level and expected graduation year; (E) Degree, diploma, credential attainment, or other school exit information; (F) Attendance and mobility information between and within Colorado school districts; (G) Special education data and special education discipline reports limited to objective information that is sufficient to produce the federal Title IV Annual Incident Report; (H) Date of birth, full name, gender, race, and ethnicity; and (I) Program participation information required by state or federal law. (3) The state board shall: (a) Create, publish, and make publicly available a data inventory and dictionary or index of data elements with definitions of individual student data fields currently used in the student data system including: (I) Individual student data that school districts and schools are required to report by state and federal education mandates; and (II) Individual student data that is proposed for inclusion in the student data system with a statement regarding the purpose or reason for the proposed collection; (b) Develop, publish, and make publicly available policies and procedures to comply with the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, and other relevant privacy laws and policies, including but not limited to policies that restrict access to personally identifiable data in the student data system to: (I) The authorized staff of the department that require access to perform assigned or contractual duties, including staff and contractors from the office of information and technology that are assigned to the department; (II) The department's contractors that require access to perform assigned or contractual duties that comply with the requirements specified by paragraph (g) of this subsection (3); (III) School district administrators, teachers, and school personnel who require access to perform assigned duties; (IV) Students and their parents; and (V) The authorized staff of other state agencies, including public institutions of higher education, as required by law or defined by interagency data-sharing agreements; (c) Develop user-friendly information for the public related to the department's data-sharing agreements; (d) Develop a detailed data security plan that includes: (I) Guidelines for authorizing access to the student data system and to individual student data, including guidelines for authenticating authorized access; (II) Privacy compliance standards; (III) Privacy and security audits; (IV) Security breach planning, notice, and procedures; (V) Data retention and disposition policies which must include specific criteria for identifying when and how the data will be destroyed; (VI) Guidance for school districts and staff regarding data use; (VII) Consequences for security breaches; and (VIII) Staff training regarding the policies; (e) Ensure routine and ongoing compliance by the department with the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, other relevant privacy laws and policies, and the privacy and security policies and procedures developed under the authority of this section, including the performance of compliance audits; (f) Ensure that agreements involving the disclosure of student data for research conducted on behalf of the department to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction must: (I) Specify the purpose, scope, and duration of the study or studies and the information to be disclosed; (II) Require the organization to use personally identifiable information from education records only to meet the purpose or purposes of the study as stated in the written agreement; (III) Require the organization to conduct the study in a manner that does not permit access to the personally identifiable data of parents and students by anyone other than representatives of the organization with legitimate interests; and (IV) Require the organization to destroy all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and to specify the time period in which the information must be destroyed; (g) Develop requirements that any department contracts that affect databases, assessments, or instructional supports that include student or personally identifiable data and are outsourced to private vendors include express provisions that safeguard privacy and security, including specifying that personally identifiable data may only be used for the purpose specified in the contract and prohibiting further disclosure of that data or its use for commercial purposes, and include penalties for noncompliance; and (h) Adopt rules to implement the provisions of this section. (4) The department shall develop a process to consider and review all outside requests for state data, other than aggregate student information already publicly available, by individuals not employed by the state who wish to conduct research using student or school system data already collected by the department. (5) (a) The department shall not require a school district to provide any data that is not required by state or federal law; except that it may require data not mandated by state or federal law that is associated with a grant proposal or a district local education agency may be asked to voluntarily submit data in order to receive a benefit, such as grant funding or special designations. (b) Unless required by state or federal law, the department shall not collect: (I) Juvenile delinquency records; (II) Criminal records; (III) Medical and health records; (IV) Student social security numbers; and (V) Student biometric information. (c) Unless otherwise approved by the state board, the department shall not transfer student or personally identifiable data to a federal, state, or local agency or other entity outside of the state, except under the following circumstances: (I) If a student transfers to an education entity in state or out of state or if a school or school district seeks help in locating a student who transfers out of state; (II) If a student seeks to enroll in or to attend an out-of-state institution of higher education or training program; (III) If a student participates in a program or assessment for which such a data transfer is a condition of participation; (IV) If a student is classified as "migrant" for federal reporting purposes; (V) If the department enters into a contract with an out-of-state vendor that affects databases, assessments, special education, or instructional support related to an audit or evaluation of federal- or state-supported education programs, for the enforcement of or compliance with federal legal requirements that relate to those programs, or for conducting studies for or on behalf of the department to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction; or (VI) If the disclosure is to comply with a judicial order or lawfully issued subpoena or in connection with a health or safety emergency. (d) The department shall not sell, trade, gift, or monetize student data for commercial use or investment interests. (6) The department shall publish a list of vendors that the department contracts with that hold student data. (7) The department shall develop data security guidance that may be used by local education agencies. The department's data security guidance must include: (a) Guidance for authorizing access to the student data system and to individual student data, including guidance for authenticating authorized access; (b) Privacy compliance standards; (c) Privacy and security audits; (d) Security breach planning, notice, and procedures; (e) Data retention and disposition procedures; (f) Data collection and sharing procedures; (g) Recommendations that any contracts that affect databases, assessments, or instructional supports that include student or personally identifiable data and are outsourced to private vendors include express provisions that safeguard privacy and security and include penalties for noncompliance; (h) Best security practices for privacy when using on-line education services, including web sites and applications; (i) Guidance for contracts involving the outsourcing of educational services; (j) Guidance for contracts involving on-line education services; and (k) Guidance for publishing a list of vendors that local education agencies contracts with that hold student data. (l) Consequences for security breaches; and (m) Staff training regarding the procedures. SECTION 3. Act subject to petition - effective date. This act takes effect at 12:01 a.m. on the day following the expiration of the ninety-day period after final adjournment of the general assembly (August 6, 2014, if adjournment sine die is on May 7, 2014); except that, if a referendum petition is filed pursuant to section 1 (3) of article V of the state constitution against this act or an item, section, or part of this act within such period, then the act, item, section, or part will not take effect unless approved by the people at the general election to be held in November 2014 and, in such case, will take effect on the date of the official declaration of the vote thereon by the governor. ________________________________________________________ Mark Ferrandino Morgan Carroll SPEAKER OF THE HOUSE PRESIDENT OF OF REPRESENTATIVES THE SENATE ____________________________ ____________________________ Marilyn Eddins Cindi L. Markwell CHIEF CLERK OF THE HOUSE SECRETARY OF OF REPRESENTATIVES THE SENATE APPROVED________________________________________ _________________________________________ John W. Hickenlooper GOVERNOR OF THE STATE OF COLORADO