Colorado's Data Privacy Law
September 29, 2017


Overview
- Colorado's Student Data Transparency and Security Act (C.R.S. 22-16-101 et seq.) was signed into law in June 2016.
- It adds to existing laws pertaining to the collection, management, storage, and sharing of Student Personally Identifiable Information (PII).
- The purpose of the law is to increase the transparency and security of all Student PII that CDE and Local Education Providers (LEPs) collect and maintain.
- The law places new restraints on service providers and imposes obligations for contracts with these providers.
- The law is relatively new and there are still questions about what it means and how to comply.
- The following is not to be construed as legal advice or a formal legal opinion. You should consult with your legal staff before making any decisions based on this or any other legal matter.
(slide 2, 10/6/2017)

Key Definitions: Student PII
"Student Personally Identifiable Information (PII)" means information that, alone or in combination, personally identifies an individual student or the student's parent or family, and that is collected, maintained, generated, or inferred by a Public Education Entity, either directly or through a School Service, or by a School Service Contract Provider or School Service On-Demand Provider.
- This definition is broader than FERPA's definition.
- "Alone or in combination" means that not only name, SASID, etc. are PII, but any information that is specific enough to identify an individual student.
- For example, both of these are PII:
  - "Jill Stacey" is directly identifiable.
  - "A white female who is CDE's data privacy analyst" is indirectly identifiable.
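The "alone or in combination" point is the one a practitioner most often gets wrong: a release that strips names can still single out a student once a few ordinary attributes are combined, exactly as the staff example on the slide does with race, sex and job title. The following is an added example, not part of CDE's presentation, that checks a proposed data release for that problem. It runs over a small constructed roster (hypothetical records, not real student data) and reports the smallest equivalence class for a chosen attribute set (k-anonymity), which records a combination singles out, and which minimal attribute combinations are identifying at all.

```python
from collections import Counter
from itertools import combinations

# Constructed sample roster (hypothetical records, not CDE or district data).
# "name" is kept only so the report can say whom a combination resolves to;
# it is never part of the attribute sets being checked.
ROSTER = [
    {"name": "Student A", "grade": "9",  "sex": "F", "race": "White",    "zip": "80203"},
    {"name": "Student B", "grade": "9",  "sex": "F", "race": "White",    "zip": "80203"},
    {"name": "Student C", "grade": "9",  "sex": "M", "race": "White",    "zip": "80203"},
    {"name": "Student D", "grade": "9",  "sex": "M", "race": "Hispanic", "zip": "80210"},
    {"name": "Student E", "grade": "10", "sex": "F", "race": "Hispanic", "zip": "80210"},
    {"name": "Student F", "grade": "10", "sex": "F", "race": "Black",    "zip": "80203"},
    {"name": "Student G", "grade": "10", "sex": "M", "race": "Black",    "zip": "80210"},
    {"name": "Student H", "grade": "10", "sex": "M", "race": "White",    "zip": "80210"},
]


def equivalence_classes(records, attrs):
    """Group records by their values on the chosen attributes.

    Returns {value_tuple: count}. A class of size 1 means that combination
    of attributes, with no name at all, points at exactly one individual.
    """
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Size of the smallest equivalence class for this attribute set.

    k == 1 means at least one person is uniquely identifiable by these
    attributes alone; a release is usually only considered safe at k >= some
    threshold chosen by policy (this example does not pick one).
    """
    classes = equivalence_classes(records, attrs)
    return min(classes.values()) if classes else 0


def uniquely_identified(records, attrs):
    """Return the records that the attribute set singles out (class size 1)."""
    classes = equivalence_classes(records, attrs)
    return [r for r in records if classes[tuple(r[a] for a in attrs)] == 1]


def minimal_identifying_sets(records, candidate_attrs):
    """Enumerate attribute subsets, smallest first, that identify at least one
    record uniquely, keeping only minimal ones (none of whose proper subsets
    already identify someone). Exponential in the number of attributes, which
    is fine for the handful of columns on a typical directory release.
    """
    found = []
    for n in range(1, len(candidate_attrs) + 1):
        for subset in combinations(candidate_attrs, n):
            # Skip supersets of a combination we already know is identifying.
            if any(set(f) <= set(subset) for f in found):
                continue
            if k_anonymity(records, subset) == 1:
                found.append(subset)
    return found


if __name__ == "__main__":
    attrs = ("grade", "sex", "race", "zip")
    for a in attrs:
        print(f"{a:>5}: k = {k_anonymity(ROSTER, (a,))}")
    for subset in minimal_identifying_sets(ROSTER, attrs):
        names = [r["name"] for r in uniquely_identified(ROSTER, subset)]
        print(f"{'+'.join(subset)} singles out {names}")
```

In this roster no single attribute identifies anyone (every value is shared by at least two students), yet five of the six attribute pairs do; "sex + zip" alone singles out two students. That is the practical meaning of "in combination": the check has to be run on the attribute set as a whole, against the actual population the data describes, not column by column.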

Key Definitions: School Service
"School Service" means an internet website, online service, online application, or mobile application that:
- is designed and marketed primarily for use in a preschool, elementary school, or secondary school;
- is used at the direction of teachers or other employees of a LEP; and
- collects, maintains, or uses Student PII.
"School Service" does not include an internet website, online service, online application, or mobile application that is designed and marketed for use by individuals or entities generally, even if it is also marketed to a United States preschool, elementary school, or secondary school.
- This definition does not include all your vendors.
- This law does not apply to any vendors who are not providing a School Service.
- However, treating all vendors with access to PII the same is a best practice.

Key Definitions: School Service Providers
- "School Service On-Demand Provider" or "On-Demand Provider" means an entity, other than a Public Education Entity, that provides a School Service on occasion to a Public Education Entity, subject to agreement by the Public Education Entity, or an employee of the Public Education Entity, to standard, non-negotiable terms and conditions of service established by the providing entity.
- "School Service Contract Provider" or "Contract Provider" means an entity, other than a Public Education Entity or an Institution of Higher Education, that enters into a formal, negotiated contract with a Public Education Entity to provide a School Service.

Service Providers Decision Tree
(Decision-tree graphic; see CDE's full Fact Sheet.)

Timelines for Required Tasks
- August 10, 2016: LEPs must update any contracts with Contract Providers entered into or renewed after this date.
- December 31, 2017: Each LEP shall adopt a Student Information Privacy and Protection Policy.
- July 1, 2018: Each LEP that is a Small Rural School District* shall adopt a Student Information Privacy and Protection Policy.
- The additional time for small rurals applies only to the privacy policy.
- All other tasks in the law have no specific due date, but you should be working towards compliance.
* A Small Rural School District is defined as a school district that the Department identifies as rural, based on the geographic size of the school district and the distance of the school district from the nearest large, urbanized area, and that enrolls fewer than one thousand students in kindergarten through twelfth grade.

Contracts with School Service Contract Providers
Contracts with School Service Contract Providers entered into or renewed after August 10, 2016 must include the law's requirements. Contract Providers must:
- Post on their website information explaining the PII they collect and how that data is used and shared, and also provide this information to the LEP.
- Provide notice before making material changes to their privacy policy.
- Provide access to, and correction of, any factually inaccurate information.
- Notify the LEP of any material breach of the contract by them or by their subcontractors that results in the misuse of or unauthorized access to PII.
- Maintain a comprehensive information security program.
- Destroy PII upon request or upon the termination of the contract, according to the timelines established by the contract, or when PII is no longer needed.
CDE has a sample LEP contract template.

Providers' Obligations (cont.)
Contract Providers cannot:
- Sell PII.
- Use PII for the purposes of targeted advertising.
- Use PII to create a personal profile of the student outside of the requirements of the contract.
A Contract Provider can only share PII with a subcontractor if it contractually obligates the subcontractor to comply with the requirements of this law.
A Provider can only collect, use, or share PII for the purposes stated in the contract.

Breaches by School Service Contract Providers
- If a Contract Provider commits a material breach of the contract that involves the misuse or unauthorized release of PII, the LEP shall determine whether to terminate the contract.
- This decision will be made in accordance with a policy adopted by the governing body of the LEP.
- At a minimum, the policy must require the LEP's governing body to hold a public hearing (within a reasonable amount of time) that includes discussion of:
  - the nature of the material breach;
  - the Contract Provider's response to the breach;
  - public testimony; and
  - a decision as to whether to direct the LEP to terminate or continue the contract.
CASB has a sample Contract Provider breach policy.

Transparency in Data Collection
- Post on your website clear information explaining the PII you collect and maintain and how you use and share PII.
  - LEPs do not need to include in their list the PII sent to CDE, but must post a link to CDE's data dictionary.
- Post a list of the School Service Contract Providers used and a copy of each contract.
  - Vendors that CDE contracts with on behalf of LEPs (Pearson, Amplify, etc.) are covered by CDE's contract terms, and LEPs can link to our contracts.
- Post a list of the On-Demand Providers used and update it at the start and middle of each school year.
  - You will need to assist a parent in obtaining the data privacy policy of an On-Demand Provider upon request.
  - Some districts link to the privacy policy in their list of On-Demand Providers.

Non-Compliance by On-Demand Providers
- A parent can provide you with evidence that an On-Demand Provider is not complying with its privacy policy or the law. Specifically, On-Demand Providers cannot:
  - Sell PII.
  - Use or share PII for targeted advertising to students.
  - Use Student PII to create a personal profile of the student (other than for the purposes of the contract).
- The On-Demand Provider must maintain a comprehensive information security program.
- If the provider is not complying, the LEP is strongly encouraged to cease using the On-Demand Provider.
- You must notify the On-Demand Provider that you are ceasing to use them, and they can submit a written response.
- You will need to post a list of these On-Demand Providers and their written responses.
- You must send this information to CDE, and we will also post it.
- You must also post a notice on your website to On-Demand Providers explaining this process.
See CDE's On-Demand Provider Transparency page.

Privacy and Protection Policy
- LEPs shall adopt a Student Information Privacy and Protection Policy.
- A LEP that is a Small Rural School District* has additional time to comply with this specific obligation.
- Each LEP shall provide copies of the Student Information Privacy and Protection Policy to parents and shall post the policy on its website.
- CASB has a sample Board-level privacy policy, and CDE has sample procedures documents that can assist with implementation.
- The student data privacy policy must cover the following topics:
  - Creating and maintaining a student data index
  - Retaining and destroying Student PII
  - Proper use of PII
  - Data breach prevention and response
  - Contracting with School Service Contract Providers and using On-Demand Provider services
  - Disclosing Student PII to third parties
  - Notifying parents regarding the collection of, retention of, and access to Student PII
  - Providing training in information security and privacy to employees
* A Small Rural School District is defined as a school district that the Department identifies as rural, based on the geographic size of the school district and the distance of the school district from the nearest large, urbanized area, and that enrolls fewer than one thousand students in kindergarten through twelfth grade.

CDE's Privacy and Security Implementation Policies
CDE's sample policies are not required, and LEPs do not need to implement all, or even any, of them.

Parent Rights and Complaints
The parent of a student enrolled by a LEP has the right:
- To inspect and review his or her child's PII.
- To request a paper or electronic copy of his or her child's PII.
- To request corrections to factually inaccurate PII.
The governing board of the LEP must have a policy for receiving complaints from parents regarding the LEP's compliance with the law.
- The governing body must hold a hearing to discuss the complaint.
- Action must be taken within sixty days after the hearing.
CASB has a sample Board parent complaint policy.

Questions?
Guidance and support from CDE personnel:
- Marcia Bohannon - bohannon_m@cde.state.co.us
- Jill Stacey - stacey_j@cde.state.co.us
- Corey Kispert - kispert_c@cde.state.co.us