HB 16-1423 Our responsibilities as a Local Education Provider
Student Data Transparency And Privacy Law HB 16-1423
Our responsibilities as a Local Education Provider (LEP)
(1) Per law, we must now . . .
- Post on our website:
  ○ What student PII we collect and maintain, how it’s used, and how it’s shared
  ○ A link to the state’s data inventory and dictionary
  ○ A list of new or renewing (after 8/10/2016) school service contract providers
  ○ A list of all the contracts with school service contract providers
Who will do this in LPSD
- The Director of Tech, the Public Information Officer, and the Ed Tech and Tech Services teams will work together to:
  ○ Update Schoolwires with central office’s list of student PII we collect, maintain, use, and share
  ○ Link to the state’s data inventory and dictionary on Schoolwires
  ○ List new or renewing (after 8/10/2016) school service contract providers and their contracts on Schoolwires
(2) We must . . .
- Make sure that school service contract providers have a comprehensive information security program that is:
  ○ “...reasonably designed to protect the security, privacy, confidentiality, and integrity” of student PII.
  ○ “The information security program must make use of appropriate administrative, technological, and physical safeguards.”
Who will do this in LPSD
- The Director of Technology and the District’s legal counsel will make sure that school service contract providers have a comprehensive information security program.
  ○ This happens by negotiating contracts with vendors and ensuring they adopt our Data Privacy Addendum.
  ○ Each contract typically takes 1-4 weeks to negotiate as many vendors are not based in Colorado and are unfamiliar with the law.
(3) We must . . .
- To the extent practical, list all on-demand service providers, along with their privacy policies, on our website
- Notify on-demand service providers, if they violate their own privacy policies, that we won’t be continuing to use them. Then, we must . . .
  ○ Give providers a chance to send us a written response
  ○ Keep a list of violators on our website and post their responses with the list, and share this with CDE
Who will do this in LPSD
- The Director of Tech, the Public Information Officer, and Tech Services team will work together to:
  ○ List the on-demand service providers and their privacy policies on the website.
  ○ Handle the management of on-demand service providers who are found in violation of their own privacy policies
(4) We also must . . .
- Have a Student Information Privacy and Protection Policy by December 31, 2017
  ○ Post the policy on our website
  ○ Review and revise the policy as necessary
- Have a policy for hearing complaints from parents regarding our compliance with this law. This policy must:
  ○ Give parents a chance to submit their complaint to the BOE
  ○ Give parents a hearing in front of the BOE
  ○ Require that the BOE take action within 60 days
Who will do this in LPSD
- The Superintendent and Administration Cabinet will partner with the Board of Education to create / update our policies to be compliant with the new law by December 31, 2017.
- The Board of Education will hear parent complaints as per these policies after December 31, 2017.
The Rights of Parents
Our parents may . . .
- Our parents have the right to:
  ○ Inspect and review student PII maintained by us (to the extent practicable)
  ○ Request a copy of the student PII
  ○ Request corrections if student PII is factually inaccurate. This needs to be corrected within a reasonable amount of time and the parent needs to be notified of the correction.
- If we don’t comply with this law, the parent/guardian may submit a complaint to our BOE.
Who will support this in LPSD
- The Superintendent and Administration Cabinet will partner with the district’s legal counsel, the district registrar, and the Tech Services department to create the framework for this process.
- Principals and teachers will need to follow this process closely and inform central office when they are contracting with or using tech tools containing student PII.
The responsibilities of School Service Contract Providers
School service contract providers must . . .
- Provide us with clear information that we can post on our websites, explaining:
  ○ What student PII they collect
  ○ Why they collect it
  ○ How they use and share it
- Use student PII only for what the contract authorizes OR, outside of that, with consent from (18+) student or parents
- Destroy a student’s PII ASAP (if we request it) or once the contract is over
Who will support this in LPSD
- The Director of Technology, the Educational Technology and Tech Services Teams, and the Finance Department will partner to ensure that we get this information in a timely fashion from vendors.
School service contract providers must NOT . . .
- Sell student PII
- Use or share student PII for targeted advertising
- Use student PII to create a student profile (unless that’s the purpose of the contract)
School service contract providers may use student PII . . .
- For adaptive / personalized learning
- For internal research and development
- To provide recommendations, access or information regarding school, education, employment, scholarships, financial aid, or postsecondary ed opportunities
- To respond to a student’s request for info or feedback
- To produce or distribute student class photos or yearbooks
School service contract providers may also use student PII . . .
- To be compliant with the law
- To participate in the judicial process
- To protect the safety of the users themselves or of other users of the school service contract provider
- For a public safety investigation
Who will support this in LPSD
- The Director of Technology will work with the district’s legal counsel to ensure that all vendors sign our Data Protection Addendum (DPA) that ensures that vendors understand what they may and may not do with student Personally Identifiable Information.
If a school service contract provider commits a material breach of contract . . .
- We must:
- Hold a public hearing
- Discuss the nature of the breach
- Give the contract provider a chance to respond
- Hear public testimony
- Decide whether to continue or terminate the contract
- This process must be written in policy by December 31, 2017.
Who will do this in LPSD
- The Board of Education will work with the Superintendent and with Administration Cabinet to determine an appropriate public hearing process according to the policies put in place after December 31, 2017.
The responsibilities of the Colorado Department of Education (CDE)
CDE must . . .
- Specify why, for how long, and with whom student PII is used, and the safeguards in place for PII security
- Develop a detailed Data Security Plan, including regular audits
- Make sure all its contracts are compliant with the law and explain the consequences if there is a breach
CDE must supervise researchers by . . .
- Entering an agreement with researchers before disclosing any PII
- Developing a process to consider and review all requests for student PII by those outside Colorado who want to access student PII the department holds
- Keeping student PII private if the “n” is too small to ensure student anonymity
- CDE may not ask LEPs to provide student PII not required by state or federal law (unless required by a grant)
CDE must give us . . .
- Guidance involving:
  ○ Privacy compliance standards
  ○ Best practices for security and privacy audits
  ○ Security breach planning, notice, and procedures
  ○ Data collection, retention, sharing, and destruction procedures
  ○ Best online education security practices
  ○ Training regarding procedures and student PII security
  ○ Contracting
  ○ Preventing breaches
- A sample Student PII Privacy and Protection Policy by March 1, 2017
Definitions and Terminology
Definitions from 16-1423 (1)
- School Service: A website, online service, online or mobile app
- School services must be:
  ○ designed and marketed primarily for use in K-12,
  ○ used because teachers or other employees of the school direct students to use it,
  ○ collected, maintained, and used by teachers or other employees of the school
- School service on demand provider: An occasional contractor that sometimes provides a school service
Definitions from 16-1423 (2)
- Student Personally Identifiable Information: Info alone or in combo that personally identifies a student or the parent / family.
  ○ To qualify as PII under this law, the info needs to be collected, maintained, generated, or inferred by a public education entity.
  ○ The info may be held either directly by the district OR
  ○ through a school service, school service contract provider, or school service on demand provider.
Definitions from 16-1423 (3)
- Targeted advertising: Serving ads to a student based on their online behavior over time, their use of apps, or their PII.
  ○ It doesn’t include ads that exist on a site that a student has visited, advertising generated from a request for info or feedback, or
  ○ ads that are served that are not based on a student’s online activities over time.
Definition from CDE: Student PII is . . .
Information that is collected, maintained, generated, or inferred and that, alone or in combination, personally identifies an individual student or the student’s parent or family. Student Personally Identifiable Information includes, but is not limited to:
1. a student’s name;
2. the name of a student’s parent or other family member;
3. the address of a student or student’s family;
4. a personal identifier such as a student’s social security number, student number, or biometric record;
5. other indirect identifiers such as a student’s date of birth, place of birth, and mother’s maiden name;
6. a student’s email address, cell phone number or any other information that allows physical or online contact with a student;
7. a student’s discipline or criminal records;
8. a student’s juvenile dependency records;
9. a student’s medical or health records including, without limitation, records regarding a student’s disabilities; a student’s socioeconomic information, political affiliations, or religion;
10. a student’s text messages, IP address, or online search activity;
11. a student’s photos and voice recordings;
12. a student’s food purchases; or geolocation information.
Definition from CDE: Student PII is . . .
Data that is collected and stored by CDE at the individual student level and is included in a student’s educational record and includes:
1. state-administered assessment results, including participation information, courses taken and completed, credits earned and other transcript information;
2. course grades and grade point average;
3. grade level and expected graduation year;
4. degree, diploma credential attainment or other school exit information;
5. attendance and mobility information between and within Colorado school districts;
6. special education data and special education discipline reports limited to object information that is sufficient to produce the federal Title IV annual incident report;
7. date of birth, full name, gender, race, and ethnicity;
8. and program participation information required by state or federal law.