Questions and Answers

Purpose

In order to maximize our transparency with parents and the public, we are setting up a web page dedicated to providing answers to common data privacy or security questions raised by parents, educators and the public.  This page will be periodically updated with new questions we receive and the appropriate answers.

Questions from December 16, 2016 Public Meeting

ESSA and Data Privacy

Q: How do we know that CDE is complying with FERPA? Is CDE’s standard of compliance self-reporting?

A: Yes, we rely on self-reporting since there are no external audits being conducted. CDE seeks to be transparent about how we implement the law and will continue to provide information regarding how we comply with FERPA and all relevant laws.

Q: Are any states doing independent audits of vendors and contracts?

A: We are not aware of any audits that are being conducted by state departments of education. 

Q: How do the privacy and reporting requirements for staff or principal data conflict with CORA?

A: Any CORA request must also comply with any other laws relating to the protection of data, including FERPA and others.  There are few laws related to the privacy or reporting requirements for staff or educator data but CDE works to comply with all of them.  While laws like FERPA and the Colorado Student Data Transparency and Security Act do not apply to educator data, CDE policy states that we shall protect educator data as well as student data.

Q: What is CDE’s timeline for training districts, teachers, etc.?

A: We are currently working with districts, other stakeholders, and internal staff to determine our training plan and timeline.  We recognize the need to provide districts and their staff with training and we will seek to do so as soon as resources permit.

Q: If the state applies for the grant described in Title II of ESSA, how will funds be awarded to districts?

A: Title II, Part A funds are distributed to eligible local education agencies on a formula basis as prescribed by federal law.  The U.S. Department of Education has not yet released application information for any of the grant programs in Title II, Part B as the United States Congress has not yet appropriated funds to any of these programs.  CDE will consult with the ESSA Committee of Practitioners regarding any possible applications for competitive grant programs under Title II, Part B.

Q: Is the guidance provided to districts around selecting software and tools “encouragement” or is there a compliance element?

A: LEPs are required to comply with all laws and we want to provide them with guidance that can assist with that.  CDE has already provided via our website guidance related to the use of online educational tools.  Because Colorado is a local-control state, LEPs will determine how to comply with any legal requirements. 

Q: Who is doing monitoring and enforcement related to vendors, privacy and security?

A: Ultimately, the LEPs decide which vendors they use and what is included in their evaluation processes. Every district is different. Some have a formal vetting system. Others are leaving it up to teachers. CDE is working on how we can provide assistance to LEAs in this process. There are no penalties in the Colorado Student Data Transparency and Security Act if districts do not comply, so for right now, we are trying to work collaboratively with districts.

Q: Is there a federal privacy and security group?

A: The Privacy Technical Assistance Center run by the US Department of Education provides a number of resources, including guidance on FERPA, guidance on how to use online tools and vendors, and so forth. 

Q: Does CDE work with CASB and CASE on developing guidance and other items?

A: We work with CASB and CASE and other education groups on a case-by-case basis. We are currently working with CASB regarding providing sample privacy and security policies to the LEPs. We also work with the Colorado Association of Leaders in Educational Technology (CALET) group under CASE.

Q: Will there continue to be opportunities to opt out of the provisions of ESSA?

A: Yes, school districts will continue to be able to decline funds under the various ESSA programs.  In general, if a school district declines ESSA funds from a particular program, it is no longer obligated to meet the requirements of that program.

Q: Is there going to be any push from CDE on more data privacy legislation?

A: We have been told that the legislature would entertain clarifications or technical fixes to our data privacy laws in future years. However, since the implementation of the Colorado Student Data Transparency and Security Act has just begun, there are no current plans to change current laws or add any new data privacy legislation.

Q: Who provides services related to Individual Academic and Career Plans (ICAPs), and what about Naviance?

A: CDE does not have a contract with Naviance, or with other career planning vendors.  LEPs contract directly with those vendors for those services.  As such, CDE cannot speak with certainty about the different ways LEPs may be using these vendors. 

Q: Can parents see the different agreements with Naviance?

A: Under the Colorado Student Data Transparency and Security Act, LEPs and CDE are required to post contracts with vendors online.  CDE is required to post all contracts and LEPs are required to post all contracts with School Service Contract Providers.  CDE currently posts our contracts here, but as mentioned above, we do not contract with Naviance.  We recommend contacting your district regarding contracts and other transparency efforts.

Q: Do the districts pick assessment vendors who evaluate beliefs or religious preferences? 

A: The assessment vendors that CDE has engaged do not conduct any evaluations of beliefs or religious preferences. We are prohibited by the Colorado Student Data Transparency and Security Act from collecting that data and we have no interest in evaluating any student’s or their family’s beliefs.  We cannot speak to the choices made by individual districts. 

Q: What about assessment vendors that CDE selects or recommends for districts? 

A: CDE has evaluated a number of vendors who provide assessments to the LEPs. It is important to understand that unless CDE has entered into a contract with an assessment vendor, the vendors were only evaluated on the merits of their assessment methodologies and not based on their privacy or security controls. If there is no contract between CDE and the vendor, we recommend that districts review the vendors that CDE recommends in the same way that they would vet any other vendor.

 

Questions from May 24, 2016 Public Meeting

Student Data Transparency and Security Act, Section 22-16-101 et seq., C.R.S. (formerly known as HB 16-1423)

Q: What does the new Student Data Transparency and Security Act mean for districts?

A: Here are some of the requirements for Local Education Providers (LEPs) under the new law:

  • LEPs have to update their website to include transparency information.
  • LEPs will need to implement new contract language and new processes for School Service Contract Providers.
  • LEPs will need to create new processes for the management of On-Demand Providers.
  • LEPs will need to implement a Student Information Privacy and Protection Policy.
  • LEPs will need to create new processes for handling parent complaints.

Q: How will districts know what they are required to do in order to comply with the Student Data Transparency and Security Act?

A: CDE will provide resources and guidance as well as training as Local Education Providers (LEPs) implement the requirements of the new law.

Q: What is the timeline for data privacy training?

A: This bill is complex and CDE is working to determine what resources need to be provided and how best to provide them. First efforts are focused on addressing the new contract requirements and privacy training requirements. CDE is looking at developing a full training program through the next school year but will roll out resources and other materials as they become available. A more detailed timeline will be presented to the Colorado State Board of Education at its August board meeting.

Q: Who is required to post data elements on their website(s) per the requirements of the Student Data Transparency and Security Act?

A: CDE, Local Education Providers (or LEPs) and the School Service Contract Providers are all required to post the data that they collect on their website.

Q: When will CDE update current contracts with the new language required by the law? 

A:  Contracts will be updated once they expire and come up for renewal.

Vendors and Researchers using Personally Identifiable Information (PII)

Q: Does CDE audit vendors? Is CDE doing an audit of the researchers and verifying whether the data is being destroyed at the end of the research?

A: The department’s contracts allow CDE to audit vendors. The research contracts include a requirement for the researcher to destroy the data when the research is concluded, and CDE follows up with the researchers to confirm destruction.

Q: How does the Student Data Transparency and Security Act impact the online education bill HB 16-1222, also known as Supplemental Online Education & Blended Learning Resources?

A: The Supplemental Online Education & Blended Learning Resources bill creates a process for implementing optional online education programs. Should LEPs decide to implement online education tools, those processes will be required to comply with the Student Data Transparency and Security Act, Section 22-16-101 et seq., C.R.S.

Q: What is the definition of researcher?

A: Researcher is not a term defined in the law.  A person that wants to do research with data can request data from CDE provided that they are performing research on the behalf of the department or districts.  CDE examines each researcher through the research process outlined here.

Q: What are the consequences of vendor non-compliance – federal vs. state?

A: There are no consequences of vendor non-compliance under Federal law.  Under state law, the LEPs are strongly encouraged to terminate the vendor and CDE is required to terminate the contract based on the decision of the State Board of Education.

Q: What is the research process? What criteria are being used to determine validity of research?

A: CDE relies on the vetting of other groups, most specifically the sponsoring Institutional Review Board (IRB) who determines the validity of the research from their perspective.  CDE looks at the research from an internal perspective to ensure that it meets CDE’s requirements and fits in with the strategic goals.

Q: When does the requirement to destroy data apply?

A: The Student Data Transparency and Security Act states that data must be destroyed upon the termination or end of the contract or when the information is no longer needed for the purposes of the contract.  CDE’s research agreements require researchers to destroy all data at the end of the contract. 

Q: Who is the governing board (per Section 22-16-101 et seq., C.R.S.)?

A: For the duties for CDE, the governing board is the Colorado State Board of Education.  For the duties imposed on the LEPs, it is the local district board of education for that LEP.

Q: When will the contract language be updated?  Will we revisit existing language, and when?

A: CDE will review the contracts when they expire and they will be updated with the required language from the law.  Contract templates are currently being updated to address the requirements of the law.   A more detailed timeline will be presented to the state board at its August board meeting.

Q: Will CDE be reaching out to districts for their feedback on training?

A: Yes.

Other Questions

Q: Does CDE’s contract language address the collection of metadata by vendors and the analysis of that metadata using algorithms? Does the new Student Data Transparency and Security Act (Section 22-16-101 et seq., C.R.S.) have any requirements regarding this practice?

A: The current contract language prohibits a vendor from:  “Using Covered Information, including persistent unique identifiers, created or gathered by the Contractor’s web site, service or application, to amass a profile about a public school student, except in furtherance of a public school purpose as determined by the State.” 

CDE is currently reviewing the law and determining how exactly the standard contract language used will change to comply with the Student Data Transparency and Security Act. Primarily, the Student Data Transparency and Security Act will prohibit a School Service Contract Provider from using PII to “create a personal profile of a student other than for supporting purposes authorized by the contracting public education entity or with the consent of the student or the student’s parent”. Personal profiles are most likely created by a computer program, which includes an algorithm.

In addition, CDE does not limit its privacy protections to the express requirements of the law.  The law is viewed as a floor and contract language CDE uses already imposes stricter privacy protections and will continue to do so as new or renewed contracts are amended after the effective date of the bill. 

Regarding the transparency requirements for School Service Contract Providers, the Student Data Transparency and Security Act states that “each School Service Contract Provider shall provide clear information that is understandable by a layperson explaining the data elements of Student Personally Identifiable Information (PII) that the School Service Contract Provider collects, the learning purpose for which the School Service Contract Provider collects the Student PII, and how the School Service Contract Provider uses and shares the Student PII. The information must include all Student PII that the School Service Contract Provider collects regardless of whether it is initially collected or ultimately held individually or in the aggregate. The School Service Contract Provider shall provide the information to each Public Education Entity that it contracts with in a format that is easily accessible through a website, and the Public Education Entity shall post the information on its website. The School Service Contract Provider shall update the information as necessary to maintain accuracy.”

In addition, the Student Data Transparency and Security Act states that, “a School Service Contract Provider may collect, use, and share Student PII only for the purposes authorized in the contract between the School Service Contract Provider and a Public Education Entity or with the consent of the student who is the subject of the information or the student's parent.”

Q: Does CDE currently follow breach notification guidance from the Privacy Technical Assistance Center (PTAC) or Family Educational Rights and Privacy Act (FERPA) which was a part of a training session provided to districts at the end of May? 

A: CDE reviews and considers guidance from a variety of sources, including PTAC. Policies and procedures are developed to best protect student PII, regardless of the source.  CDE complies with the requirements of FERPA but there is no notification requirement in FERPA. 

Q: Are districts required to comply with the guidance from the Privacy Technical Assistance Center (PTAC)?

A: Districts are encouraged to comply with best practices with regard to breach response and notification, but there is no requirement from law or from CDE to comply with the PTAC guidance.

Q: What is CDE's current definition of a breach?

A: CDE uses two terms for a possible loss of information.  The definitions are below.

An incident:

  • A security incident is an adverse event that may affect the confidentiality, integrity or availability of information, or an event that is a violation of security or privacy policies.

A breach:

  • A data breach is an incident where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an unauthorized party, or released to an untrusted environment.

Q: Does the new Student Data Transparency and Security Act outline the process for reporting vendors who have experienced a breach in contract that resulted in the misuse or unauthorized release of Student Personally Identifiable Information (PII)?  What are the consequences if a governing board did not or could not address the issue?

A: The law does not address next steps after the matter is taken to the governing board.

Q: Is there an intersection between HB 16-1222 regarding online learning programs and the new Student Data Transparency and Security Act?  Does CDE propose to keep online education and screen time a choice for Colorado parents or students?

A: HB 16-1222 states that, “each School District, Charter School, and BOCES may determine the extent to which it participates in the statewide plan.”  In addition, while CDE does have some involvement in the administration of this program, most of the work will be undertaken by the administering school district, charter school or BOCES and it will be up to each school or district to implement this program as it sees fit.  CDE recommends parents work with their local district to address any questions regarding online learning.

Q: Who is the governing board responsible for receiving parent complaints outlined in the new Student Data Transparency and Security Act?

A: Per the obligations of the new law, if a school or district does not comply with the requirements of the law, the parent can file a complaint with the governing board of the local education provider.  Neither CDE nor the State Board of Education will be the party responsible for receiving and addressing these complaints.

Q: Does CDE participate in a digital badges program? What additional information does CDE have on the badges program?

A: CDE has no intention or plans to participate in any digital badges program.  Since there is no involvement in current or future digital badges programs, CDE cannot comment on how those programs will be run.

 

Send your privacy and security questions to CDE. Email dataprivacy@cde.state.co.us.