Colorado Student Data Privacy Law

The State of Colorado recently passed legislation that will increase the digital security of student data.  The law will also require CDE, school districts, and online vendors increase transparency around data processes, retention, and sharing.   Jeffco has already begun much of this work by developing board policies, data governance practices, and measuring the security posture of our vendors whose products cost more than $3500.  This bill will actually make much of our work easier because it forces vendors and CDE to align with the work we have been doing for the past 2 years.  

Taking our current vetting process as an example.  We currently require all of our vendors to comply with our security terms.  We are typically the only district that requires these security terms to do business with vendors.  So it’s currently very inefficient because we have to introduce the terms, measure the vendors’ success, and then present that to the community.  If the bill passes the vendors will be responsible for being transparent with their security practices for everyone in the state, not just Jeffco, and we can simply focus on compliance with the state rules and being transparent with our community.  The same principle will apply with our state data sharing requirements.  

Jeffco's Work to Comply with the Bill

  • Jeffco’s data quality team has begun work to inventory data collected and maintained in the District’s Infinite Campus system.  The work begun in the 14/15 school year and is focused on ensuring that the data is consistent in the system and its dependent systems.  This work will expand to other systems and can be leveraged to create “user friendly” reports related to student data collection and access.  The data quality team will be able to create a website that complies with the bill during the 17/18 school year.  
  • Jeffco’s information security and purchasing teams created a purchasing process requiring vendors associated with $3500 and above purchases to comply with the District’s security policies.  The District’s security policies are currently more robust then the policies outlined in the bill.  This work began in the 14/15 school year and nearly 900 vendors have been reviewed to date. District staff will need to expand these efforts to purchases below the current $3500 threshold to be compliant with the bill.  This may require additional purchasing staff to manage contracts but security compliance measurements will be easier because the bill requires vendors to be more transparent with their security practices.  
  • Jeffco already denies and terminates contracts with vendors that are not in compliance with District security policies.  This work began with the purchasing processes in the 14/15 school year. 
  • Jeffco staff already maintain a website presenting approved and denied software titles to staff and the community.  The website currently covers titles over $3500 and will expand to titles below that threshold as the purchasing process expands.  A link to the website can be found here. 
  •  Jeffco staff currently facilitate conversations with parents around the security of our partners.  A great example of this work is the TDPAC committee.  The passage of the bill will help to ground future parent conversations because of the security requirements placed on the state and our cloud vendor partners. 
  • Jeffco staff have created an industry standard set of data governance, security, and privacy policies.  Those policies have been reviewed by the TDPAC committee during the 14/15 school year and are currently being implemented.