HB 16-1423 Our responsibilities as a Local Education Provider - PowerPoint PPT Presentation


  1. Key Points: Student Data Transparency And Privacy Law HB 16-1423

  2. Our responsibilities as a Local Education Provider (LEP)

  3. (1) Per law, we must now . . . ● Post on our website: ○ What student PII we collect and maintain, how it’s used, and how it’s shared ○ A link to the state’s data inventory and dictionary ○ A list of new or renewing (after 8/10/2016) school service contract providers ○ A list of all the contracts with school service contract providers

  4. Who will do this in LPSD ● The Director of Tech, the Public Information Officer, and the Ed Tech and Tech Services teams will work together to: ○ Update Schoolwires with central office’s list of student PII we collect, maintain, use, and share ○ Link to the state’s data inventory and dictionary on Schoolwires ○ List new or renewing (after 8/10/2016) school service contract providers and their contracts on Schoolwires

  5. (2) We must . . . ● Make sure that school service contract providers have a comprehensive information security program that is: ○ “...reasonably designed to protect the security, privacy, confidentiality, and integrity” of student PII. ○ The information security program must make use of appropriate administrative, technological, and physical safeguards.

  6. Who will do this in LPSD ● The Director of Technology and the District’s legal counsel will make sure that school service contract providers have a comprehensive information security program. ○ This happens by negotiating contracts with vendors and ensuring they adopt our Data Privacy Addendum. ○ Each contract typically takes 1-4 weeks to negotiate as many vendors are not based in Colorado and are unfamiliar with the law.

  7. (3) We must . . . ● To the extent practical, list all on-demand service providers, along with their privacy policies, on our website ● Notify on-demand service providers, if they violate their own privacy policies, that we won’t be continuing to use them. Then, we must . . . ○ Give providers a chance to send us a written response ○ Keep a list of violators on our website and post their responses with the list, and share this with CDE

  8. Who will do this in LPSD ● The Director of Tech, the Public Information Officer, and Tech Services team will work together to: ○ List the on-demand service providers and their privacy policies on the website. ○ Handle the management of on-demand service providers who are found in violation of their own privacy policies

  9. (4) We also must . . . ● Have a Student Information Privacy and Protection Policy by December 31, 2017 ○ Post the policy on our website ○ Review and revise the policy as necessary ● Have a policy for hearing complaints from parents regarding our compliance with this law. This policy must: ○ Give parents a chance to submit their complaint to the BOE ○ Give parents a hearing in front of the BOE ○ Require that the BOE take action within 60 days

  10. Who will do this in LPSD ● The Superintendent and Administration Cabinet will partner with the Board of Education to create / update our policies to be compliant with the new law by December 31, 2017. ● The Board of Education will hear parent complaints as per these policies after December 31, 2017.

  11. The Rights of Parents

  12. Our parents may . . . ● Our parents have the right to: ○ Inspect and review student PII maintained by us (to the extent practicable) ○ Request a copy of the student PII ○ Request corrections if student PII is factually inaccurate. This needs to be corrected within a reasonable amount of time and the parent needs to be notified of the correction. ● If we don’t comply with this law, the parent/guardian may submit a complaint to our BOE.

  13. Who will support this in LPSD ● The Superintendent and Administration Cabinet will partner with the district’s legal counsel, the district registrar, and the Tech Services department to create the framework for this process. ● Principals and teachers will need to follow this process closely and inform central office when they are contracting with or using tech tools containing student PII.

  14. The responsibilities of School Service Contract Providers

  15. School service contract providers must . . . ● Provide us with clear information that we can post on our websites, explaining: ○ What student PII they collect ○ Why they collect it ○ How they use and share it ● Use student PII only for what the contract authorizes OR, outside of that, with consent from (18+) student or parents ● Destroy a student’s PII ASAP (if we request it) or once the contract is over

  16. Who will support this in LPSD ● The Director of Technology, the Educational Technology and Tech Services Teams, and the Finance Department will partner to ensure that we get this information in a timely fashion from vendors.

  17. School service contract providers must NOT . . . ● Sell student PII ● Use or share student PII for targeted advertising ● Use student PII to create a student profile (unless that’s the purpose of the contract)

  18. School service contract providers may use student PII . . . ● For adaptive / personalized learning ● For internal research and development ● To provide recommendations, access or information regarding school, education, employment, scholarships, financial aid, or postsecondary ed opportunities ● To respond to a student’s request for info or feedback ● To produce or distribute student class photos or yearbooks

  19. School service contract providers may also use student PII . . . ● To be compliant with the law ● To participate in the judicial process ● To protect the safety of the users themselves or of other users of the school service contract provider ● For a public safety investigation

  20. Who will support this in LPSD ● The Director of Technology will work with the district’s legal counsel to ensure that all vendors sign our Data Protection Addendum (DPA) that ensures that vendors understand what they may and may not do with student Personally Identifiable Information.

  21. If a school service contract provider commits a material breach of contract . . . ● We must: ○ Hold a public hearing ○ Discuss the nature of the breach ○ Give the contract provider a chance to respond ○ Hear public testimony ○ Decide whether to continue or terminate the contract ● This process must be written in policy by December 31, 2017.

  22. Who will do this in LPSD ● The Board of Education will work with the Superintendent and with Administration Cabinet to determine an appropriate process for the public hearing according to the policies put in place after December 31, 2017.

  23. The responsibilities of the Colorado Department of Education (CDE)

  24. CDE must . . . ● Specify why, for how long, and with whom student PII is used, and the safeguards in place for the PII security ● Develop a detailed Data Security Plan - including regular audits ● Make sure all its contracts are compliant with the law and explain the consequences if there is a breach

  25. CDE must supervise researchers by . . . ● Entering into an agreement with researchers before disclosing any PII ● Developing a process to consider and review all requests for student PII by those outside Colorado who want to access student PII the department holds ● Keeping student PII private if the “n” is too small to ensure student anonymity ● CDE may not ask LEPs to provide student PII not required by state or federal law (unless required by a grant)

  26. CDE must give us . . . ● Guidance involving: ○ Privacy compliance standards ○ Best practices for security and privacy audits ○ Security breach planning, notice, and procedures ○ Data collection, retention, sharing, and destruction procedures ○ Best online education security practices ○ Training regarding procedures and student PII security ○ Contracting ○ Preventing breaches ● A sample Student PII Privacy and Protection Policy by March 1, 2017

  27. Definitions and Terminology

  28. Definitions from 16-1423 (1) ● School Service: A website, online service, online or mobile app ● School services must be: ○ designed and marketed primarily for use in K-12, ○ used because teachers or other employees of the school direct students to use it, ○ collected, maintained, and used by teachers or other employees of the school ● School service on demand provider: An occasional contractor that sometimes provides a school service

  29. Definitions from 16-1423 (2) ● Student Personally Identifiable Information: Info alone or in combo that personally identifies a student or the parent / family. ○ To qualify as PII under this law, the info needs to be collected, maintained, generated, or inferred by a public education entity. ○ The info may be held either directly by the district OR ○ through a school service, school service contract provider, or school service on demand provider.
