Student Information Privacy and Protection Policy
Greeley-Evans School District 6 holds data transparency, privacy, and security in high regard and takes action to ensure that confidentiality of student information obtained, created and/or maintained by the district is handled securely in compliance with the Colorado Student Data Transparency and Security Act (HB 16-1423), the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Children's Online Privacy Protection Act (COPPA).
- Definitions
- Access, collection and sharing within the district
- Outsourcing & disclosure to third parties
- Privacy & Security Standards
- Security breach or other unauthorized disclosure
- Records, retention, and destruction
- Staff training
- Parent/guardian complaints
- Parent/guardian requests to amend student education records
- Oversight, audits, and review
- Compliance with governing law and Board policy
- Safeguarding Personal Identifying Information
- Personally Identifiable Information (PII) Collected by Greeley-Evans School District 6 includes:
- Greeley-Evans School District 6 shares Personally Identifiable Information (PII) with:
- School Service Contract Provider Breach Policy
- Parent Rights and Complaint Policy
- Greeley-Evans School Board Policies
- Colorado Department of Education Data Privacy Policy
- Family Educational Rights & Privacy Act (FERPA)
Definitions
“Student education records” are those records that relate directly to a student. Student education records may contain, but not necessarily be limited to, the following information: identifying data; academic work completed; level of achievement (grades, standardized achievement test scores); attendance data; scores on standardized intelligence, aptitude and psychological tests; interest inventory results; health and medical information; family background information; teacher or counselor ratings and observations; reports of serious or recurrent behavior patterns any Individualized Education Program (IEP).
“Student personally identifiable information” or “student PII” means information that, alone or in combination, personally identifies an individual student or the student’s parent or family, and that is collected, maintained, generated, or inferred by the district, either directly or through a school service, or by a school service contract provider or school service on-demand provider.
“Security breach” means the unauthorized disclosure of student education records or student PII by a third party.
The following terms used in this policy shall be as defined by the Act: “school service,” “school service contract provider” and “school service on-demand provider.”
(JRCB*)
Access, collection and sharing within the district
The district shall follow applicable law and Board policy in the district’s access to, collection and sharing of student education records.
District employees shall ensure that confidential information in student education records is disclosed within the district only to officials who have a legitimate educational interest, in accordance with applicable law and Board policy.
(JRCB*)
Outsourcing & disclosure to third parties
District employees shall ensure that student education records are disclosed to persons and organizations outside the district only as authorized by applicable law and Board policy. The term “organizations outside the district” includes school service on-demand providers and school service contract providers.
Any contract between the district and a school service contract provider shall include the provisions required by the Act, including provisions that require the school service contract provider to safeguard the privacy and security of student PII and impose penalties on the school service contract provider for noncompliance with the contract.
In accordance with the Act, the district shall post the following on its website:
- a LIST OF THE SCHOOL SERVICE CONTRACT PROVIDERS that it contracts with and a copy of each contract; and
- to the extent practicable, a LIST OF THE SCHOOL SERVICE ON-DEMAND PROVIDERS that the district uses.
(JRCB*)
Privacy & Security Standards
The security of student education records maintained by the district is a high priority. The district shall maintain an authentication and authorization process to track and periodically audit the security and safeguarding of student education records.
(JRCB*)
Security breach or other unauthorized disclosure
Employees who disclose student education records in a manner inconsistent with applicable law and Board policy may be subject to disciplinary action, up to and including termination from employment. Any discipline imposed shall be in accordance with applicable law and Board policy.
Employee concerns about a possible security breach shall be reported immediately to the Superintendent. If the Superintendent is the person alleged to be responsible for the security breach, the staff member shall report the concern to the Board President.
When the district determines that a school service contract provider has committed a material breach of its contract with the district, and that such material breach involves the misuse or unauthorized release of student PII, the district shall follow this policy’s accompanying regulation in addressing the material breach. (See School Service Contract Provider Breach Policy below JRCB*-R)
Nothing in this policy or its accompanying regulation shall prohibit or restrict the district from terminating its contract with the school service contract provider, as deemed appropriate by the district and in accordance with the contract and the Act.
Records, retention, and destruction
The Board has approved the district's use of the COLORADO SCHOOL DISTRICT RECORDS MANAGEMENT MANUAL (records management manual) developed by the Colorado State Archives Department to assist the district in determining the appropriate retention period for various types of records. School district records regarding the district's organization, functions, policies, decisions, procedures, operations, or other activities may be considered public records subject to retention.
The district shall retain records for the time periods specified by the records management manual, as may be amended from time to time, unless a longer retention period is required by state or federal law. District employees and Board members shall be responsible for adhering to the records management manual.
Whenever the district is a party in litigation or reasonably anticipates being a party in litigation, Board members and district employees in possession of hard copy or electronic documents, email and/or other evidence relevant to the litigation or reasonably anticipated litigation shall retain all such documents, emails and other evidence until otherwise directed by the superintendent or designee.
Documents and other materials that are not "records" required to be retained by district policy, the records management manual, or state or federal law, and are not necessary to the functioning of the district, may be destroyed when no longer needed.
Routine digital files located in electronic storage provided to employees, whether locally or cloud-based, will be retained in the employee’s account for one year after the employee leaves the district. Routine digital files located in electronic storage provided to students, whether locally or cloud-based, will be retained for one year in the student’s account after the student leaves the district.
District employees may be subject to disciplinary action for violation of this policy.
(EHB)
Staff training
The district shall provide periodic in-service trainings to appropriate district employees to inform them of their obligations under applicable law and Board policy concerning the confidentiality of student education records.
(JRCB*)
Parent/guardian complaints
In accordance with this policy’s accompanying regulation, a parent/guardian of a district student may file a written complaint with the district if the parent/guardian believes the district has failed to comply with the Act.
(JRCB*)
Parent/guardian requests to amend student education records
Parent/guardian requests to amend his or her child’s education records shall be in accordance with the district’s procedures governing access to and amendment of student education records under FERPA, applicable state law and Board policy.
(JRCB*)
Oversight, audits, and review
The Superintendent or designee shall be responsible for ensuring compliance with this policy and its required privacy and security standards.
The district’s practices with respect to student data privacy and the implementation of this policy shall be periodically audited by the Superintendent or designee.
A privacy and security audit shall be performed by the district on an annual basis. Such audit shall include a review of existing user access to and the security of student education records and student PII.
The Superintendent or designee shall annually review this policy and accompanying regulation to ensure it remains current and adequate to protect the confidentiality of student education records in light of advances in data technology and dissemination. The Superintendent shall recommend revisions to this policy and/or accompanying regulation as deemed appropriate or necessary.
(JRCB*)
Compliance with governing law and Board policy
The district shall comply with FERPA and its regulations, the Act, and other state and federal laws governing the confidentiality of student education records. The district shall be entitled to take all actions and exercise all options authorized under the law.
In the event this policy or accompanying regulation does not address a provision in applicable state or federal law, or is inconsistent with or in conflict with applicable state or federal law, the provisions of applicable state or federal law shall control.
(JRCB*)
Safeguarding Personal Identifying Information
The Board is committed to protecting the confidentiality of personal identifying information (PII) obtained, created and/or maintained by the district. The Board directs district staff to safeguard PII in accordance with this policy, other Board policies concerning the creation, use, storage or destruction of PII, and applicable law.
The district shall implement and maintain reasonable security procedures appropriate to the nature of the PII to protect against unauthorized access, use, modification, disclosure or destruction. The district shall require third parties that create, maintain and/or obtain PII to also maintain reasonable security procedures appropriate to the nature of the PII designed to protect against unauthorized access, use, modification, disclosure or destruction.
The district shall ensure that records containing PII are appropriately destroyed when no longer needed and in such a manner as to make the PII unreadable or indecipherable, unless such record is required to be retained by applicable law.
In the event of a security breach, as that term is defined by state law, the district shall conduct a prompt investigation to determine the likelihood that personal information has been or will be misused and notify those Colorado residents affected by the breach, the Colorado Attorney General’s office and consumer reporting agencies, in accordance with the notification and timeline requirements of state law.
(EHC*)
Personally Identifiable Information (PII) Collected by Greeley-Evans School District 6 includes:
- Student Demographics
o Name
o Birthdate
o Race/Ethnicity
o Gender
o Primary Language
o English Language Proficiency Level
- Household Information
o Parent/Guardian Name(s)
o Physical Address(es)
o Parent/Guardian Phone Number(s) & Email Address(es)
o Communication Records
- School Enrollment Records
o State Assigned Student Identifier (SASID) and Locally Assigned Student Identifier (Student Number)
o School(s) & Grade Level(s) Attended
o Entry/Exit Date & Type
o Course Schedules, Fees, Locker Assignments
o Attendance Records
o Behavior Records
- Program Participation
o Title I
o Special Education/Gifted & Talented
o Free/Reduced Lunch Eligibility
o English Language Learner
o Migrant & Immigrant
o Concurrent Enrollment
o Career & Technical Education
- Academic Performance
o District, State, & Federal Assessment Results
o Grade Book Records
o Official Transcripts
o Courses Completed with Final Grades
- Health Record Information
o Conditions
o Immunizations
o Medications
o Vision & Hearing Screening Results
Greeley-Evans School District 6 protects Personally Identifiable Information (PII) with:
- Access Control
o Identity Management - Secure Authentication & Authorization
o Access Logging & Monitoring
o Vulnerability Testing
o Staff Security Awareness Trainings
- Encryption
o High-Level Data Encryption Methodology
o Multi-level Database Encryption
- Secure Transit of Data
o Secure File Transfer Protocol (SFTP)
o Hypertext Transfer Protocol with Secure Socket Layer (HTTPS)
Greeley-Evans School District 6 shares Personally Identifiable Information (PII) with:
LIST OF CONTRACT SERVICE PROVIDERS
LIST OF ON-DEMAND SERVICE PROVIDERS
We also provide this DATA INVENTORY AND DICTIONARY OF DATA ELEMENTS published by the Colorado Board of Education. The district uses the data in order to meet its INNOVATION2020 STRATEGIC PLAN goals and shares necessary personally identifiable information with carefully vetted third party service providers (see links below) using the most secure data transfer methods in accordance with current industry best practices. To view specific information on file for your child, please log into the INFINITE CAMPUS PARENT PORTAL.
In accordance with the Colorado Student Data Transparency and Security Act, C.R.S. Section 22-16-101 et seq., if Greeley-Evans School District 6 ceases using or refuses to use a school service on-demand provider pursuant to C.R.S. 22-16-107 (3) (c), the district shall post on its website the name of the on-demand provider, with any written response that the provider may submit, and will notify the Colorado Department of Education, which will post on its website the provider’s name and response.
School Service Contract Provider Breach Policy
Within a reasonable amount of time after the district determines that a school service contract provider has committed a material breach of its contract with the district, and that such material breach involves the misuse or unauthorized release of student PII, the Board shall make a decision regarding whether to terminate the district’s contract with the school service contract provider in accordance with the following procedure.
- The district shall notify the school service contract provider of the basis for its determination that the school service contract provider has committed a material breach of the contract and shall inform the school service contract provider of the meeting date that the Board plans to discuss the material breach.
- Prior to the Board meeting, the school service contract provider may submit a written response to the district regarding the material breach.
- The Board shall discuss the nature of the material breach at a regular or special meeting.
- At the Board meeting, a district representative shall first be entitled to present testimony or other evidence regarding the district’s findings of a material breach. The school service contract provider shall then have an opportunity to respond by presenting testimony or other evidence. If the school service contract provider is unable to attend the meeting, the Board shall consider any written response that the school service contract provider submitted to the district.
- If members of the public wish to speak to the Board regarding the material breach, they shall be allowed to do so, in accordance with the Board’s policy on public participation at Board meetings.
- The Board shall decide whether to terminate the contract with the school service contract provider within 30 days of the Board meeting and shall notify the school service contract provider of its decision. The Board’s decision shall be final.
-
(JRCB*-R)
Parent Rights and Complaint Policy
In accordance with the accompanying policy, the parent/guardian of a district student may file a written complaint with the Superintendent if the parent/guardian believes the district has failed to comply with the Student Data Transparency and Security Act (the Act).
- The parent/guardian’s complaint shall state with specificity each of the Act’s requirements that the parent/guardian believes the district has violated and its impact on his or her child.
- The Superintendent or designee shall respond to the parent/guardian’s written complaint within 30 calendar days of receiving the complaint.
- Within 10 calendar days of receipt of the district’s response, the parent/guardian may appeal to the Board. Such appeal must be in writing and submitted to the Secretary to the Board of Education.
- The Board shall review the parent’s complaint and the district’s response at a regular or special meeting. A district representative and the parent/guardian may make brief statements to the Board, but no new evidence or claims may be presented. The Board may choose to conduct the appeal in executive session, to the extent permitted by law.
- The Board shall make a determination regarding the parent/guardian’s complaint that the district failed to comply with the Act within 60 days of the Board meeting. The decision of the Board shall be final.
- This procedure shall not apply to parent/guardian concerns with his or her child’s education records. If the parent/guardian files a complaint regarding his or her child’s education records, the district shall follow its procedures governing access to and review of student education records, in accordance with FERPA, applicable state law and Board policy.
Nothing contained herein shall be interpreted to confer upon any person the right to a hearing independent of a Board policy, administrative procedure, statute, rule, regulation or agreement expressly conferring such right. The complaint and hearing procedures described in this regulation shall apply, unless the context otherwise requires and/or unless the requirements of another policy, procedure, statute, rule, regulation or agreement expressly contradicts any of these procedures, in which event the terms of the contrary policy, procedure, law, rule, regulation or agreement shall govern.
(JRCB*-R)
Greeley-Evans School Board Policies
The Board is committed to protecting the confidentiality of student information obtained, created and/or maintained by the district. Student privacy and the district’s use of confidential student information are protected by federal and state law, including the Family Educational Rights and Privacy Act (FERPA) and the Student Data Transparency and Security Act (the Act). The Board directs district staff to manage its student data privacy, protection and security obligations in accordance with this policy and applicable law.
STUDENT RECORDS/RELEASE OF INFORMATION ON STUDENTS
STUDENT RECORDS/RELEASE OF INFORMATION ON STUDENTS (NOTIFICATION TO PARENTS AND STUDENTS OF RIGHTS CONCERNING STUDENT SCHOOL RECORDS)
SHARING OF STUDENT RECORDS/INFORMATION BETWEEN SCHOOL DISTRICT AND STATE AGENCIES
PRIVACY AND PROTECTION OF CONFIDENTIAL STUDENT INFORMATION
STUDENT RECORDS/RELEASE OF INFORMATION ON STUDENTS (REVIEW, AMENDMENT AND HEARING PROCEDURES)
PRIVACY AND PROTECTION OF CONFIDENTIAL STUDENT INFORMATION
PRIVACY AND PROTECTION OF CONFIDENTIAL STUDENT INFORMATION (HEARING AND COMPLAINT PROCEDURES)
Colorado Department of Education Data Privacy Policy
In this age of data-driven decision making, data is foundational to the success of the process. Whether discussing student-achievement, program monitoring, education funding, accountability or any other education-related conversation, data is at the center of the discussion. The Colorado Department of Education (CDE) is required by state and federal law to collect and store student and educator records.
CDE DATA PRIVACY AND SECURITY - state and federal policies, data privacy and security procedures, guidance and resources
ED DATA PORTAL - Explore your state education agency’s data dictionary of elements collected.
COLORADO STUDENT DATA COLLECTION AND PROTECTION - What student information does CDE collect?
Family Educational Rights & Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA), a federal law administered by the Department (20 U.S.C. § 1232g; 34 CFR Part 99), affords parents and “eligible students” (students who are at least 18 years old, or, in attendance at a postsecondary institution at any age) certain rights with respect to education records, such as the right to consent to the disclosure of personally identifiable information (PII) from the education records (except in certain circumstances). FERPA requires schools and districts to provide annual notification to parents and eligible students of their rights under FERPA, including:
- the right to inspect and review their education records, the right to seek to amend those records, the right to consent to disclosure of PII from those records (unless an exception applies), and the right to file a complaint with the Department regarding an alleged FERPA violation;
- the procedure for exercising the right to inspect and review education records, and the procedure for requesting amendment of those records; and
- the school’s or district’s criteria for determining who constitutes a “school official” and what constitutes a “legitimate educational interest.”