(1)(a) Each local education provider shall post and maintain on its website clear
information that is understandable by a layperson explaining the data elements of
student personally identifiable information that the local education provider
collects and maintains in the local education provider's data system, not including
the student personally identifiable information that the local education provider
transmits to the department. The list must explain how the local education provider
uses and shares the student personally identifiable information. The local education
provider shall include on its website a link to the data inventory and dictionary or
index of data elements that the state board publishes as required in section 22-16-104 (1)(a).
(b)Each local education provider
Free access — add to your briefcase to read the full text and ask questions with AI
(1) (a) Each local education provider shall post and maintain on its website clear
information that is understandable by a layperson explaining the data elements of
student personally identifiable information that the local education provider
collects and maintains in the local education provider's data system, not including
the student personally identifiable information that the local education provider
transmits to the department. The list must explain how the local education provider
uses and shares the student personally identifiable information. The local education
provider shall include on its website a link to the data inventory and dictionary or
index of data elements that the state board publishes as required in section 22-16-104 (1)(a).
(b) Each local education provider shall post and maintain on its website a list
of the school service contract providers that the local education provider contracts
with and a copy of each contract.
(2) (a) Each local education provider shall ensure that the terms of each
contract that the local education provider enters into or renews with a school
service contract provider on and after August 10, 2016, at a minimum, require the
contract provider to comply with the requirements in sections 22-16-108 to 22-16-110. If the contract provider commits a material breach of the contract that involves
the misuse or unauthorized release of student personally identifiable information,
the local education provider shall determine whether to terminate the contract in
accordance with a policy adopted by the governing body of the local education
provider. At a minimum, the policy must require the governing body, within a
reasonable time after the local education provider identifies the existence of a
material breach, to hold a public hearing that includes discussion of the nature of
the material breach, an opportunity for the contract provider to respond concerning
the material breach, public testimony, and a decision as to whether to direct the
local education provider to terminate or continue the contract.
(b) On and after August, 10, 2016, a local education provider shall not enter
into or renew a contract with a school service contract provider that refuses to
accept the terms specified in paragraph (a) of this subsection (2) or that has
substantially failed to comply with one or more of the requirements in sections 22-16-108 to 22-16-110.
(3) (a) Each local education provider shall post on its website, to the extent
practicable, a list of the school service on-demand providers that the local
education provider or an employee of the local education provider uses for school
services. At a minimum, the local education provider shall update the list of school
service on-demand providers at the beginning and mid-point of each school year.
The local education provider, upon the request of a parent, shall assist the parent in
obtaining the data privacy policy of a school service on-demand provider that the
local education provider or an employee of the local education provider uses.
(b) If a parent has evidence demonstrating that a school service on-demand
provider that the local education provider or an employee of the local education
provider uses does not substantially comply with the on-demand provider's privacy
policy or does not meet the requirements specified in section 22-16-109 (2) or 22-16-110 (1), the parent may notify the local education provider and provide the
evidence for the parent's conclusion.
(c) If a local education provider has evidence demonstrating that a school
service on-demand provider does not substantially comply with the on-demand
provider's privacy policy or does not meet the requirements specified in section 22-16-109 (2) or 22-16-110 (1), the local education provider is strongly encouraged to
cease using or refuse to use the school service on-demand provider and prohibit
employees of the local education provider from using the on-demand provider. The
local education provider shall notify the on-demand provider that it is ceasing or
refusing to use the on-demand provider pursuant to this paragraph (c), and the on-demand provider may submit a written response to the local education provider.
The local education provider shall publish and maintain on its website a list of any
school service on-demand providers that it ceases using or refuses to use for the
reasons described in this paragraph (c), with any written responses that it receives
from the on-demand providers. The local education provider shall notify the
department if it ceases using an on-demand provider for the reasons described in
this paragraph (c) and provide a copy of any written response the on-demand
provider may submit.
(d) Each local education provider that uses on-demand school service
providers shall post on its website a notice to on-demand providers that, if the local
education provider ceases using or refuses to use an on-demand school service
provider pursuant to paragraph (c) of this subsection (3), the local education
provider will post on its website the name of the on-demand provider, with any
written response that the on-demand provider may submit, and will notify the
department, which will post on its website the on-demand provider's name and any
written response.
(4) (a) On or before December 31, 2017, each local education provider shall
adopt a student information privacy and protection policy that, at a minimum,
addresses the issues specified in section 22-16-106 (1). The local education provider
shall annually review the policy and revise it as necessary to ensure that it remains
current and adequate to protect student personally identifiable information privacy
in light of advances in data technology and dissemination.
(b) Notwithstanding the provisions of paragraph (a) of this subsection (4), a
local education provider that is a small rural school district shall adopt the student
information privacy and protection policy by July 1, 2018.
(c) Each local education provider shall make copies of the student
information privacy and protection policy available upon request to the parent of a
student enrolled by the local education provider and shall post a current copy of
the student information privacy protection policy on the local education provider's
website.