Privacy

Trail

Click here for all DHE Policies and Procedures

The Department of Higher Education collects data on individuals for the purpose of evaluating or auditing state-supported programs. While the Department's data may be used as part of an audit by the State Auditor's Office, the data is typically used for evaluation. Evaluations and reports are produced by the Commission as part of its responsibility to report to the Governor, the General Assembly, and the public as to the effectiveness of the higher education system in carrying out the statewide goals of quality, access, and diversity.

In collecting and maintaining this data, the Department must follow the relevant state and federal statutes to protect and keep confidential the data of individuals on the database. The most pertinent state statute comes from new language introduced in 1985 by HB 1187:

23-1-108 (9) The state supported institutions of higher education shall provide the Commission with such data as the Commission deems necessary upon its formal request. Data for individual students or personnel shall not be divulged or made known in any way by the director of the Commission or by any Commission employee, except in accordance with judicial order or as otherwise provided by law. Any person who violates this subsection (9) commits a class 1 misdemeanor and shall be punished as provided in section 18-1-106, C.R.S. Such person shall, in addition thereto, be subject to removal or dismissal from public service on grounds of malfeasance in office.

The Colorado Open Records Law (24-72-201 through 24-72-205) also ensures that a description of the types of data maintained by the Commission will be available, and that copies of any data that personally identifies an individual will be accessible by that individual.

The pertinent federal statute is the Buckley Amendment, federal statute 20 U.S.C. Section 1232g, that protects the rights of students to insist that their educational records be kept confidential. An amendment in 1979 states that:

(5) Nothing in this section shall be construed to prohibit State and local educational officials from having access to student or other records which may be necessary in connection with the audit and evaluation of any federally or State-supported education program or in connection with the enforcement of the Federal legal requirements which relate to any such program, subject to the conditions specified in the proviso in paragraph (3). (20 U.S.C. Section1232g(b)(5))

The proviso referred to in the above paragraph is:

Provided, That except when collection of personally identifiable information is specifically authorized by Federal law, any data collected by such officials shall be protected in a manner which will not permit the personal identification of students and their parents by other than those officials, and such personally identifiable data shall be destroyed when no longer needed for such audit, evaluation, and enforcement of Federal legal requirements.

The proviso of the Buckley Amendment is usually interpreted to allow data on individuals to be collected from student records by a state agency for the purpose of constructing aggregated or summary reports, as long as students are still provided the same protections regarding their rights to privacy as are provided by the institutions providing the data.

The following procedures will be followed by the Commission to guarantee the protections of individual and institutional data:

  1. Personally identifiable information will not be disclosed to any other party or state agency, with the exception of the State Auditor's Office, which may use the data to select samples of students for audit purposes. Published reports will use aggregate data that does not identify individuals.

  2. All records collected by the Commission shall be protected in such a manner that affected individuals shall not be identifiable by persons other than appropriate officials. Data records that reside on line will contain no personally identifiable information. Social security numbers or other unique identifiers will only be used to request data corrections from the institution supplying the data, or to link records across data files as part of an analysis to produce aggregate or summary data records or reports.

  3. If individuals obtain copies of their data under the provisions of the Colorado Open Records Act and then request changes or corrections to the data, the Commission will refer the requests to the institutions that originally provided the data. If an institution makes a data correction, the Commission will correspondingly update its files.

  4. In order to protect the usage of the data, the Commission staff will provide governing boards whose data is being used with an opportunity to comment on data reports before they are released. Except in exceptional circumstances when a quick turnaround is necessary, this review period will be long enough to allow for a substantive response. In most cases, however, the Commission will respond to public inquiries from the published reports that have been previously reviewed by the institutions and governing boards; these types of responses, therefore, will not require further review.

  5. Computer files may be provided to Colorado public institutions or governing boards for research purposes, but only under the same restrictions of confidentiality and data security as apply to the Commission. In most cases, aggregate data files will be provided. If unit-record data is required for a special analysis, the file will have recoded student identification numbers that cannot be traced back to the individual students. Detailed financial aid data will not be provided for individual students, with or without student identification numbers. Requests may be made in writing for the inclusion of social security numbers; requests must be justified on the analytical requirements of the proposed study and must be approved by the Executive Director of the Commission. Any original reports or analyses produced from Commission supplied data that summarize data from institutions outside of the institution or governing board doing the analysis must be made publicly available, and the specific data and analytical methods used must be provided on request.

Data collection complies with the guidance and regulations set forth by the Family Educational Rights and Privacy Act (FERPA).