The Department of Higher Education collects data on individuals for the purpose of evaluating or auditing state-supported programs. While the Department's data may be used as part of an audit by the State Auditor's Office, the data is typically used for evaluation. Evaluations and reports are produced by the Department as part of its responsibility to report to the Governor, the General Assembly, and the public as to the effectiveness of the higher education system in carrying out the statewide goals of quality, access, and diversity.
In collecting and maintaining this data, the Department must follow the relevant state and federal statutes to protect and keep confidential the data of individuals in the database. The most pertinent state statute comes from new language introduced in 1985 by HB 1187:
23-1-108 (9) The state supported institutions of higher education shall provide the Commission with such data as the Commission deems necessary upon its formal request. Data for individual students or personnel shall not be divulged or made known in any way by the director of the Commission or by any Commission employee, except in accordance with judicial order or as otherwise provided by law. Any person who violates this subsection (9) commits a class 1 misdemeanor and shall be punished as provided in section 18-1-106, C.R.S. Such person shall, in addition thereto, be subject to removal or dismissal from public service on grounds of malfeasance in office.
The Colorado Open Records Law (24-72-201 through 24-72-205) also ensures that a description of the types of data maintained by the Department will be available, and that copies of any data that personally identifies an individual will be accessible by that individual.
The pertinent federal statute is the Buckley Amendment (20 U.S.C. Section 1232g), which protects the rights of students to insist that their educational records be kept confidential. An amendment in 1979 states that:
(5) Nothing in this section shall be construed to prohibit State and local educational officials from having access to student or other records which may be necessary in connection with the audit and evaluation of any federally or State-supported education program or in connection with the enforcement of the Federal legal requirements which relate to any such program, subject to the conditions specified in the proviso in paragraph (3). (20 U.S.C. Section 1232g(b)(5))
The proviso referred to in the above paragraph is:
Provided, That except when collection of personally identifiable information is specifically authorized by Federal law, any data collected by such officials shall be protected in a manner which will not permit the personal identification of students and their parents by other than those officials, and such personally identifiable data shall be destroyed when no longer needed for such audit, evaluation, and enforcement of Federal legal requirements.
The proviso of the Buckley Amendment is usually interpreted to allow data on individuals to be collected from student records by a state agency for the purpose of constructing aggregated or summary reports, as long as students are still provided the same protections regarding their rights to privacy as are provided by the institutions providing the data.
Colorado Revised Statute 6-1-713 (2017) requires appropriate destruction and disposal of documents containing personal identifying information (PII), ensures that the Department has reasonable security procedures and practices, and requires notice of data breach in the case of misuse of information about a Colorado resident.
On May 20, 2020, Governor Jared Polis issued guidance to Colorado executive branch departments and agencies on data privacy. The Department’s handling of data privacy is consistent with this guidance.
The following procedures will be followed by the Department to guarantee the protections of individual and institutional data:
- Personally identifying information will not be disclosed to any other party or state agency, with the exception of the State Auditor's Office, which may use the data to select samples of students for audit purposes. Published reports will use aggregate data that does not identify individuals.
- All records collected by the Department shall be protected in such a manner that affected individuals shall not be identifiable by persons other than appropriate officials. Social security numbers or other unique identifiers will only be used to request data corrections from the institution supplying the data, or to link records across data files as part of an analysis to produce aggregate or summary data records or reports.
- If individuals obtain copies of their data under the provisions of the Colorado Open Records Act and then request changes or corrections to the data, the Department will refer the requests to the institutions that originally provided the data. If an institution makes a data correction, the Department will correspondingly update its files.
- In order to protect the usage of the data, the Department staff will provide governing boards whose data is being used with an opportunity to comment on data reports before they are released. Except in exceptional circumstances when a quick turnaround is necessary, this review period will be long enough to allow for a substantive response. In most cases, however, the Department will respond to public inquiries from the published reports that have been previously reviewed by the institutions and governing boards; these types of responses, therefore, will not require further review.
- Computer files may be provided to Colorado public institutions or governing boards for research purposes, but only under the same restrictions of confidentiality and data security as apply to the Department. In most cases, aggregate data files will be provided. If unit-record data is required for a special analysis, the file will have recoded student identification numbers that cannot be traced back to the individual students. Detailed financial aid data will not be provided for individual students, with or without student identification numbers. Requests may be made in writing for the inclusion of social security numbers; requests must be justified on the analytical requirements of the proposed study and must be approved by the Chief Research Officer of the Department. Any sharing of PII requires use of a signed data sharing agreement. Any original reports or analyses produced from Department-supplied data that summarize data from institutions outside of the institution or governing board doing the analysis must be made publicly available, and the specific data and analytical methods used must be provided on request.
Data collection complies with the guidance and regulations set forth by the Family Educational Rights and Privacy Act (FERPA).