CDEC

Sabina Andersson

CDE

Marcia Bohannon

AG

Jud Cary

CDLE

Naim Razzak

Gov

Lydia Rogers

OSPB

Rebecca Tyus

CDHE

Michael Vente (Joining Late)

OIT

Josh Williams

Task

Description

Status

Establish Data Governance Council

Oversee and make decisions on data governance policies and procedures.

Complete

Develop Data Governance Charter

Define the roles, responsibilities, and decision-making authority of the data governance body.

In Progress

Define Data Ownership and Stewardship

Determine who owns the data and who is responsible for managing and ensuring its quality.

​

Create Data Access and Use Policies

Establish rules and procedures for who can access and use the data.

​

Implement Data Security and Privacy Measures

Protect the confidentiality and integrity of the data.

​

Establish Data Quality Standards

Ensure the accuracy, completeness, and consistency of the data.

​

Define Data Retention and Archiving Policies

Determine how long data should be kept and how it should be archived or disposed of.

​

Develop Data Sharing Agreements

Formalize agreements on how data will be shared, accessed, and used.

​

Implement Data Auditing and Monitoring Processes

Regularly assess data governance practices and identify areas for improvement.

​

Additional Considerations

Ensure interoperability, scalability, transparency, compliance, and address ethical concerns.

​

Statute/

Regulation/

Agreement

Impacted Domain

Agencies

Data Type

Description of Law/Agreement

Barrier

Risk of Violating Law/Agreement

Mitigation Strategy

20 U.S.C. § 1232g (Family Educational Rights and Privacy Act - FERPA))

Education

CDE, CDHE, DEC

Education records

Protects privacy of students and their parents. The act is designed to ensure that students and parents of students may obtain access to the student's educational records and challenge the content or release of such records to third parties. The law applies to all educational agencies or institutions that receive funds under an applicable program of the U.S. Department of Education.

In general, parents or eligible students must provide consent before PII from education records can be disclosed. There are limited exceptions to this requirement for state education agencies.

​

Loss of Federal Funding

-Change to Federal Legislation

-Data Sharing Agreements-with provisions specified by FERPA

-Aggregation

-Redaction

C.R.S. § 22-16-101 et. seq.

(Student Data Transparency and Security Act)

Health, Education

CDE, DEC , CDHE, CDHS (Child Welfare)

​

The purpose of the law is to increase transparency regarding student PII as well as specify and enforce limitations on the collection, use, storage and destruction of student data (C.R.S. § 22-16-102). It applies to public education entities as well as school service providers.

All external research requests for student PII must go through the department's student PII research request review process as approved by the State Board of Education.This does not prohibit the sharing of data but the entire review process can take 6-12 months.

No specific sanctions or consequences are identified

-Aggregation

-De-Identification

Statute/

Regulation/

Agreement

Impacted Domain

Agencies

Data Type

Description of Law/Agreement

Barrier

Risk of Violating Law/Agreement

Mitigation Strategy

C.R.S. § 24-73-102 (Protection of Personal Identifying Information)

All

All

Personal Identifying Information (PII), more broadly

To protect PII from unauthorized access, use, modification, disclosure, or destruction, a governmental agency that maintains, owns, or licenses PII shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII and the nature and size of the governmental entity.

Balancing the fulfillment of requests and data sharing with the privacy of Coloradans.

​

Whether Data is determined to be PII, it is evaluated in relation to the other data elements it is shared with.

No specific sanctions or consequences are identified

-Create standard guidelines through the OAG.

CRS 24-74-101

(Protection of Personal Identifying Information)

ALL

ALL State agencies, including IHE��DOR,�CDHE, CDPHE

Personal Data

Driver's license info

Financial Aid information (including CASFA applications)

Act specifies measures in several categories to protect personal identifying information (PII) kept by state agencies a state agency employee is prohibited from disclosing or making accessible PII that is not available to the public for the purpose of investigating for, participating in, cooperating with, or assisting in federal immigration enforcement.

State agency �This law ensures that all personal data entrusted to the state of Colorado cannot be shared with outside agencies such as ICE without a judicial warrant. This means that Coloradans can now safely access drivers licenses and other resources without fear their data will be used against them.

​

Balancing the fulfillment of requests and data sharing with the privacy of Coloradans.

No specific sanctions or consequences are identified

-Publicly available information may be shared, but not PII where there is an expectation of privacy;

Data Sharing Agreement State agencies after 1/1/2022 no longer collect, inquire, or verify immigration status to be eligible for govt funded program for housing or econ dev;

Disclosure to 3rd p requires 3rd p to confirm they will not share PII from Db with any fed immigration enforcement

Statute/

Regulation/

Agreement

Impacted Domain

Agencies

Data Type

Description of Law/Agreement

Barrier

Risk of Violating Law/Agreement

Mitigation Strategy

IRS Publication 1075 Tax Information Security Guidelines for Fed, State, & Local Agencies/Safeguards (FTI data) (based on IRC 6103)

Regulatory, Health, Workforce & Economy

DOR, CDHS, CDLE

FTI Federal Tax Information IRS Publication 1075 based on 26 CFR

FTI consists of federal tax returns and return information (and information derived from it) that is in the agency’s possession or control that is covered by the confidentiality protections of the IRC and subject to the IRC § 6103(p)(4) safeguarding requirements including IRS oversight. FTI is categorized as Sensitive But Unclassified (SBU) information and may contain personally identifiable information (PII).

CDHS - Community Partnerships - There is not an easy way to determine if data becomes FTI.

Loss of Federal/IRS data sets to agencies ;

IRC § 7213 prescribes criminal penalties, making it a felony offense for federal and state employees and others who illegally disclose federal tax returns and return information (FTI).

Unauthorized inspection of FTi a misdemeanor (fines or imprisonment/ both)

-Ability to determine data lineage. If not validated by IRS, it is not considered FTI.

Avoid co-mingling of any protected data from other data sets.