Student Data Privacy
Denver Public Schools "is committed to protecting the confidentiality of student information obtained, created and/or maintained by the district. Student privacy and the district's use of confidential student information are protected by federal and state law, including the Family Educational Rights and Privacy Act (FERPA) and the Student Data Transparency and Security Act (the Act). The Board directs district staff to manage its student data privacy, protection and security obligations in accordance with this policy and applicable law." DPS Administration Policy JRCB.
Safeguarding student data is an essential responsibility for all people who work in education. Denver Public Schools has created a training course for all staff to ensure that they are protecting student data, and that all members of Team DPS are in compliance with the state and federal laws regarding student data privacy.
All DPS staff, regardless of their role in the District, are required to complete this training annually. If you have not already done so, please complete the Privacy and Protection of Confidential Student Information course in Learning Space to satisfy the current year requirement.
Rules for Storing and Sharing Student Data
For in-depth guidance on the DPS rules for storing and sharing student data, review the Acceptable Use Policy (AUP) in the Employment Practice Manual.
Use the Academic Technology Menu
Review the DPS Academic Technology Menu (Lightspeed Digital Insight Platform) to see which tools have a Data Protection Addendum (a formal data sharing agreement) that allows DPS to designate school service contract providers as “school officials” to share student data without parent/guardian consent. These tools are clear for you to use; however, a school may need to pay for their own contract.
Please contact the Purchasing Department at firstname.lastname@example.org if you would like to purchase a tool.
Instructions to Use Online Tools
Download and read these instructions before you use any software or educational tool that includes student information. It also includes a link to a Google Form Parent Consent Letter and a video link demonstrating how to set up the letter for your school's needs.
Google Third Party Apps OAuth
Signing in with Google
Recently DoTS, in collaboration with DPS’ Legal team and Educational Technology, has begun restricting the use of the “Sign in with Google” button for DPS Google accounts. The District has signed Data Protection Addendums (commonly referred to as a “DPA”) with various companies that help protect DPS users’ data. These companies are indicated with a “DPA” tag in addition to a specified Date Approved on the ATM (Academic Technology Menu). Below is some information on why “Sign in with Google” can be problematic.
Data Privacy Concerns
When you use the “Sign in with Google” button (OAuth) for a third-party app, you grant it access to specific information from your Google account. This can include your name, email address, profile picture, and, in some cases, edit and own files in our Google Drive domain. While this information may be necessary for the app's functionality, it also means that our data is in the hands of the app developer. If the developer lacks robust security measures or has malicious intent, our sensitive data could be at risk of unauthorized access or misuse. FERPA places the responsibility for protecting student Personally Identifiable Information (PII) data on the schools and district, even when it’s supplied to a third-party.
Limited Control Over Data Sharing
When you utilize Google Sign-In, you typically consent to share your data with the third-party application, often without granular control over what information is being shared. This lack of control can lead to overexposure of district information, potentially exposing us to privacy breaches or unwanted marketing activities.
The security of third-party applications can vary widely. While Google itself maintains high-security standards, third-party developers may not implement the same level of protection. Weak security practices can make these apps susceptible to data breaches, putting your DPS Google account and student/district data at risk.
Data Harvesting and Monetization
Some third-party applications may have a business model that relies on collecting user data to sell it to advertisers or other third parties. When you use Google Sign-In, you might unknowingly contribute to this data harvesting, which can result in our information being used for targeted advertising or other commercial purposes without your explicit consent.
Below is an example of some of the services that a simple app such as Zoom requires access to in your Google account:
If your Principal has added an app to the ATM that we do not have a DPA with, teachers and students are approved to use the app however, the use of the “Sign in with Google” button will not be available. If you create an account with the third-party service, please be sure to not share DPS data with the service and anonymize student accounts as much as possible.
For more information about how to keep student information secure, please see the following resources:
- Department of Technology Services (DoTS) Cybersecurity website
- Federal Student Aid and Identity Theft
- Federal Trade Commission resources for Educators
Student Data Privacy Questions? Contact:
Department of Technology Services (DoTS)
Emily Griffith Campus
1860 Lincoln St., 7th Floor
Denver, CO 80203
Submit your own incident 24/7
Click DoTS Help
Monday through Friday
720-423-3888 (English and Spanish)