Section 24-37.5-703 - Interdepartmental data protocol - contents(1) The chief information officer, or the chief information officer's designee, in coordination with the government data advisory board, must publish on or before November 1, 2022, an interoperability data framework and protocol aimed at promoting interoperability of data models across state agencies, with the goal of minimizing duplication of records, enhancing security, and increasing the state's capability to monitor and audit data-sharing transactions. At a minimum, the interoperability data framework shall: (a) Include the protocol and procedures to be used by state agencies in data management; and(b) Be designed to ensure that data collected by different state agencies can be matched and discrepancies in the data processing are reconciled to accurately identify data pertaining to the same record without allowing any permanent sharing of personal identifying information.(2) The protocol and procedures included in the interdepartmental data protocol by which state agencies may share data and by which a state agency may release data to a political subdivision or to a nongovernmental organization shall prioritize and coordinate data management and protection efforts across state agencies to maximize the privacy and protection of all data and to reduce the risk of public exposure of private or protected data. This includes but is not limited to:(a) Defining processes for managing data throughout the data management lifecycle;(b) Establishing the circumstances under which and the reasons that a state agency may share information with another state agency, a political subdivision, or a nongovernmental organization;(c) Ensuring compliance with all state and federal laws and regulations concerning the privacy of information, including but not limited to the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, and the federal "Health Insurance Portability and Accountability Act of 1996", 42 U.S.C. sec. 1320d to 1320d-9; and(d) Establishing a protocol that secures all personal identifying information collected and developing standards to minimize the collection of personal identifying information.(3) Notwithstanding any provision of this section, the interdepartmental data protocol shall not prohibit the release or sharing of data as required by federal or state laws including, but not limited to, the "Colorado Open Records Act", part 2 of article 72 of this title 24 or as required to comply with a court-issued subpoena, warrant, or order. In addition, the interdepartmental data protocol is not intended to prevent the sharing of data as permitted by existing contracts or agreements entered into by state agencies that comply with all applicable laws. Any sharing of data with nongovernmental organizations or individuals that is permitted, but not required, by state or federal laws, must be subject to a written agreement containing sufficient terms to protect against any unauthorized or unlawful access or release of any personal identifying information or to protect the confidentiality of nonpublic information that may be shared with such parties.Amended by 2021 Ch. 211, § 13, eff. 9/7/2021.Amended by 2018 Ch. 300, § 2, eff. 8/8/2018 and 7/1//2019.L. 20008: Entire part added, p. 780, § 1, effective August 5. L. 2009: Entire section R&RE, (HB 09-1285), ch. 891, p. 891, § 2, effective August 5. L. 2010: (1)(d)(II) amended, (HB 10-1392), ch. 1338, p. 1338, § 1, effective May 26. L. 2013: (1)(d)(II)(D) amended, (HB 13-1079), ch. 1194, p. 1194, § 10, effective May 18. L. 2018: (1)(d)(I), IP(1)(d)(II), (1)(d)(II)(A), (6), and (7) amended, (SB 18-209), ch. 1824, p. 1824, § 2, effective August 8; (1)(b) amended, (SB 18-209), ch, 300, p. 1824, § 2, effective 7/1/2019.