GUIDANCE TO EXECUTIVE BRANCH DEPARTMENTS AND AGENCIES
ON DATA PRIVACY
My administration is focused on a Colorado that works for all, and in order for us to
uphold that vision, we must make sure that Coloradans trust that they can seek assistance from
the State without making undue sacrifices related to data privacy. As our ability to utilize data to
inform and improve government services for Coloradans expands, we also want to ensure that
executive branch departments and agencies have policies that protect consumer data and privacy,
including when handling requests for information from the federal government or from third
parties. Technology increases the consumption of data, the desire for interoperability, the
possibilities to learn and improve, and the need for enhanced protections. Colorado is committed
to continuing to secure and limit personally-identifiable information collected by executive
branch departments and agencies to protect Coloradans’ information. The intention of this
guidance is to strike a balance between an individual’s right to privacy and the need to collect
data to deliver high quality government services to Coloradans.

FINDINGS
1.
Coloradans’ access to government services is key to our collective health and wellness.
When Coloradans access services for which they are eligible, it enhances our economic, civic
and social lives. Job training programs provide new opportunities for Colorado workers, and
drivers licenses help ensure safety on our roads. State government should strive for services to be
accessible for all Coloradans, so that we may all benefit.
2.
Our communities are better and safer when all residents are full participants in society,
including by engaging with their State government and accessing everything the government has
to offer. All should feel welcome to be the recipients of State services without fear of abuse of
their privacy or data. Executive branch departments and agencies should implement policies to
increase the public’s confidence in our State government and encourage people to access the
services offered by those agencies, including services that can be crucial in a time of crisis.
3.
Executive branch departments and agencies increasingly collect residents’ personal
information to be able to provide a variety of services, including education, healthcare, financial
assistance, and regulatory and enforcement activities designed to ensure the safety of Colorado
residents. Colorado residents have a reasonable expectation that State agencies will not disclose
this information with outside actors.

 GUIDANCE
I am providing the following Guidance to State executive branch departments and agencies for
protecting Coloradans’ data and privacy when handling requests for information from the federal
government or third parties.
1. For the purposes of this Guidance, personal identifying information (PII) means
information that may be used, alone or in conjunction with any other information, to
identify a specific individual, including but not limited to: name; date of birth; place of
birth; social security number or tax identification number; password or pass code; official
government-issued driver's license or identification card number; vehicle registration
information; license plate number; photograph, electronically stored photograph, or
digitized image; fingerprint; record of a physical feature, physical characteristic, or
handwriting; government passport number; health insurance identification number;
employer, student, or military identification number; school or educational institution
attended; source of income; medical information; biometric data; financial and tax
records; home or work addresses or other contact information; family or emergency
contact information; status as a recipient of public assistance or as a crime victim; race;
ethnicity; national origin; immigration or citizenship status; sexual orientation; gender
identity; physical disability; intellectual and developmental disability; or religion.
2. It is important to ensure that State agencies are still able to perform their intended
functions, comply with State and federal law, cooperate in criminal investigations, and
comply with statutory and regulatory requirements for federal and State government
funding. For each request for PII by the Federal government or a third party, excluding
those requests to systems that under federal or State law cannot be used for administrative
or immigration purposes, agency staff must identify the following prior to approving the
request, and should only release the requested data if:
a. The request meets the following requirements:
i.
That any responsive disclosure to the request is permitted under State and
federal law and regulation;
ii.
That any responsive disclosure to the request is limited to information that
is relevant or necessary to accomplish the stated purpose; and
iii.
That, if the request can be satisfied with de-identified or aggregated data,
then it must be released in that form; and
b. The request meets one or more of the following requirements:
i.
That the request supports an active criminal investigation or is responsive
to a possible crime in progress; or
ii.
That the request is responsive to a court-authorized subpoena, warrant, or
other valid order; or

 iii.

That the request is necessary to perform agency duties, functions, or other
business, as required by State or federal statute or rule, and is not solely
related to federal civil immigration enforcement.

3. Ensure information pertaining to immigration status is not collected from or inquired of
individuals, except when it is required by State or federal law or serves a legitimate law
enforcement purpose or activity, or is otherwise authorized by the Governor.
4. Prior to releasing PII and when practicable, State employees must:
a. Notify their division director or, if not feasible, their immediate supervisor of the
request, and receive express written authorization from the division director or
direct supervisor to grant the request.
b. If the request is timely or urgent to preserve or protect public safety, notify their
division director or immediate supervisor as soon as possible after the request for
information has been granted.
5. When granting a request for release of PII, State employees shall ensure that information
is transmitted electronically in a manner that is consistent with cybersecurity standards
and that the transmission is encrypted. A copy of the transmitted data should be kept
securely for at least ninety (90) days.
6. Executive branch law enforcement agencies are required to provide notice to law
enforcement partners that PII in the control of or shared by executive branch departments
and agencies may only be used for active criminal investigations and must not be utilized
for federal civil immigration purposes.
7. All State executive branch departments and agencies, except for the Department of Public
Safety (DPS), shall maintain a written log of each individual request. Each log should
include:
a. The date of each request;
b. Whether each request was granted or denied;
c. The name and title of the state employee (or state contractor or temporary
employee) granting or denying the request;
d. A description of the articulated purpose of the request;
e. The federal office or agency or third-party that requested information, including
the name of the individual requestor, and if the individual is a law enforcement
officer, the individual’s badge number; and
f. A summary description of why the request was granted or denied, including how
the request met or did not meet the guidelines articulated by this Guidance.

 8. Each Executive Branch agency and principal department under the authority of the
Governor shall provide the information in its written log to the Governor’s Office of
Legal Counsel (OLC) on a quarterly basis. Written logs shall be due to OLC on January
15, April 15, July 15, and October 15. The first log shall be submitted on July 15, 2020.
Agencies must also attest that no request was granted for any purpose other than those
outlined by this Guidance. OLC may follow-up with State executive departments or
agencies on any request.
a. If any request under consideration falls outside this Guidance, the division
director of the agency must contact and provide to the OLC written
documentation for why the request should be granted. OLC will provide guidance
to the division director on whether or not to grant the request.
9. Agencies must implement this guidance within thirty (30) days from the date of signature
by the Governor. Agencies must submit implementation guidance to OLC upon request.

GIVEN under my hand
this twentieth day of
May, 2020.

Jared Polis
Governor