53B-28-501.  Definitions.
     As used in this part:

(1)  “Advisory group” means the institution of higher education privacy advisory group established by the state privacy officer under Section 53B-28-502.

Terms Used In Utah Code 53B-28-501

  • Advisory group: means the institution of higher education privacy advisory group established by the state privacy officer under Section 53B-28-502. See Utah Code 53B-28-501
  • Board: means the Utah Board of Higher Education described in Section 53B-1-402. See Utah Code 53B-1-101.5
  • Contract: A legal written agreement that becomes binding when signed.
  • Data breach: means an unauthorized release of or unauthorized access to personally identifiable student data that an education entity maintains. See Utah Code 53B-28-501
  • Education entity: means the Utah Board of Higher Education or an institution. See Utah Code 53B-28-501
  • Institution: means an institution of higher education described in Section 53B-1-102. See Utah Code 53B-28-501
  • Person: means :Utah Code 68-3-12.5
  • Personally identifiable student data: includes :
(i) a student's first and last name;
(ii) the first and last name of a student's family member;
(iii) a student's or a student's family's home or physical address;
(iv) a student's email address or other online contact information;
(v) a student's telephone number;
(vi) a student's social security number;
(vii) a student's biometric identifier;
(viii) a student's health or disability data;
(ix) a student's education entity student identification number;
(x) a student's social media user name and password or alias;
(xi) if associated with personally identifiable student data, the student's persistent identifier, including:
(A) a customer number held in a cookie; or
(B) a processor serial number;
(xii) a combination of a student's last name or photograph with other information that together permits a person to contact the student online;
(xiii) information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and
(xiv) information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. See Utah Code 53B-28-501
  • Process: means a writ or summons issued in the course of a judicial proceeding. See Utah Code 68-3-12.5
  • State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
  • State privacy officer: means the state privacy officer described in Section 67-3-13. See Utah Code 53B-28-501
  • Student: means an individual enrolled in an institution. See Utah Code 53B-28-501
  • Student data: means information about a student at the individual student level. See Utah Code 53B-28-501
    • (2)  “Aggregate data” means data that:

    (a)  are totaled and reported at the group, cohort, class, course, institution, region, or state level, with at least 10 individuals in the level; and

    (b)  do not reveal personally identifiable student data.

    (3)  “Data breach” means an unauthorized release of or unauthorized access to personally identifiable student data that an education entity maintains.

    (4)  “Data governance plan” means an education entity’s comprehensive plan for managing education data that:

    (a)  incorporates reasonable data industry best practices to maintain and protect student data and other education-related data;

    (b)  describes the role, responsibility, and authority of the board or an institution privacy officer;

    (c)  provides for necessary technical assistance, training, support, and auditing;

    (d)  describes the process for sharing student data between the education entity and another person;

    (e)  describes the education entity’s data expungement process, including how to respond to requests for expungement;

    (f)  describes the data breach response process; and

    (g)  is published annually and available on the institution’s website or the Utah System of Higher Education’s website.

    (5)  “Education entity” means the Utah Board of Higher Education or an institution.

    (6)  “Higher education privacy officer” means a privacy officer that the board designates under Section 53B-28-503.

    (7)  “Institution” means an institution of higher education described in Section 53B-1-102.

    (8)  “Minor” means a person younger than 18 years old.

    (9) 

    (a)  “Personally identifiable student data” means student data that identifies or is used by the holder to identify a student.

    (b)  “Personally identifiable student data” includes:

    (i)  a student’s first and last name;

    (ii)  the first and last name of a student’s family member;

    (iii)  a student’s or a student’s family’s home or physical address;

    (iv)  a student’s email address or other online contact information;

    (v)  a student’s telephone number;

    (vi)  a student’s social security number;

    (vii)  a student’s biometric identifier;

    (viii)  a student’s health or disability data;

    (ix)  a student’s education entity student identification number;

    (x)  a student’s social media user name and password or alias;

    (xi)  if associated with personally identifiable student data, the student’s persistent identifier, including:

    (A)  a customer number held in a cookie; or

    (B)  a processor serial number;

    (xii)  a combination of a student’s last name or photograph with other information that together permits a person to contact the student online;

    (xiii)  information about a student or a student’s family that a person collects online and combines with other personally identifiable student data to identify the student; and

    (xiv)  information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

    (10)  “State privacy officer” means the state privacy officer described in Section 67-3-13.

    (11)  “Student” means an individual enrolled in an institution.

    (12) 

    (a)  “Student data” means information about a student at the individual student level.

    (b)  “Student data” does not include aggregate or de-identified data.

    (13)  “Third-party contractor” means a person who:

    (a)  is not an institution or an employee of an institution; and

    (b)  pursuant to a contract with an education entity, collects or receives student data in order to provide a product or service, as described in the contract, if the product or service is not related to school photography, yearbooks, graduation announcements, or a similar product or service.

    Enacted by Chapter 461, 2022 General Session

      Previous section
    Next section  
     Part 5 Contents