53E-9-304. Student data ownership and access — Notification in case of significant data breach.
Terms Used In Utah Code 53E-9-304
Adult student: means a student who:
(a) is at least 18 years old;
(b) is an emancipated student; or
(c) qualifies under the McKinney-Vento Homeless Education Assistance Improvements Act of 2001, 42 U. See Utah Code 53E-9-301
Data breach: means an unauthorized release of or unauthorized access to personally identifiable student data that is maintained by an education entity. See Utah Code 53E-9-301
an individual who has written authorization from a student's parent or legal guardian to act as a parent or legal guardian on behalf of the student. See Utah Code 53E-9-301
Personally identifiable student data: includes:
(i) a student's first and last name;
(ii) the first and last name of a student's family member;
(iii) a student's or a student's family's home or physical address;
(iv) a student's email address or other online contact information;
(v) a student's telephone number;
(vi) a student's social security number;
(vii) a student's biometric identifier;
(viii) a student's health or disability data;
(ix) a student's education entity student identification number;
(x) a student's social media user name and password or alias;
(xi) if associated with personally identifiable student data, the student's persistent identifier, including:
(A) a customer number held in a cookie; or
(B) a processor serial number;
(xii) a combination of a student's last name or photograph with other information that together permits a person to contact the student online;
(xiii) information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and
(xiv) information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. See Utah Code 53E-9-301
Student data: means information about a student at the individual student level. See Utah Code 53E-9-301
(1)(a) A student owns the student’s personally identifiable student data.
(b) An education entity shall allow the following individuals to access a student’s student data that is maintained by the education entity:
(i) the student’s parent;
(ii) the student; and
(iii) in accordance with the education entity’s internal policy described in Section 53E-9-303 and in the absence of a parent, an individual acting as a parent to the student.
(2)(a) If a significant data breach occurs at an education entity, the education entity shall notify:
(i) the student, if the student is an adult student; or
(ii) the student’s parent, if the student is not an adult student.