53E-9-304.  Student data ownership and access — Notification in case of significant data breach.

(1) 

Terms Used In Utah Code 53E-9-304

  • Adult student: means a student who:
(a) is at least 18 years old;
(b) is an emancipated student; or
(c) qualifies under the McKinney-Vento Homeless Education Assistance Improvements Act of 2001, 42 U. See Utah Code 53E-9-301
  • Data breach: means an unauthorized release of or unauthorized access to personally identifiable student data that is maintained by an education entity. See Utah Code 53E-9-301
  • Education entity: means :
    (a) the state board;
    (b) a local school board;
    (c) a charter school governing board;
    (d) a school district;
    (e) a charter school; or
    (f) the Utah Schools for the Deaf and the Blind. See Utah Code 53E-9-301
  • Parent: means :
    (a) a student's parent;
    (b) a student's legal guardian; or
    (c) an individual who has written authorization from a student's parent or legal guardian to act as a parent or legal guardian on behalf of the student. See Utah Code 53E-9-301
  • Personally identifiable student data: includes :
    (i) a student's first and last name;
    (ii) the first and last name of a student's family member;
    (iii) a student's or a student's family's home or physical address;
    (iv) a student's email address or other online contact information;
    (v) a student's telephone number;
    (vi) a student's social security number;
    (vii) a student's biometric identifier;
    (viii) a student's health or disability data;
    (ix) a student's education entity student identification number;
    (x) a student's social media user name and password or alias;
    (xi) if associated with personally identifiable student data, the student's persistent identifier, including:
    (A) a customer number held in a cookie; or
    (B) a processor serial number;
    (xii) a combination of a student's last name or photograph with other information that together permits a person to contact the student online;
    (xiii) information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and
    (xiv) information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. See Utah Code 53E-9-301
  • State board: means the State Board of Education. See Utah Code 53E-1-102
  • Student data: means information about a student at the individual student level. See Utah Code 53E-9-301
  • (a)  A student owns the student’s personally identifiable student data.

    (b)  An education entity shall allow the following individuals to access a student’s student data that is maintained by the education entity:

    (i)  the student’s parent;

    (ii)  the student; and

    (iii)  in accordance with the education entity’s internal policy described in Section 53E-9-303 and in the absence of a parent, an individual acting as a parent to the student.
  • (2) 

    (a)  If a significant data breach occurs at an education entity, the education entity shall notify:

    (i)  the student, if the student is an adult student; or

    (ii)  the student’s parent, if the student is not an adult student.

    (b)  In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the state board shall make rules to define a significant data breach described in Subsection (2)(a).

    Amended by Chapter 408, 2020 General Session