Superseded 7/1/2023)

Superseded 7/1/2023
53E-9-308.  Sharing student data — Prohibition — Requirements for student data manager — Authorized student data sharing.

(1) 

Terms Used In Utah Code 53E-9-308

  • Data governance plan: means an education entity's comprehensive plan for managing education data that:
(a) incorporates reasonable data industry best practices to maintain and protect student data and other education-related data;
(b) describes the role, responsibility, and authority of an education entity data governance staff member;
(c) provides for necessary technical assistance, training, support, and auditing;
(d) describes the process for sharing student data between an education entity and another person;
(e) describes the education entity's data expungement process, including how to respond to requests for expungement;
(f) describes the data breach response process; and
(g) is published annually and available on the education entity's website. See Utah Code 53E-9-301
  • Education entity: means :
    (a) the state board;
    (b) a local school board;
    (c) a charter school governing board;
    (d) a school district;
    (e) a charter school; or
    (f) the Utah Schools for the Deaf and the Blind. See Utah Code 53E-9-301
  • Jurisdiction: (1) The legal authority of a court to hear and decide a case. Concurrent jurisdiction exists when two courts have simultaneous responsibility for the same case. (2) The geographic area over which the court has authority to decide cases.
  • Parent: means :
    (a) a student's parent;
    (b) a student's legal guardian; or
    (c) an individual who has written authorization from a student's parent or legal guardian to act as a parent or legal guardian on behalf of the student. See Utah Code 53E-9-301
  • Person: means :Utah Code 68-3-12.5
  • Personally identifiable student data: includes :
    (i) a student's first and last name;
    (ii) the first and last name of a student's family member;
    (iii) a student's or a student's family's home or physical address;
    (iv) a student's email address or other online contact information;
    (v) a student's telephone number;
    (vi) a student's social security number;
    (vii) a student's biometric identifier;
    (viii) a student's health or disability data;
    (ix) a student's education entity student identification number;
    (x) a student's social media user name and password or alias;
    (xi) if associated with personally identifiable student data, the student's persistent identifier, including:
    (A) a customer number held in a cookie; or
    (B) a processor serial number;
    (xii) a combination of a student's last name or photograph with other information that together permits a person to contact the student online;
    (xiii) information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and
    (xiv) information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. See Utah Code 53E-9-301
  • Process: means a writ or summons issued in the course of a judicial proceeding. See Utah Code 68-3-12.5
  • School official: means an employee or agent of an education entity, if the education entity has authorized the employee or agent to request or receive student data on behalf of the education entity. See Utah Code 53E-9-301
  • State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
  • State board: means the State Board of Education. See Utah Code 53E-1-102
  • Student data: means information about a student at the individual student level. See Utah Code 53E-9-301
  • Student data manager: means :
    (a) the state student data officer; or
    (b) an individual designated as a student data manager by an education entity under Section 53E-9-303, who fulfills the duties described in Section 53E-9-308. See Utah Code 53E-9-301
  • Subpoena: A command to a witness to appear and give testimony.
  • Written consent: means written authorization to collect or share a student's student data, from:
    (a) the student's parent, if the student is not an adult student; or
    (b) the student, if the student is an adult student. See Utah Code 53E-9-301
    (a)  Except as provided in Subsection (1)(b), an education entity, including a student data manager, may not share personally identifiable student data without written consent.

    (b)  An education entity, including a student data manager, may share personally identifiable student data:

    (i)  in accordance with the Family Education Rights and Privacy Act and related provisions under 20 U.S.C. Secs. 1232g and 1232h;

    (ii)  as required by federal law; and

    (iii)  as described in Subsections (3), (5), and (6).
  • (2)  A student data manager shall:

    (a)  authorize and manage the sharing, outside of the student data manager’s education entity, of personally identifiable student data for the education entity as described in this section;

    (b)  act as the primary local point of contact for the state student data officer described in Section 53E-9-302; and

    (c)  fulfill other responsibilities described in the data governance plan of the student data manager’s education entity.

    (3)  A student data manager may share a student’s personally identifiable student data with a caseworker or representative of the Department of Health and Human Services if:

    (a)  the Department of Health and Human Services is:

    (i)  legally responsible for the care and protection of the student, including the responsibility to investigate a report of educational neglect, as provided in Subsection 80-2-701(5); or

    (ii)  providing services to the student;

    (b)  the student’s personally identifiable student data is not shared with a person who is not authorized:

    (i)  to address the student’s education needs; or

    (ii)  by the Department of Health and Human Services to receive the student’s personally identifiable student data; and

    (c)  the Department of Health and Human Services maintains and protects the student’s personally identifiable student data.

    (4)  The Department of Health and Human Services, a school official, or the Utah Juvenile Court may share personally identifiable student data to improve education outcomes for youth:

    (a)  in the custody of, or under the guardianship of, the Department of Health and Human Services;

    (b)  receiving services from the Division of Juvenile Justice and Youth Services;

    (c)  in the custody of the Division of Child and Family Services;

    (d)  receiving services from the Division of Services for People with Disabilities; or

    (e)  under the jurisdiction of the Utah Juvenile Court.

    (5) 

    (a)  A student data manager may share personally identifiable student data in response to a subpoena issued by a court.

    (b)  A person who receives personally identifiable student data under Subsection (5)(a) may not use the personally identifiable student data outside of the use described in the subpoena.

    (6) 

    (a)  A student data manager may share student data, including personally identifiable student data, in response to a request to share student data for the purpose of research or evaluation, if the student data manager:

    (i)  verifies that the request meets the requirements of 34 C.F.R. § 99.31(a)(6);

    (ii)  submits the request to the education entity’s research review process; and

    (iii)  fulfills the instructions that result from the review process.

    (b) 

    (i)  In accordance with state and federal law, and subject to Subsection (6)(b)(ii), the state board shall share student data, including personally identifiable student data, as requested by the Utah Registry of Autism and Developmental Disabilities described in Section 26B-7-115.

    (ii) 

    (A)  At least 30 days before the state board shares student data in accordance with Subsection (6)(b)(i), the education entity from which the state board received the student data shall provide notice to the parent of each student for which the state board intends to share student data.

    (B)  The state board may not, for a particular student, share student data as described in Subsection (6)(b)(i) if the student’s parent requests that the state board not share the student data.

    (iii)  A person who receives student data under Subsection (6)(b)(i):

    (A)  shall maintain and protect the student data in accordance with state board rule described in Section 53E-9-307;

    (B)  may not use the student data for a purpose not described in Section 26B-7-115; and

    (C)  is subject to audit by the state student data officer described in Section 53E-9-302.

    Amended by Chapter 328, 2023 General Session