Approval Date: August 13, 2019

FED-Student Data Protection

Definitions

  1. “Aggregate Data” means data that:
    1. Are totaled and reported at the group, cohort, school, school district, region, or state level with at least 10 individuals in the level;
    2. Do not reveal personally identifiable student data; and
    3. Are collected in accordance with board rule.
  2. “Biometric Identifier”
    1. Biometric identifier means a:
      1. Retina or iris scan;
      2. Fingerprint;
      3. Human biological sample used for valid scientific testing or screening; or
      4. Scan of hand or face geometry.
    2. “Biometric identifier” does not include:
      1. A writing sample;
      2. A written signature;
      3. A voiceprint;
      4. A photograph;
      5. Demographic data; or
      6. A physical description, such as height, weight, hair color, or eye color.
  3. “Biometric Information" means information, regardless of how the information is collected, converted, stored, or shared:
    1. Based on an individual’s biometric identifier; and
    2. Used to identify the individual.
  4. “Cyber security framework” means:
    1. the cyber security framework developed by the Center for Internet Security found at http://www.cisecurity.org/controls/; or
    2. a comparable IT security framework.
  5. "Data Breach" means an unauthorized release of or unauthorized access to personally identifiable student data that is maintained by an education entity.
  6. “Data Governance Plan” means a comprehensive plan for managing education data that:
    1. Incorporates reasonable data industry best practices to maintain and protect student data and other education-related data;
    2. describes the role, responsibility, and authority of an education entity data governance staff member;
    3. Provides for necessary technical assistance, training, support, and auditing;
    4. Describes the process for sharing student data between the District and another person;
    5. Describes the process for an adult student or parent to request that data be expunged including how to respond to requests for expungement;
    6. describes the data breach response process; and
    7. Is published annually and available on the District’s website.
  7. “Destroy” means to remove data or a record:
    1. In accordance with current industry best practices; and
    2. rendering the data or record irretrievable in the normal course of business of the District or a third-party contractor.
  8. "Disclosure" means permitting access to, revealing, releasing, transferring, disseminating, or otherwise communicating all or any part of any individual record orally, in writing, electronically, or by any other communication method.
  9. "Expunge" means to seal or permanently delete data so as to limit its availability to all except authorized individuals.
  10. “Metadata Dictionary” means a record that:
    1. Defines and discloses all personally identifiable student data collected and shared by the education entity;
    2. comprehensively lists all recipients with whom the education entity has shared personally identifiable student data, including:
      1. The purpose for sharing the data with the recipient;
      2. The justification for sharing the data, including whether sharing the data was required by federal law, state law, or a local directive; and
      3. How sharing the data is permitted under federal or state law; and;
    3. Without disclosing personally identifiable student data, is displayed on the education entity's website.
  11. “Optional Student Data” means student data that is neither necessary student data nor data which the District is prohibited from collecting (as described in Prohibited Collection of Student Data,, below).
    1. “Optional student data” includes:
      1. Information that is related to an IEP or needed to provide special needs services but is not “necessary student data”;
      2. Biometric information; and
      3. Information that is not necessary student data but is required for a student to participate in a federal or other program.
  12. “Significant data breach” means a data breach where:
    1. An intentional data breach successfully compromises student records;
    2. A large number of student records are compromised;
    3. Sensitive records are compromised, regardless of number; or
    4. The surrounding circumstances make the breach significant as determined by the District.
Utah Code § 53E-9-301 (2019)
Utah Admin. Rules R277-487-2 (March 13, 2019)

District Responsiblities

The District shall annually provide a training regarding the confidentiality of student data to any employee with access to education records as defined in FERPA.

The District shall designate an individual to act as a student data manager to fulfill the responsibilities of a student data manager described in Requirements for Student Data Manager, below.

If possible, the District shall designate a records officer pursuant to the Government Records Access and Management Act as defined in Utah Code § 63G-2-103(24), as the student data manager.

The District shall designate an individual to act as an Information Security Officer to fulfill the responsibilities described in Information Security Officer Roles and Responsibilities, below.

The District shall implement a cyber security framework.

The District shall create and maintain a District:

  1. Data governance plan; and
  2. Metadata dictionary.

By October 1 annually, the District shall enter all student data elements shared with third parties into the State Board's metadata dictionary.

By October 1 annually, the District shall provide the State Superintendent with evidence that the District has implemented a cyber security framework and the name and contact information of the District Information Security Officer.

The District shall provide the State Superintendent with a copy or link to the District's data governance plan by October 1 annually.

The District shall publicly post the definition of directory information as defined in FERPA and describe how a student data manager may share personally identifiable information that is directory information. By October 1 annually, the District shall provide the State Superintendent with a copy of or a link to the District’s definition of directory information.

The District shall establish an external research review process to evaluate requests for data for the purpose of external research or evaluation.

Utah Code § 53E-9-303 (2019)
Utah Admin. Rules R277-487-2 (March 13, 2019)
Utah Admin. Rules R277-487-3 (March 13, 2019)

Student Data Ownership and Access

A student owns the student’s personally identifiable student data.

The District shall allow a student or a student’s parent (or in the absence of a parent an individual who is acting as the student’s parent) to access the student’s student data which is maintained by the District.

Utah Code § 53E-9-304 (2019)

Data Retention

The District shall classify all student data which it collects under an approved records retention schedule. The District shall retain and dispose of all student data in accordance with an approved records retention schedule.

If no existing retention schedule governs student disciplinary records collected by the District:

  1. The District may propose to the State Records Committee a retention schedule of up to one year if collection of the data is not required by federal or state law or Board rule; or
  2. The District may propose to the State Records Committee a retention schedule of up to three years if collection of the data is required by federal or state law or State Board rule, unless a longer retention period is prescribed by federal or state law or State Board rule.

The District’s retention schedules shall take into account the District’s administrative need for the data.

Unless the data requires permanent retention, the District’s retention schedules shall require destruction or expungement of student data after the administrative need for the data has passed.

A parent or adult student may request that the District amend, expunge, or destroy any record not subject to an approved retention schedule and believed to be inaccurate, misleading, or in violation of the privacy rights of the student. The District shall process such a request following the same procedures outlined to amend a student education record under FERPA, as set out in Policy FE “Right to Amend Records.”

Utah Admin. Rules R277-487-4 (March 13, 2019)

Notification in Case of Breach

If there is a release of a student’s personally identifiable student data due to a significant data breach, the District shall notify:

  1. The student, if the student is an adult student; or
  2. The student’s parent, if the student is not an adult student.
Utah Code § 53E-9-304(2) (2019)

Within 10 business days of the discovery of a significant data breach (either by the District or by third parties), the District shall report the significant data breach to the State Superintendent.

Utah Admin. Rules R277-487-3(12) (March 13, 2019)

Prohibited Collection of Student Data

The District may not collect a student’s:

  1. Social Security number; or
  2. Criminal record, except as required in Utah Code § 78A-6-112 (Minor taken into custody by peace officer, private citizen, or probation officer).
Utah Code §53E-9-305(1) (2019)

Student Data Disclosure Statement

If the District collects student data into a cumulative record it shall, in accordance with this section, prepare and distribute to parents and students a student data disclosure statement that:

  1. Is a prominent, stand-alone document;
  2. Is annually updated and published on the District’s website;
  3. States the necessary and optional student data the District collects;
  4. States that the District will not collect the student data described in Prohibited Collection of Student Data, above;
  5. Describes the types of student data that the District may not share without a data authorization;
  6. Describes how the District may collect, use, and share student data;
  7. Includes the following statement: “The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly.”;
  8. Describes in general terms how the District stores and protects student data; and
  9. States a student’s rights under the student data protection statutes.
Utah Code § 53E-9-305(2) (2019)

Student Data Disclosure Statement Recipients

The District may collect the necessary student data of a student into a cumulative record only if the District provides a student data disclosure statement to:

  1. The student, if the student is an adult student; or
  2. The student’s parent, if the student is not an adult student.
Utah Code § 53E-9-305(4) (2019)

Optional Student Data Collection

The District may collect optional student data into a cumulative record only if it:

  1. Provides, to an individual described in Student Data Disclosure Statement Recipients, above, a student data disclosure statement that includes a description of:
    1. The optional student data to be collected; and
    2. How the District will use the optional student data; and
  2. Obtains a data authorization to collect the optional student data from an individual described in Student Data Disclosure Statement Recipients, above.
Utah Code § 53E-9-305(5) (2019)

Student Biometric Indentifier and Biometric Information Data Collection

The District may collect a student’s biometric identifier or biometric information if the District:

  1. Provides, to an individual described in Student Data Disclosure Statement Recipients, above, a biometric information collection notice that is separate from a student data collection notice and which states:
    1. The biometric identifier or biometric information to be collected;
    2. The purpose of collecting the biometric identifier or biometric information; and
    3. How the District will use and store the biometric identifier or biometric information; and
  2. Obtains written consent to collect the biometric identifier or biometric information from an individual described in Student Data Disclosure Statement Recipients, above.
Utah Code § 53E-9-305(6) (2019)

Sharing Student Data

The District may not share a student’s personally identifiable student data without written consent, except in conformance with the requirements of this policy and with the Family Educational Rights and Privacy Act (“FERPA”) and related provisions under 20 U.S.C. §§ 1232(g) and 1232(h)

Utah Code § 53E-9-308 (2019)

Student Data Manager Roles and Responsibilities

The District will designate a student data manager who shall:

  1. Authorize and manage the sharing, outside of the District, of personally identifiable student data for the District as described in this section;
  2. Provide for necessary technical assistance, training, and support
  3. Act as the primary local point of contact for the state student data officer described in Utah Code § 53E-9-302; and
  4. Ensure that the following notices are available to parents:
  5. Fulfill other responsibilities described in the District’s data governance plan.

Information Security Officer Roles and Responsibilities

The District will designate an Information Security Officer who shall:

  • Oversee adoption of the CIS controls
  • Provide for necessary technical assistance, training, and support as it relates to IT security

Expungement Request Policy

The LEA recognizes the risk associated with data following a student year after year that could be used to mistreat the student. The LEA shall review all requests for records expungement from parents and make a determination based on the following procedure.

Procedure:

The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, assessment information.

The procedure for expungement shall match the record amendment procedure found in 34 CFR, Subpart C of FERPA.

  1. If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged.
  2. The LEA shall decide whether to expunge the data within a reasonable time after the request.
  3. If the LEA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing.
  4. The LEA shall hold the hearing within a reasonable time after receiving the request for a hearing.
  5. The LEA shall provide the parent notice of the date, time, and place in advance of the hearing.
  6. The hearing shall be conducted by any individual that does not have a direct interest in the outcome of the hearing.
  7. The LEA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney.
  8. The LEA shall make its decision in writing within a reasonable time following the hearing.
  9. The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.
  10. 10.If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.

Data Breach Response Policy

The LEA shall follow industry best practices to protect information and data. In the event of a data breach or inadvertent disclosure of personally identifiable information, the LEA staff shall follow industry best practices for responding to the breach.

Procedure:

  1. The superintendent will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT)
  2. At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation.
  3. The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred.
  4. The information security officer will coordinate with other IT staff to determine the root cause of the breach and close the breach.
  5. The CIRT will coordinate with legal counsel to determine if the incident is meets the legal definition of a significant breach as defined in R277-487 and determine which entities and individuals need to be notified.
  6. If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.
Utah Code § 53E-9-308(2) (2019)

Permitted and Prohibited Sharing of Student Data by Student Data Manager

A student data manager may share the personally identifiable student data of a student with the student with the student and the student’s parent. Otherwise, a student data manager may only share a student’s personally identifiable student data from a cumulative record in accordance with federal law or as follows. Such data may be shared with:

  1. A school official;
  2. An authorized caseworker, in accordance with this policy, or other representative of the Department of Human Services; or
  3. A person to whom the District has outsourced a service or function:
    1. To research the effectiveness of a program’s implementation; or
    2. that the District’s employees would typically perform.

A student data manager may share a student’s personally identifiable student data from a cumulative record with a caseworker or representative of the Department of Human Services if:

  1. The Department of Human Services is:
    1. legally responsible for the care and protection of the student; or
    2. providing services to the student; and
  2. The student’s personally identifiable student data is not shared with a person who is not authorized:
    1. to address the student’s education needs; or
    2. by the Department of Human Services to receive the student’s personally identifiable student data; and
  3. The Department of Human Services maintains and protects the student’s personally identifiable student data.
  4. A student data manager may share a student’s personally identifiable student data to improve educational outcomes for the student where the student is:

    1. In the custody of or under the guardianship of, the Department of Human Services;
    2. Receiving services from the Division of Juvenile Justice Services;
    3. In the custody of the Division of Child and Family Services;
    4. Receiving services from the Division of Services for People with Disabilities; or
    5. Under the jurisdiction of the Utah Juvenile Court.

    A student data manager may share aggregate data.

    A student data manager may not share personally identifiable student data for the purpose of external research or evaluation except as follows: If a student data manager receives a request to share data for the purpose of external research or evaluation, the student data manager shall:

    1. Verify that the request meets the requirements of 34 C.F.R. § 99.31(a)(6);
    2. Submit the request to the District’s external research review process; and
    3. Fulfill the instructions that result from the review process.

    If the student data manager is informed that the State Board of Education intends to share student data collected by the District with the Utah Registry of Autism and Developmental Disabilities, the student data manager shall give notice to the parent of each student whose data is to be shared of the State Board’s intention to share the data. This notice shall be provided at least 30 days before the State Board is to share the data. If a parent requests that the State Board not share the data, the student data manager shall relay that request to the State Board.

    A student data manager may share personally identifiable student data in response to a subpoena issued by a court.

    In accordance with State Board of Education rule, a student data manager may share personally identifiable information that is directory information.

Utah Code § 53E-9-308 (2019)

Third Party Contractors

The District may provide a third-party contractor with personally identifiable student data received under a contract with the District strictly for the Utah School Boards Association Policy Services purpose of providing the contracted product or service within the negotiated contract terms.

When contracting with a third-party contractor, the District shall require the following provisions in the contract:

  1. Requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the District to ensure compliance with the provisions of the Student Data Protection Act and State Board of Education rules;
  2. A description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data;
  3. Provisions that govern requests by the District for the deletion of the student data received by the third-party contractor from the District;
  4. Except as provided in this policy and if required by the District, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and
  5. An agreement by the third-party contractor that, at the request of the District, the District or its designee may audit the third-party contractor to verify compliance with the contract.

A third-party contractor’s use of personally identifiable student data shall be in accordance with Utah Code §§ 53E-9-309, 53E-9-310, and FERPA.

If the District contracts with a third-party contractor to collect and have access to the District's student data, the District shall monitor and maintain control of the data.

If the District contracts with a third-party contractor to collect and have access to the District's student data, the District shall notify a student and the student's parent or guardian in writing that the student's data is collected and maintained by the third-party contractor.

Utah Admin. Rules R277-487-3 (March 13, 2019)
Utah Admin. Rules R277-487-11 (March 13, 2019)
Utah Code § 53E-9-309 (2019)
Utah Code § 53E-9-3010 (2019)