53E-9 - Student Privacy and Data Protection
General Provisions
53E-9-101 - Title.
This chapter is known as “Student Privacy and Data Protection.”
Student Privacy
53E-9-201 - Definitions.
53E-9-202 - Application of state and federal law to the administration and operation of public schools — Local school board and charter school governing board policies.
53E-9-202(1) As used in this section “education entity” means:
the state board; a local school board or charter school governing board; a school district; a public school; or the Utah Schools for the Deaf and the Blind. 53E-9-202(2) An education entity and an employee, student aide, volunteer, third party contractor, or other agent of an education entity shall protect the privacy of a student, the student’s parents, and the student’s family and support parental involvement in the education of their children through compliance with the protections provided for family and student privacy under this part and the Family Educational Rights and Privacy Act and related provisions under 20 U.S.C. Secs. 1232g and 1232h, in the administration and operation of all public school programs, regardless of the source of funding. 53E-9-202(3) A local school board or charter school governing board shall enact policies governing the protection of family and student privacy as required by this part.
53E-9-203 - Activities prohibited without prior written consent — Validity of consent — Qualifications — Training on implementation.
53E-9-203(1) Except as provided in Subsection (8), Section 53G-9-604, and Section 53G-9-702, an LEA shall include in policies the LEA adopts under Section 53E-9-202 a requirement for obtaining prior written consent from the student’s parent when administering to a student: any psychological or psychiatric examination, test, or treatment; and any survey, analysis, or evaluation in which the purpose or effect is to cause the student to reveal information, whether the information is personally identifiable or not, concerning the student’s or any family member’s: political affiliations or, except as provided under Section 53G-10-202 or rules of the state board, political philosophies; mental or psychological problems; sexual behavior, orientation, gender identity, or attitudes; illegal, anti-social, self-incriminating, or demeaning behavior; critical appraisals of individuals with whom the student or family member has close family relationships; religious affiliations or beliefs; legally recognized privileged and analogous relationships, such as those with lawyers, medical personnel, or ministers; and income, except as required by law. An LEA shall annually obtain prior written consent for the following at the time a student registers with the LEA: surveys related to an early warning system described in Section 53F-4-207; surveys that include social emotional learning questions; and the school climate survey described in Section 53G-8-802. 53E-9-203(2) Prior written consent under Subsection (1) is required in all grades, kindergarten through grade 12. 53E-9-203(3) Except as provided in Subsection (8), Section 53G-9-604, and Section 53G-9-702, the requirements under Subsection (1) shall also apply within the curriculum and other school activities unless prior written consent of the student’s parent has been obtained.
53E-9-203(4) An LEA may not: use the prior written consent described in Subsection (1) that a different LEA obtained for a student who transfers to the LEA after the beginning of the school year; or provide: a reward to a student for a student’s participation in any psychological or psychiatric examination, test, treatment, survey, analysis, or evaluation; or a consequence to a student for a student’s lack of participation in any psychological or psychiatric examination, test, treatment, survey, analysis, or evaluation. 53E-9-203(5) Written parental consent is valid only if a parent has been first given written notice, including notice that a copy of the educational or student survey questions to be asked of the student in obtaining the desired information is made available at the school, and a reasonable opportunity to obtain written information concerning: records or information, including information about relationships, that may be examined or requested; the means by which the records or information shall be examined or reviewed; the means by which the information is to be obtained; the purposes for which the records or information are needed; the entities or persons, regardless of affiliation, who will have access to the personally identifiable information; and a method by which a parent of a student can grant permission to access or examine the personally identifiable information. For a survey described in Subsection (1), the LEA shall ensure that the written notice described in Subsection (5)(a) includes: the survey the LEA will administer to the parent’s student; the intended purposes and uses of the data collected; the types of persons or governmental entities that: share the collected data, including a list of recipients who will receive the student-level data; or receive the data collected from a governmental entity on a regular or contractual basis; and the record series as defined in Section 63G-2-103 in which the data is or will be included, if applicable.
53E-9-203(6) Except in response to a situation which a school employee reasonably believes to be an emergency, as authorized under Title 80, Chapter 2, Part 6, Child Abuse and Neglect Reports, by order of a court, or as described in Subsection (1)(b), disclosure to a parent must be given at least two weeks before information protected under this section is sought. Following disclosure, a parent may waive the two week minimum notification period. Unless otherwise agreed to by a student’s parent and the person requesting written consent, the authorization is valid only for the activity for which it was granted. A written withdrawal of authorization submitted to the school principal by the authorizing parent terminates the authorization. A general consent used to approve admission to school or involvement in special education, remedial education, or a school activity does not constitute written consent under this section. 53E-9-203(7) This section does not limit the ability of a student under Section 53G-10-203 to spontaneously express sentiments or opinions otherwise protected against disclosure under this section. If a school employee or agent believes that a situation exists which presents a serious threat to the well-being of a student, that employee or agent shall notify the student’s parent without delay. If, however, the matter has been reported to the Division of Child and Family Services within the Department of Human Services, it is the responsibility of the division to notify the student’s parent of any possible investigation, prior to the student’s return home from school. The division may be exempted from the notification requirements described in this Subsection (7)(b)(ii) only if it determines that the student would be endangered by notification of the student’s parent, or if that notification is otherwise prohibited by state or federal law.
53E-9-203(8) If a school employee, agent, or school resource officer believes a student is at-risk of attempting suicide, physical self-harm, or harming others, the school employee, agent, or school resource officer may intervene and ask a student questions regarding the student’s suicidal thoughts, physically self-harming behavior, or thoughts of harming others for the purposes of: referring the student to appropriate prevention services; and informing the student’s parent. An LEA shall develop and adopt a policy regarding intervention measures consistent with Subsection (8)(a) while requiring the minimum degree of intervention to accomplish the goals of this section. 53E-9-203(9) An LEA governing board shall provide inservice for teachers and administrators on the implementation of this section. 53E-9-203(10) The state board shall provide procedures for disciplinary action for violations of this section. 53E-9-203(11) Data collected from a survey described in Subsection (1): is a private record as provided in Section 63G-2-302; may not be shared except in accordance with the Family Educational Rights and Privacy Act, 20 U.S.C. Sec. 1232g; may only be used by an individual, organization, or governmental entity, including the state board, for the purposes identified in the notice described in Subsection (5); and may not be included in a student’s Student Achievement Backpack, as that term is defined in Section 53E-3-511.
53E-9-204 - Access to education records — Training requirement — Certification.
53E-9-204(1) As used in this section, “education record” means the same as that term is defined in the Family Educational Rights and Privacy Act, 20 U.S.C. Sec. 1232g. 53E-9-204(2) A local school board or charter school governing board shall require each public school to:
create and maintain a list that includes the name and position of each school employee who the public school authorizes, in accordance with Subsection (4), to have access to an education record; and provide the list described in Subsection (2)(a) to the school’s local school board or charter school governing board. 53E-9-204(3) A local school board or charter school governing board shall:
provide training on student privacy laws; and require a school employee on the list described in Subsection (2) to: complete the training described in Subsection (3)(a); and provide to the local school board or charter school governing board a certified statement, signed by the school employee, that certifies that the school employee completed the training described in Subsection (3)(a) and that the school employee understands student privacy requirements. 53E-9-204(4) Except as provided in Subsection (4)(b), a local school board, charter school governing board, public school, or school employee may only share an education record with a school employee if: that school employee’s name is on the list described in Subsection (2); and federal and state privacy laws authorize the education record to be shared with that school employee. A local school board, charter school governing board, public school, or school employee may share an education record with a school employee if the board, school, or employee obtains written consent from: the parent of the student to whom the education record relates, if the student is younger than 18 years old; or the student to whom the education record relates, if the student is 18 years old or older.
53E-9-205 - Parental right to student information.
53E-9-205(1) As used in this section:
“Education record” means the same as that term is defined in Section 53E-9-204. “Gender identity” means the same as that term is defined in Section 34A-5-102. “Parent” means a parent or legal guardian with legal custody of the child in question. “Sex” means the biological, physical condition of being male or female, determined by an individual’s genetics and anatomy at birth. 53E-9-205(2) In accordance with Section 53E-2-201, each school and each local governing board shall ensure that no policy or action of the school or LEA:
except as provided in Subsection 53E-9-203(6), operates to shield a student’s education record from the student’s parent; and interferes with a parent’s: fundamental parental right and primary responsibility to direct the education of the parent’s child; and freedom of access to information regarding the parent’s child. 53E-9-205(3) Notwithstanding any other provision of law, a school or LEA may not:
prohibit a parent of a child from accessing the child’s education record; or without written parental consent make changes to a student’s education record regarding a student’s gender identity that does not conform with the student’s sex.
Student Data Protection
53E-9-301 - Definitions.
As used in this part: 53E-9-301(1) “Adult student” means a student who:
is at least 18 years old; is an emancipated student; or qualifies under the McKinney-Vento Homeless Education Assistance Improvements Act of 2001, 42 U.S.C. Sec. 11431 et seq. 53E-9-301(2) “Aggregate data” means data that:
are totaled and reported at the group, cohort, school, school district, region, or state level with at least 10 individuals in the level; do not reveal personally identifiable student data; and are collected in accordance with state board rule. 53E-9-301(3) “Biometric identifier” means a: retina or iris scan; fingerprint; human biological sample used for valid scientific testing or screening; or scan of hand or face geometry. “Biometric identifier” does not include: a writing sample; a written signature; a voiceprint; a photograph; demographic data; or a physical description, such as height, weight, hair color, or eye color. 53E-9-301(4) “Biometric information” means information, regardless of how the information is collected, converted, stored, or shared:
based on an individual’s biometric identifier; and used to identify the individual. 53E-9-301(5) “Data breach” means an unauthorized release of or unauthorized access to personally identifiable student data that is maintained by an education entity. 53E-9-301(6) “Data governance plan” means an education entity’s comprehensive plan for managing education data that:
incorporates reasonable data industry best practices to maintain and protect student data and other education-related data; describes the role, responsibility, and authority of an education entity data governance staff member; provides for necessary technical assistance, training, support, and auditing; describes the process for sharing student data between an education entity and another person; describes the education entity’s data expungement process, including how to respond to requests for expungement; describes the data breach response process; and is published annually and available on the education entity’s website. 53E-9-301(7) “Education entity” means:
the state board; a local school board; a charter school governing board; a school district; a charter school; or the Utah Schools for the Deaf and the Blind. 53E-9-301(8) “Expunge” means to seal or permanently delete data, as described in state board rule made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, under Section 53E-9-306. 53E-9-301(9) “General audience application” means an Internet website, online service, online application, mobile application, or software program that:
is not specifically intended for use by an audience member that attends kindergarten or a grade from 1 to 12, although an audience member may attend kindergarten or a grade from 1 to 12; and is not subject to a contract between an education entity and a third-party contractor. 53E-9-301(10) “Local education agency” or “LEA” means:
a school district; a charter school; or the Utah Schools for the Deaf and the Blind. 53E-9-301(11) “Metadata dictionary” means a record that:
defines and discloses all personally identifiable student data collected and shared by the education entity; comprehensively lists all recipients with whom the education entity has shared personally identifiable student data, including: the purpose for sharing the data with the recipient; the justification for sharing the data, including whether sharing the data was required by federal law, state law, or a local directive; and how sharing the data is permitted under federal or state law; and without disclosing personally identifiable student data, is displayed on the education entity’s website. 53E-9-301(12) “Necessary student data” means data required by state statute or federal law to conduct the regular activities of an education entity, including:
name; date of birth; sex; parent contact information; custodial parent information; contact information; a student identification number; local, state, and national assessment results or an exception from taking a local, state, or national assessment; courses taken and completed, credits earned, and other transcript information; course grades and grade point average; grade level and expected graduation date or graduation cohort; degree, diploma, credential attainment, and other school exit information; attendance and mobility; drop-out data; immunization record or an exception from an immunization record; race; ethnicity; tribal affiliation; remediation efforts; an exception from a vision screening required under Section 53G-9-404 or information collected from a vision screening described in Section 53G-9-404; information related to the Utah Registry of Autism and Developmental Disabilities, described in Section 26B-7-115; student injury information; a disciplinary record created and maintained as described in Section 53E-9-306; juvenile delinquency records; English language learner status; and child find and special education evaluation data related to initiation of an IEP. 53E-9-301(13) “Optional student data” means student data that is not: necessary student data; or student data that an education entity may not collect under Section 53E-9-305. “Optional student data” includes: information that is:
related to an IEP or needed to provide special needs services; and not necessary student data; biometric information; and information that is not necessary student data and that is required for a student to participate in a federal or other program. 53E-9-301(14) “Parent” means:
a student’s parent; a student’s legal guardian; or an individual who has written authorization from a student’s parent or legal guardian to act as a parent or legal guardian on behalf of the student. 53E-9-301(15) “Personally identifiable student data” means student data that identifies or is used by the holder to identify a student. “Personally identifiable student data” includes: a student’s first and last name; the first and last name of a student’s family member; a student’s or a student’s family’s home or physical address; a student’s email address or other online contact information; a student’s telephone number; a student’s social security number; a student’s biometric identifier; a student’s health or disability data; a student’s education entity student identification number; a student’s social media user name and password or alias; if associated with personally identifiable student data, the student’s persistent identifier, including:
a customer number held in a cookie; or a processor serial number; a combination of a student’s last name or photograph with other information that together permits a person to contact the student online; information about a student or a student’s family that a person collects online and combines with other personally identifiable student data to identify the student; and information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. 53E-9-301(16) “School official” means an employee or agent of an education entity, if the education entity has authorized the employee or agent to request or receive student data on behalf of the education entity. 53E-9-301(17) “Student data” means information about a student at the individual student level. “Student data” does not include aggregate or de-identified data. 53E-9-301(18) “Student data manager” means:
the state student data officer; or an individual designated as a student data manager by an education entity under Section 53E-9-303, who fulfills the duties described in Section 53E-9-308. 53E-9-301(19) “Targeted advertising” means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student’s online behavior, usage of applications, or student data. “Targeted advertising” does not include advertising to a student: at an online location based upon that student’s current visit to that location; or in response to that student’s request for information or feedback, without retention of that student’s online activities or requests over time for the purpose of targeting subsequent ads. 53E-9-301(20) “Third-party contractor” means a person who:
is not an education entity; and pursuant to a contract with an education entity, collects or receives student data in order to provide a product or service, as described in the contract, if the product or service is not related to school photography, yearbooks, graduation announcements, or a similar product or service. 53E-9-301(21) “Written consent” means written authorization to collect or share a student’s student data, from:
the student’s parent, if the student is not an adult student; or the student, if the student is an adult student.
53E-9-302 - State student data protection governance.
53E-9-302(1) An education entity or a third-party contractor who collects, uses, stores, shares, or deletes student data shall protect student data as described in this part. In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the state board shall make rules to administer this part, including student data protection standards for public education employees, student aides, and volunteers. 53E-9-302(2) The state board shall oversee the preparation and maintenance of: a statewide data governance plan; and a state-level metadata dictionary. 53E-9-302(3) The state board shall establish a student data protection advisory group to oversee student data protection in the state. The student data protection advisory group shall be composed of: members from the Legislature; members from the state board; the state student data officer; one or more LEAs; state board employees; and others who use student data at the local level. The student data protection advisory group shall: make recommendations to the state board regarding: enacted or proposed legislation; and state and local student data protection policies across the state; review and monitor the state student data governance plan; and perform other tasks related to student data protection as directed by the state board.
53E-9-302(4) The state board shall designate a state student data officer. The state student data officer shall: act as the primary point of contact for state student data protection administration in assisting the state board to administer this part; ensure compliance with student privacy laws throughout the public education system, including: providing training and support to applicable state board and LEA employees; and producing resource materials, model plans, and model forms for local student data protection governance, including a model student data collection notice; investigate complaints of alleged violations of this part; report violations of this part to: the state board; an applicable education entity; and the student data protection advisory group; and act as a state level student data manager. 53E-9-302(5) The state board shall designate: at least one support manager to assist the state student data officer; and a student data protection auditor to assist the state student data officer. 53E-9-302(6) The state board shall establish a research review process for a request for data for the purpose of research or evaluation.
53E-9-303 - Local student data protection governance.
53E-9-303(1) An LEA shall adopt policies to protect student data in accordance with this part and state board rule, taking into account the specific needs and priorities of the LEA. 53E-9-303(2) An LEA shall designate an individual to act as a student data manager to fulfill the responsibilities of a student data manager described in Section 53E-9-308. If possible, an LEA shall designate the LEA’s records officer as defined in Section 63G-2-103, as the student data manager. 53E-9-303(3) An LEA shall create and maintain an LEA:
data governance plan; and metadata dictionary. 53E-9-303(4) An LEA shall establish an external research review process for a request for data for the purpose of external research or evaluation.
53E-9-304 - Student data ownership and access — Notification in case of significant data breach.
53E-9-304(1) A student owns the student’s personally identifiable student data. An education entity shall allow the following individuals to access a student’s student data that is maintained by the education entity: the student’s parent; the student; and in accordance with the education entity’s internal policy described in Section 53E-9-303 and in the absence of a parent, an individual acting as a parent to the student. 53E-9-304(2) If a significant data breach occurs at an education entity, the education entity shall notify: the student, if the student is an adult student; or the student’s parent, if the student is not an adult student. In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the state board shall make rules to define a significant data breach described in Subsection (2)(a).
53E-9-305 - Collecting student data — Prohibition — Student data collection notice — Written consent.
53E-9-305(1) An education entity may not collect a student’s:
social security number; or except as required in Section 80-6-103, criminal record. 53E-9-305(2) Except as provided in Subsection (3), an education entity that collects student data shall, in accordance with this section, prepare and distribute to parents and students a student data collection notice statement that:
is a prominent, stand-alone document; is annually updated and published on the education entity’s website; states the student data that the education entity collects; states that the education entity will not collect the student data described in Subsection (1); states the student data described in Section 53E-9-308 that the education entity may not share without written consent; includes the following statement:“The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly.”; describes in general terms how the education entity stores and protects student data; and states a student’s rights under this part. 53E-9-305(3) The state board may publicly post the state board’s collection notice described in Subsection (2). 53E-9-305(4) An education entity may collect the necessary student data of a student if the education entity provides a student data collection notice to:
the student, if the student is an adult student; or the student’s parent, if the student is not an adult student. 53E-9-305(5) An education entity may collect optional student data if the education entity:
provides, to an individual described in Subsection (4), a student data collection notice that includes a description of: the optional student data to be collected; and how the education entity will use the optional student data; and obtains written consent to collect the optional student data from an individual described in Subsection (4). 53E-9-305(6) An education entity may collect a student’s biometric identifier or biometric information if the education entity:
provides, to an individual described in Subsection (4), a biometric information collection notice that is separate from a student data collection notice, which states: the biometric identifier or biometric information to be collected; the purpose of collecting the biometric identifier or biometric information; and how the education entity will use and store the biometric identifier or biometric information; and obtains written consent to collect the biometric identifier or biometric information from an individual described in Subsection (4). 53E-9-305(7) Except under the circumstances described in Subsection 53G-8-211(2), an education entity may not refer a student to an evidence-based alternative intervention described in Section 53G-8-211 without written consent. 53E-9-305(8) Nothing in this section prohibits an education entity from including additional information related to student and parent privacy in the notice described in Subsection (2).
53E-9-306 - Using and expunging student data — Rulemaking — Disciplinary records.
53E-9-306(1) In accordance with Title 63G, Chapter 2, Government Records Access and Management Act, and Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the state board shall make rules regarding using and expunging student data, including:
a categorization of disciplinary records that includes the following levels of maintenance: one year; three years; and in accordance with Subsection (3), as determined by the education entity; the types of student data that may be expunged, including: medical records; and behavioral test assessments; the types of student data that may not be expunged, including: grades; transcripts; a record of the student’s enrollment; and assessment information; and the timeline and process for a prior student or parent of a prior student to request that an education entity expunge all of the prior student’s student data. 53E-9-306(2) In accordance with state board rule, an education entity may create and maintain a disciplinary record for a student. 53E-9-306(3) As recognized in Section 53E-9-304, and to ensure maximum student data privacy, an education entity shall, in accordance with state board rule, expunge a student’s student data that is stored by the education entity. An education entity shall retain and dispose of records in accordance with Section 63G-2-604 and state board rule.
53E-9-307 - Securing and cataloguing student data.
In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the state board shall make rules that: 53E-9-307(1) using reasonable data industry best practices, prescribe the maintenance and protection of stored student data by:
an education entity; the Utah Registry of Autism and Developmental Disabilities, described in Section 26B-7-115, for student data obtained under Section 53E-9-308; and a third-party contractor; and 53E-9-307(2) state requirements for an education entity’s metadata dictionary.
53E-9-308 - Sharing student data — Prohibition — Requirements for student data manager — Authorized student data sharing.
53E-9-308(1) Except as provided in Subsection (1)(b), an education entity, including a student data manager, may not: share personally identifiable student data without written consent; or share student data with a federal agency. An education entity, including a student data manager, may share personally identifiable student data: in accordance with the Family Education Rights and Privacy Act and related provisions under 20 U.S.C. Secs. 1232g and 1232h; as required by federal law; and as described in Subsections (3), (5), and (6). 53E-9-308(2) A student data manager shall:
authorize and manage the sharing, outside of the student data manager’s education entity, of personally identifiable student data for the education entity as described in this section; act as the primary local point of contact for the state student data officer described in Section 53E-9-302; and fulfill other responsibilities described in the data governance plan of the student data manager’s education entity. 53E-9-308(3) A student data manager may share a student’s personally identifiable student data with a caseworker or representative of the Department of Health and Human Services if:
the Department of Health and Human Services is: legally responsible for the care and protection of the student, including the responsibility to investigate a report of educational neglect, as provided in Subsection 80-2-701(5); or providing services to the student; the student’s personally identifiable student data is not shared with a person who is not authorized: to address the student’s education needs; or by the Department of Health and Human Services to receive the student’s personally identifiable student data; and the Department of Health and Human Services maintains and protects the student’s personally identifiable student data. 53E-9-308(4) The Department of Health and Human Services, a school official, or the Utah Juvenile Court may share personally identifiable student data to improve education outcomes for youth:
in the custody of, or under the guardianship of, the Department of Health and Human Services; receiving services from the Division of Juvenile Justice and Youth Services; in the custody of the Division of Child and Family Services; receiving services from the Division of Services for People with Disabilities; or under the jurisdiction of the Utah Juvenile Court. 53E-9-308(5) A student data manager may share personally identifiable student data in response to a subpoena issued by a court. A person who receives personally identifiable student data under Subsection (5)(a) may not use the personally identifiable student data outside of the use described in the subpoena. 53E-9-308(6) A student data manager may share student data, including personally identifiable student data, in response to a request to share student data for the purpose of research or evaluation, if the student data manager: verifies that the request meets the requirements of 34 C.F.R. Sec. 99.31(a)(6); submits the request to the education entity’s research review process; and fulfills the instructions that result from the review process. In accordance with state and federal law, and subject to Subsection (6)(b)(ii), the state board shall share student data, including personally identifiable student data, as requested by the Utah Registry of Autism and Developmental Disabilities described in Section 26B-7-115. At least 30 days before the state board shares student data in accordance with Subsection (6)(b)(i), the education entity from which the state board received the student data shall provide notice to the parent of each student for which the state board intends to share student data. The state board may not, for a particular student, share student data as described in Subsection (6)(b)(i) if the student’s parent requests that the state board not share the student data. A person who receives student data under Subsection (6)(b)(i):
shall maintain and protect the student data in accordance with state board rule described in Section 53E-9-307; may not use the student data for a purpose not described in Section 26B-7-115; and is subject to audit by the state student data officer described in Section 53E-9-302.
53E-9-309 - Third-party contractors.
53E-9-309(1) A third-party contractor shall use personally identifiable student data received under a contract with an education entity strictly for the purpose of providing the contracted product or service within the negotiated contract terms. 53E-9-309(2) When contracting with a third-party contractor, an education entity, or a government agency contracting on behalf of an education entity, shall require the following provisions in the contract:
requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and state board rule; a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data; provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor; except as provided in Subsection (4) and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity’s designee may audit the third-party contractor to verify compliance with the contract. 53E-9-309(3) As authorized by law or court order, a third-party contractor shall share student data as requested by law enforcement. 53E-9-309(4) A third-party contractor may:
use student data for adaptive learning or customized student learning purposes; market an educational application or product to a parent of a student if the third-party contractor did not use student data, shared by or collected on behalf of an education entity, to market the educational application or product; use a recommendation engine to recommend to a student: content that relates to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party; or services that relate to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party; respond to a student request for information or feedback, if the content of the response is not motivated by payment or other consideration from another party; use student data to allow or improve operability and functionality of the third-party contractor’s application; or identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria: regardless of whether the identified nonprofit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor; and only if the third-party contractor obtains authorization in writing from:
a student’s parent through the student’s school or LEA; or for an adult student, the student. 53E-9-309(5) At the completion of a contract with an education entity, if the contract has not been renewed, a third-party contractor shall return or delete upon the education entity’s request all personally identifiable student data under the control of the education entity unless a student or the student’s parent consents to the maintenance of the personally identifiable student data. 53E-9-309(6) A third-party contractor may not: except as provided in Subsection (6)(b), sell student data; collect, use, or share student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor’s contract with the education entity; or use student data for targeted advertising. A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section. 53E-9-309(7) The provisions of this section do not:
apply to the use of a general audience application, including the access of a general audience application with login credentials created by a third-party contractor’s application; apply if the student data is shared in accordance with the education entity’s directory information policy, as described in 34 C.F.R. 99.37; apply to the providing of Internet service; or impose a duty on a provider of an interactive computer service, as defined in 47 U.S.C. Sec. 230, to review or enforce compliance with this section. 53E-9-309(8) A provision of this section that relates to a student’s student data does not apply to a third-party contractor if the education entity or third-party contractor obtains authorization from the following individual, in writing, to waive that provision:
the student’s parent, if the student is not an adult student; or the student, if the student is an adult student.
53E-9-310 - Penalties.
53E-9-310(1) A third-party contractor that knowingly or recklessly permits unauthorized collecting, sharing, or use of student data under this part: except as provided in Subsection (1)(b), may not enter into a future contract with an education entity; may be required by the state board to pay a civil penalty of up to $25,000; and may be required to pay: the education entity’s cost of notifying parents and students of the unauthorized sharing or use of student data; and expenses incurred by the education entity as a result of the unauthorized sharing or use of student data. An education entity may enter into a contract with a third-party contractor that knowingly or recklessly permitted unauthorized collecting, sharing, or use of student data if: the state board or education entity determines that the third-party contractor has corrected the errors that caused the unauthorized collecting, sharing, or use of student data; and the third-party contractor demonstrates: if the third-party contractor is under contract with an education entity, current compliance with this part; or an ability to comply with the requirements of this part. The state board may assess the civil penalty described in Subsection (1)(a)(ii) in accordance with Title 63G, Chapter 4, Administrative Procedures Act. The state board may bring an action in a court with jurisdiction under Title 78A, Judiciary and Judicial Administration, if necessary, to enforce payment of the civil penalty described in Subsection (1)(a)(ii). Notwithstanding Title 78B, Chapter 3a, Venue for Civil Actions, the state board shall bring an action described in Subsection (1)(d)(i) in the county in which the office of the state board is located if the action is brought in the district court. An individual who knowingly or intentionally permits unauthorized collecting, sharing, or use of student data may be found guilty of a class A misdemeanor.
53E-9-310(2) A parent or adult student may bring an action in a court with jurisdiction under Title 78A, Judiciary and Judicial Administration, for damages caused by a knowing or reckless violation of Section 53E-9-309 by a third-party contractor. If the court finds that a third-party contractor has violated Section 53E-9-309, the court may award to the parent or student: damages; and costs.