53H-14 - Data, Records, and Privacy


Sections (19)

General Provisions

53H-14-101 - General provisions — Definitions.

Restricted Records

53H-14-201 - General provisions — Definitions.

As used in this part:

53H-14-201(1) “Person” means: a federal, state, or local governmental entity: that sponsors sponsored research; or participates in a technology transfer; an individual; a nonprofit or profit corporation; a partnership; a sole proprietorship; or other type of business organization.

53H-14-201(2) “Restricted record” means a record that is restricted as provided by Section 53H-14-203.

53H-14-201(3) “Sponsored research” refers to research, training, and other sponsored activities as defined by the federal Executive Office of the President, Office of Management and Budget: conducted by an institution through an office responsible for sponsored projects or programs; and funded or otherwise supported by an external person that is not created or controlled by the institution.

53H-14-201(4) “Technology transfer” refers to transferring information, commercializing research, or providing technical assistance between an institution and external persons for the purpose of economic development.

53H-14-202 - Records that may be classified as restricted.

An institution may classify only the following records as restricted:

53H-14-202(1) that portion of a technology transfer record or sponsored research record to which access must be restricted for the purpose of securing and maintaining proprietary protection of intellectual property rights, including but not limited to patents, copyrights, trademarks, and trade secrets; or

53H-14-202(2) that portion of a technology transfer record or sponsored research record to which access is restricted for competitive or proprietary purposes, as a condition of actual or potential participation in a sponsored research or technology transfer agreement; provided, however, that upon receipt of a written request for a reasonably identifiable record, the institution shall disclose: prior to a memorandum of intent to contract or an agreement in principle between the parties: the names of the parties, or, if the disclosure of names would cause competitive harm, a general description of the type of parties negotiating the technology transfer or sponsored research agreement; and a general description of the nature of the technology transfer or sponsored research under consideration, excluding proprietary or competitive information; or after a memorandum of intent to contract or an agreement in principle between the parties: the names of the parties involved in the technology transfer or sponsored research; a general description of the nature of the technology transfer or sponsored research to be conducted, excluding proprietary or competitive information; and records of the technology transfer or sponsored research to be conducted, excluding those portions of records to which access is limited under this part or Title 63G, Chapter 2, Government Records Access and Management Act.

53H-14-203 - Access to restricted records.

53H-14-203(1) Notwithstanding any other provision of Title 63G, Chapter 2, Government Records Access and Management Act, access to records restricted by this part shall only be permitted upon: written consent of the institution originating, receiving, or maintaining the records; or a finding by the director of the Government Records Office or a court that the record has not been properly classified as restricted under Section 63G-2-302, provided that the review of a restricted classification of a record shall not include considerations of weighing public and private interests regarding access to a properly classified record as contained in Subsection 63G-2-403(11)(b) or 63G-2-404(7) or Section 63G-2-309.

53H-14-203(2) Subsection (1)(b) does not limit the authority of the board to reclassify and disclose a record of an institution.

53H-14-204 - Business confidentiality claims.

53H-14-204(1) Any person who provides to an institution a record that the person believes should be protected under a provision listed in Subsection 63G-2-309(1)(b)(i), restricted under Section 53H-14-202, or both protected under a provision listed in Subsection 63G-2-309(1)(b)(i) and restricted under Section 53H-14-202, shall provide the institution: a written claim of business confidentiality; and a concise statement of reasons supporting the claim of business confidentiality. The person described in Subsection (1)(a) shall make the filing at the commencement of: the sponsored research project; or the technology transfer process. A claim of business confidentiality submitted under this Subsection (1) shall cover all protected and restricted records exchanged during the: sponsored research project; or technology transfer process.

53H-14-204(2) The inadvertent failure to make a legally adequate claim of business confidentiality at the time required by Subsection (1) does not prejudice the claimant’s right to make a legally adequate claim at a different time before disclosure of the record.

53H-14-205 - Applicability of the Government Records Access and Management Act.

Except as otherwise provided by this part, the provisions of Title 63G, Chapter 2, Government Records Access and Management Act, will apply to restricted technology transfer or sponsored research records as defined in this part, as if the records were protected records as defined by Title 63G, Chapter 2, Government Records Access and Management Act.

Internet Postsecondary Institution Privacy

53H-14-301 - General provisions — Definitions.

As used in this part:

53H-14-301(1) “Personal Internet account” means an online account that is used by a student or prospective student exclusively for personal communications unrelated to any purpose of an institution.

53H-14-301(2) “Personal Internet account” does not include an account created, maintained, used, or accessed by a student or prospective student for education related communications or for an educational purpose of the institution.

53H-14-302 - Prohibited activities.

An institution may not do any of the following:

53H-14-302(1) request a student or prospective student to disclose a username and password, or a password that allows access to the student’s or prospective student’s personal Internet account; or

53H-14-302(2) expel, discipline, fail to admit, or otherwise penalize a student or prospective student for failure to disclose information specified in Subsection (1).

53H-14-303 - Permitted activities.

53H-14-303(1) This part does not prohibit an institution from requesting or requiring a student to disclose a username or password to gain access to or operate the following: an electronic communications device supplied by or paid for in whole or in part by the institution; or an account or service provided by the institution that is either obtained by virtue of the student’s admission to the institution or used by the student for educational purposes.

53H-14-303(2) This part does not prohibit or restrict an institution from viewing, accessing, or using information about a student or prospective student that can be obtained without the information described in Subsection 53H-14-302(1) or that is available in the public domain.

53H-14-304 - Duties not created.

53H-14-304(1) This part does not create a duty for an institution to search or monitor the activity of a personal Internet account.

53H-14-304(2) An institution is not liable under this part for failure to request or require that a student or prospective student grant access to, allow observation of, or disclose information that allows access to or observation of the student’s or prospective student’s personal Internet account.

53H-14-305 - Private right of action.

53H-14-305(1) A person aggrieved by a violation of this part may bring a civil cause of action against an institution in a court of competent jurisdiction.

53H-14-305(2) In an action brought under Subsection (1), if the court finds a violation of this part, the court shall award the aggrieved person not more than $500.

Confidential Communications for Institutional Advocacy Services

53H-14-401 - General provisions — Definitions.

As used in this part:

53H-14-401(1) “Certified advocate” means an individual who: is employed by or volunteers at a qualified institutional victim services provider; has completed at least 40 hours of training in counseling and assisting victims of sexual harassment, sexual assault, rape, dating violence, domestic violence, or stalking; and acts under the supervision of the director or director’s designee of a qualified institutional victim services provider.

53H-14-401(2) “Confidential communication” means information that is communicated by a victim, in the course of the victim seeking an institutional advocacy service, to: a certified advocate; a qualified institutional victim services provider; a person reasonably necessary for the transmission of the information; an individual who is present at the time the information is transmitted for the purpose of furthering the victim’s interests; or another individual, in the context of group counseling at a qualified institutional victim services provider. “Confidential communication” includes a record that is created or maintained as a result of the communication described in Subsection (2)(a).

53H-14-401(3) “Institution” means a Utah institution that is a private postsecondary educational institution or a public institution, including an institution of higher education listed in Section 53H-1-102.

53H-14-401(4) “Institutional advocacy service” means a safety planning, counseling, psychological, support, advocacy, medical, or legal service that: addresses issues involving: sexual harassment; sexual assault; rape; domestic violence; dating violence; or stalking; and is provided by a qualified institutional victim services provider.

53H-14-401(5) “Qualified institutional victim services provider” means an organization that: is affiliated with an institution; employs or provides volunteer opportunities for certified advocates; provides an institutional advocacy service to victims or families of victims; and is designated by the affiliated institution as a qualified institutional victim services provider. “Qualified institutional victim services provider” may include an institution’s: sexual assault center; victim advocacy center; women’s center; health center; or counseling service center.

53H-14-401(6) “Record” means a book, letter, document, paper, map, plan, photograph, film, card, tape, recording, electronic data, or other documentary material regardless of physical form or characteristics.

53H-14-401(7) “Victim” means an individual who seeks an institutional advocacy service.

53H-14-402 - Confidentiality of information — Disclosure of confidential communication.

53H-14-402(1) Except as provided in Subsection (2), and notwithstanding Title 63G, Chapter 2, Government Records Access and Management Act, a person may not disclose a confidential communication.

53H-14-402(2) A person may disclose a confidential communication if: the victim gives written and informed consent to the disclosure; the person has an obligation to disclose the confidential communication under Section 26B-6-205, 80-2-602, or 78B-3-502; the disclosure is required by federal law; or a court of competent jurisdiction orders the disclosure.

Higher Education Student Data Protection

53H-14-501 - General provisions — Definitions.

As used in this part:

53H-14-501(1) “Advisory group” means the institution of higher education privacy advisory group established by the state privacy auditor under Section 53H-14-502.

53H-14-501(2) “Aggregate data” means data that: are totaled and reported at the group, cohort, class, course, institution, region, or state level, with at least 10 individuals in the level; and do not reveal personally identifiable student data.

53H-14-501(3) “Data breach” means an unauthorized release of or unauthorized access to personally identifiable student data that an education entity maintains.

53H-14-501(4) “Data governance plan” means an education entity’s comprehensive plan for managing education data that: incorporates reasonable data industry best practices to maintain and protect student data and other education-related data; describes the role, responsibility, and authority of the board or an institution privacy officer; provides for necessary technical assistance, training, support, and auditing; describes the process for sharing student data between the education entity and another person; describes the education entity’s data expungement process, including how to respond to requests for expungement; describes the data breach response process; and is published annually and available on the institution’s website or the Utah System of Higher Education’s website.

53H-14-501(5) “Education entity” means the Utah Board of Higher Education or an institution.

53H-14-501(6) “Higher education privacy officer” means a privacy officer that the board designates under Section 53H-14-503.

53H-14-501(7) “Minor” means a person younger than 18 years old.

53H-14-501(8) “Personally identifiable student data” means student data that identifies or is used by the holder to identify a student. “Personally identifiable student data” includes: a student’s first and last name; the first and last name of a student’s family member; a student’s or a student’s family’s home or physical address; a student’s email address or other online contact information; a student’s telephone number; a student’s social security number; a student’s biometric identifier; a student’s health or disability data; a student’s education entity student identification number; a student’s social media user name and password or alias; if associated with personally identifiable student data, the student’s persistent identifier, including: a customer number held in a cookie; or a processor serial number; a combination of a student’s last name or photograph with other information that together permits a person to contact the student online; information about a student or a student’s family that a person collects online and combines with other personally identifiable student data to identify the student; and information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

53H-14-501(9) “State privacy auditor” means the state privacy auditor described in Section 67-3-13.

53H-14-501(10) “Student” means an individual enrolled in an institution.

53H-14-501(11) “Student data” means information about a student at the individual student level. “Student data” does not include aggregate or de-identified data.

53H-14-501(12) “Third-party contractor” means a person who: is not an institution or an employee of an institution; and pursuant to a contract with an education entity, collects or receives student data in order to provide a product or service, as described in the contract, if the product or service is not related to school photography, yearbooks, graduation announcements, or a similar product or service.

53H-14-502 - State student data protection governance.

53H-14-502(1) The state privacy auditor shall establish a higher education privacy advisory group to advise institutions and institution boards of trustees on student data protection.

53H-14-502(2) The advisory group shall consist of: the state privacy auditor; the higher education privacy officer; and the following members, appointed by the commissioner: at least one Utah System of Higher Education employee; and at least one representative of the Utah Board of Higher Education.

53H-14-502(3) The advisory group shall: discuss and make recommendations to the board and institutions regarding: existing and proposed: board rules; or board policies of the Utah Board of Higher Education or institutions; and training on protecting student data privacy; and perform other tasks related to student data protection as designated by the Utah Board of Higher Education.

53H-14-502(4) The higher education privacy officer shall: provide training and support to institution boards and employees; and produce: resource materials; model data governance plans; model forms for institution student data protection governance; and a model data collection notice.

53H-14-502(5) The board shall: create and maintain a data governance plan; and annually publish the data governance plan on the Utah System of Higher Education website; and establish standards for: institution policies to protect student data; institution data governance plans; and a third-party contractor’s use of student data.

53H-14-503 - Institution student data protection governance.

53H-14-503(1) An institution shall adopt policies to protect student data in accordance with this part and board rule, including the standards the board establishes under Subsection 53H-14-502(5). The policies described in Subsection (1)(a) shall take into account the specific needs and priorities of the institution.

53H-14-503(2) The board shall designate a higher education privacy officer.

53H-14-503(3) The higher education privacy officer shall: verify compliance with student privacy laws, rules, and policies throughout the Utah System of Higher Education; support institutions in developing data governance plans and student data privacy training; and act as the primary point of contact for the state privacy auditor.

53H-14-503(4) An institution shall: designate an individual to act as the primary contact for the higher education privacy officer; create and maintain an institution: data governance plan that complies with the standards the board establishes under Subsection 53H-14-502(5); and record of student data privacy training; and annually publish the institution’s data governance plan on the institution’s website.

53H-14-504 - Notification of significant data breach.

53H-14-504(1) If a significant data breach occurs at an institution, the institution shall notify each student whose personally-identifiable student data was disclosed.

53H-14-504(2) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the board shall make rules to define a significant data breach described in Subsection (1).

53H-14-505 - Third-party contractors.

53H-14-505(1) A third-party contractor shall use personally identifiable student data received under a contract with an education entity strictly for the purpose of providing the contracted product or service within the negotiated contract terms.

53H-14-505(2) When contracting with a third-party contractor, an education entity, or a government agency contracting on behalf of an education entity, shall: ensure that the contract terms comply with the standards the board establishes under Subsection 53H-14-502(5); and require the following provisions in the contract: requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and board rule; a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data; provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor; except as provided in Subsection (4) and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity’s designee may audit the third-party contractor to verify compliance with the contract.

53H-14-505(3) As authorized by law or court order, a third-party contractor shall share student data as requested by law enforcement.

53H-14-505(4) A third-party contractor may: use student data for adaptive learning or customized student learning purposes; market an educational application or product to a student if the third-party contractor does not use student data, shared by or collected on behalf of an education entity, to market the educational application or product; use a recommendation engine to recommend to a student: content that relates to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party; or services that relate to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party; respond to a student request for information or feedback, if the content of the response is not motivated by payment or other consideration from another party; use student data to allow or improve operability and functionality of the third-party contractor’s application; or identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria: regardless of whether the identified nonprofit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor; and only if the third-party contractor obtains authorization in writing from: the student’s parent, if the student is a minor; or the student.

53H-14-505(5) At the completion of a contract with an education entity, if the contract has not been renewed, a third-party contractor shall return or delete upon the education entity’s request all personally identifiable student data under the control of the education entity unless a student or a minor student’s parent consents to the maintenance of the personally identifiable student data.

53H-14-505(6) A third-party contractor may not: except as provided in Subsection (6)(b), sell student data; collect, use, or share student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor’s contract with the education entity; or use student data for targeted advertising. A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section.

53H-14-505(7) The provisions of this section do not: apply to the use of a general audience application, including the access of a general audience application with login credentials created by a third-party contractor’s application; apply if the student data is shared in accordance with the education entity’s directory information policy, as described in 34 C.F.R. Sec. 99.37; apply to the providing of Internet service; or impose a duty on a provider of an interactive computer service, as defined in 47 U.S.C. Sec. 230, to review or enforce compliance with this section.

53H-14-505(8) A provision of this section that relates to a student’s student data does not apply to a third-party contractor if the education entity or third-party contractor obtains authorization from the following individual, in writing, to waive that provision: the student’s parent, if the student is a minor; or the student.

53H-14-506 - Penalties.

53H-14-506(1) A third-party contractor that knowingly or recklessly permits unauthorized collecting, sharing, or use of student data under this part: except as provided in Subsection (2), may not enter into a future contract with an institution; may be required by the board to pay a civil penalty of up to $25,000; and may be required to pay: an institution’s cost of notifying parents and students of the unauthorized sharing or use of student data; and any expense incurred by the institution as result of the unauthorized sharing or use of student data.

53H-14-506(2) An education entity may enter into a contract with a third-party contractor that knowingly or recklessly permitted unauthorized collecting, sharing, or use of student data if: the education entity determines that the third-party contractor has corrected the errors that caused the unauthorized collecting, sharing, or use of student data; and the third-party contractor demonstrates: if the third-party contractor is under contract with the education entity, current compliance with this part; or an ability to comply with the requirements of this part.

53H-14-506(3) If necessary, the board may bring an action in a court with jurisdiction under Title 78A, Judiciary and Judicial Administration, to enforce payment of the civil penalty described in Subsection (1)(b). Notwithstanding Title 78B, Chapter 3a, Venue for Civil Actions, the board shall bring an action described in Subsection (3)(a) in the county in which the office of the education entity is located if the action is brought in the district court.

53H-14-506(4) An individual who knowingly or intentionally permits unauthorized collecting, sharing, or use of student data may be found guilty of a class A misdemeanor.

53H-14-506(5) A student or a minor student’s parent may bring an action against a third-party contractor in a court with jurisdiction under Title 78A, Judiciary and Judicial Administration, for damages caused by a knowing or reckless violation of Section 53H-14-505 by a third-party contractor. If the court finds that a third-party contractor has violated Section 53H-14-505, the court may award to the parent or student: damages; and costs.