Utah Admin. Code R277-487-3 - Data Privacy and Security Policies

(1) By October 1 annually, each LEA shall provide the Superintendent with the following information:

(a) the name and contact information for the LEA's designated data manager and information security officer;

(b) the LEA's data governance plan;

(c) the LEA's annual notification of FERPA rights, as described in 34 CFR 99.7;

(d) the LEA's directory information notice, as described in 34 CFR 99.37;

(e) the LEA's student data collection notice, as described in Subsection 53E-9-305(2);

(f) the LEA's metadata dictionary; and

(g) evidence that the LEA has implemented a cyber security framework.

(2) An LEA shall ensure that school enrollment verification data, student performance data, and personally identifiable student data are collected, maintained, and transmitted:

(a) in a secure manner; and

(b) consistent with sound data collection and storage proceduresbased on the LEA's cyber security framework.

(3) An LEA shall report all significant data breaches of student data either by the LEA or by third parties to the Superintendent within ten business days of the initial discovery of the significant data breach.

(4) All public education employees, aides, and volunteers shall maintain appropriate confidentiality pursuant to federal, state, local laws, and LEA policies created in accordance with this section, with regard to student performance data and personally identifiable student data.

(5) An employee, aide, or volunteer may not share, disclose, or disseminate passwords for electronic maintenance of:

(a) student performance data; or

(b) personally identifiable student data.

(6) A public education employee licensed under Section 53E-6-201 may only access or use student information and records if the public education employee accesses the student information or records consistent with the educator's obligations under Rule R277-515.

(7) The Board may discipline a licensed educator in accordance with licensing discipline procedures if the educator violates this Rule R277-487.

(8) In accordance with the LEA's data governance plan, each LEA shall annually provide a training regarding the confidentiality of student data to any employee with access to education records as defined in FERPA.

Notes

Utah Admin. Code R277-487-3

Amended by Utah State Bulletin Number 2015-3, effective 1/7/2015 Amended by Utah State Bulletin Number 2015-15, effective 7/8/2015 Amended by Utah State Bulletin Number 2017-15, effective 7/10/2017 Amended by Utah State Bulletin Number 2019-1, effective 12/10/2018 Amended by Utah State Bulletin Number 2019-7, effective 3/13/2019 Amended by Utah State Bulletin Number 2019-23, effective 11/8/2019