Utah Admin. Code R277-487-7 - Application to Third Parties
(1) A third-party contractor shall protect student personally identifiable information against unauthorized access and redisclosure, both physical and digital.
(2) A third-party contractor shall have policies in place that follow reasonably industry best practices and adequately address the protection of student personally identifiable information.
(3) A third-party contractor shall develop and document an information security program.
(4) A third-party contract shall inform an LEA or the Superintendent of the precautions taken regarding the maintenance and protection of student personally identifiable information.
(5) For the purposes of meeting the audit requirements of a contract subject to Subsection 53E-9-309(2)(e), a third-party contractor may:
(a) provide an LEA or the Superintendent a self-assessment of their compliance with the contract and the effectiveness of the information security program described in Subsection (3);
(b) provide responses to a questionnaire provided by the LEA or Superintendent;
(c) provide a report of an industry-recognized privacy and security audit, such as an SOC2 or SOC3; or
(d) submit to an onsite audit, if agreed upon by the third-party contract and the LEA or Superintendent.