DAR File No. 38956

This rule was published in the December 1, 2014, issue (Vol. 2014, No. 23) of the Utah State Bulletin.


Education, Administration

Rule R277-487

Public School Data Confidentiality and Disclosure

Notice of Proposed Rule

(Amendment)

DAR File No.: 38956
Filed: 11/14/2014 12:39:00 PM

RULE ANALYSIS

Purpose of the rule or reason for the change:

A Utah State Board of Education member and Utah State Office of Education (USOE) staff attended a national conference to discuss student data transparency, governance, and security procedures. As a result of information obtained at the conference, Rule R277-487 is amended.

Summary of the rule or change:

The amendments provide procedures for data governance structures and processes, as well as publicly available student data privacy provisions and high-quality practices, and safeguard student data by focusing on transparency, governance, and data security procedures.

State statutory or constitutional authorization for this rule:

  • Subsection 53A-1-401(3)
  • Section 53A-1-411
  • Subsection 53A-13-301(3)

Anticipated cost or savings to:

the state budget:

There may be costs for the USOE to implement the additional requirements. Costs for USOE staff to develop materials, train identified entities, and prepare required reports are speculative at this time. At least for the near future, costs for additional responsibilities and resources will be absorbed with existing staff and within existing budgets.

local governments:

There is likely no cost or savings to local government as a result of the amendments to this rule. For the most part, additional responsibilities and requirements apply to the USOE.

small businesses:

There is likely no cost or savings to small businesses as a result of the amendments to this rule. For the most part, additional responsibilities and requirements apply to the USOE.

persons other than small businesses, businesses, or local governmental entities:

There is likely no cost or savings to persons other than small businesses, businesses, or local government entities. For the most part, additional responsibilities and requirements apply to the USOE.

Compliance costs for affected persons:

There is likely no cost or savings to local government as a result of the amendments to this rule. Additional responsibilities and requirements, for the most part, apply to the USOE.

Comments by the department head on the fiscal impact the rule may have on businesses:

I have reviewed this rule and believe that there is likely no fiscal impact on businesses.

Brad C. Smith, State Superintendent

The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:

Education
Administration
250 E 500 S
SALT LAKE CITY, UT 84111-3272

Direct questions regarding this rule to:

  • Carol Lear at the above address, by phone at 801-538-7835, by FAX at 801-538-7768, or by Internet E-mail at carol.lear@schools.utah.gov

Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:

12/31/2014

This rule may become effective on:

01/07/2015

Authorized by:

Carol Lear, Director, School Law and Legislation

RULE TEXT

R277. Education, Administration.

R277-487. Public School Data Confidentiality and Disclosure.

R277-487-1. Definitions.

A. "Board" means the Utah State Board of Education.

B. "Chief Privacy Officer" means a USOE employee designated by the Board as primarily responsible to oversee and direct the DGPB to carry out the responsibilities of this rule, direct the development of materials and training about student and public education employee privacy and security standards, including FERPA, for the USOE and LEAs.

[B]C. "Classroom-level assessment data" means student scores on state-required tests, aggregated in groups of more than 10 students at the classroom level or, if appropriate, at the course level, without individual student identifiers of any kind.

[C]D. "Comprehensive Administration of Credentials for Teachers in Utah Schools (CACTUS)" means the electronic file maintained and owned by the USOE on all licensed Utah educators. The file includes information such as:

(1) personal directory information;

(2) educational background;

(3) endorsements;

(4) employment history; and

(5) a record of disciplinary action taken against the educator.

E. "Data Governance/Policy Board (DGPB)" means a board composed of USOE and LEA employees, as directed by the Board, whose purpose is to resolve public education data and process issues, make policy decisions, review all research requests for public education data, and fill only those requests that are appropriate and comply with the standards in this rule.

F. "Data security protections" means protections developed and initiated by the Chief Privacy Officer and the DGPB that protect, monitor and secure student, public educator and public education employee data as outlined and identified in FERPA and Sections 63G-2-302 through 63G-2-305.

[D]G. "Disciplinary action" means any lesser action taken by UPPAC which does not materially affect a licensed educator's license and licensing action taken by the Board for suspension or revocation.

[E]H. "FERPA" means the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, a federal law designed to protect the privacy of students' education records. The law is hereby incorporated by reference.

[F]I. "LEA" means local education agency, including local school boards/public school districts, charter schools, and, for purposes of this rule, the Utah Schools for the Deaf and the Blind.

J. "Personally identifiable student information" means the student's name; a personal identifier, such as the student's social security number or student number; other indirect identifiers such as the student's date of birth or place of birth; other information that, alone or in combination, is linked or linkable to a specific student and enables a person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or information requested by a person who the educational agency or institution reasonably knows is entitled to the requested information.

[G]K. "Student information" means materials, information, records and knowledge that an LEA possesses or maintains, or both, about individual students. Student information is broader than student records and personally identifiable student information may include information or knowledge that school employees possess or learn in the course of their duties.

[H. "Student record" means a record in any form, including handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche, that is directly related to a student and maintained by an educational agency or institution or by a party acting for an agency or institution. Student records shall be maintained by LEAs consistent with 20 U.S.C. Section 1232g.]

L. "Student performance data" means data relating to student performance, including data on state, local and national assessments, course-taking and completion, grade-point average, remediation, retention, degree, diploma, or credential attainment, enrollment, and demographic data.

M. "USOE" means the Utah State Office of Education.

 

R277-487-2. Authority and Purpose.

A. This rule is authorized under Utah Constitution Article X, Section 3 which vests general control and supervision over public education in the Board, by Section 53A-1-401(3) which allows the Board to make rules in accordance with its responsibilities; by Section 53A-13-301(3) regarding confidentiality and required or appropriate disclosure of [student records data]personally identifiable student information; by Section 53A-1-607(2) regarding disclosure of student performance data to LEAs for assessment and accountability purposes; by Section 53A-8a-410(4) to ensure the privacy and protection of individual educator evaluation data; by Section 53A-3-602.5 regarding a school performance report requiring criterion-referenced or online computer adaptive tests to be aggregated for all students by class; by Section 53A-1-411 which directs the Board to establish procedures for administering or making available online surveys to obtain information about public education issues; and by Section 53A-6-104 which authorizes the Board to issue licenses to educators and maintain licensing information.

B. The purpose of this rule is to:

(1) provide for appropriate review and disclosure of student [assessment]performance data on state [mandated]administered assessments as required by law;

(2) provide for adequate and appropriate review of student [assessment]performance data on state [mandated]administered assessments to professional education staff and parents of students;

(3) ensure the privacy of student [records]performance data and personally identifiable student information, as directed by law;

(4) provide an online education survey conducted with public funds for Board review and approval; and

(5) provide for appropriate protection and maintenance of educator licensing data.

 

R277-487-3. [Confidentiality of Student ]Data Privacy and Security Policies.

A. Board Responsibilities:

(1) The Board shall develop resource materials for LEAs to train employees, aids, and volunteers of an LEA regarding confidentiality of personally identifiable student information and student [records]performance data, as defined in FERPA.

(2) The Board shall make the materials available to each LEA.

B. LEA Responsibilities:

(1) LEAs shall establish policies and provide appropriate training for employees regarding the confidentiality of student [records]performance data and personally identifiable student information, including an overview of all federal, state, and local laws that pertain to the privacy of students, their parents, and their families. The policy should address the specific needs or priorities of the LEA.

(2) LEAs shall require password protection for all student [records]performance data and personally identifiable student information maintained electronically.

C. Public Education Employee and Volunteer Responsibilities:

(1) All public education employees, aids, and volunteers in public schools shall become familiar with federal, state, and local laws regarding the confidentiality of student [information and student records]performance data and personally identifiable student information.

(2) All public education employees, aids, and volunteers shall maintain appropriate confidentiality pursuant to federal, state, and local laws with regard to student [records]performance data and personally identifiable student information.

(3) An employee, aid, or volunteer shall maintain student [records]performance data and personally identifiable student information in a secure and appropriate place as designated by LEA policies[of an LEA].

(4) An employee, aid, or volunteer accessing student [records]performance data and personally identifiable student information in electronic format shall comply with LEA policies[of an LEA] regarding the procedures for maintaining confidentiality of electronic records.

(5) An employee, aid, or volunteer shall not share, disclose, or disseminate passwords for electronic maintenance of student [records]performance data and personally identifiable student information.

(6) All public education employees, aids and volunteers have a responsibility to protect confidential student performance data and personally identifiable student information and access records only as necessary for their assignment(s).

(7) Public education employees licensed under Section 53A-6-104 shall access and use student information and records consistent with R277-515, Utah Educator Standards. Violations may result in licensing discipline.

 

R277-487-4. Transparency.

A. The Chief Privacy Officer working with the DGPB shall recommend USOE policies for Board approval and model policies for LEAs regarding the state's student data systems.

B. The Rules/policies shall address:

(1) accessibility to parents, students and the public of the student data defined in R277-487-1;

(2) authorized purposes, uses and disclosures of data maintained by the state and LEAs;

(3) the rights of parents and students regarding their personally identifiable information under state and federal law;

(4) parent, student and public access to information about student data privacy and the security safeguards that protect the data from unauthorized access and use; and

(5) contact information for parents and students to request student and public school information from LEAs consistent with the law.

 

R277-487-5. Additional Responsibilities of Chief Privacy Officer and DGPB.

A. The Chief Privacy Officer may pursue legislation as approved by the Board for additional data security protections and the regulation of use of the data.

B. The Chief Privacy Officer shall supervise regular privacy and security compliance audits, following initiation by the Board.

C. The Chief Privacy Officer and the DGPB shall have responsibility for identification of threats to data security protections.

D. The Chief Privacy Officer and the DGPB shall develop and recommend policies for USOE and model policies for LEAs for consistent wiping or destruction of devices when devices are discarded by public education entities.

E. The Chief Privacy Officer and the DGPB shall develop USOE and model LEA policies for the training of staff for appropriate responses to suspected or known breaches of data security protections.

 

R277-487-6. Prohibition of Public Education Data Use for Marketing.

Data maintained by the state, school districts, schools, and other public education agencies or institutions in the state, including data provided by contractors, shall not be sold or used for marketing purposes (except with regard to authorized uses or directory information not obtained through a contract with an educational agency or institution).

 

R277-487-[6]7. Public Education Research Data.

A. The USOE may provide limited or extensive data sets for research and analysis purposes to qualified researchers or organizations.

(1) A reasonable method shall be used to qualify researchers or organizations to receive data, such as evidence that a research proposal has been approved by a federally recognized Institutional Review Board (IRB).

(2) Aggregate deidentified student assessment data are available through the USOE website. [Individual student]Personally identifiable student information is protected.

(3) The USOE is not obligated to fill every request for data and has procedures to determine which requests will be filled or to assign priorities to multiple requests. The USOE/Board understands that it will respond in a timely manner to all requests submitted under Section 63G-2-101 et seq., Government Records Access and Management Act. In filling data requests, higher priority may be given to requests that will help improve instruction in Utah's public schools.

(4) A fee may be charged to prepare data or to deliver data, particularly if the preparation requires original work. The USOE shall comply with Section 63G-2-203 in assessing fees.

(5) The researcher or organization shall provide a copy of the report or publication produced using USOE data to the USOE at least 10 business days prior to the public release.

B. Student data and information: Requests for data that disclose student information shall be provided in accordance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g; such responses may include:

(1) [individual ]student data that are de[-]identified, meaning [it is not possible to trace the data to individual students]that a reasonable person in the school community who does not have personal knowledge of the relevant circumstances could not identify student(s) with reasonable certainty;

(2) agreements with recipients of student data where recipients agree not to report or publish data in a manner that discloses students' identities. For example, reporting test scores for a race subgroup that has a count, also known as n-size, of less than 10 could enable someone to identify the actual students and shall not be published;

(3) release of student data, with appropriate binding agreements, for state or federal accountability or for the purpose of improving instruction to specific student subgroups.

C. Licensed educator information:

(1) The USOE shall provide information about licensed educators maintained in the CACTUS database that is required under Section 63G-2-301(2).

(2) Additional information/data may be released by the USOE consistent with the purposes of CACTUS, the confidentiality protections accepted by requester(s), and the benefit that the research may provide for public education in Utah, as determined by the USOE.

D. Recipients of USOE research data shall sign a USOE-designated [non-disclosure]confidentiality agreement, if required by the USOE.

E. The Board or the USOE may commission research or may approve research requests.

 

R277-487-[7]8. Public Education Survey Data.

A. The [Board]Chief Privacy Officer, working with the DGPB, shall approve statewide education surveys administered with public funds through the USOE or through a contract issued by the USOE, as required under Section 53A-1-411.

B. Data obtained from [USOE]Board statewide surveys administered with public funds are the property of the Board.

C. Data obtained from [USOE]Board statewide surveys administered with public funds shall be made available as follows:

(1) Survey data made available by the Board shall protect the privacy of students in accordance with FERPA.

(2) Survey data about educators shall be available in a manner that protects the privacy of individual educators consistent with State law.

 

R277-487-[4]9. Comprehensive Administration of Credentials for Teachers in Utah Schools (CACTUS) Data, Confidentiality, and Appropriate Disclosure.

A. CACTUS maintains public, protected and private information on licensed Utah educators. Private or protected information includes such items as home address, date of birth, social security number, and any disciplinary action taken against an individual's license.

B. A CACTUS file shall be opened on a licensed Utah educator when:

(1) the individual initiates a USOE background check, or

(2) the USOE receives a paraprofessional license application from an LEA.

C. The data in CACTUS may only be changed as follows:

(1) Authorized USOE staff or authorized LEA staff may change demographic data.

(2) Authorized USOE staff may update licensing data such as endorsements, degrees, license areas of concentration and licensed work experience.

(3) Authorized employing LEA staff may update data on educator assignments for the current school year only.

D. A licensed individual may view his own personal data. An individual may not change or add data except under the following circumstances:

(1) A licensed individual may change his demographic data when renewing his license.

(2) A licensed individual shall contact his employing LEA for the purpose of correcting demographic or current educator assignment data.

(3) A licensed individual may petition the USOE for the purpose of correcting any errors in his CACTUS file.

E. Individuals currently employed by public or private schools under letters of authorization or as interns are included in CACTUS.

F. Individuals working in LEAs as student teachers are included in CACTUS.

G. Designated individuals have access to CACTUS data:

(1) Training shall be provided to designated individuals prior to granting access.

(2) Authorized USOE staff may view or change CACTUS files on a limited basis with specific authorization.

(3) For employment or assignment purposes only, authorized LEA staff members may access data on individuals employed by their own LEA or data on licensed individuals who do not have a current assignment in CACTUS.

(4) Authorized LEA staff may also view specific limited information on job applicants if the applicant has provided the LEA with a CACTUS identification number.

(5) CACTUS information belongs solely to the USOE. The USOE shall make the final determination of information included in or deleted from CACTUS.

(6) CACTUS data consistent with Section 63G-2-301(1) under the Government Records Access and Management Act are public information and shall be released by the USOE.

 

R277-487-[5]10. Educator Evaluation Data.

A. The Board shall provide classroom-level assessment data to administrators and teachers. School administrators shall share information requested by parents while ensuring the privacy of individual student information and educator evaluation data.

B. Individual educator evaluation data shall be protected at the school, LEA and state levels and, if applicable, at the USOE.

C. LEAs shall designate employees who may have access to educator evaluation records.

D. LEAs may not release or disclose student assessment information that reveals educator evaluation information or records.

E. LEAs shall train employees in the confidential nature of employee evaluations and the importance of securing evaluations and records.

 

R277-487-11. Training and Technical Assistance.

A. The Chief Privacy Officer and DGPB shall develop training for the Board, the USOE and LEAs.

B. The Chief Privacy Officer and DGPB shall develop model policies, as resources permit.

 

R277-487-12. Application to Third Party Vendors and Contractors.

A. The USOE and LEAs shall have policies that expressly limit access to personally identifiable student data to third party vendors and contractors.

B. Personally identifiable student information may only be released consistent with the provisions of 34 CFR Part 99.31(a).

C. De-identified student data and information may only be released consistent with 34 CFR Part 99.31(b).

D. CACTUS or public education employee information may only be released consistent with state law, with express permission of the licensed individual or employee or with the purposes for which the information was entered into CACTUS or a similar employee database.

E. Sanctions for violations of authorized use and release of student and employee data:

(1) All USOE contracts shall include sanctions for contractors or third party vendors who violate provisions of state policies regarding unauthorized use and release of student and employee data.

(2) The USOE shall recommend that LEA policies include sanctions for contractors or third party vendors who violate provisions of LEA policies regarding unauthorized use and release of student and employee data.

 

R277-487-13. Annual Reports by Chief Privacy Officer and DGPB.

A. The Chief Privacy Officer shall work with the DGPB, the USOE, and the Board to prepare an annual report about student data.

B. The public report shall include:

(1) information about the implementation of this rule;

(2) information about research studies begun or planned using student information and data;

(3) the identification of significant threats to student data privacy and security;

(4) a summary of data system audits; and

(5) recommendations for further improvements specific to student data security and the systems that are necessary for accountability in:

(1) Board rules;

(2) legislation; or

(3) both Board rules and legislation, if appropriate.

 

KEY: students, records, confidentiality

Date of Enactment or Last Substantive Amendment: [August 7, 2013]2015

Notice of Continuation: November 14, 2014

Authorizing, and Implemented or Interpreted Law: Art X Sec 3; 53A-13-301(3); 53A-1-401(3); 53A-1-411

 


Additional Information

More information about a Notice of Proposed Rule is available online.

The Portable Document Format (PDF) version of the Bulletin is the official version. The PDF version of this issue is available at https://rules.utah.gov/publicat/bull-pdf/2014/b20141201.pdf. The HTML edition of the Bulletin is a convenience copy. Any discrepancy between the PDF version and HTML version is resolved in favor of the PDF version.

Text to be deleted is struck through and surrounded by brackets ([example]). Text to be added is underlined (example). Older browsers may not depict some or any of these attributes on the screen or when the document is printed.

For questions regarding the content or application of this rule, please contact Carol Lear at the above address, by phone at 801-538-7835, by FAX at 801-538-7768, or by Internet E-mail at carol.lear@schools.utah.gov. For questions about the rulemaking process, please contact the Division of Administrative Rules.