DAR File No. 41648
This rule was published in the June 1, 2017, issue (Vol. 2017, No. 11) of the Utah State Bulletin.
Education, Administration
Rule R277-487
Public School Data Confidentiality and Disclosure
Notice of Proposed Rule
(Amendment)
DAR File No.: 41648
Filed: 05/15/2017 04:17:19 PM
RULE ANALYSIS
Purpose of the rule or reason for the change:
This rule is amended in response to H.B. 358 from the 2016 General Session, and S.B. 163 and S.B. 102 from the 2017 General Session, that enact provisions regarding student data privacy and access to education records.
Summary of the rule or change:
The amendments to this rule provide standards and procedures for Utah Board of Education (Board) and local education agency (LEA) employees to ensure student data privacy consistent with the Utah Student Privacy Act. The amendments include provisions for required training; identification of local school board or charter school governing board employees who are authorized to access education records; and a prohibition on local school board, charter school governing board, and public school employees sharing an education record with an employee who is not authorized.
Statutory or constitutional authorization for this rule:
- Subsection 53A-13-301(4)
- Art X, Sec 3
- Section 53A-1-401
- Section 53A-1-411
- Subsection 53A-8a-410(4)
Anticipated cost or savings to:
the state budget:
The amendments to this rule require the Board to develop student data privacy policies and training to ensure student data privacy statewide. The Board received an appropriation during the 2017 General Session to cover the costs of the new program.
local governments:
The amendments to this rule require LEAs to develop student data privacy policies and training to ensure student data privacy. Training and other compliance at the local level will likely be performed by existing employees and within existing budgets.
small businesses:
The amendments to this rule require training to ensure student data privacy and apply to the public education system, so there will likely be no resulting cost or savings to small businesses.
persons other than small businesses, businesses, or local governmental entities:
The amendments to this rule require training to ensure student data privacy, which likely will not result in a cost or savings to persons other than small businesses, businesses, or local government entities. Training will be performed at the state and local level, likely by existing employees and within existing budgets.
Compliance costs for affected persons:
The amendments to this rule require training to ensure student data privacy, which likely will not result in any compliance costs for affected persons. Training will be performed at the state and local level, likely by existing employees and within existing budgets.
Comments by the department head on the fiscal impact the rule may have on businesses:
To the best of my knowledge, there should be no fiscal impact on businesses resulting from this new language.
Sydnee Dickson, State Superintendent
The full text of this rule may be inspected, during regular business hours, at the Office of Administrative Rules, or at:
Education
Administration
250 E 500 S
SALT LAKE CITY, UT 84111-3272
Direct questions regarding this rule to:
- Angela Stallings at the above address, by phone at 801-538-7656, by FAX at 801-538-7768, or by Internet E-mail at [email protected]
Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:
07/03/2017
This rule may become effective on:
07/10/2017
Authorized by:
Angela Stallings, Deputy Superintendent, Policy and Communication
RULE TEXT
R277. Education, Administration.
R277-487. Public School Data Confidentiality and Disclosure.
R277-487-[2]1. Authority and Purpose.
[A.](1) This rule is authorized [under]by:
(a) Utah Constitution Article X, Section 3, which vests general control and supervision over public education in the Board[, by];
(b) Section 53A-1-401[(3)], which allows the Board to make rules [in accordance with its responsibilities]to execute the Board's duties and responsibilities under the Utah Constitution and state law;[by]
(c) Subsection 53A-13-301(4), which directs that the Board [to]may make[s] rules to establish standards for public education employees, student aides, and volunteers in public schools regarding the confidentiality of student information and student records;[by]
(d) Subsection 53A-8a-410(4), which directs that the Board [to]may make rules to ensure the privacy and protection of individual evaluation data; and[by]
(e) Section 53A-1-411, which directs the Board to establish procedures for administering or making available online surveys to obtain information about public education issues.
[B.](2) The purpose of this rule is to:
([1]a) provide for appropriate review and disclosure of student
performance data on state administered assessments as required by
law;
([2]b) provide for adequate and appropriate review of student
performance data on state administered assessments to professional
education staff and parents of students;
([3]c) ensure the privacy of student performance data and
personally identifiable student information, as directed by
law;
([4]d) provide an online education survey conducted with public
funds for Board review and approval; and
([5]e) provide for appropriate protection and maintenance of
educator licensing data.
R277-487-[1]2. Definitions.
[A. "Board" means the Utah State Board of
Education.]
(1) "Association" has the same meaning as that term is defined in Subsection 53A-1-1601(3).
[B.](2) "Chief Privacy Officer" means a [USOE]Board employee designated by the Board as primarily responsible to:
(a) oversee and[direct the DGPB to] carry out the responsibilities
of this rule[,]; and
(b) direct the development of materials and training about
student and public education employee privacy[and security] standards
for the Board and LEAs, including[FERPA, for the USOE and LEAs]:
(i) FERPA; and
(ii) the Utah Student Data Protection Act, Title 53A, Chapter 1, Part 14.
[C.](3) "Classroom-level assessment data" means
student scores on state-required tests, aggregated in groups of
more than 10 students at the classroom level or, if appropriate, at
the course level, without individual student identifiers of any
kind.
[D.](4) "Comprehensive Administration of Credentials for Teachers in Utah Schools" or "[(]CACTUS[)]" means the electronic file maintained and owned by the [USOE]Board on all licensed Utah educators,[. The file] which includes information such as:
([1]a) personal directory information;
([2]b) educational background;
([3]c) endorsements;
([4]d) employment history; and
([5]e) a record of disciplinary action taken against the
educator.
(5) "Confidentiality" refers to an obligation not to disclose or transmit information to unauthorized parties.
[E. "Data Governance/Policy Board (DGPB)" means a
board composed of USOE and LEA employees, as directed by the Board,
whose purpose is to resolve public education data and process
issues, make policy decisions, review all research requests for
public education data, and fill only those requests that are
appropriate and comply with the standards in this
rule.]
(6) "Data governance plan" has the same meaning as defined in Subsection 53A-1-1402(9).
[F.](7) "Data security protections" means protections
developed and initiated by the [Chief Privacy Officer and the DGPB]Superintendent that protect, monitor and secure student,
public educator and public education employee data as outlined and
identified in FERPA and Sections 63G-2-302 through 63G-2-305.
[G. "Disciplinary action" means any lesser action
taken by UPPAC which does not materially affect a licensed
educator's license and licensing action taken by the Board for
suspension or revocation.]
(8) "Disclosure" includes permitting access to, revealing, releasing, transferring, disseminating, or otherwise communicating all or any part of any individual record orally, in writing, electronically, or by any other communication method.
[H.](9) "Enrollment verification data" includes:
([1]a) a student's birth certificate or other verification
of age;
([2]b) verification of immunization or exemption from
immunization form;
([3]c) proof of Utah public school residency;
([4]d) family income verification; or
([5]e) special education program information, including:
([a]i) an individualized education program;
([b]ii) a Section 504 accommodation plan; or
([c]iii) an English
language learner plan.
[I.](10) "FERPA" means the Family Educational Rights
and Privacy Act of 1974, 20 U.S.C. 1232g[, a federal law designed to protect the privacy of
students' education records. The law is hereby incorporated by
reference].
(11) "Information Technology Systems Security Plan" means a plan incorporating policies and process for:
(a) system administration;
(b) network security;
(c) application security;
(d) endpoint, server, and device security;
(e) identity, authentication, and access management;
(f) data protection and cryptography;
(g) monitoring, vulnerability, and patch management;
(h) high availability, disaster recovery, and physical protection;
(i) incident responses;
(j) acquisition and asset management; and
(k) policy, audit, and e-discovery training.
[J.](12) "LEA" [or "local education agency "means a school
district, charter school or]includes, for purposes of this rule, the Utah Schools for
the Deaf and the Blind.
(13) "Metadata dictionary" has the same meaning as defined in Subsection 53A-1-1402(16).
[K.](14) "Personally identifiable student [information]data" [means the student's name; a personal identifier, such
as the student's social security number or student number;
other indirect identifiers such as the student's date of birth
or place of birth; other information that, alone or in combination,
is linked or linkable to a specific student and enables a person in
the school community, who does not have personal knowledge of the
relevant circumstances, to identify the student with reasonable
certainty; or information requested by a person who the educational
agency or institution reasonably knows is entitled to the requested
information.]has the same meaning as defined in Subsection
53A-1-1402(20).
(15)(a) "Student data advisory groups" has the same meaning as described in Subsection 53A-1-1403(3).
(16) "Student data manager" means the individual at the LEA level who:
(a) is designated as the student data manager by an LEA under Section 53A-1-1404;
(b) authorizes and manages the sharing of student data;
(c) acts as the primary contact for the Chief Privacy Officer;
(d) maintains a list of persons with access to personally identifiable student information; and
(e) is in charge of providing annual LEA staff and volunteer training on data privacy.
[L.](17)(a) "Student information" means materials,
information, records and knowledge that an LEA possesses or
maintains[, or both,] about individual students.
(b) Student information is broader than student records and personally identifiable student information and may include information or knowledge that school employees possess or learn in the course of their duties.
[M.](18) "Student performance data" means data
relating to student performance, including:
(a) data on state, local and national assessments[,];
(b) course-taking and completion[,];
(c) grade-point average[,];
(d) remediation[,];
(e) retention[,];
(f) degree, diploma, or credential attainment[,]; and
(g) enrollment[,] and demographic data.
[N. "Superintendent" means the State
Superintendent of Public Instruction or the Superintendent's
designee.]
[O.](19) "Third party [provider]contractor" [means a third party who provides educational services on
behalf of an LEA]has the same meaning as defined in Subsection
53A-1-1402(26).
[P. "USOE" means the Utah State Office of
Education.]
R277-487-3. Data Privacy and Security Policies.
[A. Board Responsibilities:]
(1) The [Chief Privacy Officer and DGPB ]Superintendent shall develop resource materials for LEAs to
train employees, aides, and volunteers of an LEA regarding
confidentiality of personally identifiable student information and
student performance data[, as defined in FERPA].
(2) The [Chief Privacy Officer and DGPB]Superintendent shall make the materials
developed in accordance with Subsection (1) available to
each LEA.
[B. LEA Responsibilities:
(1) An LEA is responsible for the collection,
maintenance, and transmission of student data.
(2) An LEA shall establish policies and provide
appropriate training for employees regarding the confidentiality
of student performance data and personally identifiable student
information.
(3) An LEA shall provide the policies described in
R277-487-3B(2) to parents of students affected by the policies, as
well as post the policies for the public on the LEA's
website.]
(3) An LEA or public school may not be a member of or pay dues to an association that is not in compliance with:
(a) FERPA;
(b) Title 53A, Chapter 1, Part 14, Student Data Protection Act;
(c) Title 53A, Chapter 13, Part 3, Utah Family Educational Rights and Privacy Act; and
(d) this R277-487.
(4) An LEA shall comply with Title 53A, Chapter 1, Part 14, Student Data Protection Act.
(5) An LEA shall comply with Section 53A-13-303.
(6) An LEA is responsible for the collection, maintenance, and transmission of student data.
([4]7) An LEA shall ensure that school enrollment verification
data, student performance data, and personally identifiable student
information are collected, maintained, and transmitted:
(a) in a secure manner; and
(b) consistent with sound data collection and storage procedures, established by the LEA.
([5]8) An LEA may contract with a third party provider to
collect, maintain, and have access to school enrollment
verification data or other student data if:
(a) the third party [provider]contractor meets the definition of a school official under
34 CFR 99.31 (a)(1)(i)(B);
(b) the contract between the LEA and the
third party [provider]contractor includes a provision that the data is the
property of the [LEA]student under Section 53A-1-1405; and
(c) the LEA monitors and maintains control of the data.
([6]9) If an LEA contracts with a third party [provider]contractor to collect and have access to the LEA's data
as described in [R277-487-3B(5)]Subsection (6), the LEA shall notify a student and the
student's parent or guardian in writing that the student's
data is collected and maintained by the third party [provider]contractor.
[(7) As required in Section 53A-13-301, an LEA shall notify
the parent or guardian of a student if there is a release of the
student's personally identifiable student data due to a
security breach.]
(10) An LEA shall publicly post the LEA's definition of directory information and describe how a student data manager may share personally identifiable information that is directory information.
(11) By July 1 annually, an LEA shall enter all student data elements shared with third parties into the Board's metadata dictionary.
(12) An LEA shall report all unauthorized disclosures of student data by third parties to the Superintendent.
(13) An LEA shall provide the Superintendent with a copy or link to the LEA's data governance plan by October 1 annually.
(14) An LEA shall provide the Superintendent with a copy or link to the LEA's Information Technology Systems Security Plan by October 1 annually.
[C. Public Education Employee and Volunteer
Responsibilities:]
([1]15) All public education employees, aides, and volunteers in
public schools shall become familiar with federal, state, and local
laws regarding the confidentiality of student performance data and
personally identifiable student information.
([2]16) All public education employees, aides, and volunteers
shall maintain appropriate confidentiality pursuant to federal,
state, local laws, and LEA policies created in accordance with this
section, with regard to student performance data and personally
identifiable student information.
([3]17) An employee, aide, or volunteer may not share, disclose,
or disseminate passwords for electronic maintenance of:
(a) student performance data; or
(b) personally identifiable student information.
([4]18) A public education employee licensed under Section
53A-6-104 may
only access or use student information and records if the
public education employee accesses the student information or
records consistent with
the educator's obligations under R277-515[, Utah Educator Standards].
([5]19) The Board may discipline a licensed educator[A public education employee may be disciplined] in accordance with licensing discipline procedures if the [public education employee]educator violates this R277-487.
(20) An LEA shall annually provide a training regarding the confidentiality of student data to any employee with access to education records as defined in FERPA.
(21) A school employee shall annually submit a certified statement to the LEA's student data manager, which certifies that the school employee completed the LEA's required student privacy training and understands student privacy requirements.
R277-487-4. Transparency.
[A.](1) The [Chief Privacy Officer working with the DGPB]Superintendent shall recommend [USOE ]policies for Board approval and model
policies for LEAs regarding [the state's] student data systems.
[B.](2) [The Chief Privacy Officer shall ensure that the
rules/policies address]A policy prepared in accordance with Subsection (1) shall
include provisions regarding:
([1]a) accessibility [to]by parents, students, and the public [of the]to student performance data;
([2]b) authorized purposes, uses, and disclosures of data
maintained by the Superintendent [and]or an LEA[s];
([3]c) the rights of parents and students regarding their
personally identifiable information under state and federal
law;
([4]d) parent, student, and public access to information about student data privacy and the security safeguards that protect the data from unauthorized access and use; and
([5]e) contact information for parents and students to request
student and public school information from
an LEA[s] consistent with the law.
R277-487-5. [Additional] Responsibilities of Chief Privacy Officer[and DGPB].
[A.](1) The Chief Privacy Officer:
(a) may recommend legislation, as approved by the Board, for
additional data security protections and the regulation of use of
the data[.];
[B.](b) [The Chief Privacy Officer ]shall supervise regular
privacy and security compliance audits, following initiation by the
Board[.];
[C.](c) [The Chief Privacy Officer and the DGPB ]shall have
responsibility for identification of threats to data security
protections[.];
[D.](d) [The Chief Privacy Officer and the DGPB ]shall
develop and recommend policies [for the Superintendent ]to the Board and model policies for LEAs for:
(i) protection of personally identifiable student information;
(ii) consistent wiping or destruction of devices when
devices are discarded by public education entities[.]; and
[E.](iii) [The Chief Privacy Officer and the DGPB shall develop USOE
and model LEA policies for the training of staff for
]appropriate responses to suspected or known breaches of data
security protections[.];
(e) shall conduct training for Board staff and LEAs on student privacy; and
(f) shall develop and maintain a metadata dictionary as required by Section 53A-1-1403.
R277-487-6. Prohibition of Public Education Data Use for Marketing.
Data maintained by the state,
a school district[s], school[s], [and]or other public education [agencies or institutions]agency or institution in the state, including data provided
by contractors, may not be sold or used for marketing purposes, or targeted advertising as defined in Subsection
53A-1-1402(26) [(]except with regard to authorized uses [or]of directory information not obtained through a contract
with an educational agency or institution[)].
R277-487-7. Public Education Research Data.
[A.](1) The Superintendent may provide limited or extensive data
sets for research and analysis purposes to qualified researchers or
organizations.
([1]2) The Superintendent shall use reasonable methods to
qualify researchers or organizations to receive data, such as
evidence that a research proposal has been approved by a federally
recognized Institutional Review Board [(IRB).]or "IRB."
([2]3) The Superintendent may post [A]aggregate de-identified student assessment data [is available through the USOE]to the Board website.
(4) The Superintendent shall ensure that personally identifiable student information is protected.
([3]5) The Superintendent:
(a) is not obligated to fill every request for data and
shall establish procedures to determine which requests will be
filled or to assign priorities to multiple requests;[. The Superintendent shall respond in a timely manner to
all requests submitted under Section 63G-2-101 et seq., Government
Records Access and Management Act. In filling data requests, the
Superintendent]
(b) may give higher priority to requests that will help
improve instruction in Utah's public schools[.]; and
[(4) The Superintendent]
(c) may charge a fee to prepare data or to deliver data,
particularly if the preparation requires original work[. The Superintendent shall comply with Section 63G-2-203 in
assessing fees for responses to GRAMA requests].
([5]6) [The]A researcher or organization shall provide a copy of the
report or publication produced using [USOE]Board data to the [USOE]Superintendent at least 10 business days prior to the public
release.
[B. Student data and information:]
(7) Requests for data that disclose student information [shall]may only be provided in accordance with [the Family Educational Rights and Privacy Act (FERPA), 20
U.S.C. Section 1232g; such responses]Section 53A-1-1409 and FERPA, incorporated herein by reference,
and may include:
([1]a) student data that are de-identified, meaning that a
reasonable person in the school community who does not have
personal knowledge of the relevant circumstances could not identify
student(s) with reasonable certainty;
([2]b) agreements with recipients of student data where recipients agree not to report or publish data in a manner that discloses students' identities[. For example, reporting test scores for a race subgroup that has a count, also known as n-size, of less than 10 could enable someone to identify the actual students and shall not be published]; or
([3]c) release of student data, with appropriate binding
agreements, for state or federal accountability or for the purpose
of improving instruction to specific student subgroups.
[C. Licensed educator information:]
[(1) The Superintendent shall provide information about
licensed educators maintained in the CACTUS database that is
required under Section 63G-2-301(2).
(2) The Superintendent may release
information/data:
(a) consistent with the purposes of CACTUS;
(b) if the requester accepts the confidentiality
protections established by the Superintendent; and
(c) if the research may provide a benefit for public
education in Utah, as determined by the
Superintendent.]
[D.](8) Recipients of [USOE]Board research data shall sign a [USOE-designated ]confidentiality agreement, if
required by the Superintendent.
[E.](9) Either [T]the Board or the Superintendent may commission research or may approve research requests.
(10) Request for records under Title 63G, Chapter 2, Government Records Access and Management Act, are not subject to this Section R277-487-7.
R277-487-8. Public Education Survey Data.
[A.](1) The [Chief Privacy Officer, working with the DGPB,]Superintendent shall approve statewide education surveys
administered with public funds through the [USOE]Board or through a contract [issued]approved by the [USOE]Board, as required under Section 53A-1-411.
[B.](2) Data obtained from [Board]a statewide survey[s] administered with public funds
under Subsection (1) to the extent not subject to Section
53A-1-1405 are the property of the Board.
[C.](3) The Superintendent shall make [D]data obtained from [Board statewide surveys administered with public funds shall be made]a survey developed in accordance with Subsection (1) available [as follows:]only if the data is shared in such a manner as to protect the privacy of students and educators in accordance with federal and state law.
[(1) Survey data made available by the Board shall protect
the privacy of students in accordance with FERPA.
(2) The Superintendent shall ensure that survey data about
educators is provided to a requester in a manner that protects the
privacy of individual educators consistent with State
law.]
R277-487-9. [Comprehensive Administration of Credentials for Teachers in
Utah Schools (CACTUS) Data, Confidentiality, and Appropriate
Disclosure]CACTUS Data.
[A.](1) [CACTUS]The Board maintains information on
all licensed Utah educators
in CACTUS, including information classified as private,
controlled, or protected under GRAMA.
[B.](2) The Superintendent shall open a CACTUS file for a
licensed Utah educator when[: (1)] the individual initiates a [USOE]Board background check[, or].
[(2) the USOE receives a paraprofessional license
application from an LEA.
C. The data in CACTUS may only be changed as
follows:]
(3) Authorized Board staff may update CACTUS data as directed by the Superintendent.
([1]4) Authorized [USOE staff or authorized ]LEA staff may change
demographic data
and update data on educator assignments in CACTUS for the
current school year only.
[(2) Authorized USOE staff may update licensing data such as
endorsements, degrees, license areas of concentration and licensed
work experience.]
[(3) Authorized employing LEA staff may update data on
educator assignments for the current school year
only.]
[D.](5) A licensed individual may view his own personal data, but[. An individual] may not change or add data in CACTUS except under the following circumstances:
(a) A licensee may change the licensee's contact and demographic information at any time;
[(1) A licensed individual may change his demographic data
when renewing his license.]
([2]b) An employing LEA may correct[A licensed individual shall contact his employing LEA for the purpose of correcting demographic or] a current educator's assignment data on behalf of a licensee.
([3]c) A [licensed individual]licensee may petition the [USOE]Board for the purpose of correcting any errors in [his]the licensee's CACTUS file.
[E.](6) The Superintendent shall include an [I]individual[s] currently employed by
a public or private school[s] under
a letter[s] of authorization or as
an intern[s are included] in CACTUS.
[F.](7) The Superintendent shall include an [I]individual[s] working in
an LEA[s] as
a student teacher[s are included] in CACTUS.
[G. Designated individuals have access to CACTUS
data:]
([1]8) The Superintendent shall provide [T]training and ongoing support [shall be provided ]to authorized CACTUS users[designated individuals prior to granting access].
[(2) Authorized USOE staff may view or change CACTUS files
on a limited basis with specific authorization.]
([3]9) For employment or assignment purposes only, authorized
LEA staff members may:
(a) access data on individuals employed by the[ir own] LEA[or data on licensed individuals who do not have a current
assignment in CACTUS.]; or
([4]b) [Authorized LEA staff may also] view specific
limited information on job applicants if the applicant has provided
the LEA with a CACTUS identification number.
([5]10) CACTUS information belongs solely to the [USOE]Board.[The USOE shall make the final determination of information
included in or deleted from CACTUS.]
([6]g) The Superintendent may release data within CACTUS [data may only be released ]in accordance with the provisions of [GRAMA]Title 63G, Chapter 2, Government Records Access and Management Act.
R277-487-10. Educator Evaluation Data.
[A.](1)(a) The Superintendent [shall]may provide classroom-level assessment data to
administrators and teachers
in accordance with federal and state privacy laws.
(b) School administrators shall share information requested by parents while ensuring the privacy of individual student information and educator evaluation data.
[B.](2) Individual educator evaluation data shall be protected
at the school, LEA and state levels and, if applicable, [at]by the [USOE]Board.
[C.](3) An LEA[s] shall designate employees who may have access to educator evaluation records.
[D.](4) An LEA[s] may not release or disclose student assessment information that reveals educator evaluation information or records.
[E.](5) An LEA[s] shall train employees in the confidential nature of employee evaluations and the importance of securing evaluations and records.
[R277-487-11. Training and Technical Assistance.
A. The Chief Privacy Officer and DGPB shall develop
training for the Board, the USOE and LEAs.
B. The Chief Privacy Officer and DGPB shall develop model
policies, as resources permit.]
R277-487-1[2]1. Application to Third Party[Providers and] Contractors.
[A.](1) The [USOE]Board and LEAs shall set policies that govern a third party
[provider or ]contractor's access to personally
identifiable student data and public school enrollment verification
data
consistent with Section 53A-1-1401 et seq.
[B.](2) An LEA may release [S]student information and public school enrollment
verification data to a third party [provider]contractor if:
([1]a) the release is allowed by, and released in accordance with, Section 53A-1-1409 and FERPA, incorporated herein by reference, and its implementing regulations; and
([2]b) [if ]the LEA complies with the requirements of
Subsection R277-487-3[B](6).
[C. CACTUS or public education employee information may only
be released consistent with state law, with express permission of
the licensed individual or employee, or with the purposes for which
the information was entered into CACTUS or a similar employee
database.]
[D. Sanctions for violations of authorized use and release
of student and employee data:]
([1]4) All [USOE]Board contracts shall include sanctions for contractors or
third party providers who violate provisions of state policies
regarding unauthorized use and release of student and employee
data.
([2]5) The Superintendent shall recommend that LEA policies
include sanctions for contractors [or third party providers ]who violate provisions
of federal or state privacy law and LEA policies regarding
unauthorized use and release of student and employee data.
R277-487-1[3]2. Annual Reports by Chief Privacy Officer[and DGPB].
[A.](1) The Chief Privacy Officer[, with the assistance of DGPB,] shall submit to
the Board an annual report [about ]regarding student data.
[B.](2) The public report shall include:
([1]a) information about the implementation of this rule;
([2]b) information about research studies begun or planned using
student information and data;
([3]c) identification of significant threats to student data
privacy and security;
([4]d) a summary of data system audits; and
([5]e) recommendations for further improvements specific to
student data security and the systems that are necessary for
accountability in Board rules or legislation.
R277-487-13. Data Security and Privacy Training for Educators.
(1) The Superintendent shall develop a student and data security and privacy training for educators.
(2) The Superintendent shall make the training developed in accordance with Subsection (1) available through UEN.
(3) Beginning in the 2018-19 school year, an educator shall complete the training developed in accordance with Subsection (1) as a condition of re-licensure.
KEY: students, records, confidentiality
Date of Enactment or Last Substantive Amendment: [July 8, 2015]2017
Notice of Continuation: November 14, 2014
Authorizing, and Implemented or Interpreted Law: Art X Sec 3;
53A-13-301(4); 53A-1-401[(3)]; 53A-1-411; 53A-8a-410(4)
Additional Information
More information about a Notice of Proposed Rule is available online.
The Portable Document Format (PDF) version of the Bulletin is the official version. The PDF version of this issue is available at https://rules.utah.gov/publicat/bull_pdf/2017/b20170601.pdf. The HTML edition of the Bulletin is a convenience copy. Any discrepancy between the PDF version and HTML version is resolved in favor of the PDF version.
Text to be deleted is struck through and surrounded by brackets ([example]). Text to be added is underlined (example). Older browsers may not depict some or any of these attributes on the screen or when the document is printed.
For questions regarding the content or application of this rule, please contact Angela Stallings at the above address, by phone at 801-538-7656, by FAX at 801-538-7768, or by Internet E-mail at [email protected]. For questions about the rulemaking process, please contact the Office of Administrative Rules.