2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill repeals provisions related to the State Board of Education sharing student data.
10 Highlighted Provisions:
11 This bill:
12 ▸ repeals provisions related to the State Board of Education sharing student data with
13 the Utah Registry of Autism and Developmental Disabilities;
14 ▸ repeals provisions related to the State Board of Education sharing student data with
15 the State Board of Regents; and
16 ▸ makes technical and conforming changes.
17 Money Appropriated in this Bill:
18 None
19 Other Special Clauses:
20 None
21 Utah Code Sections Affected:
22 AMENDS:
23 53E-9-301, as last amended by Laws of Utah 2018, Chapters 304, 389 and renumbered
24 and amended by Laws of Utah 2018, Chapter 1
25 53E-9-305, as last amended by Laws of Utah 2018, Chapter 304 and renumbered and
26 amended by Laws of Utah 2018, Chapter 1
27 53E-9-307, as last amended by Laws of Utah 2018, Chapter 304 and renumbered and
28 amended by Laws of Utah 2018, Chapter 1
29 53E-9-308, as last amended by Laws of Utah 2018, Chapters 285, 304 and renumbered
30 and amended by Laws of Utah 2018, Chapter 1
31
32 Be it enacted by the Legislature of the state of Utah:
33 Section 1. Section 53E-9-301 is amended to read:
34 53E-9-301. Definitions.
35 As used in this part:
36 (1) "Adult student" means a student who:
37 (a) is at least 18 years old;
38 (b) is an emancipated student; or
39 (c) qualifies under the McKinney-Vento Homeless Education Assistance
40 Improvements Act of 2001, 42 U.S.C. Sec. 11431 et seq.
41 (2) "Aggregate data" means data that:
42 (a) are totaled and reported at the group, cohort, school, school district, region, or state
43 level with at least 10 individuals in the level;
44 (b) do not reveal personally identifiable student data; and
45 (c) are collected in accordance with board rule.
46 (3) (a) "Biometric identifier" means a:
47 (i) retina or iris scan;
48 (ii) fingerprint;
49 (iii) human biological sample used for valid scientific testing or screening; or
50 (iv) scan of hand or face geometry.
51 (b) "Biometric identifier" does not include:
52 (i) a writing sample;
53 (ii) a written signature;
54 (iii) a voiceprint;
55 (iv) a photograph;
56 (v) demographic data; or
57 (vi) a physical description, such as height, weight, hair color, or eye color.
58 (4) "Biometric information" means information, regardless of how the information is
59 collected, converted, stored, or shared:
60 (a) based on an individual's biometric identifier; and
61 (b) used to identify the individual.
62 (5) "Board" means the State Board of Education.
63 (6) "Data breach" means an unauthorized release of or unauthorized access to
64 personally identifiable student data that is maintained by an education entity.
65 (7) "Data governance plan" means an education entity's comprehensive plan for
66 managing education data that:
67 (a) incorporates reasonable data industry best practices to maintain and protect student
68 data and other education-related data;
69 (b) describes the role, responsibility, and authority of an education entity data
70 governance staff member;
71 (c) provides for necessary technical assistance, training, support, and auditing;
72 (d) describes the process for sharing student data between an education entity and
73 another person;
74 (e) describes the education entity's data expungement process, including how to
75 respond to requests for expungement;
76 (f) describes the data breach response process; and
77 (g) is published annually and available on the education entity's website.
78 (8) "Education entity" means:
79 (a) the board;
80 (b) a local school board;
81 (c) a charter school governing board;
82 (d) a school district;
83 (e) a charter school;
84 (f) the Utah Schools for the Deaf and the Blind; or
85 (g) for purposes of implementing the School Readiness Initiative described in Title
86 53F, Chapter 6, Part 3, School Readiness Initiative, the School Readiness Board created in
87 Section 35A-3-209.
88 (9) "Expunge" means to seal or permanently delete data, as described in board rule
89 made under Section 53E-9-306.
90 (10) "General audience application" means an Internet website, online service, online
91 application, mobile application, or software program that:
92 (a) is not specifically intended for use by an audience member that attends kindergarten
93 or a grade from 1 to 12, although an audience member may attend kindergarten or a grade from
94 1 to 12; and
95 (b) is not subject to a contract between an education entity and a third-party contractor.
96 [
97
98 [
99 [
100 [
101 [
102 [
103 [
104 [
105 [
106 [
107 (a) for a student with a disability; and
108 (b) that is developed, reviewed, and revised in accordance with the Individuals with
109 Disabilities Education Act, 20 U.S.C. Sec. 1400 et seq.
110 [
111 (a) a school district;
112 (b) a charter school;
113 (c) the Utah Schools for the Deaf and the Blind; or
114 (d) for purposes of implementing the School Readiness Initiative described in Title
115 53F, Chapter 6, Part 3, School Readiness Initiative, the School Readiness Board created in
116 Section 35A-3-209.
117 [
118 (a) defines and discloses all personally identifiable student data collected and shared by
119 the education entity;
120 (b) comprehensively lists all recipients with whom the education entity has shared
121 personally identifiable student data, including:
122 (i) the purpose for sharing the data with the recipient;
123 (ii) the justification for sharing the data, including whether sharing the data was
124 required by federal law, state law, or a local directive; and
125 (iii) how sharing the data is permitted under federal or state law; and
126 (c) without disclosing personally identifiable student data, is displayed on the
127 education entity's website.
128 [
129 to conduct the regular activities of an education entity, including:
130 (a) name;
131 (b) date of birth;
132 (c) sex;
133 (d) parent contact information;
134 (e) custodial parent information;
135 (f) contact information;
136 (g) a student identification number;
137 (h) local, state, and national assessment results or an exception from taking a local,
138 state, or national assessment;
139 (i) courses taken and completed, credits earned, and other transcript information;
140 (j) course grades and grade point average;
141 (k) grade level and expected graduation date or graduation cohort;
142 (l) degree, diploma, credential attainment, and other school exit information;
143 (m) attendance and mobility;
144 (n) drop-out data;
145 (o) immunization record or an exception from an immunization record;
146 (p) race;
147 (q) ethnicity;
148 (r) tribal affiliation;
149 (s) remediation efforts;
150 (t) an exception from a vision screening required under Section 53G-9-404 or
151 information collected from a vision screening required under Section 53G-9-404;
152 (u) information related to the Utah Registry of Autism and Developmental Disabilities,
153 described in Section 26-7-4;
154 (v) student injury information;
155 (w) a disciplinary record created and maintained as described in Section 53E-9-306;
156 (x) juvenile delinquency records;
157 (y) English language learner status; and
158 (z) child find and special education evaluation data related to initiation of an IEP.
159 [
160 (i) necessary student data; or
161 (ii) student data that an education entity may not collect under Section 53E-9-305.
162 (b) "Optional student data" includes:
163 (i) information that is:
164 (A) related to an IEP or needed to provide special needs services; and
165 (B) not necessary student data;
166 (ii) biometric information; and
167 (iii) information that is not necessary student data and that is required for a student to
168 participate in a federal or other program.
169 [
170 (a) a student's parent;
171 (b) a student's legal guardian; or
172 (c) an individual who has written authorization from a student's parent or legal
173 guardian to act as a parent or legal guardian on behalf of the student.
174 [
175 or is used by the holder to identify a student.
176 (b) "Personally identifiable student data" includes:
177 (i) a student's first and last name;
178 (ii) the first and last name of a student's family member;
179 (iii) a student's or a student's family's home or physical address;
180 (iv) a student's email address or other online contact information;
181 (v) a student's telephone number;
182 (vi) a student's social security number;
183 (vii) a student's biometric identifier;
184 (viii) a student's health or disability data;
185 (ix) a student's education entity student identification number;
186 (x) a student's social media user name and password or alias;
187 (xi) if associated with personally identifiable student data, the student's persistent
188 identifier, including:
189 (A) a customer number held in a cookie; or
190 (B) a processor serial number;
191 (xii) a combination of a student's last name or photograph with other information that
192 together permits a person to contact the student online;
193 (xiii) information about a student or a student's family that a person collects online and
194 combines with other personally identifiable student data to identify the student; and
195 (xiv) information that, alone or in combination, is linked or linkable to a specific
196 student that would allow a reasonable person in the school community, who does not have
197 personal knowledge of the relevant circumstances, to identify the student with reasonable
198 certainty.
199 [
200 education entity has authorized the employee or agent to request or receive student data on
201 behalf of the education entity.
202 [
203 student level.
204 (b) "Student data" does not include aggregate or de-identified data.
205 [
206 (a) the state student data officer; or
207 (b) an individual designated as a student data manager by an education entity under
208 Section 53E-9-303, who fulfills the duties described in Section 53E-9-308.
209 [
210 where the advertisement is selected based on information obtained or inferred over time from
211 that student's online behavior, usage of applications, or student data.
212 (b) "Targeted advertising" does not include advertising to a student:
213 (i) at an online location based upon that student's current visit to that location; or
214 (ii) in response to that student's request for information or feedback, without retention
215 of that student's online activities or requests over time for the purpose of targeting subsequent
216 ads.
217 [
218 (a) is not an education entity; and
219 (b) pursuant to a contract with an education entity, collects or receives student data in
220 order to provide a product or service, as described in the contract, if the product or service is
221 not related to school photography, yearbooks, graduation announcements, or a similar product
222 or service.
223 [
224 student data, from:
225 (a) the student's parent, if the student is not an adult student; or
226 (b) the student, if the student is an adult student.
227 Section 2. Section 53E-9-305 is amended to read:
228 53E-9-305. Collecting student data -- Prohibition -- Student data collection notice
229 -- Written consent.
230 (1) An education entity may not collect a student's:
231 (a) social security number; or
232 (b) except as required in Section 78A-6-112, criminal record.
233 (2) An education entity that collects student data shall, in accordance with this section,
234 prepare and distribute, except as provided in Subsection (3), to parents and students a student
235 data collection notice statement that:
236 (a) is a prominent, stand-alone document;
237 (b) is annually updated and published on the education entity's website;
238 (c) states the student data that the education entity collects;
239 (d) states that the education entity will not collect the student data described in
240 Subsection (1);
241 (e) states the student data described in Section 53E-9-308 that the education entity may
242 not share without written consent;
243 (f) includes the following statement:
244 "The collection, use, and sharing of student data has both benefits and risks. Parents
245 and students should learn about these benefits and risks and make choices regarding student
246 data accordingly.";
247 (g) describes in general terms how the education entity stores and protects student data;
248 and
249 (h) states a student's rights under this part[
250 [
251
252
253 (3) The board may publicly post the board's collection notice described in Subsection
254 (2).
255 (4) An education entity may collect the necessary student data of a student if the
256 education entity provides a student data collection notice to:
257 (a) the student, if the student is an adult student; or
258 (b) the student's parent, if the student is not an adult student.
259 (5) An education entity may collect optional student data if the education entity:
260 (a) provides, to an individual described in Subsection (4), a student data collection
261 notice that includes a description of:
262 (i) the optional student data to be collected; and
263 (ii) how the education entity will use the optional student data; and
264 (b) obtains written consent to collect the optional student data from an individual
265 described in Subsection (4).
266 (6) An education entity may collect a student's biometric identifier or biometric
267 information if the education entity:
268 (a) provides, to an individual described in Subsection (4), a biometric information
269 collection notice that is separate from a student data collection notice, which states:
270 (i) the biometric identifier or biometric information to be collected;
271 (ii) the purpose of collecting the biometric identifier or biometric information; and
272 (iii) how the education entity will use and store the biometric identifier or biometric
273 information; and
274 (b) obtains written consent to collect the biometric identifier or biometric information
275 from an individual described in Subsection (4).
276 (7) Except under the circumstances described in Subsection 53G-8-211(2), an
277 education entity may not refer a student to an alternative evidence-based intervention described
278 in Subsection 53G-8-211(3) without written consent.
279 Section 3. Section 53E-9-307 is amended to read:
280 53E-9-307. Securing and cataloguing student data.
281 In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
282 board shall make rules that:
283 (1) using reasonable data industry best practices, prescribe the maintenance and
284 protection of stored student data by:
285 (a) an education entity; and
286 [
287
288 [
289 (2) state requirements for an education entity's metadata dictionary.
290 Section 4. Section 53E-9-308 is amended to read:
291 53E-9-308. Sharing student data -- Prohibition -- Requirements for student data
292 manager -- Authorized student data sharing.
293 (1) (a) Except as provided in Subsection (1)(b), an education entity, including a student
294 data manager, may not share personally identifiable student data without written consent.
295 (b) An education entity, including a student data manager, may share personally
296 identifiable student data:
297 (i) in accordance with the Family Education Rights and Privacy Act and related
298 provisions under 20 U.S.C. Secs. 1232g and 1232h;
299 (ii) as required by federal law; and
300 (iii) as described in Subsections (3), (5), and (6).
301 (2) A student data manager shall:
302 (a) authorize and manage the sharing, outside of the student data manager's education
303 entity, of personally identifiable student data for the education entity as described in this
304 section;
305 (b) act as the primary local point of contact for the state student data officer described
306 in Section 53E-9-302; and
307 (c) fulfill other responsibilities described in the data governance plan of the student
308 data manager's education entity.
309 (3) A student data manager may share a student's personally identifiable student data
310 with a caseworker or representative of the Department of Human Services if:
311 (a) the Department of Human Services is:
312 (i) legally responsible for the care and protection of the student, including the
313 responsibility to investigate a report of educational neglect, as provided in Subsection
314 62A-4a-409(5); or
315 (ii) providing services to the student;
316 (b) the student's personally identifiable student data is not shared with a person who is
317 not authorized:
318 (i) to address the student's education needs; or
319 (ii) by the Department of Human Services to receive the student's personally
320 identifiable student data; and
321 (c) the Department of Human Services maintains and protects the student's personally
322 identifiable student data.
323 (4) The Department of Human Services, a school official, or the Utah Juvenile Court
324 may share personally identifiable student data to improve education outcomes for youth:
325 (a) in the custody of, or under the guardianship of, the Department of Human Services;
326 (b) receiving services from the Division of Juvenile Justice Services;
327 (c) in the custody of the Division of Child and Family Services;
328 (d) receiving services from the Division of Services for People with Disabilities; or
329 (e) under the jurisdiction of the Utah Juvenile Court.
330 (5) (a) A student data manager may share personally identifiable student data in
331 response to a subpoena issued by a court.
332 (b) A person who receives personally identifiable student data under Subsection (5)(a)
333 may not use the personally identifiable student data outside of the use described in the
334 subpoena.
335 (6) [
336 identifiable student data, in response to a request to share student data for the purpose of
337 research or evaluation, if the student data manager:
338 [
339 [
340 [
341 [
342
343
344 [
345 [
346
347 [
348 [
349
350 [
351
352
353
354 [
355
356 [
357