2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill amends provisions regarding the sharing of student data.
10 Highlighted Provisions:
11 This bill:
12 ▸ prohibits the sharing of certain student data;
13 ▸ extends a deadline for the state board regarding data integration with a local
14 education agency (LEA);
15 ▸ prohibits an education entity from sharing student data with a federal agency, except
16 as required by federal law; and
17 ▸ makes technical changes.
18 Money Appropriated in this Bill:
19 None
20 Other Special Clauses:
21 This bill provides a special effective date.
22 Utah Code Sections Affected:
23 AMENDS:
24 53B-28-505, as enacted by Laws of Utah 2022, Chapter 461
25 53B-28-506 (Effective 01/01/24), as enacted by Laws of Utah 2022, Chapter 461
26 53E-3-511, as last amended by Laws of Utah 2019, Chapter 186
27 53E-9-302, as last amended by Laws of Utah 2020, Chapter 408
28 53E-9-308, as last amended by Laws of Utah 2022, Chapter 335
29
30 Be it enacted by the Legislature of the state of Utah:
31 Section 1. Section 53B-28-505 is amended to read:
32 53B-28-505. Third-party contractors.
33 (1) A third-party contractor shall use personally identifiable student data received
34 under a contract with an education entity strictly for the purpose of providing the contracted
35 product or service within the negotiated contract terms.
36 (2) When contracting with a third-party contractor on or after January 1, 2024, an
37 education entity, or a government agency contracting on behalf of an education entity, shall:
38 (a) ensure that the contract terms comply with the standards the board establishes under
39 Subsection 53B-28-502(5); and
40 (b) require the following provisions in the contract:
41 (i) requirements and restrictions related to the collection, use, storage, or sharing of
42 student data by the third-party contractor that are necessary for the education entity to ensure
43 compliance with the provisions of this part and board rule;
44 (ii) a description of a person, or type of person, including an affiliate of the third-party
45 contractor, with whom the third-party contractor may share student data;
46 (iii) provisions that, at the request of the education entity, govern the deletion of the
47 student data received by the third-party contractor;
48 (iv) except as provided in Subsection (4) and if required by the education entity,
49 provisions that prohibit the secondary use of personally identifiable student data by the
50 third-party contractor; and
51 (v) an agreement by the third-party contractor that, at the request of the education entity
52 that is a party to the contract, the education entity or the education entity's designee may audit
53 the third-party contractor to verify compliance with the contract.
54 (3) As authorized by law or court order, a third-party contractor shall share student data
55 as requested by law enforcement.
56 (4) A third-party contractor may:
57 (a) use student data for adaptive learning or customized student learning purposes;
58 (b) market an educational application or product to a student if the third-party
59 contractor does not use student data, shared by or collected on behalf of an education entity, to
60 market the educational application or product;
61 (c) use a recommendation engine to recommend to a student:
62 (i) content that relates to learning or employment, within the third-party contractor's
63 application, if the recommendation is not motivated by payment or other consideration from
64 another party; or
65 (ii) services that relate to learning or employment, within the third-party contractor's
66 application, if the recommendation is not motivated by payment or other consideration from
67 another party;
68 (d) respond to a student request for information or feedback, if the content of the
69 response is not motivated by payment or other consideration from another party;
70 (e) use student data to allow or improve operability and functionality of the third-party
71 contractor's application; or
72 (f) identify for a student nonprofit institutions of higher education or scholarship
73 providers that are seeking students who meet specific criteria:
74 (i) regardless of whether the identified nonprofit institutions of higher education or
75 scholarship providers provide payment or other consideration to the third-party contractor; and
76 (ii) only if the third-party contractor obtains authorization in writing from:
77 (A) the student's parent, if the student is a minor; or
78 (B) the student.
79 (5) At the completion of a contract with an education entity, if the contract has not
80 been renewed, a third-party contractor shall return or delete upon the education entity's request
81 all personally identifiable student data under the control of the education entity unless a student
82 or a minor student's parent consents to the maintenance of the personally identifiable student
83 data.
84 (6) (a) A third-party contractor may not:
85 (i) except as provided in Subsection (6)(b), sell student data;
86 (ii) collect, use, or share student data, if the collection, use, or sharing of the student
87 data is inconsistent with the third-party contractor's contract with the education entity; or
88 (iii) use student data for targeted advertising.
89 (b) A person may obtain student data through the purchase of, merger with, or
90 otherwise acquiring a third-party contractor if the third-party contractor remains in compliance
91 with this section.
92 (7) The provisions of this section do not:
93 (a) apply to the use of a general audience application, including the access of a general
94 audience application with login credentials created by a third-party contractor's application;
95 (b) apply if the student data is shared in accordance with the education entity's
96 directory information policy, as described in 34 C.F.R. Sec. 99.37;
97 (c) apply to the providing of Internet service; or
98 (d) impose a duty on a provider of an interactive computer service, as defined in 47
99 U.S.C. Sec. 230, to review or enforce compliance with this section.
100 (8) A provision of this section that relates to a student's student data does not apply to a
101 third-party contractor if the education entity or third-party contractor obtains authorization from
102 the following individual, in writing, to waive that provision:
103 (a) the student's parent, if the student is a minor; or
104 (b) the student.
105 Section 2. Section 53B-28-506 (Effective 01/01/24) is amended to read:
106 53B-28-506 (Effective 01/01/24). Penalties.
107 (1) [
108 contractor that knowingly or recklessly permits unauthorized collecting, sharing, or use of
109 student data under this part:
110 [
111 contract with [
112 [
113 (c) may be required to pay:
114 (i) an institution's cost of notifying parents and students of the unauthorized sharing or
115 use of student data; and
116 (ii) any expense incurred by the institution as result of the unauthorized sharing or use
117 of student data.
118 [
119 knowingly or recklessly permitted unauthorized collecting, sharing, or use of student data if:
120 (i) the education entity determines that the third-party contractor has corrected the
121 errors that caused the unauthorized collecting, sharing, or use of student data; and
122 (ii) the third-party contractor demonstrates:
123 (A) if the third-party contractor is under contract with the education entity, current
124 compliance with this part; or
125 (B) an ability to comply with the requirements of this part.
126 [
127
128 [
129 office of the education entity is located, if necessary, to enforce payment of the civil penalty
130 described in Subsection [
131 [
132 sharing, or use of student data may be found guilty of a class A misdemeanor.
133 (2) (a) A student or a minor student's parent may bring an action against [
134 a third-party contractor in a court of competent jurisdiction for damages caused by a knowing
135 or reckless violation of Section 53B-28-505 by a third-party contractor [
136
137 (b) If the court finds that a third-party contractor has violated Section 53B-28-505, the
138 court may [
139 (i) damages; and
140 (ii) costs.
141 Section 3. Section 53E-3-511 is amended to read:
142 53E-3-511. Student Achievement Backpack -- Utah Student Record Store.
143 (1) As used in this section:
144 (a) "Authorized LEA user" means a teacher or other person who is:
145 (i) employed by an LEA that provides instruction to a student; and
146 (ii) authorized to access data in a Student Achievement Backpack through the Utah
147 Student Record Store.
148 (b) "Statewide assessment" means the same as that term is defined in Section
149 53E-4-301.
150 (c) "Student Achievement Backpack" means, for a student from kindergarten through
151 grade 12, a complete learner profile that:
152 (i) is in electronic format;
153 (ii) follows the student from grade to grade and school to school; and
154 (iii) is accessible by the student's parent or an authorized LEA user.
155 (d) "Utah Student Record Store" means a repository of student data collected from
156 LEAs as part of the state's longitudinal data system that is:
157 (i) managed by the state board;
158 (ii) cloud-based; and
159 (iii) accessible via a web browser to authorized LEA users.
160 (2) (a) The state board shall use the state board's robust, comprehensive data collection
161 system, which collects longitudinal student transcript data from LEAs and the unique student
162 identifiers as described in Section 53E-4-308, to allow the following to access a student's
163 Student Achievement Backpack:
164 (i) the student's parent; and
165 (ii) each LEA that provides instruction to the student.
166 (b) The state board shall ensure that a Student Achievement Backpack:
167 (i) provides a uniform, transparent reporting mechanism for individual student
168 progress;
169 (ii) provides a complete learner history for postsecondary planning;
170 (iii) provides a teacher with visibility into a student's complete learner profile to better
171 inform instruction and personalize education;
172 (iv) assists a teacher or administrator in diagnosing a student's learning needs through
173 the use of data already collected by the state board;
174 (v) facilitates a student's parent taking an active role in the student's education by
175 simplifying access to the student's complete learner profile; and
176 (vi) serves as additional disaster mitigation for LEAs by using a cloud-based data
177 storage and collection system.
178 (3) Using existing information collected and stored in the state board's data warehouse,
179 the state board shall create the Utah Student Record Store where an authorized LEA user may:
180 (a) access data in a Student Achievement Backpack relevant to the user's LEA or
181 school; or
182 (b) request student records to be transferred from one LEA to another.
183 (4) The state board shall implement security measures to ensure that:
184 (a) student data stored or transmitted to or from the Utah Student Record Store is
185 secure and confidential pursuant to the requirements of the Family Educational Rights and
186 Privacy Act, 20 U.S.C. Sec. 1232g; [
187 (b) an authorized LEA user may only access student data that is relevant to the user's
188 LEA or school[
189 (c) except as provided in Section 53E-9-308, an authorized LEA user shares only
190 aggregate or de-identified data.
191 (5) A student's parent may request the student's Student Achievement Backpack from
192 the LEA or the school in which the student is enrolled.
193 (6) An authorized LEA user may access student data in a Student Achievement
194 Backpack, which shall include the following data, or request that the data be transferred from
195 one LEA to another:
196 (a) student demographics;
197 (b) course grades;
198 (c) course history; and
199 (d) results of a statewide assessment.
200 (7) An authorized LEA user may access student data in a Student Achievement
201 Backpack, which shall include the data listed in Subsections (6)(a) through (d) and the
202 following data, or request that the data be transferred from one LEA to another:
203 (a) section attendance;
204 (b) the name of a student's teacher for classes or courses the student takes;
205 (c) teacher qualifications for a student's teacher, including years of experience, degree,
206 license, and endorsement;
207 (d) results of statewide assessments;
208 (e) a student's writing sample that is written for a writing assessment administered
209 pursuant to Section 53E-4-303;
210 (f) student growth scores on a statewide assessment, as applicable;
211 (g) a school's grade assigned pursuant to Chapter 5, Part 2, School Accountability
212 System;
213 (h) results of benchmark assessments of reading administered pursuant to Section
214 53E-4-307; and
215 (i) a student's reading level at the end of grade 3.
216 (8) No later than [
217 collected in the Utah Student Record Store for a Student Achievement Backpack is integrated
218 into each LEA's student information system and is made available to a student's parent and an
219 authorized LEA user in an easily accessible viewing format.
220 Section 4. Section 53E-9-302 is amended to read:
221 53E-9-302. State student data protection governance.
222 (1) (a) An education entity or a third-party contractor who collects, uses, stores, shares,
223 or deletes student data shall protect student data as described in this part.
224 (b) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
225 state board shall make rules to administer this part, including student data protection standards
226 for public education employees, student aides, and volunteers.
227 (2) The state board shall oversee the preparation and maintenance of:
228 (a) a statewide data governance plan; and
229 (b) a state-level metadata dictionary.
230 (3) As described in this Subsection (3), the state board shall establish advisory groups
231 to oversee student data protection in the state and make recommendations to the state board
232 regarding student data protection[
233 (a) [
234 (i) that is composed of members from:
235 (A) the Legislature;
236 (B) the state board and state board employees; and
237 (C) one or more LEAs;
238 (ii) to discuss and make recommendations to the state board regarding:
239 (A) enacted or proposed legislation; and
240 (B) state and local student data protection policies across the state;
241 (iii) that reviews and monitors the state student data governance plan; and
242 (iv) that performs other tasks related to student data protection as designated by the
243 state board.
244 (b) [
245 (i) that is composed of the state student data officer and other state board employees;
246 and
247 (ii) that performs duties related to state and local student data protection, including:
248 (A) overseeing data collection and usage by state board program offices; and
249 (B) preparing and maintaining the state board's student data governance plan under the
250 direction of the student data policy advisory group.
251 (c) [
252 (i) that is composed of members who use student data at the local level; and
253 (ii) that provides feedback and suggestions on the practicality of actions proposed by
254 the student data policy advisory group and the student data governance advisory group.
255 (4) (a) The state board shall designate a state student data officer.
256 (b) The state student data officer shall:
257 (i) act as the primary point of contact for state student data protection administration in
258 assisting the state board to administer this part;
259 (ii) ensure compliance with student privacy laws throughout the public education
260 system, including:
261 (A) providing training and support to applicable state board and LEA employees; and
262 (B) producing resource materials, model plans, and model forms for local student data
263 protection governance, including a model student data collection notice;
264 (iii) investigate complaints of alleged violations of this part;
265 (iv) report violations of this part to:
266 (A) the state board;
267 (B) an applicable education entity; and
268 (C) the student data policy advisory group; and
269 (v) act as a state level student data manager.
270 (5) The state board shall designate:
271 (a) at least one support manager to assist the state student data officer; and
272 (b) a student data protection auditor to assist the state student data officer.
273 (6) The state board shall establish a research review process for a request for data for
274 the purpose of research or evaluation.
275 Section 5. Section 53E-9-308 is amended to read:
276 53E-9-308. Sharing student data -- Prohibition -- Requirements for student data
277 manager -- Authorized student data sharing.
278 (1) (a) Except as provided in Subsection (1)(b), an education entity, including a student
279 data manager, may not:
280 (i) share personally identifiable student data without written consent[
281 (ii) share student data with a federal agency.
282 (b) An education entity, including a student data manager, may share personally
283 identifiable student data:
284 (i) in accordance with the Family Education Rights and Privacy Act and related
285 provisions under 20 U.S.C. Secs. 1232g and 1232h;
286 (ii) as required by federal law; and
287 (iii) as described in Subsections (3), (5), and (6).
288 (2) A student data manager shall:
289 (a) authorize and manage the sharing, outside of the student data manager's education
290 entity, of personally identifiable student data for the education entity as described in this
291 section;
292 (b) act as the primary local point of contact for the state student data officer described
293 in Section 53E-9-302; and
294 (c) fulfill other responsibilities described in the data governance plan of the student
295 data manager's education entity.
296 (3) A student data manager may share a student's personally identifiable student data
297 with a caseworker or representative of the [
298 Health and Human Services if:
299 (a) the [
300 (i) legally responsible for the care and protection of the student, including the
301 responsibility to investigate a report of educational neglect, as provided in Subsection
302 80-2-701(5); or
303 (ii) providing services to the student;
304 (b) the student's personally identifiable student data is not shared with a person who is
305 not authorized:
306 (i) to address the student's education needs; or
307 (ii) by the [
308 to receive the student's personally identifiable student data; and
309 (c) the [
310 maintains and protects the student's personally identifiable student data.
311 (4) The [
312 school official, or the Utah Juvenile Court may share personally identifiable student data to
313 improve education outcomes for youth:
314 (a) in the custody of, or under the guardianship of, the [
315
316 (b) receiving services from the Division of Juvenile Justice Services;
317 (c) in the custody of the Division of Child and Family Services;
318 (d) receiving services from the Division of Services for People with Disabilities; or
319 (e) under the jurisdiction of the Utah Juvenile Court.
320 (5) (a) A student data manager may share personally identifiable student data in
321 response to a subpoena issued by a court.
322 (b) A person who receives personally identifiable student data under Subsection (5)(a)
323 may not use the personally identifiable student data outside of the use described in the
324 subpoena.
325 (6) (a) A student data manager may share student data, including personally
326 identifiable student data, in response to a request to share student data for the purpose of
327 research or evaluation, if the student data manager:
328 (i) verifies that the request meets the requirements of 34 C.F.R. Sec. 99.31(a)(6);
329 (ii) submits the request to the education entity's research review process; and
330 (iii) fulfills the instructions that result from the review process.
331 (b) (i) In accordance with state and federal law, and subject to Subsection (6)(b)(ii), the
332 state board shall share student data, including personally identifiable student data, as requested
333 by the Utah Registry of Autism and Developmental Disabilities described in Section 26-7-4.
334 (ii) (A) At least 30 days before the state board shares student data in accordance with
335 Subsection (6)(b)(i), the education entity from which the state board received the student data
336 shall provide notice to the parent of each student for which the state board intends to share
337 student data.
338 (B) The state board may not, for a particular student, share student data as described in
339 Subsection (6)(b)(i) if the student's parent requests that the state board not share the student
340 data.
341 (iii) A person who receives student data under Subsection (6)(b)(i):
342 (A) shall maintain and protect the student data in accordance with state board rule
343 described in Section 53E-9-307;
344 (B) may not use the student data for a purpose not described in Section 26-7-4; and
345 (C) is subject to audit by the state student data officer described in Section 53E-9-302.
346 Section 6. Effective date.
347 (1) Except as provided in Subsection (2), this bill takes effect on July 1, 2023.
348 (2) The actions affecting Section 53B-28-506 (Effective 01/01/24) take effect on
349 January 1, 2024.