R277-487-3. Data Privacy and Security Policies  


      (1) The Superintendent shall develop resource materials for LEAs to train employees, aides, and volunteers of an LEA regarding confidentiality of personally identifiable student data and student performance data.

      (2) The Superintendent shall make the materials developed in accordance with Subsection (1) available to each LEA.

      (3) An LEA or public school may not be a member of or pay dues to an association that is not in compliance with:

      (a) FERPA;

      (b) Title 53E, Chapter 9, Part 3, Student Data Protection Act;

      (c) Title 53E, Chapter 9, Part 2, Utah Family Educational Rights and Privacy Act; and

      (d) this Rule R277-487.

      (4) An LEA shall comply with Title 53E, Chapter 9, Part 3, Student Data Protection Act.

      (5) An LEA shall comply with Section 53E-9-204.

      (6) An LEA is responsible for the collection, maintenance, and transmission of student data.

      (7) An LEA shall ensure that school enrollment verification data, student performance data, and personally identifiable student data are collected, maintained, and transmitted:

      (a) in a secure manner; and

      (b) consistent with sound data collection and storage procedures, established by the LEA.

      (8) An LEA may contract with a third party contractor to collect, maintain, and have access to school enrollment verification data or other student data if:

      (a) the third party contractor meets the definition of a school official under 34 C.F.R. 99.31(a)(1)(i)(B); and

      (b) the contract between the LEA and the third party contractor includes the provisions required by Subsection 53E-9-309(2).

      (9) An LEA shall publicly post the LEA's definition of directory information, as defined in FERPA, and describe how a student data manager may share personally identifiable information that is directory information.

      (10) An LEA shall provide the Superintendent with a copy or link to the LEA's directory information definition by October 1 annually.

      (11) By October 1 annually, an LEA shall enter all student data elements shared with third parties into the Board's metadata dictionary.

      (12) An LEA shall report all significant data breaches of student data either by the LEA or by third parties to the Superintendent within ten business days of the initial discovery of the significant data breach.

      (13) An LEA shall provide the Superintendent with a copy or link to the LEA's data governance plan by October 1 annually.

      (14) An LEA shall provide the Superintendent with the following information by October 1 annually:

      (a) evidence that the LEA has implemented a cyber security framework; and

      (b) the name and contact information for the LEA's designated Information Security Officer.

      (15) All public education employees, aides, and volunteers in public schools shall become familiar with federal, state, and local laws regarding the confidentiality of student performance data and personally identifiable student data.

      (16) All public education employees, aides, and volunteers shall maintain appropriate confidentiality pursuant to federal, state, local laws, and LEA policies created in accordance with this section, with regard to student performance data and personally identifiable student data.

      (17) An employee, aide, or volunteer may not share, disclose, or disseminate passwords for electronic maintenance of:

      (a) student performance data; or

      (b) personally identifiable student data.

      (18) A public education employee licensed under Section 53E-6-201 may only access or use student information and records if the public education employee accesses the student information or records consistent with the educator's obligations under Rule R277-515.

      (19) The Board may discipline a licensed educator in accordance with licensing discipline procedures if the educator violates this Rule R277-487.

      (20) An LEA shall annually provide a training regarding the confidentiality of student data to any employee with access to education records as defined in FERPA.