Utah Administrative Code (Current through November 1, 2019) |
R277. Education, Administration |
R277-487. Public School Data Confidentiality and Disclosure |
R277-487-2. Definitions
(1) "Association" has the same meaning as that term is defined in Subsection 53G-7-1101(3).
(2) "Chief Privacy Officer" means a Board employee designated by the Board as primarily responsible to:
(a) oversee and carry out the responsibilities of this rule; and
(b) direct the development of materials and training about student and public education employee privacy standards for the Board and LEAs, including:
(i) FERPA; and
(ii) the Utah Student Data Protection Act, Title 53E, Chapter 9, Part 3.
(3) "Classroom-level assessment data" means student scores on state-required tests, aggregated in groups of more than 10 students at the classroom level or, if appropriate, at the course level, without individual student identifiers of any kind.
(4) "Comprehensive Administration of Credentials for Teachers in Utah Schools" or "CACTUS" means the electronic file maintained and owned by the Board on all licensed Utah educators, which includes information such as:
(a) personal directory information;
(b) educational background;
(c) endorsements;
(d) employment history; and
(e) a record of disciplinary action taken against the educator.
(5) "Confidentiality" refers to an obligation not to disclose or transmit information to unauthorized parties.
(6) "Cyber security framework" means:
(a) the cyber security framework developed by the Center for Internet Security found at http://www.cisecurity.org/controls/; or
(b) an IT security framework that is comparable to the cyber security framework described in Subsection (6)(a).
(7) "Data governance plan" has the same meaning as defined in Subsection 53E-9-301(7).
(8) "Data security protections" means protections developed and initiated by the Superintendent that protect, monitor and secure student, public educator and public education employee data as outlined and identified in FERPA and Sections 63G-2-302 through 63G-2-305.
(9) "Destroy" means to remove data or a record:
(a) in accordance with current industry best practices; and
(b) rendering the data or record irretrievable in the normal course of business of an LEA or a third-party contractor.
(10) "Disclosure" includes permitting access to, revealing, releasing, transferring, disseminating, or otherwise communicating all or any part of any individual record orally, in writing, electronically, or by any other communication method.
(11) "Expunge" means to seal a record so as to limit its availability to all except authorized individuals.
(12) "Enrollment verification data" includes:
(a) a student's birth certificate or other verification of age;
(b) verification of immunization or exemption from immunization form;
(c) proof of Utah public school residency;
(d) family income verification; or
(e) special education program information, including:
(i) an individualized education program;
(ii) a Section 504 accommodation plan; or
(iii) an English language learner plan.
(13) "FERPA" means the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, and its implementing regulations found at 34 C.F.R., Part 99.
(14) "LEA" includes, for purposes of this rule, the Utah Schools for the Deaf and the Blind.
(15) "Metadata dictionary" has the same meaning as defined in Subsection 53E-9-301(14).
(16) "Personally identifiable student data" has the same meaning as defined in Subsection 53E-9-301(14).
(17) "Significant data breach" means a data breach where:
(a) an intentional data breach successfully compromises student records;
(b) a large number of student records are compromised;
(c) sensitive records are compromised, regardless of number; or
(d) a data breach an LEA deems to be significant based on the surrounding circumstances.
(18) "Student data advisory groups" has the same meaning as described in Subsection 53E-9-302(3).
(19) "Student data manager" means the individual at the LEA level who:
(a) is designated as the student data manager by an LEA under Section 53E-9-303;
(b) authorizes and manages the sharing of student data;
(c) acts as the primary contact for the Chief Privacy Officer;
(d) maintains a list of persons with access to personally identifiable student data; and
(e) is in charge of providing annual LEA staff and volunteer training on data privacy.
(20) "Student performance data" means data relating to student performance, including:
(a) data on state, local and national assessments;
(b) course-taking and completion;
(c) grade-point average;
(d) remediation;
(e) retention;
(f) degree, diploma, or credential attainment; and
(g) enrollment and demographic data.
(20) "Third party contractor" has the same meaning as defined in Subsection 53E-9-301(23).