Section 53E-9-301 - DefinitionsAs used in this part:
(1) "Adult student" means a student who: (a) is at least 18 years old;(b) is an emancipated student; or(c) qualifies under the McKinney-Vento Homeless Education Assistance Improvements Act of 2001, 42 U.S.C. Sec. 11431 et seq.(2) "Aggregate data" means data that: (a) are totaled and reported at the group, cohort, school, school district, region, or state level with at least 10 individuals in the level;(b) do not reveal personally identifiable student data; and(c) are collected in accordance with state board rule.(3)(a) "Biometric identifier" means a: (iii) human biological sample used for valid scientific testing or screening; or(iv) scan of hand or face geometry.(b) "Biometric identifier" does not include:(ii) a written signature;(vi) a physical description, such as height, weight, hair color, or eye color.(4) "Biometric information" means information, regardless of how the information is collected, converted, stored, or shared: (a) based on an individual's biometric identifier; and(b) used to identify the individual.(5) "Data breach" means an unauthorized release of or unauthorized access to personally identifiable student data that is maintained by an education entity.(6) "Data governance plan" means an education entity's comprehensive plan for managing education data that: (a) incorporates reasonable data industry best practices to maintain and protect student data and other education-related data;(b) describes the role, responsibility, and authority of an education entity data governance staff member;(c) provides for necessary technical assistance, training, support, and auditing;(d) describes the process for sharing student data between an education entity and another person;(e) describes the education entity's data expungement process, including how to respond to requests for expungement;(f) describes the data breach response process; and(g) is published annually and available on the education entity's website.(7) "Education entity" means: (b) a local school board;(c) a charter school governing board;(f) the Utah Schools for the Deaf and the Blind.(8) "Expunge" means to seal or permanently delete data, as described in state board rule made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, under Section 53E-9-306.(9) "General audience application" means an Internet website, online service, online application, mobile application, or software program that: (a) is not specifically intended for use by an audience member that attends kindergarten or a grade from 1 to 12, although an audience member may attend kindergarten or a grade from 1 to 12; and(b) is not subject to a contract between an education entity and a third-party contractor.(10) "Local education agency" or "LEA" means: (c) the Utah Schools for the Deaf and the Blind.(11) "Metadata dictionary" means a record that: (a) defines and discloses all personally identifiable student data collected and shared by the education entity;(b) comprehensively lists all recipients with whom the education entity has shared personally identifiable student data, including:(i) the purpose for sharing the data with the recipient;(ii) the justification for sharing the data, including whether sharing the data was required by federal law, state law, or a local directive; and(iii) how sharing the data is permitted under federal or state law; and(c) without disclosing personally identifiable student data, is displayed on the education entity's website.(12) "Necessary student data" means data required by state statute or federal law to conduct the regular activities of an education entity, including: (d) parent contact information;(e) custodial parent information;(g) a student identification number;(h) local, state, and national assessment results or an exception from taking a local, state, or national assessment;(i) courses taken and completed, credits earned, and other transcript information;(j) course grades and grade point average;(k) grade level and expected graduation date or graduation cohort;(l) degree, diploma, credential attainment, and other school exit information;(m) attendance and mobility;(o) immunization record or an exception from an immunization record;(t) an exception from a vision screening required under Section 53G-9-404 or information collected from a vision screening described in Section 53G-9-404;(u) information related to the Utah Registry of Autism and Developmental Disabilities, described in Section 26B-7-115;(v) student injury information;(w) a disciplinary record created and maintained as described in Section 53E-9-306;(x) juvenile delinquency records;(y) English language learner status; and(z) child find and special education evaluation data related to initiation of an IEP.(13)(a) "Optional student data" means student data that is not: (i) necessary student data; or(ii) student data that an education entity may not collect under Section 53E-9-305.(b) "Optional student data" includes: (i) information that is: (A) related to an IEP or needed to provide special needs services; and(B) not necessary student data;(ii) biometric information; and(iii) information that is not necessary student data and that is required for a student to participate in a federal or other program.(14) "Parent" means: (b) a student's legal guardian; or(c) an individual who has written authorization from a student's parent or legal guardian to act as a parent or legal guardian on behalf of the student.(15)(a) "Personally identifiable student data" means student data that identifies or is used by the holder to identify a student.(b) "Personally identifiable student data" includes:(i) a student's first and last name;(ii) the first and last name of a student's family member;(iii) a student's or a student's family's home or physical address;(iv) a student's email address or other online contact information;(v) a student's telephone number;(vi) a student's social security number;(vii) a student's biometric identifier;(viii) a student's health or disability data;(ix) a student's education entity student identification number;(x) a student's social media user name and password or alias;(xi) if associated with personally identifiable student data, the student's persistent identifier, including: (A) a customer number held in a cookie; or(B) a processor serial number;(xii) a combination of a student's last name or photograph with other information that together permits a person to contact the student online;(xiii) information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and(xiv) information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.(16) "School official" means an employee or agent of an education entity, if the education entity has authorized the employee or agent to request or receive student data on behalf of the education entity.(17)(a) "Student data" means information about a student at the individual student level.(b) "Student data" does not include aggregate or de-identified data.(18) "Student data manager" means: (a) the state student data officer; or(b) an individual designated as a student data manager by an education entity under Section 53E-9-303, who fulfills the duties described in Section 53E-9-308.(19)(a) "Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or student data.(b) "Targeted advertising" does not include advertising to a student:(i) at an online location based upon that student's current visit to that location; or(ii) in response to that student's request for information or feedback, without retention of that student's online activities or requests over time for the purpose of targeting subsequent ads.(20) "Third-party contractor" means a person who: (a) is not an education entity; and(b) pursuant to a contract with an education entity, collects or receives student data in order to provide a product or service, as described in the contract, if the product or service is not related to school photography, yearbooks, graduation announcements, or a similar product or service.(21) "Written consent" means written authorization to collect or share a student's student data, from: (a) the student's parent, if the student is not an adult student; or(b) the student, if the student is an adult student.Amended by Chapter 328, 2023 General Session ,§ 98, eff. 5/3/2023.Amended by Chapter 408, 2020 General Session ,§ 27, eff. 5/12/2020.Amended by Chapter 342, 2019 General Session ,§ 13, eff. 5/14/2019.Amended by Chapter 175, 2019 General Session ,§ 1, eff. 5/14/2019.Amended by Chapter 186, 2019 General Session ,§ 138, eff. 5/14/2019.Amended by Chapter 87, 2019 General Session ,§ 3, eff. 5/14/2019.Amended by Chapter 389, 2018 General Session ,§ 4, eff. 7/1/2018.Amended by Chapter 304, 2018 General Session ,§ 1, eff. 5/8/2018.Renumbered from § 53A-1-1402 and amended by Chapter 1, 2018 General Session ,§ 219, eff. 1/24/2018.Amended by Chapter 370, 2017 General Session ,§ 1, eff. 5/9/2017.Added by Chapter 221, 2016 General Session ,§ 4, eff. 5/10/2016.