Utah Code 53B-28-505. Third-party contractors
Current as of: 2024 | Check for updates
|
Other versions
(1) A third-party contractor shall use personally identifiable student data received under a contract with an education entity strictly for the purpose of providing the contracted product or service within the negotiated contract terms.
Terms Used In Utah Code 53B-28-505
- Board: means the Utah Board of Higher Education described in Section 53B-1-402. See Utah Code 53B-1-101.5
- Contract: A legal written agreement that becomes binding when signed.
- Education entity: means the Utah Board of Higher Education or an institution. See Utah Code 53B-28-501
- Minor: means a person younger than 18 years old. See Utah Code 53B-28-501
- Person: means :(24)(a) an individual;(24)(b) an association;(24)(c) an institution;(24)(d) a corporation;(24)(e) a company;(24)(f) a trust;(24)(g) a limited liability company;(24)(h) a partnership;(24)(i) a political subdivision;(24)(j) a government office, department, division, bureau, or other body of government; and(24)(k) any other organization or entity. See Utah Code 68-3-12.5
- Personally identifiable student data: includes :
(9)(b)(i) a student's first and last name;(9)(b)(ii) the first and last name of a student's family member;(9)(b)(iii) a student's or a student's family's home or physical address;(9)(b)(iv) a student's email address or other online contact information;(9)(b)(v) a student's telephone number;(9)(b)(vi) a student's social security number;(9)(b)(vii) a student's biometric identifier;(9)(b)(viii) a student's health or disability data;(9)(b)(ix) a student's education entity student identification number;(9)(b)(x) a student's social media user name and password or alias;(9)(b)(xi) if associated with personally identifiable student data, the student's persistent identifier, including:(9)(b)(xi)(A) a customer number held in a cookie; or(9)(b)(xi)(B) a processor serial number;(9)(b)(xii) a combination of a student's last name or photograph with other information that together permits a person to contact the student online;(9)(b)(xiii) information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and(9)(b)(xiv) information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. See Utah Code 53B-28-501- Student: means an individual enrolled in an institution. See Utah Code 53B-28-501
- Student data: means information about a student at the individual student level. See Utah Code 53B-28-501
- Third-party contractor: means a person who:
(13)(a) is not an institution or an employee of an institution; and(13)(b) pursuant to a contract with an education entity, collects or receives student data in order to provide a product or service, as described in the contract, if the product or service is not related to school photography, yearbooks, graduation announcements, or a similar product or service. See Utah Code 53B-28-501- Writing: includes :
(48)(a) printing;(48)(b) handwriting; and(48)(c) information stored in an electronic or other medium if the information is retrievable in a perceivable format. See Utah Code 68-3-12.5(2) When contracting with a third-party contractor on or after January 1, 2024, an education entity, or a government agency contracting on behalf of an education entity, shall:(2)(a) ensure that the contract terms comply with the standards the board establishes under Subsection 53B-28-502(5); and(2)(b) require the following provisions in the contract:(2)(b)(i) requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and board rule;(2)(b)(ii) a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data;(2)(b)(iii) provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor;(2)(b)(iv) except as provided in Subsection (4) and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and(2)(b)(v) an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity’s designee may audit the third-party contractor to verify compliance with the contract.(3) As authorized by law or court order, a third-party contractor shall share student data as requested by law enforcement.(4) A third-party contractor may:(4)(a) use student data for adaptive learning or customized student learning purposes;(4)(b) market an educational application or product to a student if the third-party contractor does not use student data, shared by or collected on behalf of an education entity, to market the educational application or product;(4)(c) use a recommendation engine to recommend to a student:(4)(c)(i) content that relates to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party; or(4)(c)(ii) services that relate to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party;(4)(d) respond to a student request for information or feedback, if the content of the response is not motivated by payment or other consideration from another party;(4)(e) use student data to allow or improve operability and functionality of the third-party contractor’s application; or(4)(f) identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria:(4)(f)(i) regardless of whether the identified nonprofit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor; and(4)(f)(ii) only if the third-party contractor obtains authorization in writing from:(4)(f)(ii)(A) the student’s parent, if the student is a minor; or(4)(f)(ii)(B) the student.(5) At the completion of a contract with an education entity, if the contract has not been renewed, a third-party contractor shall return or delete upon the education entity’s request all personally identifiable student data under the control of the education entity unless a student or a minor student’s parent consents to the maintenance of the personally identifiable student data.(6)(6)(a) A third-party contractor may not:(6)(a)(i) except as provided in Subsection (6)(b), sell student data;(6)(a)(ii) collect, use, or share student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor’s contract with the education entity; or(6)(a)(iii) use student data for targeted advertising.(6)(b) A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section.(7) The provisions of this section do not:(7)(a) apply to the use of a general audience application, including the access of a general audience application with login credentials created by a third-party contractor’s application;(7)(b) apply if the student data is shared in accordance with the education entity’s directory information policy, as described in 34 C.F.R. § 99.37;(7)(c) apply to the providing of Internet service; or(7)(d) impose a duty on a provider of an interactive computer service, as defined in 47 U.S.C. § 230, to review or enforce compliance with this section.(8) A provision of this section that relates to a student’s student data does not apply to a third-party contractor if the education entity or third-party contractor obtains authorization from the following individual, in writing, to waive that provision:(8)(a) the student’s parent, if the student is a minor; or(8)(b) the student. - Personally identifiable student data: includes :