US Lawyer Database

843-966-9603

Menu
Claim your profile

For Lawyer-Seekers

YOU DESERVE THE BEST LAWYER

Claim your profile

For Lawyer-Seekers

Menu

843-966-9603

Section 505 – Third-party contractors.

Home » US Law » 2022 Utah Code » Title 53B - State System of Higher Education » Chapter 28 - Student Rights and Responsibilities » Part 5 - Higher Education Student Data Protection » Section 505 – Third-party contractors.

Section 505 – Third-party contractors.

Section 505 – Third-party contractors.

Effective 7/1/2022
53B-28-505. Third-party contractors.

  • (1) A third-party contractor shall use personally identifiable student data received under a contract with an education entity strictly for the purpose of providing the contracted product or service within the negotiated contract terms.
  • (2) When contracting with a third-party contractor, an education entity, or a government agency contracting on behalf of an education entity, shall:
    • (a) ensure that the contract terms comply with the standards the board establishes under Subsection 53B-28-502(5); and
    • (b) require the following provisions in the contract:
      • (i) requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and board rule;
      • (ii) a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data;
      • (iii) provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor;
      • (iv) except as provided in Subsection (4) and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and
      • (v) an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity’s designee may audit the third-party contractor to verify compliance with the contract.
  • (3) As authorized by law or court order, a third-party contractor shall share student data as requested by law enforcement.
  • (4) A third-party contractor may:
    • (a) use student data for adaptive learning or customized student learning purposes;
    • (b) market an educational application or product to a student if the third-party contractor does not use student data, shared by or collected on behalf of an education entity, to market the educational application or product;
    • (c) use a recommendation engine to recommend to a student:
      • (i) content that relates to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party; or
      • (ii) services that relate to learning or employment, within the third-party contractor’s application, if the recommendation is not motivated by payment or other consideration from another party;
    • (d) respond to a student request for information or feedback, if the content of the response is not motivated by payment or other consideration from another party;
    • (e) use student data to allow or improve operability and functionality of the third-party contractor’s application; or
    • (f) identify for a student nonprofit institutions of higher education or scholarship providers that are seeking students who meet specific criteria:
      • (i) regardless of whether the identified nonprofit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor; and
      • (ii) only if the third-party contractor obtains authorization in writing from:
        • (A) the student’s parent, if the student is a minor; or
        • (B) the student.
  • (5) At the completion of a contract with an education entity, if the contract has not been renewed, a third-party contractor shall return or delete upon the education entity’s request all personally identifiable student data under the control of the education entity unless a student or a minor student’s parent consents to the maintenance of the personally identifiable student data.
  • (6)
    • (a) A third-party contractor may not:
      • (i) except as provided in Subsection (6)(b), sell student data;
      • (ii) collect, use, or share student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor’s contract with the education entity; or
      • (iii) use student data for targeted advertising.
    • (b) A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section.
  • (7) The provisions of this section do not:
    • (a) apply to the use of a general audience application, including the access of a general audience application with login credentials created by a third-party contractor’s application;
    • (b) apply if the student data is shared in accordance with the education entity’s directory information policy, as described in 34 C.F.R. Sec. 99.37;
    • (c) apply to the providing of Internet service; or
    • (d) impose a duty on a provider of an interactive computer service, as defined in 47 U.S.C. Sec. 230, to review or enforce compliance with this section.
  • (8) A provision of this section that relates to a student’s student data does not apply to a third-party contractor if the education entity or third-party contractor obtains authorization from the following individual, in writing, to waive that provision:
    • (a) the student’s parent, if the student is a minor; or
    • (b) the student.

Enacted by Chapter 461, 2022 General Session