Ecosystems/Utah

🏔️

Utah

Student Data Privacy Team

Utah State Board of Education

SDPC MemberUpdated: 2026-02

📧 privacy@schools.utah.gov 📞 (801) 538-7500 🌐 Official Website

📋

Check your state's current vendor registry listing

Search vendor and product DPAs by company, product, or district from the SDPC registry.

Search agreements →

700,000+

Students Protected

157 districts and charters+

Districts & Charters

5,406

Vendor Agreements

—

Days Left

SB 267 Enforcement: July 1, 2026

Utah LEAs must evaluate edtech products for addictive design, data practices, and academic effectiveness before adoption. Districts with expired DPAs face immediate compliance gaps.

Start IAMSAFE Evaluation Check Your DPAs

⚖️ Legal Framework

Federal Laws

Family Educational Rights and Privacy Act (FERPA)

20 U.S.C. § 1232g

Federal law protecting the privacy of student education records. Gives parents certain rights with respect to their children's education records.

Learn more →

Protection of Pupil Rights Amendment (PPRA)

20 U.S.C. § 1232h

Federal law that affords parents certain rights regarding surveys, collection and use of information for marketing purposes, and certain physical exams.

Learn more →

State Laws

Student Privacy Act

Utah Code 53E-9-2

Foundational state law establishing student privacy protections.

View full text →

Student Data Protection Act

Utah Code 53E-9-3

Primary state law governing student data protection requirements and responsibilities.

• Requires each district and charter to designate a "student data manager" (53E-9-303)
• Details responsibilities of data managers (53E-9-308)
• Establishes Utah's statutory right to audit vendor data practices (53E-9-309)

View full text →

Public School Data Confidentiality and Disclosure

Board Rule R277-487

Utah State Board of Education rule governing how schools handle student data.

• Cybersecurity framework implementation
• Data confidentiality and disclosure protocols
• Compliance oversight standards

View full text →

SB 267 — Student Digital Safety Amendments

Utah SB 267 (2025)

Requires LEAs to evaluate edtech products for addictive design, data practices, and academic effectiveness before adoption. Enforcement begins July 1, 2026.

• LEAs must evaluate apps for addictive design features before allowing use
• Requires assessment of data collection practices beyond DPA scope
• Academic effectiveness evaluation required for edtech procurement
• Enforcement deadline: July 1, 2026 — 130 days from now

View full text →

Government Data Privacy Act

Utah Code 63A-19

Broader state law governing government data privacy, including educational entities.

View full text →

Personal Privacy for Employee

Utah Code 53G-10-207

Protects privacy of school employee personal information.

View full text →

👥 Key Roles

Data Manager

Utah Code 53E-9-303

Required

Responsibilities:

• Serving as the primary contact for USBE's student data privacy team
• Completing annual compliance checks, including the Privacy Practices Benchmark
• Overseeing privacy practices in your LEA (policies, DPAs, data sharing)
• Collaborating with the information security officer
+1 more...

First Steps:

1. Sign up for the Student Data Privacy newsletter
2. Schedule one-hour onboarding meeting with USBE specialist
3. Complete Data Manager Course on Canvas

Information Security Officer (ISO)

Recommended

Responsibilities:

• Serving as the primary cybersecurity contact for USBE's Student Data Privacy Team
• Completing annual compliance checks, including cybersecurity components of Privacy Practices Benchmark
• Overseeing implementation of a cybersecurity framework (per Board Rule R277-487)
• Collaborating with data manager to respond to data incidents and breaches
+1 more...

First Steps:

1. Sign up for Student Data Privacy newsletter
2. Familiarize with cybersecurity framework your LEA has adopted
3. Attend conferences and professional learning opportunities

Appointed Records Officer (ARO)

Required

Responsibilities:

• Establish and enforce protocols for controlling access to student records
• Manage and maintain data retention policies
• Provide guidance and training to LEA staff on record management
• Act as liaison between LEAs, parents, and state authorities
+1 more...

First Steps:

1. Complete Records Officer Certification Course
2. Review Educational Retention Schedule
3. Familiarize with Quick Disposition Guide

📞 Key Contacts

Nicole Sanchez

Student Data Privacy Specialist

privacy@schools.utah.gov

Jeremy Zabriskie

Data Privacy and Security Specialist

privacy@schools.utah.gov

Maren Peterson

Local/State Agency RIM Specialist, Utah State Archives

marenpeterson@utah.gov (801) 531-3866

📚 Resources

📄 DPA Templates

National Data Privacy Agreement (NDPA) v2.2
Current standard template (released November 2025) with all exhibits. Used by SDPC member states nationwide.
National Research Student Data Privacy Agreement (NRDPA)
Template for research partnerships
Early Interactive Software Provider NDPA (EISP-NDPA)
Specialized template for early education software
A Vendor's Guide to Utah DPAs
Comprehensive guide explaining Utah requirements for vendors

📖 Guides

Data Manager Onboarding Slides
Presentation for new data managers
Privacy Principles One-pager
Quick reference for core privacy principles
Cyber Threats vs. Digital Threats One-pager
Understanding the difference between threat types
Data Breach Reporting and Notification Requirements
Step-by-step guide for breach response
2024 H.B. 182 Guidance for LEA Leaders on Student Surveys
Legislative guidance on survey compliance

🎓 Training

Data Privacy Basics
Foundation course for all staff
Handling Employee Data
Privacy training for HR and administrative staff
Office Staff Training
Privacy training for front office personnel
Sharing Data with Law Enforcement
Guidelines for legal data disclosure requests
2025 Annual Privacy Practices Benchmark Webinar
Annual compliance training

🔧 Tools

Utah Vendor Agreement Registry
Searchable database of 1,200+ vendor and product agreements—DPAs, NDPA exhibits, and statewide contracts
Access →
IAMSAFE Framework
7-step edtech evaluation: Inventory, Appraise, Map, Score, Act, File, Evaluate. Designed for SB 267 compliance.
Access →
Academic Effectiveness Rubric
6-dimension, 5-star scoring system aligned to ESSA evidence tiers. Evaluates pedagogy, engagement, accessibility, data practices, addictive design, and equity.
Access →
USPA Application Menu
Google Sheet tracking approved apps statewide
Utah DPA Negotiation Tracker Form
Submit new DPA negotiations
Utah DPA Negotiation Tracker Sheet
Dashboard of all ongoing negotiations
USBE Data Breach Reporting Form
Official form for reporting breaches to USBE

🔄 Workflows

Vendor Approval Workflow

Process for approving new educational technology vendors

1Request Received

→

2Check Registry

→

3Evaluate Status

→

4Vendor Signs

→

5Upload to Registry

→

6Approve

Data Breach Response Workflow

Process for responding to data security incidents

1Incident Discovered

→

2ISO Notifies

→

3Assess Impact

→

4Report to USBE

→

5Report to Cyber Center

→

6Notify Affected

→

7Document & Remediate

→

8Follow-up Review

Annual Compliance Workflow

Annual Privacy Practices Benchmark submission process

1Announcement

→

2Data Manager Survey

→

3ISO Components

→

4Submit

→

5Address Gaps

→

6Document

GRAMA Request Workflow

Process for handling public records requests

1Request Received

→

2ARO Review

→

3Classify Records

→

4Legal Consult

→

5Prepare Records

→

6Redact

→

7Respond

→

8Document

✅ Compliance Requirements

● Mandatory Designations

✓ Data Manager (Utah Code 53E-9-303) - REQUIRED
✓ Information Security Officer - REQUESTED
✓ Appointed Records Officer - REQUIRED (Annual certification)

● Annual Requirements

✓ Privacy Practices Benchmark submission
✓ Cybersecurity framework compliance review
✓ Records Officer recertification
✓ Privacy policy updates
✓ Staff training completion

● Ongoing Requirements

✓ DPA management with all vendors accessing student data
✓ SB 267 edtech product evaluations (effective July 1, 2026)
✓ Data breach reporting (within required timelines)
✓ GRAMA request responses
✓ Participation in USPA
✓ Newsletter subscription and monitoring

Ready to validate your knowledge?

Take the ABYA Privacy & AI Governance Certification to demonstrate your district's compliance readiness.

Start certification →

Utah

Check your state's current vendor registry listing

SB 267 Enforcement: July 1, 2026

⚖️ Legal Framework

Federal Laws

Family Educational Rights and Privacy Act (FERPA)

Protection of Pupil Rights Amendment (PPRA)

State Laws

Student Privacy Act

Student Data Protection Act

Public School Data Confidentiality and Disclosure

SB 267 — Student Digital Safety Amendments

Government Data Privacy Act

Personal Privacy for Employee

👥 Key Roles

Data Manager

Responsibilities:

First Steps:

Information Security Officer (ISO)

Responsibilities:

First Steps:

Appointed Records Officer (ARO)

Responsibilities:

First Steps:

📞 Key Contacts

Nicole Sanchez

Jeremy Zabriskie

Maren Peterson

📚 Resources

📄 DPA Templates

National Data Privacy Agreement (NDPA) v2.2

National Research Student Data Privacy Agreement (NRDPA)

Early Interactive Software Provider NDPA (EISP-NDPA)

A Vendor's Guide to Utah DPAs

📖 Guides

Data Manager Onboarding Slides

Privacy Principles One-pager

Cyber Threats vs. Digital Threats One-pager

Data Breach Reporting and Notification Requirements

2024 H.B. 182 Guidance for LEA Leaders on Student Surveys

🎓 Training

Data Privacy Basics

Handling Employee Data

Office Staff Training

Sharing Data with Law Enforcement

2025 Annual Privacy Practices Benchmark Webinar

🔧 Tools

Utah Vendor Agreement Registry

IAMSAFE Framework

Academic Effectiveness Rubric

USPA Application Menu

Utah DPA Negotiation Tracker Form

Utah DPA Negotiation Tracker Sheet

USBE Data Breach Reporting Form

🔄 Workflows

Vendor Approval Workflow

Data Breach Response Workflow

Annual Compliance Workflow

GRAMA Request Workflow

✅ Compliance Requirements

● Mandatory Designations

● Annual Requirements

● Ongoing Requirements

Ready to validate your knowledge?