(1) By November 15 annually, each LEA shall provide the Superintendent with the following information:
- (a) the name and contact information for the LEA's designated data manager and information security officer.
(b) evidence that the LEA has implemented:
(i) privacy requirements outlined in:
- (A) Title 53E, Chapter 9, Part 2, Student Privacy;
- (B) Title 53E, Chapter 9, Part 3, Student Data Protection;
- (C) Title 63A, Chapter 19, Government Data Privacy Act;
- (D) FERPA; and
- (E) 20 U.S.C. 1232b, Protection of Pupil Rights Amendment; and
- (ii) other privacy practices identified by the Superintendent; and
- (iii) a cybersecurity framework.
(2) An LEA shall ensure that school enrollment verification data, student performance data, and personally identifiable student data are collected, maintained, and transmitted:
- (a) in a secure manner; and
- (b) consistent with sound data collection and storage procedures based on the LEA's cyber security framework.
- (3) An LEA shall report all significant data breaches of student data either by the LEA or by third parties to the Superintendent within ten business days of the initial discovery of the significant data breach.
- (4) All public education employees, aides, and volunteers shall maintain appropriate confidentiality pursuant to federal, state, local laws, and LEA policies created in accordance with this section, with regard to student performance data and personally identifiable student data.
(5) An employee, aide, or volunteer may not share, disclose, or disseminate passwords for electronic maintenance of:
- (a) student performance data; or
- (b) personally identifiable student data.
- (6) A public education employee licensed under Section 53E-6-201 may only access or use student information and records if the public education employee accesses the student information or records consistent with the educator's obligations under Rule R277-217.
- (7) The Board may discipline a licensed educator in accordance with licensing discipline procedures if the educator violates this Rule R277-487.
- (8) In accordance with the LEA's data governance plan, each LEA shall annually provide a training regarding the confidentiality of student data to any employee with access to education records as defined in FERPA.
KEY: students, records, confidentiality, privacy
Date of Last Change: July 8, 2025
Notice of Continuation: May 10, 2024
Authorizing, and Implemented or Interpreted Law: Art X Sec 3; 53E-9-302; 53E-3-401; 53G-11-511