- (1) A third-party contractor shall protect student personally identifiable information against unauthorized access and redisclosure, both physical and digital.
- (2) A third-party contractor shall have policies in place that follow reasonably industry best practices and adequately address the protection of student personally identifiable information.
- (3) A third-party contractor shall develop and document an information security program.
- (4) A third-party contract shall inform an LEA or the Superintendent of the precautions taken regarding the maintenance and protection of student personally identifiable information.
(5) For the purposes of meeting the audit requirements of a contract subject to Subsection 53E-9-309(2)(e), a third-party contractor may:
- (a) provide an LEA or the Superintendent a self-assessment of their compliance with the contract and the effectiveness of the information security program described in Subsection (3);
- (b) provide responses to a questionnaire provided by the LEA or Superintendent;
- (c) provide a report of an industry-recognized privacy and security audit, such as an SOC2 or SOC3; or
- (d) submit to an onsite audit, if agreed upon by the third-party contract and the LEA or Superintendent.
KEY: students, records, confidentiality, privacy
Date of Last Change: July 8, 2025
Notice of Continuation: May 10, 2024
Authorizing, and Implemented or Interpreted Law: Art X Sec 3; 53E-9-302; 53E-3-401; 53G-11-511