Utah Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Utah addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on third-party contractors by Utah’s statutory framework. The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services.

The reference chart below briefly identifies those provisions of Utah law that are applicable to Microsoft, and the relevant provision(s) from Microsoft’s DPA that address Microsoft’s compliance with each requirement.

| Utah Law Provision | Compliant Microsoft Provision(s) |
| --- | --- |
| Utah Code § 53E-9-309(1): Prohibition against use of student data for purposes other than providing the contracted product or service within the negotiated contract terms | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Utah Code § 53E-9-309(5): Deletion of a student’s data within a reasonable time | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |
| Utah Code § 53E-9-309(6)(a)(i): Selling a student’s data | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Utah Code § 53E-9-309(6)(a)(ii): Collection, use, or sharing of student data, if the collection, use, or sharing of the student data is inconsistent with the third-party contractor’s contract with the education entity | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Utah Code § 53E-9-309(6)(a)(iii): Use of student data for targeted advertising | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |

In addition to the provisions above, Utah Code § 53E-9-309(2) provides that, when contracting with a third-party contractor, an education entity, or a government agency contracting on behalf of an education entity, shall require the following provisions in the contract:

(a) requirements and restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor that are necessary for the education entity to ensure compliance with the provisions of this part and state board rule;

(b) a description of a person, or type of person, including an affiliate of the third-party contractor, with whom the third-party contractor may share student data;

(c) provisions that, at the request of the education entity, govern the deletion of the student data received by the third-party contractor;

(d) except as provided in Subsection (4) and if required by the education entity, provisions that prohibit the secondary use of personally identifiable student data by the third-party contractor; and

(e) an agreement by the third-party contractor that, at the request of the education entity that is a party to the contract, the education entity or the education entity’s designee may audit the third-party contractor to verify compliance with the contract.