Utah

Utah Student Data Privacy

Requires Signed Agreement

Utah requires strong contract-based controls for third-party contractors that receive personally identifiable student data under Utah Code 53E-9-309.

Utah Student Privacy and Data Protection Guide

Primary Law
Student Privacy and Data Protection - third-party contractor requirements for personally identifiable student data

Citation
Utah Code Title 53E, Chapter 9, Part 3 (Student Data Protection), notably 53E-9-309

Official Text
https://le.utah.gov/xcode/Title53E/Chapter9/C53E-9-S309_2020051220200512.pdf

Overview

Utah has a dedicated student privacy framework that addresses how student data is collected, used, shared, and safeguarded. A key compliance element is how Utah regulates third-party contractors that receive personally identifiable student data under a contract with a public education entity.

For districts, the operational takeaway is clear: when a vendor will receive student PII, districts should use signed agreements that define permitted use, prohibit unauthorized redisclosure, and require appropriate security and data lifecycle controls.

Applicability and Scope

Utah's student data protection requirements are most relevant when:

  • A district contracts with a vendor that receives or processes personally identifiable student data
  • Tools integrate with district systems (SIS, identity providers, learning platforms) and receive roster or student performance data
  • Districts need a consistent process to review, approve, and monitor edtech vendors

Third-Party Contractor Requirements

Utah's framework establishes expectations for contractors that receive student PII under a contract, including purpose limitation and protections against misuse or unauthorized disclosure. Districts should ensure vendor terms match actual data flows and that subcontractors are controlled.

Security and Data Lifecycle Controls

Districts should verify that vendors have reasonable safeguards appropriate to the sensitivity of student data, and that districts can request deletion or data return when the relationship ends or when data is no longer needed.

How Can EdPrivacy Help Utah Schools

Utah's framework is easiest to implement when districts can consistently document which vendors receive student PII, what contract terms apply, and what security and data lifecycle controls are in place. EdPrivacy helps districts centralize approvals and vendor artifacts so oversight remains consistent across many tools.

The platform helps districts:

  • Track which tools and integrations receive personally identifiable student data
  • Store signed DPAs/contracts, privacy terms, and security documentation in one place
  • Document approval conditions (purpose limitation, disclosure controls, retention and deletion expectations)
  • Monitor vendor changes and schedule periodic re-review

Summary

Utah districts should be prepared to:

  • Use signed vendor agreements whenever student PII is shared with a third-party contractor
  • Confirm vendors are limited to school purposes and do not misuse or redisclose student data
  • Verify security safeguards and clear data lifecycle controls
  • Maintain consistent documentation and monitoring across the district's edtech ecosystem

Utah Code 53E-9-309 supports a contract-driven approach that makes signed agreements and enforceable safeguards central to protecting student data.