Data Governance Plan

What is a Data Governance Plan?

 

A Data Governance Plan is a comprehensive plan that covers many topics, all of which address protecting student data.  A Data Governance Plan is often not a single policy, but rather a combination of policies and procedures that together help protect student data. 

Your Data Governance Plan should, at minimum, addresses the following topics: 

• • Element 1: Maintaining and protecting student data
  • Element 2: Roles and responsibilities of data governance staff members
  • Element 3: Training and support 
  • Element 4: Auditing
  • Element 5: Sharing student data
  • Element 6: Data expungement process
  • Element 7: Data breach response process

 

Instructions & Requirements

 

Follow the instructions below to create or update your Data Governance Plan.

 

Gather up the right people to review or construct your Data Governance Plan.

Your data governance plan is a compilation of policies and procedures.  Some parts of the plan will be quite technical on one topic, and other parts quite technical on another topic.  Consider involving the following folks when reviewing or constructing your Data Governance Plan: 

• • The person who oversees writing policies in your LEA
  • Your cybersecurity expert
  • LEA's designated Data Manager

 

Look through your LEA's current policies to find overlap with the elements required in the Data Governance Plan. 

Because a data governance plan spans so many topics, there's a good chance your LEA will already have policies that address some of the information that will be contained in your Data Governance Plan.  We recommend looking through your existing policies prior to creating or updating your Data Governance Plan.  Otherwise, you might end up with multiple policies regarding the same topic--and possibly even policies that contain conflicting information.  

 

Decide how you will structure your Data Governance Plan.

Your Data Governance Plan will cover a variety of topics for a variety of audiences, so it might make sense to divide the plan up into multiple policies.  Or, you can bundle all the necessary policies together into a single "Data Governance Plan" policy. What's important is having the policies and procedures in place that keep student data safe; we recommend that you organize those policies and procedures according to the organization method your LEA is already using.

 

Create or update your policy and procedures on Element 1: Maintaining and protecting student data. 53E-9-301(6)(a) Links to an external site.

• In this element you will outline your policies and procedures for maintaining and protecting student data. This element might primarily contain IT operations and cybersecurity policies and procedures, but could include other information as well, such as policy and process on storing hard copies of student records.

• This element could be a completely separate policy or it may be best practices incorporated into specific policies (e.g., your data-sharing policy may include data protection controls).

• This element likely should incorporate the CIS Controls Links to an external site. or another cybersecurity framework.

• For security reasons, you likely should not include detailed information about your security posture in your policies or procedures (e.g., not state what day you patch software) since it could give attackers an advantage.

 

Create or update your policy and procedures on Element 2: Roles and responsibilities of data governance staff members. 53E-9-301(6)(b) Links to an external site.

• For this element, you will outline the roles and responsibilities of any individuals in your LEA who are responsible for overseeing policies in your data governance plan. This likely will include your LEA's Data Manager and Information Security Officer, though it may include others.   

• This element could be a completely separate policy that discusses roles in general, or it could be incorporated into specific policies (e.g., your data-sharing policy may describe the data manager’s specific role).

 

Create or update your policy and procedures on Element 3: Training and support. 53E-9-301(6)(c) Links to an external site.

• For this element you will describe your LEA's policy and procedures for employee training and support regarding student data privacy and protection. 

• This element could be a completely separate policy that discusses training in general, or it could be incorporated into specific policies (e.g., your data sharing policy may describe staff training requirements, whereas your data breach response policy may include tabletop or other training activities).

• In version 8, CIS Control 14 includes several security topics that staff should be trained on.

• Utah Law ( 53E-9-202 Links to an external site. , 204 Links to an external site. ) and Utah Board Rule ( R277-487 Links to an external site. ) state two distinct training requirements for employees.  This can be confusing because the topics of the two trainings seem very similar, and yet the requirements for how frequently each training must occur is different. Here's some more information about the two requirements: 

  • • 53E-9-204(3) Links to an external site. says that "each school employee who the public school authorizes...to have access to an education record" must receive training on "student privacy laws." USBE interprets this to mean training on FERPA (federal law), Student Data Protection Act (Utah law), PPRA (federal law), and UT FERPA (Utah law). The law does not state how frequently the training must occur.

    • R277-487(3)(8) Links to an external site. says that "any employee with access to education records" must receive training on "confidentiality of student data;" specifically, employees' obligation not to disclose or transmit information to unauthorized parties. The rule says that the training must be completed annually. 

 

Create or update your policy(s) and procedures on Element 4: Auditing. 53E-9-301(6)(c) Links to an external site.

• 53E-9-301(6)(c) Links to an external site.  requires your data governance plan to incorporate “necessary auditing”; however, neither law nor board rule specifies that any audits are required in conjunction with data protection.

• This element could be a completely separate policy that discusses auditing in general, or it could be incorporated into specific policies (e.g., your data-sharing policy may describe how you will monitor that policies are being followed).

• This element could also include seeking out external security audits (from UEN, for example), and/or your LEA conducting an audit of a third-party contractor (53E-9-309(2) Links to an external site.).

 

Create or update your policy(s) and procedures on Element 5: Sharing student data. 53E-9-301(6)(d) Links to an external site.

For this element, you'll describe your LEA's policies and procedures on sharing student data, both internally and externally.  You should include information about the who, what, and how of different types of data sharing.  Your policy on sharing student data will need to conform to FERPA (specifically 34 CFR 99, Subpart D Links to an external site.) and 53E-9-308 Links to an external site. of the Student Data Protection Act.

Create or update your policy and procedures on Element 6: Data expungement process. 53E-9-301(6)(e) Links to an external site.

• In this element you will state and describe your policy and procedures for expunging records, including how parents request records to be expunged, how you respond to those requests, and holding hearings.  This policy should conform to 53E-9-306 Links to an external site. , R277-487-4(5)-(7) Links to an external site. , and 34 CFR Part 99, Subpart C Links to an external site. .

• IMPORTANT: Board Rule was updated in 2018 to clarify the expungement process to be more in line with FERPA. The change included removing the 24-year-old rule. If it's been a while since you updated your policy that addresses expungement, you might want to check to make sure it's current. The 2019 Data Governance Plan Model Document contains up-to-date wording regarding data expungement (see the "Model documents" section of this page).

 

Create or update your policy and procedures on Element 7: Data breach response process. 53E-9-301(6)(f) Links to an external site., 53E-9-304 Links to an external site., R277-487-3 Links to an external site.

• In this element, you will create policies and procedures outlining how you will respond to a data breach in your LEA.  Your response process should include information about what should be done, when, how, by whom, and to whom.   The following is a resource you can use to help you develop your data breach response process if you’d like: Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. Links to an external site.

• Utah Board Rule outlines two specific reporting obligations for LEAs if they experience a significant data breach. Make sure your policy and procedures include these reporting obligations:

  • • In the event of a significant data breach, the LEA will notify (a) the student, or (b) the student’s parent, if the student is not an adult student. (R277-487-3(3) Links to an external site.)
    • In the event of a significant data breach, the LEA will report the breach to USBE within 10 business days of the initial discovery. (R277-487-3(3) Links to an external site.)

• For security reasons, you may or may not want to publicly post the procedures that accompany your data breach response process policy.

 

Get the Data Governance Plan and/or the relevant policies approved by your school board.

In some LEAs, only policies need to be approved by the school board, while the procedures that accompany those policies do not.  In other LEAs both policies and their accompanying procedures need to go through school board approval.  Check with the person who oversees policy writing and approval for your LEA to see exactly what will need to be approved.

 

Post the Data Governance Plan and/or the relevant policies on your LEA website.

• Your data governance plan and/or the relevant policies are required to be posted on your LEA's website and easily located by the general public. (53E-9-301(6)(g) Links to an external site.)

• For security reasons, you may or may not want to publicly post the procedures that accompany your policies related to cybersecurity and data protection.

 

2024-25 Privacy Compliance Review

 

Will our LEA need to submit a Data Governance Plan in the 2024-2025 Privacy Compliance Review?

• We encourage you to review your agency's Data Governance Plans to ensure information is current and accurate.
• All LEAs will submit this notice this year.
• Since one requirement of this document is that it is posted publicly on your website, you will be asked to provide a link to the document.

 

Are the 2024-2025 Data Governance Plan requirements the same as last year's requirements?

Yes, the requirements are the same as last year.

 

How and when will the Data Governance Plan be submitted?

If your LEA is required to submit your Data Governance Plan, the primary data manager will submit the plan and/or relevant policies in the Privacy Compliance Survey.** A link to the survey will be sent via email to the primary data manager of each LEA in October 2024. 

In the survey, the data manager will paste a link to the page(s) on your LEA website that either displays or links to your Data Governance Plan and/or relevant policies.

 

*You can see your 2023-24 status for Data Governance Plan on your most recent Privacy Compliance Report. Contact John Lyman, or Nicole Sanchez if you need a new copy of your report. 

**See the Annual Privacy Compliance Review page for more information about the Privacy Compliance Survey.

Resources

 

Model document

Model documents are meant to cover the minimum requirements stated in Utah law.  Please go through and discuss with your administration what you may need to change in order to fit your specific needs.

Document	Author	Notes
Data Governance Plan Model Document (2019) Links to an external site.	USBE	Use this model document if you want to combine all the required components of the Data Governance Plan into a single policy (see Step 3 in the Instructions & Requirements section above). If you want to split your Data Governance Plan into multiple policies, feel free to use pieces of the text contained in the model document.

  

Other resources

Resource	Author	Notes
CIS Controls v7.1 Links to an external site.	Center for Internet Security (CIS)	Example of a cybersecurity framework your LEA might choose to adopt as a part of your Data Governance Plan.
CIS Controls v8 Links to an external site.	Center for Internet Security (CIS)	IMPORTANT: In May 2021, the Center for Internet Security (CIS) published version 8 of the CIS Controls If you have been using the CIS Controls as the cybersecurity framework for your LEA, you could take a look at the new controls and decide if you want to make any changes to your current policies and procedures.
NIST.gov - Cybersecurity Framework Links to an external site.	National Institute of Standards and Technology (NIST)	Example of a cybersecurity framework your LEA might choose to adopt as a part of your Data Governance Plan.
Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology Links to an external site.	National Institute of Standards and Technology (NIST)	Possible resource for developing the Data Breach Response Process element of your Data Governance Plan.

Legal References

 

• 34 CFR Subpart C - What Are the Procedures for Amending Education Records? Links to an external site. (Code of Federal Regulations)
• 34 CFR Subpart D - May an Educational Agency or Institution Disclose Personally Identifiable Information From Education Records? Links to an external site. (Code of Federal Regulations)
• 53E-9-202. Application of state and federal law to the administration and operation of public schools -- Local school board and charter school governing board policies. Links to an external site. (Utah FERPA)
• 53E-9-203. Activities prohibited without prior written consent -- Validity of consent -- Qualifications -- Training on implementation. Links to an external site. (Utah FERPA)
• 53E-9-204. Access to education records -- Training requirement -- Certification. Links to an external site. (Utah FERPA)
• 53E-9-301. Definitions. Links to an external site. (Utah's Student Data Protection Act)
• 53E-9-304. Student data ownership and access -- Notification in case of significant data breach. Links to an external site. (Utah's Student Data Protection Act)
• 53E-9-306.  Using and expunging student data -- Rulemaking -- Disciplinary records. Links to an external site. (Utah's Student Data Protection Act)
• 53E-9-308.  Sharing student data -- Prohibition -- Requirements for student data manager -- Authorized student data sharing. Links to an external site. (Utah's Student Data Protection Act)
• 53E-9-309.  Third-party contractors Links to an external site.. (Utah's Student Data Protection Act)
• R277-487: Public School Data Confidentiality and Disclosure Links to an external site. (Utah Board Rule)