Resources

Data Practices and Student Privacy

We have a variety of tools and resources to assist families. Here you’ll find school policy documents, and other helpful references to return to throughout the school year.

Tiffany Allen
tallen@utahvirtual.org
801.262.4922

Utah Virtual Academy (UTVA) collects student data that is necessary to provide its students with appropriate educational services and programs. The collected data is stored in the students’ cumulative record.

Collection, Use, and Sharing Student Data

The collection, use, and sharing of student data has both benefits and risks. Parents and students should review this information to learn about these benefits and risks to make informed decisions regarding this data.

Student data is collected by UTVA during the enrollment process and through the parent portal. All paper documents collected during this process is maintained in a fireproof, locked filing cabinet at the UTVA office. Student data is stored and secured in an individual student cumulative file, as well as within the UTVA online educational system.

In addition to data that is stored on site, critical online information is securely maintained by K12 and data backups occur daily. Data is backed up to a separate, disk-based storage system in a secure, geographically segregated data center for optimal protection. K12 also employs a data replication strategy and architecture. This data replication strategy is designed to help protect against data loss should the primary data center experience a catastrophic event requiring K12 to run system operations from our contingency data center.

Collecting Student Data—Prohibition—Student Data Disclosure Statement—Authorization

UTVA may collect necessary student data and maintain that data in a cumulative record from:

  • the student if the student is an adult student; or
  • the student’s parent if the student is not an adult student.

In accordance with state guidelines, UTVA will collect the student data listed below. All collected student data will be maintained in the student’s cumulative record:

  • Student Name
  • Birth Certificate US or Country of Origin/student’s age
  • Proof of Residence
  • Immunization record
  • Free and Reduce Lunch Status
  • School behavior record, including suspension and expulsion records (as appropriate)
  • Vision and Hearing Screenings
  • Special education program information (as appropriate), including:
    • an individualized education program;
    • a Section 504 accommodation plan; or
    • an English learner plans

In addition, accordance with state guidelines, UTVA will collect the following optional data, based on individual student need:

  • Official Immigration Documentation
  • U.S. citizenship official documentation
  • U.S. Passport
  • School Transcripts
  • Promotion, Grade Placement, and Retention History
  • Attendance history
  • High School course credit history
  • Report Cards
  • Academic testing results such as ACT, Diebels, SAGE, and interim assessments
  • Court Documents signed or stamped by a judge, magistrate, or deputy clerk
  • Court Orders
  • Proof of legal guardianship, per state guidelines
  • Department of Child Services Documentation
  • Children’s Health Information Red Pack (“CHIRP”) Form
  • Written statement signed by one parent or guardian that the child is an adherent of a religious denomination
  • English Language Learning needs
  • Medical and social developmental history, as necessary to ensure educational access and programming
  • Evaluation reports, such as cognitive and achievement data, as necessary to ensure educational access and programming

UTVA will not request or collect a student’s social security number or criminal record unless required by law.


Sharing Student Data—Prohibition—Requirements UTVA’s Data Manager

UTVA will not share a student’s personally identifiable student data if the personally identifiable student data is not shared in accordance with: the Family Education Rights and Privacy Act (FERPA) and related provisions under 20 U.S.C. Secs. 1232g and 1232h; and this policy.

The Data Manager will be responsible for the following and will serve as the primary point of contact questions about student data from students, parents and state officials.

  • UTVA’s Data Manager authorize and manage the sharing of personally identifiable student data from a cumulative record for UTVA.
  • UTVA’s Data Manager will not permit the sharing of student personally identifiable data from a cumulative record outside of the school without parent permission.
  • UTVA’s Data Manager may share the personally identifiable student data of a student with the student and the student’s parent if the student is under 18 years of age.
  • UTVA’s Data Manager may share a student’s personally identifiable student data from a cumulative record with:
  • a school official;
  • an authorized caseworker or other representative of the Utah Department of Human Services if;
    • (a) the Department of Human Services is:
      • (i) legally responsible for the care and protection of the student; or
      • (ii) providing services to the student;
    • (b) the student’s personally identifiable student data is not shared with a person who is not authorized:
      • (i) to address the student’s education needs; or
      • (ii) by the Department of Human Services to receive the student’s personally identifiable student data; and
    • (c) the Department of Human Services maintains and protects the student’s personally identifiable student data, or a person to whom UTVA has outsourced a service or function:
      • (i) that the education entity’s employees would typically perform; or
      • (ii) to research the effectiveness of a program’s implementation;
  • UTVA’s Data Manager may share personally identifiable student data in response to a subpoena issued by a court

UTVA’s Data Manager may share aggregate data:

  • If UTVA’s Data Manager receives a request to share data for the purpose of external research or evaluation. The student data manager shall:
    • submit the request to UTVA’s external research review process; and
    • fulfill the instructions that result from the review process.
  • UTVA’s Data Manager may not share personally identifiable student data for the purpose of external research or evaluation.

Aggregate data means data that:

  • are totaled and reported at the group, cohort, school, school district, region, or state level with at least 10 individuals in the level;
  • do not reveal personally identifiable student data; and
  • are collected in accordance with board rule.

Student Ownership of Their Own Data

A student owns the student’s personally identifiable student data and owns all rights to their personal data. Students and parents are responsible for their own collection, use, or sharing of their student data. A student may download, export, transfer, save, or maintain his or her student’s student data.

Notification in case of breach:

If there is a release of a student’s personally identifiable student data due to a UTVA security breach, UTVA will notify:

  • the student if the student is an adult student; or
  • the student’s parent or legal guardian if the student is not an adult student.

Biometric Identifier Information

UTVA has elected not to collect student biometric identifier information, at this time.

Compliance with Applicable Law

This policy is a good faith attempt to comply with all applicable laws. To the extent any provision of this policy does not comply with any applicable law, it is invalid to the extent to it does not comply with any applicable law.


Applications to conduct research involving students, parents or staff of Utah Virtual Academy (UTVA) must be approved in writing by the Head of School in conjunction with various administrators. While UTVA is committed to the advancement of educational research any project or research approved must be aligned and support UTVA’s Academic Plan. In addition, proposed research generally will not be approved during the time students are participating in state testing (April-June).

Research guidelines incorporated in this application are designed:

  • to protect staff and student time from unauthorized or excessive data collection.
  • to protect the confidentiality and safety of students, parents and staff.
  • to guarantee the integrity and quality of any research conducted in the school.
  • to ensure the school is complying with applicable laws and regulations governing student data privacy.

This policy applies to research studies which includes the systematic collection of any data about UTVA students, parents, and/or staff for developing descriptions, predictions, interventions or explanations relating to various aspects of education.

Research studies may include:

  • Projects/research that addresses critical educational needs of the district.
  • Grant-funded projects that have been subjected to peer review and have full-time faculty or professional evaluators supervising data collection and analysis.
  • Studies conducted by the district employees for the purpose of fulfilling advanced degree requirements.
  • Studies conducted by agencies that provide health and social services for children and families
  • Surveys for grant monies use evaluation

Approved research must not violate state and federal code related to privacy. In addition, it should not impose undue burden on school personnel, such as excessive surveys, testing and unreasonable time demands. In addition, no research by students at the undergraduate level will be approved.

The Application Process

The following instructions describe the forms/documentation that must be submitted for consideration of approval of external research. These should be submitted to: Meghan Merideth, Head of School, mmerideth@utahvirtual.org.

Each application must include the following elements:

  1. Name of the organization, institution or agency represented by investigator and or team.
  2. Other institutional review or human subject review boards involved (attach copies of current approval from all applicable approval sources).
  3. Names and titles of all researchers who will have contact with subjects and data.
  4. The proposal should include the following information:
    • Statement of the research questions, problem, or purpose.
    • The research/study time period.
    • A brief literature review including sources supporting the thesis of the research project.
    • Description of research design, sample data, data collection procedures and methods of analysis used.
    • If applicable, provide copies of any surveys, tests and questions that will be employed.
    • If applicable, provide copies of all necessary Informed Consent documents.
    • Data on how all the data will be secured, shared, and destroyed following the completion of the research.

The forms used for the study to obtain consent from parties from whom data will be collected must include descriptions of: (1) the individual(s) conducting the research including contact information, (2) the purpose of the study, (3) data collection procedures, (4) the study duration and time required of those participating in the study, (5) procedures to withdraw from the study with no penalty, (6) how the data will be utilized, (7) potential risks and benefits to the participants and (8) steps taken to ensure confidentiality of the study data and participants. In addition, these consent forms must include lines for participant’s signature and date of signature giving consent.

The last date for new research to be considered is 30 days prior to the end of the school year. However, UTVA reserves the right to extend the period should the need arise. Any research deadlines extensions must be submitted in writing to the HOS 30 days before expiration of existing research permission dates.

Review Process

Research requests will be assessed foremost for their value to UTVA and UTVA families. In addition, UTVA will assess the relative cost-benefit of the research to UTVA . Finally, the research design should be one from which valid conclusions can be drawn.

Prior to making the decision whether or not to approve the external research request, the Head of School will obtain feedback from the Administration team and other stakeholders, as appropriate, based on their knowledge of and concern with the proposed research including the researchers access to and use of student data.

The review process will take approximately four weeks to complete, but it could take longer. A final decision regarding the status of the application will be sent to the applicant in writing.

Research Conduct

UTVA holds the following expectations for external researchers:

  • The confidentiality of student records must be maintained, and the privacy and rights of individuals and schools respected.
  • While conducting research studies in the schools, individuals should abide by standards of professional conduct and dress.
  • The disruption of the school’s routine must be kept to a minimum.
  • Meetings and data collection should be scheduled far enough in advance to allow for adequate planning.
  • It is the obligation of the researcher to secure informed consent from parents/guardians.
  • The researcher(s) is/are responsible for absorbing all financial costs of conducting the study.
  • The researcher(s) must notify the Head of School regarding any proposed changes in the study. Such changes cannot proceed until the Head of School has approved them in writing.
  • No research will be approved unless the researcher agrees to provide UTVA a copy of the final research report. The researcher applicant must agree to release this report for use by UTVA and its service provider without limitation, approval, or remuneration.

Compliance with Applicable Law

This policy is a good faith attempt to comply with all applicable laws. To the extent any provision of this policy does not comply with any applicable law, it is invalid to the extent to it does not comply with any applicable law.”


The Metadata Dictionary is a required online portal by state law (the Student Data Protection Act, U.C.A §53E-9-301(14) and U.C.A §53E-9-303(b). The purpose of the Dictionary is to speak to questions of data privacy and ultimately to transparency—allowing parents and students to know what data is being collected and with whom it is being shared with. All student data that is sent to a third-party vendor must be catalogued on the Utah State Board of Education’s Metadata Dictionary. The Metadata Dictionary is open to the public and contains a list of approved online entities that UTVA has engaged in partnerships. The Metadata Dictionary can be found here.


Utah Virtual Academy (the “School”) collects student data for two main purposes: to comply with law and to improve students’ educational experience. Student data enables the School to participate in education programs and to qualify for education funds. Student data also helps the School to better plan and personalize classroom instruction, increase student and teacher performance, and make informed decisions.

Student data collected by the School includes data defined as necessary student data, optional student data, and personally identifiable student data (PII) in Utah Code § 53E-9-301. The School collects student data primarily through registration, but it also collects additional student data during the school year. The necessary, optional, and PII data collected by the School is listed in its Data Governance Plan, which is published on the School’s website. The School does not collect student social security numbers or, except as required in Utah Code § 78A-6-112, criminal records.

The School strives to not share PII unless the sharing is in accordance with Utah’s student privacy and data protection laws and the Family Educational Rights and Privacy Act (“FERPA”). Except as allowed by law, the School will not share PII externally without written consent. Some examples of where the School is allowed by law to share PII without written consent include sharing such data with an authorized caseworker or other representative of the Department of Human Services, in response to a valid subpoena, or to persons or entities qualifying as school officials under FERPA.

The School takes many measures to protect student data. Student data stored digitally is stored on computers and systems that are secured, maintained, and supported by qualified IT service providers. Confidential PII in print form is stored in secured, locked areas in the School.

A student’s rights under Utah Code § 53E-9-301 through 310 include:

  • Each student owns his or her PII. A student and his or her parent must be allowed to access such student data maintained by the School;
  • A student’s parent or guardian, or an adult student, has the right to be notified by the School if a significant data breach occurs at the School;
  • A prior student or parent of a prior student is entitled to have the prior student’s student data that is stored by the School expunged in accordance with State Board of Education rules; and
  • A student is entitled to receive a student data collection notice from the School prior to the School collecting necessary or optional student data of the student.

The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly.

Consent Form – Applicable to Students in Grades 9–12

The School requests written consent to share with the State Board of Regents the following student data of students in grades 9–12:

  • Name
  • Parent name;
  • Grade;
  • School; and
  • Contact information (primary phone number, email address, and physical address).

This student data would be used by the State Board of Regents strictly for the purpose of providing information and resources about higher education to students in grades 9–12 and to help such students enter the higher education system and remain until graduation.