Delaware Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Delaware addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Delaware’s Student Data Privacy Protection Act is codified at 14 Del. C. §§ 8101A–8106A.  As an entity that provides online and cloud computing services, Microsoft is an “operator” within the meaning of the Act. 

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by Delaware’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies the provisions of Delaware law that apply to operators such as Microsoft, and the relevant provision(s) of Microsoft’s DPA that address Microsoft’s compliance with each requirement.

| Delaware Law Provision | Compliant Microsoft Provision(s) |
| --- | --- |
| 14 Del. C. § 8104A(1): Operator’s duty to implement and maintain reasonable security procedures and practices | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures |
| 14 Del. C. § 8104A(2): Deletion of a student’s data within a reasonable timeframe not to exceed 45 calendar days from request | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |
| 14 Del. C. § 8105A(1): Targeted advertising based on student data | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| 14 Del. C. § 8105A(2): Use of information to amass a profile about a student | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| 14 Del. C. § 8105A(3): Selling student data | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| 14 Del. C. § 8105A(4): No disclosure of covered information unless based on defined exceptions | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data. See also Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations |
In addition to the provisions above, C.R.S. § 22-16-108 requires that each school service contract provider shall facilitate access to and correction of any factually inaccurate student personally identifiable information by a contracting local education provider in response to a request for correction that the local education provider receives and responds to in accordance with section 22-16-112(1)(c).  C.R.S. § 22-16-108(3).

Upon discovering the misuse or unauthorized release of student personally identifiable information held by the contract provider, a subcontractor of the contract provider, or a subsequent subcontractor, the contract provider shall notify the contracting public education entity as soon as possible, regardless of whether the misuse or unauthorized release is a result of a material breach of the terms of the contract.  C.R.S. § 22-16-108(4).