District of Columbia Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the District of Columbia (“D.C.”) addressing privacy and security of student and teacher data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

As an entity that provides online services, Microsoft is an “operator” under D.C. law.  Operators must agree that personally identifiable student information provided to the operator by a student or educational institution to facilitate the use of the operator’s pre-k through 12 purposes website, service, or application is under the control of the local education agency.  D.C. Code Ann. § 38-831.02(a)(2).

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by D.C.’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of D.C. law that are applicable to operators such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that addresses Microsoft’s compliance with that requirement.

D.C. Law ProvisionCompliant Microsoft Provision(s)
D.C. Code § 38-831.02(a)(1)
Operator’s duty to implement and maintain reasonable security policies and procedures
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies

See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures

D.C. Code § 38-831.02(a)(3)
Deletion of personally identifiable student information within a reasonable time
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion
D.C. Code § 38-831.02(b)(1)(A)
Selling, renting, or trading personally identifiable student information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
D.C. Code § 38-831.02(b)(1)(B)
Targeted advertising based on personally identifiable student information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
D.C. Code § 38-831.02(b)(1)(C)
Use of personally identifiable student information to develop a profile about a student
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
D.C. Code § 38-831.02(b)(1)(D)
No disclosure of personally identifiable student information unless based on defined exceptions
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data

See also Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations