This legal compliance guide provides a brief overview of the laws of the state of Idaho addressing privacy and security of student data.
As a provider of online services, Microsoft qualifies as a private vendor under Idaho law.
Under Idaho Code Ann. § 33-133, all school districts, primary schools, secondary schools, and other similar institutions entering into contracts that govern databases, online services, assessments, special education or instructional supports with private vendors shall include in each such contract a provision that private vendors are permitted to use aggregated data; or an individual student’s data for secondary uses, but only if the vendor discloses in clear detail the secondary uses and receives written permission from the student’s parent or legal guardian.
The contract shall also include either of the following:
(1) a prohibition on any secondary uses of student data by the private vendor including, but not limited to, sales, marketing or advertising, but permitting the private vendor to process or monitor such data solely to provide and maintain the integrity of the service; or
(2) a requirement that the private vendor disclose in detail any secondary uses of student data including, but not limited to, sales, marketing or advertising, and the board shall obtain express parental consent for those secondary uses prior to deployment of the private vendor’s services under the contract.
The state board of education and the state department of education shall ensure that any and all private vendors employed or otherwise engaged by the board or the department shall comply with these provisions.
Microsoft’s standard Online Services Data Protection Addendum (“DPA”) sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services.