Kansas Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Kansas addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Kansas’ Student Online Personal Protection Act is codified at K.S.A. 72-6331 through 72-6334.  As an entity that provides online services, Microsoft is an “operator” under the Act. 

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by Kansas’ statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Kansas law that are applicable to operators such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that addresses Microsoft’s compliance with that requirement.

Kansas Law ProvisionCompliant Microsoft Provision(s)
K.S.A. 72-6333(a)(1)
Targeted advertising based on information, including covered information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

K.S.A. 72-6333(a)(2)
Use of information to amass a profile about a student
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
K.S.A. 72-6333(a)(3)
Selling or renting a student’s information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
K.S.A. 72-6333(a)(4)
No disclosure of covered information unless based on defined exceptions
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data
See also Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations
K.S.A. 72-6333(b)(1)
Operator’s duty to implement and maintain reasonable security procedures and practices
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies
See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures
K.S.A. 72-6333(b)(2)
Deletion of a student’s covered information within a reasonable time
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion

In addition to the provisions above, Kansas’ Student Data Privacy Act (K.S.A. 72-6312 through 72-6320) provides that, in the event of a security breach or unauthorized disclosure of student data or personally identifiable information of any student, whether by a school district, the department, the state board of education, state agency, or other entity or third party given access to student data or personally identifiable information of any student, the school district, department, state board of education, state agency, or other entity or third party shall immediately notify each affected student, if an adult, or the parent or legal guardian of the student, if a minor, of the breach or unauthorized disclosure and investigate the causes and consequences of the breach or unauthorized disclosure.  K.S.A. 72-6318.