Kentucky Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the Commonwealth of Kentucky addressing privacy and security of student and teacher data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Microsoft is a “cloud computing service provider” under Kentucky law.  Under KRS 365.734(3), a cloud computing service provider that enters into an agreement to provide cloud computing services to an educational institution shall certify in writing to the educational institution that it will comply with the requirements of KRS 365.734(2) outlined below.

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on cloud computing service providers by Kentucky’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Kentucky law that are applicable to cloud computing service providers such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that address Microsoft’s compliance with each requirement.

Kentucky Law Provision | Compliant Microsoft Provision(s)

KRS 365.734(2)
A cloud computing service provider shall not process student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent. However, a cloud computing service provider may assist an educational institution to conduct educational research as permitted by the Family Educational Rights and Privacy Act of 1974, as amended, 20 U.S.C. sec. 1232g.
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

KRS 365.734(2)
A cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose.
Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services