The following chart provides a brief overview of the laws of the state of Louisiana addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.
LA R.S. § 17:3914 is a Louisiana law designed to protect the privacy of students. It provides limitations and prohibitions on the collection and sharing of student information. Unlawful disclosure of personally identifiable student information is punishable by a fine of not more than ten thousand dollars or imprisonment for not more than three years, or both.
Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by Louisiana’s statutory framework. The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services.
The reference chart below briefly identifies those provisions of Louisiana law that are applicable to operators such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that addresses Microsoft’s compliance with that requirement.
|Louisiana Law Provision||Compliant Microsoft Provision(s)|
|R.S. § 17:3914(F)(3)|
Contractors may not allow access to, release, or allow the release of student information to any person or entity except as specified in the contract. No contractor shall use student information to conduct predictive modeling for the purpose of limiting the educational opportunities of students.
|Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data|
R.S. § 17:3914(J)(1)
No city, parish, or other local public school system, local or state governmental agency, public or private entity, or any person with access to personally identifiable student information shall sell, transfer, share, or process any student data for use in commercial advertising, or marketing, or any other commercial purpose, unless otherwise stipulated in a contract for services as provided in Subsection (F) of this Section.
|Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services|
In addition to the provisions above for which Microsoft Corporation is in compliance, LA R.S. § 17:3914(F)(3) requires that a contract include requirements regarding the protection of student information which, at a minimum, include provision for all of the following:
(a) Guidelines for authorizing access to computer systems on which student information is stored including guidelines for authentication of authorized access.
(b) Privacy compliance standards.
(c) Privacy and security audits performed under the direction of the local school superintendent.
(d) Breach planning, notification, and remediation procedures.
(e) Information storage, retention, and disposition policies.
(f) Disposal of all information from the servers of the contractor upon termination of the contract, unless otherwise directed by an applicable legal requirement or otherwise specified in the contract and subject to the privacy protection provisions of this Part. Upon termination of the contract, all information removed from the contractor’s servers shall be returned to the city, parish, or other local public school board.