Massachusetts Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the Commonwealth of Massachusetts addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

The Massachusetts Student Records Regulations protect the privacy and security of student records.  As an entity that provides online services, Microsoft may be a school principal’s or school superintendent’s “designee” within the meaning of the Regulations. 

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on designees by Massachusetts’ statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Massachusetts law that are applicable to designees such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that address Microsoft’s compliance with each requirement.

| Massachusetts Regulatory Provision | Compliant Microsoft Provision(s) |
| --- | --- |
| 603 Code Mass. Regs. § 23.05(1): The school principal or his/her designee shall be responsible for the privacy and security of all student records maintained in the school | Microsoft Online Services Data Protection Addendum -> Data Protection Terms; Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures |
| 603 Code Mass. Regs. § 23.05(2): The superintendent of schools or his/her designee shall be responsible for the privacy and security of all student records that are not under the supervision of a school principal, for example, former students’ transcripts stored in the school department’s central administrative offices or student records of school-age children with special needs who have not been enrolled in a public school | Microsoft Online Services Data Protection Addendum -> Data Protection Terms; Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures |