Montana Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Montana addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Montana’s Pupil Online Personal Information Protection Act addresses the privacy and security of student data.  As an entity that provides online services, Microsoft is an “operator” within the meaning of the Act. 

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by Montana’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Montana law that are applicable to operators such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that address Microsoft’s compliance with each requirement.

| Montana Law Provision | Compliant Microsoft Provision(s) |
| --- | --- |
| Mont. Code Ann. § 20-7-1325(1)(a): Targeted advertising based on information, including covered information | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Mont. Code Ann. § 20-7-1325(1)(b): Use of information to amass a profile about a student | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Mont. Code Ann. § 20-7-1325(1)(c): Selling a student’s information | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Mont. Code Ann. § 20-7-1325(1)(d): No disclosure of covered information unless based on defined exceptions | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data. See also Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations |
| Mont. Code Ann. § 20-7-1325(2)(a): Operator’s duty to implement and maintain reasonable security procedures and practices | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures |
| Mont. Code Ann. § 20-7-1325(2)(b): Deletion of a student’s covered information upon request | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |

In addition to the provisions above, Mont. Code Ann. § 20-7-1326(2) requires that all contracts with third parties to provide services[1] contain all of the following:

(a) a statement that pupil records continue to be the property of and under the control of the school district;

(b) notwithstanding subsection (2)(a), a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;

(c) a prohibition against the third party using any information in pupil records for any purpose other than those required or specifically permitted by the contract;

(d) a description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information;

(e) a description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records. Compliance with this requirement does not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of pupil records.

(f) a description of the procedures for notifying the affected parent, legal guardian, or pupil if 18 years of age or older in the event of an unauthorized disclosure of the pupil’s records;

(g) a certification that pupil records will not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced. This requirement does not apply to pupil-generated content if a pupil chooses to establish or maintain an account with the third party for the purpose of storing that content pursuant to subsection (2)(b).

(h) a description of how the school district and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (20 U.S.C. 1232g); and

(i) a prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising.

Pursuant to Mont. Code Ann. § 20-7-1326(3), in addition to any other penalties, a contract that fails to comply with the requirements above is void if, upon notice and a reasonable opportunity to cure, the noncompliant party fails to come into compliance and cure any defect. Written notice of noncompliance may be provided by any party to the contract. All parties subject to a contract voided shall return all pupil records in their possession to the school district.


[1] Including cloud-based services for the digital storage, management, and retrieval of pupil records; or digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records.