Nevada Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Nevada addressing privacy and security of student (or pupil) data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Nevada’s laws regarding the privacy of data concerning pupils is codified at NRS § 388.283, et seq.  As an entity that provides online services, Microsoft is a “school service provider” within the meaning of the statute. 

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on school service providers by Nevada’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Nevada law that are applicable to school service providers such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that addresses Microsoft’s compliance with that requirement.

Nevada Law ProvisionCompliant Microsoft Provision(s)
NRS § 388.291(1)(a)
School service provider must provide written disclosure to such persons or governmental entities in language that is easy to understand, which includes, without limitation:
(a) The types of personally identifiable information collected by the school service provider and the manner in which such information is used
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data

Microsoft Online Services Data Protection Addendum -> Data Protection Terms
->Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations
NRS § 388.291(1)(b)
School service provider must provide written disclosure to such persons or governmental entities in language that is easy to understand, which includes, without limitation:
(b) A description of the plan for the security of data concerning pupils which has been established by the school service provider pursuant to NRS 388.293
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies

See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures
NRS § 388.291(2)
Before a school service provider makes a material change to the plan for the security of data concerning pupils established pursuant to NRS 388.293, the school service provider must provide notice
Microsoft Online Services Data Protection Addendum -> Notices
NRS § 388.291(3)
The disclosure or notice provided pursuant to subsection 1 or 2, as applicable, must be provided to:
(a) The board of trustees of a school district, the governing body of a charter school or the governing body of a university school for profoundly gifted pupils, as applicable, that uses the school service of the school service provider; and
(b) Any teacher who uses the school service
Microsoft Online Services Data Protection Addendum -> Notices

NRS § 388.292(3)
Deletion of a pupil’s personally identifiable information within a reasonable time not to exceed 30 days after receiving a request
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion
NRS § 388.292(5)(a)
Targeted advertising based on information, including covered information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
NRS § 388.292(5)(b)
Selling a pupil’s information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
NRS § 388.292(5)(c)
Use of information to create a profile about a pupil
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
NRS § 388.292(5)(d)
Use of a pupil’s personally identifiable information inconsistent with contract
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
NRS § 388.292(5)(e)
Knowingly retaining a pupil’s personally identifiable information beyond the authorized contract period
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion
NRS § 388.293(1)(a)–(b)
Detailed plan for security of data concerning pupils
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies

See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures
NRS § 388.293(3)
Breach notification requirements
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification

Microsoft Online Services Data Protection Addendum-> Appendix A – Security Measures -> Information Security Incident Management

In addition to the provisions above, NRSA § 388.291(4) provides that a school service provider shall:

(a) Allow a pupil who is at least 18 years of age and the parent or legal guardian of any pupil to review personally identifiable information concerning the pupil that is maintained by the school service provider; and

(b) Establish a process, in accordance with any contract governing the activities of a school service provider and which is consistent with the provisions of NRS 388.281 to 388.296, inclusive, for the correction of such information upon the request of:

(1) A pupil who is at least 18 years of age or the parent or legal guardian of any pupil; or

(2) The teacher of the pupil or the board of trustees of the school district in which the school that the pupil attends is located, the governing body of the charter school that the pupil attends or the governing body of the university school for profoundly gifted pupils that the pupil attends, as applicable.