In late October 2024, Ohio Senate Bill 29 (“SB 29”)[1] took effect. This new law regulates educational records and student data privacy throughout the state, specifically relating to student-issued devices (e.g., laptops, tablets, software). What makes SB 29 unique is that it extends beyond schools and school districts and impacts third-party technology providers that work with these entities. Taft anticipates greater emphasis on compliance with this new law ahead of the 2025-2026 school year. Here is what you need to know about the Ohio student data privacy law.

Who is Regulated?

Ohio schools, school districts, and technology providers acting on behalf of school districts must comply with various obligations under SB 29. “Technology provider” is “a person who contracts with a school district to provide a school-issued device for student use and creates, receives, or maintains educational records pursuant or incidental to its contract with the district.”

“School-issued device” means hardware, software, devices, and accounts that a school district, acting independently or with a technology provider, provides to an individual student for that student’s dedicated personal use.

What is an Educational Record?

“Educational records” means records, files, documents, and other materials that contain information directly related to a student and are maintained by a school district board of education or by a person acting for the school district. Such records may include student contact information, home address, parent names, class schedules, report cards and transcripts, attendance records, disciplinary records, lunch account information, etc.

“Educational records” excludes the following:

  • Records in Faculty’s Possession. Records of instructional, supervisory, and administrative personnel and educational personnel that are (i) in the sole possession of the maker and (ii) not accessible or revealed to any other person except a substitute teacher. For example, individual homework assignments submitted by the student in a teacher’s possession would not be considered an educational record.
  • Records of School District Employees. Records made and maintained in the normal course of business that relate exclusively to individuals employed by the school district, in that person’s capacity as an employee, that are not available for use for any other purpose. A directory of all faculty that includes name, address and phone number would not be an educational record.
  • Records of Students 18+ for Medical Treatment Purposes. Records on a student who is eighteen or older, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in the person’s professional or paraprofessional capacity, or assisting in that capacity, and that are made, maintained, or used only in connection with the provision of treatment to the student and are unavailable to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.

Obligations of Schools and School Districts

  • Enter Contracts with Technology Providers. School districts must enter contracts with technology providers to ensure appropriate security safeguards for educational records. Such contracts must also include:
    • A restriction on unauthorized access by the technology provider’s employees or contractors (additionally, technology providers are prohibited from selling, sharing or disseminating educational records except as provided by law).
    • A requirement that the technology provider’s employees or contractors may be authorized to access educational records only as necessary to fulfill the official duties of the employee or contractor.
  • Provide Technology Provider Contracts for Inspection. Each school district must provide parents and students an opportunity to inspect a complete copy of any contract with a technology provider.
  • Provide Notice to Parents and Students of Contracts Affecting Educational Records. Not later than August 1 of each school year, each school district must provide parents and students notice, by mail, email, or other direct form of communication, of any curriculum, testing, or assessment technology provider contract affecting a student’s educational records. This notice must also:
    • identify each curriculum, testing, or assessment technology provider with access to educational records;
    • identify the educational records affected by the curriculum, testing, or assessment technology provider contract; and
    • include information about the contract inspection and provide contact information for a school department to which a parent or student may direct questions or concerns regarding any program or activity that allows a curriculum, testing, or assessment technology provider access to a student’s educational records.
  • Provide Notice if the School District Monitors School-Issued Devices. If a school district opts to monitor or access a school-issued device under one of the monitoring exceptions under SB 29 (“Monitoring Exception”), additional notice must be provided to parents of enrolled students. Additionally, when a school district uses a Monitoring Exception (as discussed below), within 72 hours of the access, the district must notify the student’s parent and provide a written description of the triggering circumstance, including which features of the device were accessed and a description of the threat, if any. This notice is not required when the notice itself would pose a threat to life or safety but must instead be given within 72 hours after that threat has ceased.

Obligations of Technology Providers

  • Report Breaches. In the event of a breach of educational records in the technology provider’s possession, following the discovery of the breach, the provider must inform the school district of all information necessary for the school district to perform its requirements under Ohio’s breach notification law. A “breach” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information that causes or reasonably is believed will cause a material risk of identity theft or other fraud. For example, a breach involving student transcripts may require reporting under Ohio’s breach notification law.
  • Destroy/Return Educational Data at the Expiration of the Contract. Within 90 days of the expiration of a contract with a school district, a technology provider must destroy or return to the appropriate school district all educational records created, received, or maintained under or incident to the contract.
  • Honor Educational Records Restrictions. Technology providers are prohibited from (i) selling, sharing, or disseminating educational records, except as provided by law and (ii) using educational records for commercial purposes (e.g., marketing or advertising to a student or parent). A commercial purpose does not include providing the specific services contracted for by a school district.
    • A technology provider may use aggregate student information (with any personally identifiable information removed) for improving, maintaining, developing, supporting, or diagnosing the provider’s website, service, or operation.

Restriction on Student Monitoring and Monitoring Exceptions

Generally, school districts and technology providers are prohibited from electronically accessing or monitoring any of the following:

  • Location-tracking features of a school-issued device;
  • Audio or visual receiving, transmitting, or recording feature of a school-issued device;
  • Student interactions with a school-issued device, including, but not limited to, keystroke and web-browsing activity.

However, under the new law’s Monitoring Exceptions, a school district or technology provider may monitor or access school-issued devices in the following circumstances, where the activity is:

  • limited to a noncommercial educational purpose for instruction, technical support, or exam-proctoring by school district employees, student teachers, staff contracted by a district, a vendor, or the Department of Education, and notice is provided in advance;
  • permitted under a judicial warrant;
  • necessary because the school district or technology provider is notified or becomes aware that the device is missing or stolen;
  • necessary to prevent or respond to a threat to life or safety, and the access is limited to that purpose;
  • necessary to comply with federal or state law; or
  • necessary to participate in federal or state funding programs.

Business Considerations

If you are a business that provides technology-based services to school districts, you may be subject to SB 29. Companies should:

  • Determine whether the company supplies the district with a “school-issued device” and identify what that device is;
  • Prepare contracts for their school district customers that include the contractual requirements in SB 29;
  • Be prepared to identify what, if any, educational records the company has access to; and
  • Develop a process to securely delete educational records at the request of the school district or upon termination of the contract with the district.



[1] Ohio Rev. Code Ann. §§ 3319.325 et seq.