Skip to main content
Hawaii

Hawaii Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Hawaii restricts edtech operators' use and disclosure of student covered information and requires reasonable security safeguards under HRS Section 302A-500.

Hawaii Student Online Personal Information Protection Guide

Primary Law
Student Online Personal Information Protection (operator restrictions and security safeguards for online services used for K-12 school purposes)

Citation
Hawaii Revised Statutes (HRS) Chapter 302A, Part II, Subpart H: Student Online Personal Information Protection (notably Section 302A-500)

Official Text
https://www.capitol.hawaii.gov/hrscurrent/Vol05_Ch0261-0319/HRS0302A/HRS_0302A-0500.htm

Overview

Hawaii restricts how operators of websites, online services, online applications, and mobile applications used for K-12 school purposes may collect, use, and disclose student covered information. The law prohibits targeted advertising based on covered information, prohibits selling student information, requires reasonable security procedures and practices, and supports deletion of student covered information when requested by schools.

For districts, the operational takeaway is to verify that vendor products used with students follow these statutory limitations and to use written agreements/DPAs as a best practice for higher-risk systems to make security, breach response, and subcontractor controls explicit.

Applicability and Scope

This is most relevant when:

  • A vendor provides an online service or app designed and marketed for K-12 school purposes
  • The product collects student covered information or persistent identifiers through school use
  • The vendor relies on third parties/subprocessors to deliver the service

Key Vendor Controls and Security Expectations

Hawaii requires operators to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information. The statute also limits disclosures and, when disclosure to third parties occurs, ties it to contractual restrictions and security obligations for those third parties.

Incident Response and Data Lifecycle

Districts should ensure vendors can support practical data lifecycle management, including deletion/return workflows and clear incident reporting and coordination expectations if student information is involved in a security incident.

How Can EdPrivacy Help Hawaii Schools

Hawaii districts benefit from a centralized way to track which tools collect student covered information and to keep vendor privacy/security documentation and agreements organized. EdPrivacy helps districts manage approvals, store vendor artifacts, and maintain repeatable oversight across many tools.

The platform helps districts:

  • Inventory tools and vendors that handle student information
  • Store privacy terms, security documentation, and any DPAs/contracts
  • Document safeguards (no targeted advertising, limited disclosure, deletion expectations)
  • Monitor vendor changes and schedule periodic re-review

Summary

Hawaii districts should be prepared to:

  • Confirm operators do not sell student information or use it for targeted advertising
  • Verify reasonable security safeguards for tools that handle student covered information
  • Control third-party access and subcontractors, especially for cloud-hosted services
  • Maintain repeatable documentation and monitoring across the district

HRS Section 302A-500 supports a vendor-limits-plus-security approach to protecting student information in online services used by schools.