Skip to main content
Idaho

Idaho Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Idaho sets statewide rules for how student data is defined, accessed, shared, and safeguarded across education systems and approved partners.

Idaho Student Data Privacy Governance Guide

Primary Law
Student data: definitions, confidentiality, authorized access, use limitations, and penalties

Citation
Idaho Code 33-133

Official Text
https://legislature.idaho.gov/statutesrules/idstat/title33/t33ch1/sect33-133/

Overview

Idaho approaches student data privacy through a governance lens. Idaho Code 33-133 focuses on defining student data and personally identifiable information, keeping student educational records confidential, and controlling access to authorized users for legitimate educational purposes.

For Idaho districts, the compliance story is less about one specific vendor prohibition and more about being able to explain your data decisions: what student data a system uses, who can access it, why access is needed, and what safeguards keep the data protected across district systems and cloud-based services.

Applicability and Scope

Idaho Code 33-133 is most relevant when student data is collected, maintained, accessed, or disclosed as part of a student educational record in statewide education data systems and district systems that connect to them, including records stored or transmitted using cloud computing services.

Student data generally includes information that:

  • Identifies or can reasonably be linked to a specific student
  • Is maintained as part of a student educational record
  • Is stored, processed, or transmitted through district systems or cloud-based services supporting district operations

Practically, if a platform touches student educational records or connects to core systems, it should be treated as in-scope for privacy review and access control.

Idaho Code 33-133: Governance and Confidentiality Expectations

Idaho emphasizes confidentiality of student data and limits access to authorized users with a legitimate role and purpose. This means districts should treat privacy compliance as a repeatable governance process, not a one-time approval event.

Districts are typically best positioned when they can demonstrate:

  • Clear ownership for student data decisions and access approvals
  • Role-based access aligned to job responsibilities
  • Use of a minimum-necessary approach for student data elements
  • Documented processes for granting, reviewing, and revoking access

Access Control and Authorized Use

Idaho's framework supports purpose-based access. When staff, contractors, or vendors need access to student information, districts should be able to show:

  • What student data elements are required and why
  • How access is approved and who authorizes it
  • How access is limited to assigned duties
  • How confidentiality expectations are communicated and enforced

This is especially important for systems that integrate with the SIS, assessment platforms, special education tools, identity systems, and data reporting services, where configuration changes can expand data exposure quickly.

Vendor Access and District Due Diligence

Idaho Code 33-133 does not operate like a single-purpose vendor marketing statute. However, when a vendor will store, process, or transmit student educational records, districts benefit from a short, consistent due diligence checklist that can be repeated across departments and revisited over time.

District reviews commonly document:

  • Which student data elements the product collects, generates, or accesses
  • Whether use is limited to the district's educational purpose (no unrelated secondary use)
  • Security safeguards appropriate to the data involved
  • Retention, return, and deletion practices when the relationship ends
  • Whether vendor terms or practices change in ways that require re-review

Safeguarding and Security Expectations

Idaho districts should ensure that student data is protected with safeguards appropriate to the sensitivity of the data and the way the tool is deployed.

District review commonly considers:

  • Access controls and account management practices
  • Secure storage and transmission expectations (including cloud services)
  • Incident response and breach reporting expectations
  • Controls on retention and redisclosure

Permitted Uses of Student Data

Student data use should be tied to legitimate educational purposes and assigned duties. Districts should evaluate whether a tool's student data use is necessary for instruction, assessment, student support, operations, or compliance with legal requirements.

When data use expands beyond what is needed for the educational purpose, districts should reassess the tool and adjust access, configuration, or approval conditions.

How Idaho Districts Commonly Implement Compliance

Idaho districts often operationalize compliance through repeatable documentation and access controls, including:

  • Maintaining an inventory of tools and services that touch student educational records
  • Documenting data flows and integrations, especially for cloud-connected systems
  • Standardizing review questions so decisions are consistent across departments
  • Keeping approval evidence and rationale in a central location
  • Revisiting approvals when products change features, data collection, or terms

How Can EdPrivacy Help Idaho Schools

Idaho's governance-focused approach favors districts that can clearly show who has access to student data, why access exists, and what conditions apply. EdPrivacy helps Idaho schools reduce administrative burden by centralizing the documentation used during tool review and by making approvals easier to explain and revisit.

The platform helps districts:

  • Maintain a searchable inventory of systems and apps that handle student educational records
  • Store vendor privacy and security documentation alongside district approval rationale
  • Track what data a tool touches and what access assumptions were made at approval time
  • Monitor vendor policy and product changes so reviews can be refreshed when risk changes

Summary

Idaho districts should be prepared to:

  • Protect confidentiality of student educational records and personally identifiable information
  • Limit access to authorized users with a legitimate educational purpose
  • Apply repeatable review criteria for vendors and tools that handle student data
  • Maintain documentation that supports defensible access and approval decisions over time

Idaho Code 33-133 is best met through consistent governance, controlled access, and ongoing oversight of the tools and services that touch student educational records.