Skip to main content
Iowa

Iowa Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Iowa student data privacy focuses on district responsibility

Iowa Student Data Privacy Guide

Primary Law: Iowa Student Data Privacy Act / Student Online Personal Information Protection Act
Citation: Iowa Code Chapter 279.71, Student Data Privacy
Official Text: https://www.legis.iowa.gov/docs/code/279.pdf

Iowa’s Student Privacy Act governs how student data may be collected, used, disclosed, and protected when shared by schools with third party service providers. The law focuses on preventing non-educational use of student data and places responsibility on school districts to ensure vendors meet statutory requirements.

Rather than mandating a specific contract structure, Iowa emphasizes district oversight and accountability for how student data is shared and managed.

Core scope and definitions

Under Iowa law, student data generally includes information that is:

  • Personally identifiable and directly related to a student.
  • Maintained by a school district or by a third party acting on the district’s behalf.
  • Generated through instructional, administrative, assessment, or operational activities.

Covered entities include:

  • Iowa public school districts and accredited nonpublic schools.
  • Area education agencies.
  • Third party service providers that receive student data from schools for educational purposes.

If a vendor receives student data from an Iowa school, the district remains responsible for ensuring the data is handled in accordance with the statute.

Restrictions on vendors and service providers

The Student Privacy Act limits how vendors may use student data provided by schools.

Vendors may not:

  • Use student data for targeted advertising.
  • Sell student data or use it for commercial purposes unrelated to education.
  • Re-disclose student data except as permitted by law or authorized by the district.
  • Use student data beyond the scope of the educational purpose for which it was shared.

These expectations apply regardless of whether a separate data privacy agreement is executed.

Security and data protection expectations

Iowa law requires that student data be protected with reasonable safeguards.

Districts are expected to ensure that vendors:

  • Implement administrative, technical, and physical security measures appropriate to the sensitivity of the data.
  • Limit access to student data to authorized personnel.
  • Protect student data from unauthorized access, disclosure, or misuse.

The responsibility for verifying these safeguards rests with the district.

How districts demonstrate compliance

Iowa law does not prescribe a single required mechanism for compliance. Instead, districts may meet their obligations through a combination of practices, including:

  • Thorough pre-approval vetting of vendor privacy and security documentation.
  • Review of public privacy policies, terms of service, and data use statements.
  • Confirmation that vendors prohibit advertising, profiling, and resale of student data.
  • Ongoing monitoring for changes in vendor policies or practices.

Written agreements are one way to document and enforce these expectations, but they are not the only lawful approach under Iowa law.

Are signed district vendor contracts required under Iowa law

Not universally.

  • Iowa law does not require districts to execute a written data privacy agreement with every vendor.
  • Districts are responsible for ensuring vendors meet statutory requirements, but the law does not mandate a specific contract form.
  • Many districts choose to use written agreements as a best practice, particularly when vendors store or process more sensitive student data.

The key requirement is that the vendor’s actual practices align with the law, not that a particular document exists.

Practical implications for Iowa districts

Iowa districts should focus on:

  • Maintaining visibility into which vendors receive student data.
  • Using a consistent vetting process to evaluate vendor privacy and security practices.
  • Documenting approval decisions and supporting evidence.
  • Monitoring vendors over time for policy or practice changes.
  • Using contracts strategically when districts determine they add value or clarity.

How edprivacy supports Iowa schools

Iowa districts must demonstrate that vendors meet student data privacy requirements, whether through vetting, contracts, or a combination of both.

Edprivacy supports Iowa schools by helping districts:

  • Centralize vendor vetting using publicly available privacy and security documentation.
  • Record approval decisions and the evidence used to support them.
  • Track which vendors are approved, under what conditions, and why.
  • Manage contracts where districts choose or are required to use them.
  • Monitor vendor policy changes that could introduce new risk over time.

Edprivacy gives Iowa administrators a flexible, defensible system for managing student data privacy responsibilities without forcing a one size fits all compliance model.