Skip to main content
Missouri

Missouri Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Missouri requires student data transparency, access controls, security planning, and vendor contract safeguards under RSMo Section 161.096.

Missouri Student Data Transparency and Vendor Safeguards Guide

Primary Law
Student data accessibility, transparency, accountability, and vendor safeguards for the statewide longitudinal data system

Citation
Missouri Revised Statutes Section 161.096 (2014 H.B. 1490)

Official Text
https://revisor.mo.gov/main/OneSection.aspx?section=161.096

Overview

Missouri establishes statewide expectations for student data transparency, access controls, security planning, and vendor safeguards through RSMo Section 161.096. The statute directs the Missouri Department of Elementary and Secondary Education to maintain public visibility into data elements, restrict access to personally identifiable student data, and ensure privacy and security requirements are reflected in contracts with vendors that provide systems, assessments, or instructional supports.

For districts, the most practical compliance takeaway is governance: maintain clear documentation of what data is collected and why, apply role-based access, and confirm vendor contracts prohibit selling student data or using it for advertising.

Applicability and Scope

Missouri's framework is especially relevant when student information is collected, stored, or shared in connection with:

  • District and state student information systems and reporting systems
  • Assessments, instructional platforms, and learning applications that process student data
  • Vendor services that host databases or provide outsourced instructional supports

Districts should consider the law in scope for any tool that stores student records, integrates with district identity systems, or receives student data exports.

Transparency and Data Inventory Expectations

Missouri requires public visibility into what student data elements exist and why they are collected. This supports a transparency-first posture and makes it easier to answer parent and community questions about data practices.

District teams often align locally by:

  • Keeping a district-level inventory of tools that collect student data
  • Documenting high-level categories of student data used by each system
  • Explaining educational purpose and operational need for data collection in plain language

Access Controls and Disclosure Limits

Missouri's statute emphasizes restricting access to personally identifiable student data to authorized users who need it to perform assigned duties. Districts benefit from treating least-privilege access as a default expectation across systems and integrations.

District review commonly considers:

  • Whether staff roles map cleanly to permission levels and student populations
  • How access is approved, reviewed, and removed when roles change
  • Whether disclosures can be minimized using aggregate or redacted information

Security Planning, Audits, and Incident Readiness

Missouri calls for a detailed security plan with privacy compliance standards, audits, breach planning and notification procedures, and retention/disposition policies. Districts should ensure vendor practices and district procedures support these expectations.

Operational practices commonly include:

  • Centralizing incident response contacts and vendor escalation paths
  • Requiring vendors to describe security controls and breach response processes
  • Documenting retention, deletion, and disposition expectations for student data

Vendor Data Practices and Oversight Expectations

Missouri law does not require districts to obtain a signed agreement or DPA with edtech vendors. Instead, it requires districts to ensure appropriate privacy, security, transparency, and access controls are in place, and that vendor practices do not include the sale of student data or advertising use.

How Can EdPrivacy Help Missouri Schools

Missouri districts need durable documentation and repeatable oversight: inventories, access controls, vendor contract safeguards, and periodic review when tools change. EdPrivacy helps districts consolidate these decisions and supporting evidence in one place so compliance is easier to demonstrate and maintain.

In Missouri, EdPrivacy also has an agreement with MOREnet to offer special pricing for MOREnet partner school districts.

The platform helps districts:

  • Maintain a current catalog of apps and vendors and note which systems handle student PII
  • Keep contracts, privacy policies, and security attestations organized alongside approval history
  • Capture district-specific guardrails (no advertising use, no sale, limited disclosure, retention and deletion expectations)
  • Prompt periodic check-ins when vendors update terms, add integrations, or change subprocessors

Summary

Missouri districts should be prepared to:

  • Support transparency by documenting what student data is used and for what purpose
  • Restrict access to student data using role-based permissions and least-privilege principles
  • Require vendor contract terms that prohibit selling student data and using it for advertising
  • Maintain security planning, audit readiness, and data lifecycle controls across tools

RSMo Section 161.096 supports a governance-driven approach to student privacy that combines transparency, security planning, and enforceable vendor safeguards.