Skip to main content
New Hampshire

New Hampshire Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

New Hampshire requires student data privacy and security safeguards that districts implement through signed vendor agreements, controlled sharing, and incident response readiness.

New Hampshire Student Data Privacy and Security Guide

Primary Law
Student data privacy and security requirements for the collection, use, sharing, and protection of student information

Citation
New Hampshire Revised Statutes Annotated (RSA) 189:66 (Student data privacy and security)

Official Text
https://www.gencourt.state.nh.us/rsa/html/XV/189/189-66.htm

Overview

New Hampshire's student data privacy and security requirements focus on limiting collection and disclosure of student information, protecting student data systems, and ensuring that data is used for appropriate educational purposes. For districts using vendor-hosted services, the practical compliance posture is to require signed vendor agreements that define permitted uses, require reasonable security safeguards, and set clear incident response expectations.

Applicability and Scope

This is most relevant when:

  • A district uses vendor-hosted educational tools that collect or process student data
  • Student data is shared with third-party service providers to deliver instruction or administrative services
  • Districts need repeatable processes to approve and monitor edtech tools over time

Vendor Contract and Security Expectations

New Hampshire law does not explicitly require districts to obtain signed vendor contracts or DPAs. Instead, the state’s legal framework focuses on how student data is evaluated, protected, and governed, giving districts flexibility in how they meet those obligations.

Districts should ensure that vendor vetting reviews and/or contracts (DPAs) address:

  • Purpose limitation – Verification that student data is used exclusively for legitimate educational or school purposes
  • Security safeguards – Assessment of administrative, technical, and physical protections aligned to student data sensitivity
  • Disclosure and subcontractor controls – Transparency around data sharing, redisclosure limits, and subcontractor compliance
  • Data retention and deletion – Documented retention limits and secure deletion or return procedures
  • Incident reporting and response – Defined breach notification timelines, investigation cooperation, and response coordination

Through EdPrivacy’s standardized vetting methodology, districts can document compliance even when a signed agreement is not legally required. When contracts are used, EdPrivacy ensures required privacy, security, and accountability terms are clearly tracked and enforced, allowing districts to apply the right level of governance to each tool while maintaining transparency and trust.

How Can EdPrivacy Help New Hampshire Schools

EdPrivacy supports a dual-track compliance approach, recognizing that New Hampshire districts may rely on a robust vendor vetting process, a written agreement, or both, depending on risk level, data sensitivity, and instructional use.

Compliance is easier when districts can clearly identify which vendors handle student data and keep vetting records, contracts, and security documentation organized in one place. EdPrivacy centralizes this information so oversight remains consistent, documented, and defensible across a growing ecosystem of instructional tools.

With EdPrivacy, districts can:

  • Maintain a complete inventory of applications and vendors that handle student data
  • Store and track contracts, DPAs, and vendor privacy/security documentation
  • Document approval conditions and required safeguards for each tool
  • Monitor vendor policy changes and schedule periodic re-reviews to ensure continued compliance

This approach allows New Hampshire districts to apply the right level of governance to each vendor, while maintaining transparency, accountability, and trust.

Summary

New Hampshire districts should be prepared to:

  • Use signed vendor agreements for tools that collect or process student data
  • Require enforceable privacy/security safeguards and clear incident response expectations
  • Control subcontractors and data sharing
  • Maintain ongoing documentation and oversight across the district's edtech ecosystem

RSA 189:66 supports a contract-driven approach to safeguarding student information in vendor-hosted systems