Skip to main content
Oregon

Oregon Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Oregon student data privacy focuses on vendors

Oregon Student Data Privacy Guide

Primary Law: Oregon Student Information Protection Act
Citation: Oregon Revised Statutes § 336.184
Official Text: https://www.oregonlegislature.gov/bills_laws/ors/ors336.html

Oregon’s Student Information Protection Act governs how student information may be collected, used, disclosed, and safeguarded when schools work with third party service providers. The law focuses on limiting non educational use of student data and places clear restrictions on vendors that receive student information from Oregon schools.

Oregon regulates vendor conduct directly through statute, while also expecting districts to exercise oversight when approving and managing digital tools used with students.

Core scope and definitions

Under Oregon law, student information generally includes data that is:

  • Personally identifiable and directly related to a student.
  • Created or collected in the course of providing educational services.
  • Maintained by a school district or by a third party acting on the district’s behalf.

Covered entities include:

  • Oregon public school districts and public charter schools.
  • Education service districts.
  • Third party service providers that receive student information from schools.

If a vendor receives student information from an Oregon school for school purposes, it is subject to the statute’s restrictions.

Restrictions on vendors and service providers

Oregon law places direct limits on how vendors may use student information.

A service provider may not:

  • Use student information for targeted advertising.
  • Sell student information.
  • Use student information to amass a profile of a student for non educational purposes.
  • Redisclose student information except as permitted by law or necessary to provide the educational service.

These restrictions apply by operation of law and are not dependent on whether a separate data privacy agreement is executed.

Security and data protection expectations

The Student Information Protection Act requires vendors to use reasonable methods to safeguard student information.

Key expectations include:

  • Implementing administrative, technical, and physical safeguards appropriate to the sensitivity of the data.
  • Limiting access to student information to authorized individuals.
  • Protecting student information from unauthorized access, use, or disclosure.

Districts remain responsible for selecting vendors whose practices align with these requirements.

Permitted uses of student information

Oregon law allows vendors to use student information when necessary to:

  • Provide, operate, and improve the educational service.
  • Support instruction, assessment, and school operations.
  • Comply with state or federal law.
  • Conduct internal research and product improvement related to the service.

Any permitted use must remain tied to the educational purpose for which the data was provided.

Role of district oversight in Oregon

While Oregon regulates vendors directly, districts play an important oversight role.

Districts are expected to:

  • Evaluate whether a vendor’s practices align with statutory restrictions.
  • Avoid approving tools that allow advertising, resale, or non educational use of student data.
  • Maintain visibility into which vendors receive student information.
  • Monitor vendors for changes in privacy practices over time.

The statute does not prescribe a mandatory contract template for every vendor relationship.

Are signed district vendor contracts required under Oregon law

Not in all cases.

  • Oregon law does not require districts to execute a written data privacy agreement with every vendor as a condition of compliance.
  • Vendor obligations apply directly under statute.
  • Districts may choose to use written agreements as a best practice, particularly when vendors store larger volumes of student information or provide core instructional services.

The key requirement is that vendor practices comply with the law, regardless of how districts document approval.

Practical implications for Oregon districts

Oregon districts should focus on:

  • Using a consistent vetting process to review vendor privacy and security practices.
  • Confirming vendors prohibit advertising, profiling, and sale of student information.
  • Documenting approval decisions and supporting evidence.
  • Monitoring vendor policy changes that could introduce new risk.
  • Using contracts strategically where districts determine additional clarity or enforcement is needed.

How edprivacy supports Oregon schools

Oregon districts must ensure vendors comply with statutory student data protections, whether through vetting, contracts, or a combination of both.

edprivacy supports Oregon schools by helping districts:

  • Centralize vendor vetting using publicly available privacy and security documentation.
  • Record approval decisions and the evidence used to support them.
  • Track which vendors are approved and under what conditions.
  • Manage contracts where districts choose to use them.
  • Monitor vendor policy changes over time to maintain ongoing compliance.

Edprivacy gives Oregon administrators a practical, defensible way to manage student data privacy responsibilities without imposing unnecessary administrative burden.