Rhode Island

Rhode Island Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

Rhode Island regulates edtech operators' collection and use of student information and supports strong contract-driven safeguards and security expectations.

Rhode Island Student Online Personal Information Protection Guide

Primary Law
Student Online Personal Information Protection (restrictions and safeguards for operators providing online services to K-12 schools)

Citation
Rhode Island General Laws, Title 16, Chapter 104 (Student Online Personal Information Protection)

Official Text
https://webserver.rilegislature.gov/Statutes/TITLE16/16-104/16-104%20INDEX.HTM

Overview

Rhode Island regulates how operators of online educational services collect, use, disclose, and protect student information. The compliance posture for districts is to require signed agreements that limit vendor use to school purposes, prohibit impermissible commercial uses, and ensure appropriate security safeguards and data lifecycle controls.

Applicability and Scope

This is most relevant when:

  • A vendor provides an online service/application used for K-12 school purposes and receives student information
  • Tools integrate with district systems (SIS/SSO/rostering) and receive roster, grades, or performance data
  • Vendors use third parties/subprocessors to deliver the service

Vendor Controls and Security Expectations

Rhode Island districts are not required by state law to rely exclusively on signed vendor agreements, allowing flexibility in how student data protections are implemented. Districts may use formal contracts, structured vendor evaluations, or a blended approach based on the nature of the data and the instructional use.

To ensure appropriate safeguards, districts should confirm that vendor agreements and/or documented review processes establish:

  • Clearly defined limits on data use, restricting student information to authorized educational purposes
  • Explicit prohibitions on data sales and targeted advertising involving student records
  • Reasonable security and incident response practices, including cooperation during investigations
  • Procedures for data deletion or return when services end or upon district direction
  • Controls over subcontractors, including required privacy and security obligations flowing down to third parties

By using this flexible framework, Rhode Island districts can demonstrate thoughtful data governance and ongoing oversight without being constrained to a single compliance mechanism.

How Can EdPrivacy Help Rhode Island Schools?

Rhode Island compliance is easier when districts can document which vendors receive student information and maintain contracts, policies, and security artifacts in one place. EdPrivacy helps districts centralize vendor approvals and ensure consistent monitoring across a large edtech ecosystem.

The platform helps districts:

  • Track tools/vendors that receive student data
  • Store signed contracts/DPAs and vendor privacy/security documentation
  • Document required safeguards and approval conditions
  • Monitor vendor changes and schedule periodic re-review

Summary

Rhode Island districts should be prepared to:

  • Use written agreements, documented vendor vetting, or both when vendors handle student information, based on risk and data sensitivity
  • Ensure vendors are limited to legitimate school purposes and do not sell, market, or otherwise misuse student data
  • Assess security practices and confirm that data deletion or return processes are practical and enforceable
  • Maintain consistent, repeatable oversight through documentation, monitoring, and periodic review

Rhode Island’s student privacy framework supports a flexible, risk-based approach to safeguarding student information in online services, allowing districts to demonstrate compliance through contractual controls, structured vetting processes, or a combination of both.