Virginia Student Data Privacy

Requires Signed Agreement: Does not require signed agreement

Virginia regulates school service providers operating under contract and requires an information security program plus contract-based limits on use/sharing of student personal information.

Virginia Student Data Privacy Guide

Primary Law

School service provider and school technology provider requirements for student personal information (security programs and contract-based use limitations)

Citation

Virginia Code § 22.1-289.01 (School service providers; school-affiliated entities; student personal information)

Official Text

https://law.lis.virginia.gov/vacode/title22.1/chapter14/section22.1-289.01/

Overview

Virginia regulates vendors that provide online school services or school-issued technology pursuant to a contract with a local school division. The statute establishes requirements for transparency, information security programs, limits on use and disclosure of student personal information, and expectations around access, deletion, and downstream data sharing.

The law’s requirements are triggered by the existence of a contractual relationship: Virginia does not independently mandate that districts contract with vendors, but when vendors operate school services under contract, the statute governs how student personal information may be handled.

Applicability and Scope

Virginia’s requirements are most relevant when:

  • A vendor provides a website, application, or online service designed and marketed for K-12 use under contract with a school division
  • A vendor provides school-issued devices to students pursuant to a district agreement
  • Student personal information is accessed by subcontractors or successor entities in the course of providing the contracted service

The statute’s obligations attach to vendors acting in their role as contracted school service or school technology providers.

Security and Data Governance Expectations

Virginia law requires covered providers to maintain a comprehensive information security program reasonably designed to protect student personal information. It also restricts how student data may be collected, used, disclosed, or retained, tying permissible activities to authorized educational purposes and requiring controls over third-party access.

Districts typically operationalize these requirements through the terms of the underlying agreement and supporting governance practices, ensuring that:

  • Authorized purposes for data collection, use, and disclosure are clearly defined
  • An information security program appropriate to the scope and sensitivity of the data is in place
  • Subcontractors and third parties are subject to equivalent privacy and security obligations before accessing student data
  • Secondary uses or unauthorized sharing of student personal information are prohibited
  • Accountability mechanisms support monitoring, enforcement, and remediation

This approach reflects Virginia’s emphasis on purpose limitation, security accountability, and third-party controls, while recognizing that the statute governs vendors because they are operating under contract, not as a standalone contracting mandate.

Incident Response and Data Lifecycle

School divisions should ensure that contractual terms and oversight practices address:

  • Security safeguards and incident response coordination appropriate to the data involved
  • Deletion or return of student personal information upon request or at service termination
  • Subcontractor restrictions, notice requirements, and approval processes

Aligning agreements with operational reality helps ensure compliance remains enforceable and practical.

How EdPrivacy Supports Virginia Schools

Virginia school divisions benefit from clear visibility into which vendors access student personal information and how those relationships are governed.

EdPrivacy helps districts:

  • Catalog applications and services that collect, store, or process student personal information
  • Centralize agreements, privacy terms, and security documentation associated with each vendor
  • Document authorized use limitations, third-party access controls, and data deletion or return commitments
  • Monitor vendor changes and trigger re-evaluations when policies, practices, or risk profiles change

This supports consistent oversight without relying on fragmented documentation or manual tracking.

Summary

Virginia school divisions should be prepared to:

  • Ensure that vendors operating school services under contract comply with statutory privacy and security requirements
  • Confirm vendors maintain effective information security programs
  • Restrict use and disclosure of student personal information to approved educational purposes
  • Oversee subcontractor access and define workable data disposition processes
  • Maintain repeatable, well-documented oversight across contracted vendor relationships

Virginia Code § 22.1-289.01 reinforces a contract-scoped governance model centered on purpose limitation, security accountability, and third-party controls, allowing districts to demonstrate compliance through appropriately structured agreements and supporting oversight practices.