Skip to main content
West Virginia

West Virginia Student Data Privacy

Requires Signed Agreement
Does not require signed agreement

West Virginia requires strong governance of student data systems, detailed security planning, and vendor contracts with explicit privacy/security safeguards and penalties.

West Virginia Student Data Accessibility, Transparency and Accountability Guide

Primary Law
Student Data Accessibility, Transparency and Accountability Act (statewide student data system governance, security planning, and vendor contract safeguards)

Citation
West Virginia Code § 18-2-5h

Official Text
https://code.wvlegislature.gov/18-2-5h/

Overview

West Virginia's Student Data Accessibility, Transparency and Accountability Act governs how student data is inventoried, accessed, shared, protected, and reported. It requires the Department of Education to publish data inventories and privacy policies, restrict access, and implement a detailed data security plan. It also emphasizes that vendor contracts involving student data must include express privacy and security safeguards and penalties for noncompliance.

For districts, the operational takeaway is strong vendor governance: if a tool, assessment platform, or outsourced database involves student data, contracts should be signed, specific, and enforceable.

Applicability and Scope

This is most relevant when:

  • Districts use vendor-hosted assessments, databases, or instructional support tools that include student data
  • Student data is shared under inter-agency data-sharing agreements or outsourced contracts
  • Districts need consistent security planning and breach readiness aligned to state expectations

Security Planning and Vendor Controls

West Virginia’s Student Data Privacy Act emphasizes comprehensive security planning and accountability when student data is handled by or shared with third parties. The law calls for a documented data security plan addressing access controls, audits, breach preparedness, retention, disposition, and appropriate safeguards.

When student data is outsourced to private vendors, West Virginia law expects districts to ensure that privacy and security obligations are clearly enforceable. Districts may accomplish this through written contracts, documented vendor vetting, or a combination of both, provided that required protections are clearly established and maintained.

Districts should ensure that vendor agreements and/or formal security documentation address:

  • Defined access controls and audit practices appropriate to the sensitivity of the data
  • Incident response and breach planning, including notification and cooperation requirements
  • Data retention and secure disposition procedures
  • Enforceable privacy and security safeguards, with accountability measures for noncompliance

This approach supports West Virginia’s focus on planned, auditable security practices while allowing districts to apply consistent governance across vendor relationships using contracts, structured vetting, or both.

Incident Response and Governance

Districts should ensure vendor agreements and internal processes support:

  • Clear breach planning, notification, and coordination expectations
  • Access restrictions and role-based controls consistent with state policies
  • Retention and disposition rules that match district practice and legal requirements

How Can EdPrivacy Help West Virginia Schools

West Virginia’s student data privacy framework is easier to manage when districts can document vendor usage, security expectations, and governance decisions in a single system. EdPrivacy helps districts centralize approvals, agreements (where used), and security documentation so oversight remains consistent across a broad and evolving edtech ecosystem.

With EdPrivacy, districts can:

  • Maintain a comprehensive inventory of applications and vendors that access or handle student data
  • Store contracts, DPAs, and supporting privacy and security documentation in one centralized location
  • Document required security expectations, including access controls, breach response procedures, and data retention or disposition practices
  • Track vendor changes and schedule periodic re-reviews to ensure continued alignment with district and state requirements

This centralized approach reduces fragmentation and supports repeatable, auditable oversight.

Summary

West Virginia districts should be prepared to:

  • Apply written agreements, documented vendor vetting, or both when vendors handle student data, based on risk and scope of use
  • Ensure privacy and security expectations are clearly defined and enforceable, including accountability measures for noncompliance
  • Align incident response, access control, and retention practices with state security planning expectations
  • Maintain ongoing documentation and district-wide oversight of vendor data handling activities

West Virginia Code § 18-2-5h supports a governance-focused approach to student data protection, emphasizing planned security practices, enforceable controls, and consistent documentation, whether implemented through contracts, structured vetting, or a combination of both.