Why Student Data Protection Matters More Than Ever in Ohio Schools
Understanding Ohio Revised Code § 1347 is crucial for K-12 leaders. This law dictates how Ohio schools and their tech vendors must handle student personal information, from names and addresses to academic records.
Quick Answer: Ohio Revised Code § 1347 (the Ohio Privacy Act) requires schools to:
- Protect student personal information from unauthorized access.
- Grant parents and students rights to inspect and control their data.
- Ensure technology vendors meet the same data protection standards.
- Report data breaches to affected individuals within 45 days.
- Adopt clear policies for data access, logging, and security.
As schools adopt more digital tools, the risk of data breaches grows, and parents are more concerned than ever about their children's privacy. Recent amendments like House Bill 432 have strengthened these protections, giving schools more control over directory information and placing strict rules on third-party tech providers.
This guide provides practical insights for implementing new edtech, responding to records requests, or building data protection policies. Non-compliance risks loss of funding, legal action, and community trust. More importantly, protecting student data is the right thing to do.
Cybersecurity starts with awareness. Get your staff audited for phishing vulnerabilities at cybernut.com/phishing-audit to strengthen your human defenses.

What is Ohio Revised Code § 1347 (The Ohio Privacy Act)?

Ohio Revised Code § 1347, also known as the Ohio Privacy Act, is the state's rulebook for how government agencies, including public school districts, handle personal information. It establishes a data governance framework that protects individual privacy while balancing the Ohio Public Records Act.
Defining Key Terms
Understanding the law requires knowing its key terms:
- Personal Information System: Any organized collection of records (digital or physical) retrievable by a person's name or ID number. Your school's student records database is a prime example.
- Personal Information: A broad category including anything that describes a person, such as names, addresses, grades, attendance, and disciplinary history.
- Confidential Personal Information (CPI): A subset of personal information that state law designates as non-public, like Social Security numbers. CPI requires the strongest protections, including access rules and password protection.
- State/Local Agency: The entities that must comply with the law. Your school district is a "local agency."
The Act's Primary Purpose
The law serves four key functions for student data:
- Regulates Data Collection: Requires schools to collect only information that is "necessary and relevant" for their legal duties.
- Grants Individual Rights: Gives parents and students the right to inspect their information and challenge its accuracy.
- Establishes Protection Duties: Mandates that schools implement security safeguards and train staff on proper data handling.
- Prevents Data Misuse: Ensures information is used only for the purposes for which it was collected.
The ODJFS eManuals section on Public Records and Confidentiality Laws (under Legal Services) offers more guidance. ORC § 1347 balances a school's need for information with a family's right to privacy. Protecting data also means training staff to spot threats; consider an audit at cybernut.com/phishing-audit to assess your team's readiness.
Core Principles of ORC § 1347: Rights and Responsibilities

ORC § 1347 balances rights for families with responsibilities for schools. Parents and students gain control over their information, while schools become its responsible guardians. At CyberNut, we know that people are the core of cybersecurity; legal frameworks like this provide the "why" for our training.
Student and Parent Rights Under the Law
The Ohio Privacy Act grants families several enforceable rights:
- Right to Inspect Information: Parents can request to see their child's records. This transparency helps catch errors. Section 1347.08 - Ohio Revised Code outlines limited exceptions, such as certain psychological notes that a professional determines could cause harm if released directly.
- Right to Dispute Accuracy: If families find incorrect or outdated information, they can challenge it. The school must investigate, and parents can add a statement to the file if the dispute is not resolved.
- Right to Be Informed of Data Use: Schools must be transparent about how they use student information and who has access to it.
- Right to Opt Out of Directory Information Release: Parents can prevent the school from releasing "directory information" (like names and photos for yearbooks). This right is absolute, even as schools gain more discretion over releasing such data.
School District Duties
With these rights come mandated duties for schools:
- Maintain Accurate Data: Schools must ensure student records are accurate, relevant, timely, and complete.
- Protect Against Unauthorized Access: Districts must take reasonable precautions, including technical and administrative safeguards, to prevent data breaches.
- Adopt Operating Rules: Each data system must have clear rules defining who can access data and for what valid reason.
- Appoint a Responsible Individual: Someone must be designated to oversee compliance for each personal information system.
- Limit Data Collection: Schools should only collect data that is necessary and relevant for legitimate educational purposes.
- Train Employees: All staff handling personal information must understand ORC § 1347 and the district's rules.
These duties create a culture where student privacy is a priority. Your staff is your first line of defense; a free phishing audit can reveal where they need more training.
A Deep Dive into Understanding Ohio Revised Code § 1347: Protecting Student Data

Let's examine the practical details of protecting student records under Ohio law.
Under ORC § 1347, "personal information" is defined broadly. It includes anything that describes a student and can be retrieved by their name or ID number. This covers:
- Basic Identifiers: Name, address, phone number, date of birth.
- Academic Details: Grades, test scores, attendance records, enrollment status.
- Sensitive Data: Social Security numbers (which have special protections), disciplinary records, health information, and biometric data.
If your school can look it up by student, it's likely personal information that must be protected. For a comparison with federal law, see our guide on All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.
How § 1347 Interacts with FERPA and the Ohio Public Records Act
Applying ORC § 1347 requires knowing how it fits with two other key laws:
- FERPA (Family Educational Rights and Privacy Act): This federal law sets the minimum privacy standard for all schools receiving federal funds. It protects student education records and gives parents rights of access and control.
- Ohio Public Records Act (Chapter 149): This law promotes government transparency but is balanced by privacy protections.
ORC § 1347 often provides stronger, more specific protections than FERPA. When laws overlap, schools must follow the stricter rule.
A critical update via House Bill 432 significantly changed the landscape. This legislation removed "directory information" from the public record definition, giving school boards greater discretion to decide whether to release student information to third parties like military recruiters or businesses.
However, the parental right to opt out remains absolute. Schools must honor any parent's request to withhold their child's directory information. This layered approach gives Ohio schools both the authority and responsibility to make thoughtful decisions about sharing student data. If you're concerned about staff awareness of these rules, a free phishing audit can identify training gaps.
Navigating Third-Party Vendors and Data Breaches

Schools rely on third-party technology vendors, but sharing data introduces risk. Understanding ORC § 1347 is critical for managing these relationships and responding when things go wrong.
New Rules for Technology Providers Under § 3319.326
Recent legislation, especially House Bill 432, created strict rules for EdTech vendors. Under Section 3319.326 - Ohio Revised Code, technology providers must:
- Comply with Chapter 1347 as if they were a school district.
- Acknowledge School Ownership of Data: All student records remain the property of the school district.
- Refrain from Selling or Commercializing Data: Vendors cannot sell student data or use it for marketing or advertising.
- Destroy Data After Contract End: All student records must be destroyed or returned within 90 days of a contract's termination.
- Include Contract Safeguards: Agreements must detail security measures and restrict unauthorized employee access.
- Notify Parents and Allow Inspection: Schools must inform parents about vendor contracts, and parents have the right to inspect those contracts.
Responding to a Data Breach Under § 1347.12
Even with strong protections, breaches can occur. Proactive measures, like a free phishing audit, can identify weaknesses before they're exploited. If a breach of unencrypted personal information happens, ORC § 1347.12 mandates a clear response:
- Definition: A breach is the unauthorized access and acquisition of computerized data that creates a material risk of identity theft or fraud.
- Notification Deadline: Schools must notify affected Ohio residents as quickly as possible, but no later than 45 days after discovery. Notification can only be delayed if requested by law enforcement for an investigation.
- Vendor Responsibility: If a vendor is breached, they must immediately inform the school district.
- Notification Methods: Notice can be written, electronic, or by phone. For large-scale breaches, public announcements may be used.
- Credit Agency Notification: If over 1,000 Ohio residents are affected, the school must also notify nationwide consumer reporting agencies.
The law emphasizes speed and transparency to help affected individuals protect themselves. For legal specifics, see the state's guidance on Agency Disclosure of Security Breach of Computerized Personal Information Data.
Practical Steps for Compliance and Protection
Complying with ORC § 1347 requires putting the law into practice with clear policies and a commitment from the entire school community. At CyberNut, we know that a strong "human firewall" built through training is the best defense for sensitive data.

For School Administrators: Implementing ORC § 1347
Administrators can turn legal requirements into action with these steps:
- Develop CPI Access Policies: Create written rules defining who can access Confidential Personal Information (CPI) and for what valid reasons, as required by ORC § 1347.15.
- Log and Monitor Access: Implement systems to log who accesses CPI and when, creating an essential audit trail.
- Provide Annual Notice of Vendor Contracts: Inform parents which vendors handle student data and how they can inspect the contracts.
- Conduct Regular Staff Training: Ongoing, engaging training on data privacy is critical. Human error is a top risk, and training strengthens your defenses. Explore our Data Security and Privacy Plan resources for a comprehensive approach.
- Appoint a Responsible Individual: Designate a person to oversee compliance for each data system.
- Limit Data Collection: Collect only the student data you truly need for educational purposes.
- Ensure Password Protection: Use strong, unique passwords for all systems containing electronic CPI.
For Parents: Your Role in Protecting Student Data
Parents are essential partners in data protection. Here’s how you can help:
- Know Your Right to Inspect Records: Under ORC § 1347.08, you can review your child's records and dispute any inaccuracies.
- Opt Out of Directory Information Release: Submit an annual request to your school if you do not want your child's directory information shared. Schools must honor this request.
- Ask About Technology Vendors: Inquire which companies handle your child's data and ask to see the school's contracts with them.
- Watch for Breach Notifications: If a breach occurs, the school must notify you within 45 days. Read these notices carefully.
- Get Records from Closed Schools: If a school closes, you can request records through state resources like the Obtaining Student Records from Closed Ohio High Schools page.
Frequently Asked Questions about ORC § 1347 and Student Data
Here are answers to common questions about ORC § 1347 and student data.
What is the biggest change for schools from recent amendments like HB 432?
The two most significant changes from House Bill 432 are:
- Greater Control Over Directory Information: Directory information is no longer automatically a public record. This gives school boards more discretion to decide whether to release it to third parties. However, schools must still honor a parent's request to withhold this information.
- Stricter Rules for Tech Vendors: Technology providers must now comply with ORC § 1347 just like a school district. This includes rules on data ownership, a ban on selling student data, and requirements for data destruction after a contract ends.
Can I see all the data a school has on my child?
Generally, yes. Under ORC § 1347.08, parents have the right to inspect their child's personal information, including academic and disciplinary records. However, there are limited exceptions. For example, certain psychological notes may only be released to a designated medical professional if direct disclosure is deemed potentially harmful. Confidential law enforcement investigatory records are also exempt.
What are the consequences for a school or its vendor violating the law?
Violations of ORC § 1347 can have serious consequences:
- Civil Actions: An individual harmed by a violation can sue the responsible agency for damages.
- Injunctions: Courts can order a school or vendor to stop unlawful data practices.
- Criminal Penalties: Knowingly violating the law can lead to criminal charges, ranging from a minor to a first-degree misdemeanor.
- Loss of Federal Funding: While not a direct penalty under ORC § 1347, major privacy violations often also break FERPA rules, which can lead to a loss of federal funds.
- Reputational Damage: A data breach can severely damage the trust between a school and its community.
Conclusion: Protecting Student Data Under ORC § 1347
Understanding and applying ORC § 1347 is a fundamental commitment to student well-being. This law, along with FERPA and recent amendments, creates a strong, multi-layered defense for student information, placing clear responsibilities on schools and their technology partners.
Protecting this data is a shared duty requiring diligence from administrators, engagement from parents, and commitment from vendors. The best defense is proactive: strong policies, secure technology, and a well-trained, cyber-aware staff. Human error remains a significant risk, which is why ongoing training is essential.
At CyberNut, our mission is to empower schools to build a resilient cybersecurity culture. We turn your staff into your strongest line of defense with engaging, low-touch awareness training focused on critical threats like phishing.
Take the first step toward a more secure school. Get a free phishing audit for your staff to find where your human defenses need strengthening. We also invite you to explore our full suite of resources to build a stronger cybersecurity culture in your district.