Virginia SB 190 Imposes New Data Security Requirements on Nonprofits Serving Public Schools
Virginia Senate Bill 190, introduced in the 2026 legislative session, imposes significant new requirements on nonprofit organizations seeking to provide student support programs to public school students . The bill addresses growing concerns about student personal information and data security as more nonprofit organizations partner with school districts to deliver services.
Overview of SB 190
The bill requires any nonprofit organization seeking to provide student support programs to students enrolled in a public elementary or secondary school to register and maintain status as a certified student support agency . This certification is required before a nonprofit can begin providing services to students.
Certification Requirements
To register and maintain status as a certified student support agency, nonprofit organizations must meet several requirements relating to the protection of student personal information . These include requirements relating to policies, procedures, and protocols for:
The collection of student personal information
The use and maintenance of student personal information
The disclosure of student personal information
The disposal of student personal information
Handling any data breach or unauthorized disclosure
Department of Education Oversight
The bill requires the Virginia Department of Education to administer and oversee the certification of certified student support agencies . The Department is responsible for:
Developing a model memorandum of understanding for each student support agency and school board establishing authorizations and limitations relating to the transmission, collection, and use of student personal information
Establishing and administering a grant program for student support agencies for data security upgrades, training for staff, and third-party audits
Establishing and administering compliance monitoring and enforcement mechanisms and subsequent penalties for noncompliance
Conducting a regular audit of a certain percentage of registered student support agencies to ensure compliance and establishing provisions relating to consequences for failure of the audit
MOU Requirements
The bill requires each certified student support agency and school board to execute a memorandum of understanding in accordance with the model memorandum of understanding developed by the Department .
Implications for Virginia Nonprofits
Nonprofits that provide student support programs—including after-school programs, counseling services, tutoring, mentoring, and other student services—should prepare to comply with these new requirements. Key action steps include:
Reviewing current data security policies and procedures
Updating policies to meet the bill’s requirements
Preparing to complete the certification process
Budgeting for potential data security upgrades and training
Monitoring Department of Education guidance on the model MOU
Data Security Best Practices for Nonprofits
Even before the bill takes effect, nonprofits serving students should implement strong data security practices:
Encrypt all student data both in transit and at rest
Limit access to student information on a need-to-know basis
Train staff on data privacy and security protocols
Maintain an incident response plan for data breaches
Document all data collection, use, and disclosure practices
Virginia Nonprofit Data Security Resources
The Virginia Department of Education will provide guidance as the certification program is implemented. Nonprofits should also review Virginia’s data breach notification laws .
At Nova Tax & Accounting Services , our consulting services can help nonprofit organizations review and strengthen their data security policies and prepare for new compliance requirements. Schedule your free consultation to discuss your organization’s needs.