SOPPA (Student Online Personal Protection Act)
Effective July 1, 2021, all school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies and that the data is used for beneficial purposes only. The list includes the online services or applications that the District uses, the contracts signed by the District, and any data collected by those tools or by the District. The District regularly updates and verifies applications and tools. For more information send inquiries to: firstname.lastname@example.org
DISTRICT REQUIREMENTS Below is a high-level overview of the new requirements. Please refer to the legislation for specific timelines and components of each element. School districts must:
1. Annually post a list of all operators of online services or applications utilized by the district.
2. Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.
3. Post contracts for each operator within 10 days of signing.
4. Annually post subcontractors for each operator.
5. Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.
6. Post data breaches within 10 days and notify parents within 30 days.
7. Create a policy for who can sign contracts with operators.
8. Designate a privacy officer to ensure compliance.
9. Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.
GCSD9 DATA PROTECTION AGREEMENT
GCSD9 STUDENT HANDBOOKS
Annual Notice to Parents about Educational Technology Vendors Under the Student Online Personal Protection Act School districts throughout the State of Illinois contract with different educational technology vendors for beneficial K-12 purposes such as providing personalized learning and innovative educational technologies, and increasing efficiency in school operations. Under Illinois’ Student Online Personal Protection Act, or SOPPA (105 ILCS 85/), educational technology vendors and other entities that operate Internet websites, online services, online applications, or mobile applications that are designed, marketed, and primarily used for K-12 school purposes are referred to in SOPPA as operators. SOPPA is intended to ensure that student data collected by operators is protected, and it requires those vendors, as well as school districts and the Ill. State Board of Education, to take a number of actions to protect online student data. Depending upon the particular educational technology being used, our District may need to collect different types of student data, which is then shared with educational technology vendors through their online sites, services, and/or applications. Under SOPPA, educational technology vendors are prohibited from selling or renting a student’s information or from engaging in targeted advertising using a student’s information. Such vendors may only disclose student data for K-12 school purposes and other limited purposes permitted under the law. In general terms, the types of student data that may be collected and shared include personally identifiable information (PII) about students or information that can be linked to PII about students, such as:
Basic identifying information, including student or parent/guardian name and student or parent/guardian contact information, username/password, student ID number
Assessment data, grades, and transcripts
Attendance and class schedule
Special indicators (e.g., disability information, English language learner, free/reduced meals or homeless/foster care status)
In-application performance data
Application metadata and application use statistics
Permanent and temporary school student record information
Operators may collect and use student data only for K-12 purposes, which are purposes that aid in the administration of school activities, such as:
Instruction in the classroom or at home (including remote learning)
Collaboration between students, school personnel, and/or parents/guardians
Other activities that are for the use and benefit of the school district
FERPA Notification (Family Educational Rights and Privacy Act)
The Family Educational Rights and Privacy Act (FERPA) and the Illinois School Student Records Act (ISSRA) afford parents/guardians and students over 18 years of age (eligible students) certain rights with respect to the student’s school records. They are:
The right to inspect and copy the student’s education records within 10 business days after the date the District receives a request for access.
The right to request the amendment of the student’s education records that the parent(s)/ guardian(s) or eligible student believes are inaccurate, irrelevant, or improper.
The right to permit disclosure of personally identifiable information contained in the student’s education records, except to the extent that the FERPA or ISSRA authorizes disclosure without consent.
The right to a copy of any school student record proposed to be destroyed or deleted.
The right to prohibit the release of directory information concerning the parent’s/ guardian’s child.
The right to request that military recruiters or institutions of higher learning not be granted access to your secondary school student’s name, address, and telephone numbers without your prior written consent.
The right contained in this statement: No person may condition the granting or withholding of any right, privilege or benefits or make as a condition of employment, credit, or insurance the securing by any individual of any information from a student’s temporary record which such individual may obtain through the exercise of any right secured under State law.
The right to file a complaint with the U.S. Dept. of Education concerning alleged failures by the District to comply with the requirements of FERPA.
The name and address of the Office that administers FERPA is:
U.S. Department of Education
400 Maryland Avenue, SW
Washington DC 20202-8520
Directory information may be disclosed without prior notice or consent unless the parent/guardian or eligible student notifies the Records Custodian or other official in writing, before October of the current school year, that he does not want any or all of the directory information disclosed. Directory information includes the student's name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended.
Links to policies pertaining to Student Data Privacy and Personally Identifiable Information (PII)
7:340 Student Records
7:345 Use of Educational Technologies; Student Data Privacy and Security