Shiloh CUSD #1 Student Online Privacy Protection Act

LEGISLATION BRIEF

Student Online Personal Protection Act (SOPPA)

EXECUTIVE SUMMARY

Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85).

SOPPA applies to all Illinois school districts, the Illinois State Board of Education, and operators of online services and applications. 

DISTRICT REQUIREMENTS

Below is a high-level overview of the new requirements. Please refer to the legislation for specific timelines and components of each element.

School districts must:

  1. Enter into written agreements with all K-12 service providers who collect student data. 

  2. Implement and maintain reasonable security practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.

  3. Post on their website: 

    1. A list of all operators of online services or applications utilized by the district (annually). 

    2. All data elements that the school collects, maintains, or discloses to any entity (annually). This information must also explain how the school uses the data, and to whom and why it discloses the data.

    3. Contracts for each operator within 10 days of signing.

    4. Subcontractors for each operator (annually).

    5. The process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.

    6. Data breaches within 10 days and notify parents within 30 days.

      Create a policy for who can sign contracts with operators.

Although not required by law, school districts will also need to undertake the following to meet the above requirements

  1. Provide teachers with the list of online operators that are safe and approved for use.

  2. Develop a process for keeping data inventory up-to-date.

IMPACT

All digital resources that collect student data will need to be reviewed, approved, and have a data privacy agreement in place prior to use. 

COVERED DATA 

SOPPA affects personally identifiable information (PII), material that is linked to PII, and material in any media or format that is not publically available and is any of the following:

  • Created by or provided to an operator by a student or the student's parent in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K-12 school purposes.

  • Created by or provided to an operator by an employee or agent of a school or school district for K-12 school purposes.

  • Gathered by an operator through the operation of its site, service, or application for K-12 school purposes and personally identifies a student, including, but not limited to:

  • Information in the student’s educational record

  • First and last name

  • Home address

  •  Telephone number

  • Email address

  • Information that allows physical or online contact

  • Grades

  • Discipline records

  • Test results

  • Special Education data

  • Evaluations

  • Personal characteristics

  • Socioeconomic information

  • Juvenile dependency records

  • Criminal records

  • Medical records

  • Food purchases

  • Political affiliations

  • Religious information

  • Geolocation information

  • Photos

  • Documents

  • Text messages

  • Search activity

  • Voice recordings

 Family Educational Rights and Privacy Act (FERPA)

FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds from the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

Children’s Online Privacy Protection Act (COPPA)

The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Read more

Children’s Internet Protection Act (CIPA)

CIPA was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program. Read more

Protection of Pupil Rights Amendment (PPRA)

PPRA is intended to protect the rights of parents and students in two ways:

  • It seeks to ensure that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate; and

  • It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals certain information.

PPRA applies to programs that receive funding from the U.S. Department of Education. Read more

District-approved Web-based Tools/Applications and Written Agreements

Shiloh CUSD #1 values your child's privacy and strives to ensure that parents/guardians are aware of what web-based tools and applications that are being used for educational purposes. A list of Shiloh CUSD #1 approved web-based tools, written agreements with operators, and a list of data elements shared can be found here: https://sdpc.a4l.org/district_listing.php?districtID=5933 

Parent/Guardian Rights

Parents/guardians have the right to inspect, review, and correct information maintained by the school, operator, and the Illinois State Board of Education. All requests should be directed to the SOPPA Officers by using one of the following email address: weber-hallj@shiloh1.org or barrya@shiloh1.org 

Data Breaches

In the event that there is a data breach, the District will notify parents/guardians via district communication systems within 30 days of the data breach and within 60 days if a third-party is responsible for the data breach.

District Services and Applications

Services and Applications utilized by the district:

Shiloh CUSD #1 uses several pieces of software and websites to help students gain the best education possible. The following link will take you to those current services that the district uses throughout the school year. Contract information on each service is also provided. 

https://sdpc.a4l.org/district_listing.php?districtID=5933

Personally Identifiable Information (PII) which the district may collect in regards to teaching services utilized by the district. ( Not all items listed may be collected or used by the district)

  • Name

  • Email ( School Email account)

  • Address/Location

  • Phone Number

  • Socioeconomic Status

  • Grades/Test Results

  • Medical Records

  • Family Members

  • Gender

  • Race

  • Photos

  • Date of Birth

  • State or District ID number

  • Guardian Request for Student Data Removal:

 In accordance with any applicable federal regulations, a school must provide a student’s parent a paper or electronic copy of the student’s covered information,  including any covered information maintained by an operator or the State Board, within 45 days of receiving a request for such information, as provided under subsection (b). 

a) If a parent requests an electronic copy of the student's covered information, the school must provide an electronic copy of that information, unless the school does not maintain the information in an electronic format and reproducing the information in an electronic format would be unduly burden some to the school.

b) Each request under this Section must be submitted by a parent on a signed and dated request form that includes the parent’s name, address, phone number, student’s name, and the name of the school from which the request is being made. A school that receives a request under this Section must require a parent to provide proof of identity and relationship to the student before access to the covered information is granted.

c) If covered information requested by a parent under this Section includes data on more than one student, the parent may inspect and review only the covered information relevant to the parent’s student.

d) A parent may make no more than one request under this Section per State fiscal quarter.

 Cost for Copies

a) A school may not charge a parent for an electronic copy of a student’s covered information.

b) If a parent requests a paper copy of a student’s covered information, a school may charge the parent the actual cost for providing a copy of such information, provided that the cost charged shall not exceed $0.35 per page. No parent shall be denied a requested paper copy of covered information due to the parent’s inability to bear the cost of the copying.

Parents or Guardians who would like to request that some or all of student data is removed can initiate the process by emailing barrya@shiloh1.org or weber-hallj@shiloh1.org.


Student Privacy Policies: