SOPPA INFORMATION

What is SOPPA?

The Student Online Personal Protection Act, or SOPPA, is the data privacy law that regulates student data collection and use by schools, the Illinois State Board of Education, and PHSD #133 vendors.

DISTRICT REQUIREMENTS

Below is a high-level overview of the new requirements. Please refer to the legislation for specific timelines and components of each element. School districts must:

  1. Annually post a list of all operators of online services or applications utilized by the district.

  2. Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.

  3. Post contracts for each operator within 10 days of signing.

  4. Annually post subcontractors for each operator.

  5. Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.

  6. Post data breaches within 10 days and notify parents within 30 days.

  7. Create a policy for who can sign contracts with operators.

  8. Designate a privacy officer to ensure compliance.

  9. Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.


Family Educational Rights and Privacy Act (FERPA)

FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds from the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.


Children’s Online Privacy Protection Act (COPPA)

The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.


Children’s Internet Protection Act (CIPA)

CIPA was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program.

Protection of Pupil Rights Amendment (PPRA)

PPRA is intended to protect the rights of parents and students in two ways:

  • It seeks to ensure that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate; and

  • It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals certain information.

PPRA applies to programs that receive funding from the U.S. Department of Education.

SDPC Database Tool

SOPPA requires that school districts:

  • Enter into written agreements with all K-12 service providers who collect student data. Covered data includes, but is not limited to: information in the student's educational record, first/last name, address, phone number, email address, grades, test results, socioeconomic information, photos, search activity, voice recordings, geolocation information, and more.

  • Implement and maintain reasonable security practices. Student data is protected through comprehensive privacy policies and security measures such as firewalls, secure servers, intrusion detection software, and other methods. Written agreements with vendors require that the vendor also maintains security procedures.

  • Post a list of operators. This list will include the data elements shared, the written agreements/contracts with each operator (posted within 10 days of signing), and the subcontractors for each operator.

District Data Privacy Officer

Federal and State law govern the protection of student data, including school student records and/or covered information. The sale, rental, lease, or trading of any school student records or covered information by the District is prohibited. Protecting such information is important for legal compliance, District operations, and maintaining the trust of District stakeholders, including parents/guardians, students and staff. The Board designates the IT Director to serve as Privacy Officer, who shall ensure the District complies with the duties and responsibilities required of it under the Student Online Personal Protection Act, 105 ILCS 85/, amended by P.A. 101-516, eff. 7-1-21.

District-approved Web-based Tools/Applications and Written Agreements

PHSD #133 values your child's privacy and strives to ensure that parents/guardians are aware of which web-based tools and applications are being used for educational purposes. A list of PHSD #133 approved web-based tools, written agreements with operators, and a list of data elements shared can be found HERE (Current list is under construction).

Parent/Guardian Rights

Parents/guardians have the right to inspect, review, and correct information maintained by the school, operator, and the Illinois State Board of Education. All requests should be directed to the Superintendent by using the following email address: czizekc@prairiehill.org.

Data Breaches

In the event of a data breach, the District will notify parents/guardians via district communication systems within 30 days of the data breach, and within 60 days if a third party is responsible for the data breach.