Student Online Personal Protection Act (SOPPA)
Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85).
Click Here to view District 214's Approved Online Resource List
What is SOPPA?
SOPPA is a state law that governs and protects the privacy and security of student data when it is shared with and collected by educational technology companies. SOPPA regulates these companies that provide web-based sites, services, online and mobile applications that are used primarily for K to 12 purposes.
SOPPA also places responsibilities on school districts, including requiring data-sharing agreements with many of these companies. SOPPA also gives parents certain rights when it comes to their children’s data.
How Does the District Comply with SOPPA?
SOPPA requires that all companies that design, develop, and market technology specifically for K-12 education with which the District shares covered information as defined by SOPPA must sign a Data Sharing Agreement that outlines what data is being shared, the purpose of collecting the data, and how the data will be used and protected. Further, such agreements include attestations from the vendors as to their efforts to secure such information and specific requirements to respond should a data breach occur.
Data Sharing Agreements between the District and qualifying companies are stored and available to review through the District 214 approved vendor list. In addition to the approved vendor list, D214 is part of the Illinois Student Privacy Alliance Consortium. The Consortium creates a webpage that lists the agreements, to which the District provides links for students and parents from its website. As part of the listing process, the Consortium also extracts the data elements that the vendor has indicated may be part of the data accessed by their software and makes that list available on the website it creates. You can see all the outside agreements with the District vendors and the data elements subject to being shared with each vendor on the web page that the Consortium has created here.
The District has also adopted a SOPPA policy that governs the district’s implementation of SOPPA and identifies who at the district can enter into data-sharing agreements with vendors.
Finally, the District always uses robust security measures to protect the student data in its care.
How Can Parents View and Correct Student Data?
Parents may request to inspect and review their student’s covered information. Requests for reviewing records must be made in writing and include the date of the request, the parent’s name, address, phone number, student’s name, and the name of the school from which the request is being made. Parents will be required to provide proof of identity and relationship to the student before access to the covered information is granted. If the covered information you request includes your child’s school student records, the District will permit you to inspect and review any school student records of your child in accordance with the District’s procedures for student records requests.
The District shall provide an electronic copy of the records within 45 days of receiving a request for the covered information. A parent may make a request to review and receive copies of covered information no more than two requests per student per quarter.
Parents may request corrections of factual inaccuracies contained in their student’s covered information. If the covered information you are requesting be corrected includes your child’s school student records, the District will follow its procedures for amendment of student records with respect to those school student records. The District will review the request, determine if an inaccuracy exists and if so, will make any necessary corrections within 90 days of the request. If the correction needs to be made by the Illinois State Board of Education or a District’s vendor, any necessary corrections will also be made within 90 days of the request and the District will notify the parent of any necessary corrections within 10 days after receiving confirmation of the corrections.
If a parent requests the deletion of any covered information, the District will review the request to determine whether such a deletion would violate the law or result in the student being unable to participate in the District’s curriculum.
What Happens if Data is Breached?
In the unlikely situation that a vendor experiences a potential data breach, the District will be notified. After receiving notice of a potential breach, we will evaluate the report and if confirmed, provide notifications to parents. Information on any breach that impacts more than 10% of our students will be publicly displayed.
The District will also notify parents and post information in the event the District’s data systems are breached.
Note: A notice of breach may be delayed if a law enforcement agency determines that the notification will interfere with a criminal investigation. If you would like more information on SOPPA, please contact firstname.lastname@example.org