Student Online Personal Protection Act (SOPPA)
The Student Online Personal Protection Act, or SOPPA, is the data privacy law that regulates student data collection and use by schools, the Illinois State Board of Education, and vendors that maintain student information.
On August 23, 2019, Illinois Governor J.B. Pritzker signed into law the Student Online Personal Protection Act of 2019 (SOPPA). Amending the previous version of SOPPA, this legislation gives parents greater control over student data, imposes new breach notification requirements, and regulates the collection and use of student data by schools, the Illinois State Board of Education, and education technology (EdTech) vendors. This new law goes into effect July 1, 2021.
SOPPA now imposes strict limits on the collection and use of student data. Data can only be collected by schools, the Illinois State Board of Education, or technology vendors for a purpose related to school activities. Once collected, student data cannot be used for any alternative non-school purpose — e.g. it cannot be sold or used for targeted advertising.
-------
Lockport SD 91 employs several different services and websites to help students gain the best education possible. As part of using those services and websites, certain "covered information" (Personally Identifiable Information) may need to be collected by the district and shared with those services or websites ("operators").
Any external vendors or operators are required by both state law and their contracts with the district to:
Below is an example of some data elements that may be collected:
Services and Applications utilized by the district
The following link will take you to the current services that the district uses throughout the school year. Written agreements for each operator are also provided.
https://sdpc.a4l.org/district_listing.php?districtID=6528
Parent and student rights
Requests for Covered Information (ISBE Policy Rule Part 380)
a. In accordance with any applicable federal regulations, a school must provide a student’s parent a paper or electronic copy of the student’s covered information, including any covered information maintained by an operator or the State Board, within 45 days of receiving a request for such information, as provided under subsection (b). If a parent requests an electronic copy of the student's covered information, the school must provide an electronic copy of that information, unless the school does not maintain the information in an electronic format and reproducing the information in an electronic format would be unduly burdensome to the school.
b. Each request under this Section must be submitted by a parent on a signed and dated request form that includes the parent’s name, address, phone number, student’s name, and the name of the school from which the request is being made.
(3) Request corrections of factual inaccuracies contained in the student's covered information. After receiving a request for corrections and determining that a factual inaccuracy exists, a school must do either of the following:
a) If the school maintains or possesses the covered information that contains the factual inaccuracy, correct the factual inaccuracy and confirm the correction with the parent within 90 calendar days after receiving the parent's request.
b) If the operator or State Board maintains or possesses the covered information that contains the factual inaccuracy, notify the operator or the State Board of the correction. The operator or the State Board must correct the factual inaccuracy and confirm the correction with the school within 90 calendar days after receiving the notice. Within 10 business days after receiving confirmation of the correction from the operator or State Board, the school must confirm the correction with the parent.
Data Breaches
The Lockport SD 91 will inform parents within 30 days after notice of a data breach involving student covered information. Vendors are to inform the district within 30 days of a breach according to their written agreement with the district. If requested in writing by law enforcement in order to not interfere with a criminal investigation, notification of a breach may be delayed.
Our notice to parents will include the following information:
Past data breaches affecting => 10% of students after July 1, 2021 will be listed below:
None
On August 23, 2019, Illinois Governor J.B. Pritzker signed into law the Student Online Personal Protection Act of 2019 (SOPPA). Amending the previous version of SOPPA, this legislation gives parents greater control over student data, imposes new breach notification requirements, and regulates the collection and use of student data by schools, the Illinois State Board of Education, and education technology (EdTech) vendors. This new law goes into effect July 1, 2021.
SOPPA now imposes strict limits on the collection and use of student data. Data can only be collected by schools, the Illinois State Board of Education, or technology vendors for a purpose related to school activities. Once collected, student data cannot be used for any alternative non-school purpose — e.g. it cannot be sold or used for targeted advertising.
-------
Lockport SD 91 employs several different services and websites to help students gain the best education possible. As part of using those services and websites, certain "covered information" (Personally Identifiable Information) may need to be collected by the district and shared with those services or websites ("operators").
Any external vendors or operators are required by both state law and their contracts with the district to:
- Operate with a legitimate educational interest
- Use covered information only for an authorized purpose and not re-disclose it to third parties or affiliates
- Delete all covered information if the information is no longer needed or covered by the written agreement
- Maintain reasonable security procedures and practices
- Provide notice to the school of any Data Breaches effecting student covered information.
Below is an example of some data elements that may be collected:
- Name
- Date of Birth
- Email ( School Email account)
- Address/Location
- Phone Number
- Socioeconomic Status
- Grades/Test Results
- Activities
- Medical Records
- Family Members
- Gender
- Race
- Photos
Services and Applications utilized by the district
The following link will take you to the current services that the district uses throughout the school year. Written agreements for each operator are also provided.
https://sdpc.a4l.org/district_listing.php?districtID=6528
Parent and student rights
- A student's covered information shall be collected only for K through 12 school purposes and not further processed in a manner that is incompatible with those purposes.
- A student's covered information shall only be adequate, relevant, and limited to what is necessary in relation to the K through 12 school purposes for which it is processed.
- The parent of a student enrolled in a school has the right to all of the following:
- Inspect and review the student's covered information, regardless of whether it is maintained by the school, the State Board, or an operator.
- Request from a school a paper or electronic copy of the student's covered information, including covered information maintained by an operator or the State Board.
Requests for Covered Information (ISBE Policy Rule Part 380)
a. In accordance with any applicable federal regulations, a school must provide a student’s parent a paper or electronic copy of the student’s covered information, including any covered information maintained by an operator or the State Board, within 45 days of receiving a request for such information, as provided under subsection (b). If a parent requests an electronic copy of the student's covered information, the school must provide an electronic copy of that information, unless the school does not maintain the information in an electronic format and reproducing the information in an electronic format would be unduly burdensome to the school.
b. Each request under this Section must be submitted by a parent on a signed and dated request form that includes the parent’s name, address, phone number, student’s name, and the name of the school from which the request is being made.
(3) Request corrections of factual inaccuracies contained in the student's covered information. After receiving a request for corrections and determining that a factual inaccuracy exists, a school must do either of the following:
a) If the school maintains or possesses the covered information that contains the factual inaccuracy, correct the factual inaccuracy and confirm the correction with the parent within 90 calendar days after receiving the parent's request.
b) If the operator or State Board maintains or possesses the covered information that contains the factual inaccuracy, notify the operator or the State Board of the correction. The operator or the State Board must correct the factual inaccuracy and confirm the correction with the school within 90 calendar days after receiving the notice. Within 10 business days after receiving confirmation of the correction from the operator or State Board, the school must confirm the correction with the parent.
Data Breaches
The Lockport SD 91 will inform parents within 30 days after notice of a data breach involving student covered information. Vendors are to inform the district within 30 days of a breach according to their written agreement with the district. If requested in writing by law enforcement in order to not interfere with a criminal investigation, notification of a breach may be delayed.
Our notice to parents will include the following information:
- The date, estimated date, or estimated date range of the breach.
- A description of the covered information that was compromised or reasonably believed to have been compromised in the breach.
- Information that the parent may use to contact the operator and school to inquire about the breach.
- The toll-free numbers, addresses, and websites for consumer reporting agencies.
- The toll-free number, address, and website for the Federal Trade Commission.
- A statement that the parent may obtain information from the Federal Trade Commission and consumer reporting agencies about fraud alerts and security freezes.
Past data breaches affecting => 10% of students after July 1, 2021 will be listed below:
None