Student Data Privacy (SOPPA) | ROE 41 for CEO/ETC

Student Data Privacy; Notice to Parents About Educational Technology Vendors  acrobatsymbol2

Notice to Parents/Guardians and Students of Their Rights Concerning a Student’s School Records acrobatsymbol2

Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85).

DISTRICT REQUIREMENTS Below is a high-level overview of the new requirements. Please refer to the legislation for specific timelines and components of each element. School districts must:

1. Annually post a list of all operators of online services or applications utilized by the district.
2. Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.
3. Post contracts for each operator within 10 days of signing.
4. Annually post subcontractors for each operator.
5. Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.
6. Post data breaches within 10 days and notify parents within 30 days.
7. Create a policy for who can sign contracts with operators.
8. Designate a privacy officer to ensure compliance.
9. Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.

Important Data Privacy Laws

Family Educational Rights and Privacy Act (FERPA)
Children’s Online Privacy Protection Act (COPPA)

Governs information in a student’s education record, restricting access and use of student information.

Restricts the collection of personal information from children under 13 by companies operating websites, games, mobile applications, and digital services that are directed to children or that collect personal information from individuals known to be children.
Student Online Personal Protection Act (SOPPA)
Children’s Internet Protection Act (CIPA)

Guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only.

Imposes certain requirements on schools that utilize the federal E-Rate program to receive discounts for internet access and other technology services, or that receive federal grants for other technology expenses.

What is SOPPA?
 

What happens to the student data that we send to a third party vendor? Information like names, birthdates, etc... may be provided by ROE 41 to a third party like IXL, NWEA MAP, etc... What protections do those companies have in place to make sure that our student's data is not sold or freely given to others? This is exactly what SOPPA looks to address.


As part of SOPPA, these companies must enter into Data Privacy Agreements (DPA) with each district they work with. These agreements outline what data is stored, how it is protected, what the company can and cannot do with that data, and what they will do in the event of a data breach.

Family Educational Rights and Privacy Act (FERPA)

FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds from the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

Children’s Online Privacy Protection Act (COPPA)

The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Read more

Children’s Internet Protection Act (CIPA)

CIPA was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program. Read more

Protection of Pupil Rights Amendment (PPRA)

PPRA is intended to protect the rights of parents and students in two ways:

It seeks to ensure that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate; and

It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals certain information.

PPRA applies to programs that receive funding from the U.S. Department of Education. Read more about PPRA HERE.

The web based software Privacy Policies of the companies used at CEO/ETC:

Study Island (Edmentum) Carnegie Learning
 Edgenuity
 Embrace
Skyward GimKit Kami Kahoot
Nearpod Science Journal KHAN Academy Quizlet
Quizizz Flipgrid GAFE (Google workspace for education)
Note: With the Following Restrictions: Vendor will be
converted to a standard DPA if they choose to sign a
SOPPA agreement. The district will continue to utilize
Google services regardless of the vendor's decision.		 Microsoft
Note: With the Following Restrictions: Vendor will be
converted to a standard DPA if they choose to sign a
SOPPA agreement. The district will continue to utilize
Google services regardless of the vendor's decision.

In the state of Illinois districts can "piggy back" on the agreements secured by other districts. That is what we have done with our agreements as well. If you would like to view the DPAs (Data Privacy Agreements) that Madison County ROE 41 current utilizes, please click the following link HERE. (Please note that you may see other districts' names on the title pages of these DPAs.)

Links:

Data Breach Details: ROE 41 will post details here about data breaches involving 10% or more of the District's students, including the number of students whose covered information was involved in the breach, date of breach (or estimate) and operator name.