Federal and State Laws Protecting Student Data
The District is required by law to follow a variety of state and federal law and guidelines regarding the protection of student data, including the following:
Student Online Personal Protection Act (SOPPA)
On August 23, 2019, Illinois Governor J.B. Pritzker signed into law an amended version of the Student Online Personal Protection Act (SOPPA) (effective July 1, 2021) which is the data privacy law that regulates student data collection and use by schools, the Illinois State Board of Education (ISBE), and ed tech vendors. This amendment of SOPPA provides a variety of protections of student data as described below and gives parents more control over their student's data.
- External entities must protect student data, list student data used, describe the usage of student data, delete student data when no longer required, and report breaches of data. External entities are prohibited from selling, renting, leasing, trading student data, creating student profile, and targeting advertising to students.
- A school district must publish a list of data elements used, publish a list of vendor agreements, and publish parent’s rights of student data. A school district cannot sell, rent, lease or trade student data or share data with external entities without a signed agreement.
- The State Board of Education must publish a list of data elements used.
- Parents and guardians have the right to inspect, correct, and delete their child’s covered information, regardless of whether it is held by a district or a third-party operator.
Family Education Rights Privacy Act (FERPA)
The United States Department of Education guarantees that parents have the right to review and make changes to their children’s education records. FERPA also restricts who can use and access student information. FERPA provides parents with 4 basic rights:
- To inspect and review education records;
- To challenge the content of education records and to correct or delete inaccurate data;
- To control the disclosure of education records containing their child’s PII via consent;
- To file a complaint regarding noncompliance with FERPA with the Department of Education.
Children’s Online Privacy Protection Act (COPPA)
The Federal Trade Commission controls what information is collected from children under the age of 13 by companies operating websites, games, and mobile apps. It is specifically for website operators that collect information from children or operate a general audience website and have actual knowledge that personal information from children is being collected or have:
- Child targeted websites or those that have visual or audio content
- Child models
- Advertising directed to children
- Information regarding the age of the actual or intended audience
- Animated characters or other child-oriented features.
Health Insurance Portability and Accountability Act (HIPAA)
The United States Department of Health and Human Services prohibits the disclosure of protected health information to third parties without written authorization. HIPPA’s application to K12 schools is limited. Education records covered by FERPA are specifically excluded from the definition of protected health information. Schools are subject to HIPPA if they provide health services and electronically transmit “health information” for a reason specifically listed in the rule.