Amendments to the Student Online Personal Protection Act (“SOPPA”) are effective July 1, 2021, and require that Districts take certain actions on and after July 1:
- All agreements with Operators of online services and applications (marketed to and designed for K-12 educational purposes) that the District enters into, amends, or renews on or after July 1, 2021, must contain certain terms designed to protect student data. The Illinois standard data privacy agreement is found here: https://sdpc.a4l.org/agreements/IL_NDPA_V1a.pdf
- The District must post on its website:
  - A list of Operators with whom the District has an agreement, a copy of each agreement, a list of each Operator’s subcontractors (or a link to the Operator’s list of subcontractors), and the business address of each Operator;
  - An explanation of the student data the District collects, maintains, or discloses to any third party, how the District uses the data, to whom data is disclosed, and the purpose of the disclosure;
  - A list of breaches of student data that involve 10% or more of the District’s student enrollment; and
  - A description of parental rights to inspect student data, receive a copy of data, and request correction of factual inaccuracies. ISBE regulations regarding these parental rights are pending with the Joint Committee on Administrative Rules.
- The District must implement and maintain reasonable security measures that meet or exceed industry standards and are designed to protect student data from unauthorized access, destruction, use, modification, or disclosure. ISBE guidance regarding reasonable security measures is found
- The Board of Education must adopt a policy concerning compliance with SOPPA that designates which school employees are authorized to enter agreements with Operators.