7:345 Protection of Student Personal Information Online

As authorized by state and federal law, the District may outsource institutional services or functions that involve the disclosure of education records/school student records to contractors, consultants, volunteers, and other third parties acting as “school officials” as defined by the Illinois School Student Records Act (ISSRA) and the Family Educational Rights and Privacy Act (FERPA).

Such school officials:

  • Perform institutional services or functions for which the District would otherwise use employees;
  • Are under the direct control of the District with respect to the use and maintenance of education records;
  • Only use personally identifiable information (PII) from education records for the purposes for which the disclosure was made and do not redisclose PII from education records without the District’s permission; and
  • Meet the criteria specified in the District’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records.

Some school officials and other technology vendors are operators of Internet websites, online services, online applications, or mobile applications that are designed, marketed, and primarily used for K-12 school purposes; these entities are defined as “operators” under the Illinois Student Online Personal Protection Act, 105 ILCS 85/ et seq. (SOPPA).

The use of such operators’ services and technologies may involve the creation or sharing of “covered information,” as defined by SOPPA, which means student PII or information linked to PII in any media or format that is not publicly available and is any of the following:

  1. created by or provided to an operator by a student or the student’s parent/guardian in the course of the student’s or parent/guardian’s use of the operator’s site, service or application;
  2. created by or provided to an operator by an employee or agent of the District; or
  3. gathered by an operator through the operation of its site, service, or application.

The sharing of covered information with operators must comply with all requirements of ISSRA, FERPA, and SOPPA.

The Board designates the Superintendent to serve as Privacy Officer, who shall ensure the District complies with the duties and responsibilities required of it under SOPPA, ISSRA, and FERPA, including, but not limited to, all requirements related to posting information about the use and disclosure of covered information, providing notice of a breach of covered information, and implementing and maintaining reasonable security procedures and practices.

The Privacy Officer designates which District employees are authorized to enter into written agreements with operators for those contracts that do not require separate Board approval. Such designation does not limit individual school employees outside of the scope of their employment from entering into agreements with operators on their own behalf and for non-“K through 12 school purposes,” as that term is defined in SOPPA, provided that no covered information is provided to the operators. Any agreement or contract entered into for K through 12 school purposes by an employee without designation by the Privacy Officer is void and unenforceable as against public policy.

LEGAL REF.: 20 U.S.C. §1232g, Family and Educational Rights and Privacy Act, implemented by 34 C.F.R. Part 99. 105 ILCS 10/, Ill. School Student Records Act. 105 ILCS 85/, Student Online Personal Protection Act.

CROSS REF.: 4:15 (Identity Protection), 4:60 (Purchases and Contracts), 6:235 (Access to Electronic Networks), 7:340 (Student Records)

ADOPTED: September 28, 2020

APPROVED: December 14, 2020