Student Data and Online Privacy
-
D300 - COPPA - List of Websites & Apps with Links to their Privacy Policies
In order to create accounts for our students on these tools and applications, we must comply with federal regulations requiring parental consent, including the Children’s Online Privacy Protection Act (COPPA). Pursuant to COPPA, web-based tools and applications must notify parents and obtain verifiable parental consent before collecting personal information from children under 13 years of age.
Click here to view list of Web Apps and the privacy policy.
Student Online Privacy Protection Act (SOPPA)
District 300 is a member of the Illinois Student Privacy Alliance.
Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85).
SOPPA applies to all Illinois school districts, the Illinois State Board of Education, and operators of online services and applications.
Below is a high-level overview of the new requirements.
School districts must:
- Enter into written agreements with all K-12 service providers who collect student data. You can find all written agreements by clicking here.
- Implement and maintain reasonable security practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.
- Post on their website:
- A list of all operators of online services or applications utilized by the district (annually).
- All data elements that the school collects, maintains or discloses to any person, entity, third party, or governmental agency (annually). 105 ILCS 85/27(a)(1), added by P.A. 101-516, eff. 7-1-21. This information must also explain how the school uses the data, and to whom and why it discloses the data.
- Data elements can be found by hovering over the image on the far right (Under Data) of each operator listed:
- Contracts for each operator within 10 days of signing. See above.
- Subcontractors for each operator (annually). See above.
- The process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE. Parents can contact privacy@d300.org if they wish to inspect, review, or correct information held in D300 databases.
- Data breaches within 10 days and notify parents within 30 days. Should a data breach occur, parents will be notified via the Blackboard notification system and a list of breaches of covered information maintained by the school or operator involving 10% or more of the District's student enrollment will be posted on this page, including:
- Number of students whose covered information was involved in the breach, unless the breach involved personal information as defined in the Personal Information Protection Act, 815 ILCS 530/5, in which case the number of students involved may not be disclosed.
- Date, estimated date, or estimated date range of each breach
- Name of the operator, in applicable
- Per 105 ILCS 85/27(a)(5), added by P.A. 101-516, eff. 7-1-21. The District must update breach information by Jan. 31 and July 31 each year, and it must remain on the District's website for at least five years after the District adds it to the list.
- Create a policy for who can sign contracts with operators. See Board Policy 7:345.
Breaches
None have been reported.