Student Data Privacy

EIASE takes the privacy of our student data seriously. The Student Online Personal Protection Act (SOPPA) went into effect on July 1, 2021, and we will use this page as an effort to maintain transparency with our effort to comply with the requirements outlined in that law.

What is SOPPA?

The Student Online Personal Protection Act, or SOPPA, is the data privacy law that regulates student data collection and use by schools, the Illinois State Board of Education, and education technology vendors.

On August 23, 2019, Illinois Governor J.B. Pritzker signed into law a new version of SOPPA that gives parents/ guardians greater control over student data. Among the changes is a new requirement to enact breach notifications that are available to the public.

SOPPA will also require Illinois school districts to provide additional guarantees that student data is protected when collected and that data is used for beneficial purposes only. The law is effective on July 1, 2021 (105 ILCS 85). You can read more about SOPPA here.

District Requirements

In order to be compliant, a district must:

  1. Annually post a list of all operators of online services or applications utilized by the district.

  2. Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.

  3. Post contracts for each operator within 10 days of signing.

  4. Annually post subcontractors for each operator.

  5. Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.

  6. Post data breaches within 10 days and notify parents within 30 days.

  7. Create a policy for who can sign contracts with operators.

  8. Designate a privacy officer to ensure compliance.

  9. Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.

Data Privacy Agreements (DPA)

EIASE is making use of the Student Data Privacy Consortium (SDPC) to maintain our DPAs. "The Student Data Privacy Consortium (SDPC) is an unique collaborative of schools, districts, regional, territories and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. The Consortium also leverages work done by numerous partner organizations but focuses on issues being faced by “on-the-ground” practitioners."

If you would like to read more about the SDPC, click here.

Through the SDPC we sign contracts with vendors who handle our student's data. If you would like to view our current list of DPAs, click here.