Actor | Action |
Superintendent or Designee or Privacy Officer | Establishes an Educational Technology Committee (Ed Tech Committee) to operate as a Superintendent committee for the purposes of: (1) evaluating the use of specific online applications and other educational technologies within the District, (2) establishing a list of applications or other services approved for use within the District, (3) developing a process for the approval of online sites, applications, or services not already approved for District use which staff members may wish to use, and (4) supporting the District’s submission of an annual report to the Ill. State Board of Education (ISBE) regarding educational technology capacities and policies. See 2:150-AP, Superintendent Committees. Consider including:
Head of Information Technology (IT) Other district-level administrators, such as Curriculum Director, Student Services Director, Business Manager Building Principals Teachers Note: This procedure establishes an administrative committee. The administrative committee centralizes the local decision-making process regarding the use of educational technologies in a district, which in turn should help districts comply with the provisions of SOPPA governing the use of covered information by operators, contractual requirements, and security standards. Informs the School Board of the Ed Tech Committee’s progress. Makes recommendations to the Board about operator contracts, as needed and in alignment with Board policy 7:345, Use of Educational Technologies; Student Data Privacy and Security. Designates which District employee(s) are authorized to enter into written agreements with operators when prior board approval of the contract is not otherwise required by Board policy 4:60, Purchases and Contracts, and list them below:
________________________ _______________________ Employee Title Employee Title
________________________ _______________________ Employee Title Employee Title
Assigns the following activities to the Head of IT and the Records Custodian: Develop and maintain a protocol to manage parent requests for copies (electronic and paper) of students’ covered information. Develop and maintain a protocol to manage parent requests for corrections to factual inaccuracies contained in a student’s covered information. Develop and maintain a protocol to manage parent requests for deletion of a student’s covered information maintained by an operator. Ensures that the parent of any student whose covered information was involved in a breach is provided with a breach notification letter no later than 30 calendar days after the District determines a breach has occurred or has been notified by an operator of a breach, unless an appropriate law enforcement agency has requested in writing that the District not provide breach notifications because doing so would interfere with a criminal investigation. See 7:345-AP, E3, Parent Notification Letter for Student Data Breach. As appropriate, notifies the District’s liability carrier of any third party claims made against the District regarding a data breach. Consults with the Board Attorney for guidance as needed to ensure the District complies with the provisions of SOPPA.
|
Head of IT or Privacy Officer | Implements and maintains reasonable cybersecurity practices to protect covered information, such as technical, administrative, and physical safeguards that are consistent with (ISBE) guidance, at: isbe.net/Pages/Educational-Technology.... and 6:235-AP1, Acceptable use of the District’s Electronic Networks. Coordinates with the Superintendent to implement any staff training on such practices. Coordinates with the Business Manager regarding any recommendations for purchases of equipment or software related to cybersecurity. Creates, maintains, and regularly updates an internal inventory of all Internet websites, online services, online applications, and mobile applications that are being used in the District for K-12 purposes. Note: The inventory does not need to include general audience websites, online services, online applications, or mobile applications, even if login credentials are required to access the general audience sites, services, or applications.
The inventory list should include the following, and any other information deemed pertinent: Name of Operator Contract term and expiration/renewal date K-12 purpose for which the online service, application, etc. is being used (e.g., curriculum content area and grade level(s)) A listing of the data element of covered information that the District collects, maintains, or discloses to the operator. A layperson explanation of the data elements listed for each operator including how the district uses the information, to whom or what entities it discloses the information, and for what purpose(s) the information is used. Ensures the following information is posted on the District’s website and updated (if needed) by Jan. 31 and July 31 each year (105 ILCS 85/27(a). (See 7:345-AP, E1, Student Covered Information Reporting Form): A list of operators with which the District has written contracts. 105 ILCS 85/27(a)(2). Copies of the District’s written contracts with operators, with redactions as permitted by State law and mutually agreed upon between the District and operators. 105 ILCS 85/27(a)(2). Business address of each operator. 105 ILCS 85/27(a)(2). For each operator, a list of any subcontractors to whom covered information may be disclosed or a link to a page on the operator’s website that clearly lists that information. 105 ILCS 85/27(a)(3). An explanation that is clear and understandable by a layperson, of the following (105 ILCS 85/27(a)(1)): The data elements of covered information that the District collects, maintains, or discloses to any person, entity, third party, or governmental agency. To whom or to what entities the covered information is disclosed. How the covered information is used. The purpose of the disclosure of the covered information. For breaches involving 10% or more the District’s enrolled students, a list of any breaches of covered information maintained by the District or by an operator that includes the following information (105 ILCS 85/27(a)(5) The number of students whose covered information was involved in the breach, unless the breach involves the personal information of students, as defined by the Personal Information Protection Act, 815 ILCS 530/10. Personal information means either:
1. A student’s first name or first initial and last name in combination with any one or more of his or her (a) social security number, (b) driver’s license number or State ID card number, (c) financial account information (with any required security codes or passwords), (d) medical information, (e) health insurance information, and/or (f) unique biometric data or other unique physical or digital representation of biometric data, when either the name or data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired through the breach of security; or 2. A student’s username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the username or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted, but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security. A written description of the procedures a parent may use to carry out their rights to: (1) inspect and review his/her child’s covered information; (2) request electronic or paper copies of his/her child’s covered information and (3) request corrections to his/her child’s inaccurate covered information under SOPPA. 105 ILCS 85/27(4), See 7:345-AP, E4, Notice of Parent Rights Regarding Student Covered Information. Posts on the District’s website any new operator contracts within 10 business days of the District entering into the contract, along with the information required in items 3.a. through 3.e. listed immediately above. 105 ILCS 85/27(c) Promptly notifies the Superintendent of any breach of covered information or other personal information of students so that appropriate notices can be provided.
|
Business Manager or Privacy Officer | Assists Head of IT in creating, maintaining, and updating the internal inventory list referenced in the row above. Reviews operator contracts (including electronic agreements, click wrap agreements, or other terms and conditions a user must agree to before using the product or service) before approval to ensure they contain the provisions required by SOPPA (this can also be accomplished through the Business Manager’s participation in the Committee described above).
The following provisions are required for contracts entered into, renewed, or amended as of 7-1-21, if the operator is seeking in any manner any covered information from the District (105 ILCS 85/15(4) and 85/27(e),: A listing of the categories or types of covered information to be provided to the operator. A statement of the product or service being provided to the District by the operator. A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974 (FERPA), the operator (1) is acting as a school official with a legitimate educational interest, (2) is performing an institutional service or function for which the District would otherwise use employees, (3) is under the direct control of the District, with respect to the use and maintenance of covered information, (4) is using the covered information only for an authorized purpose and (5) may not re-disclose covered information to third parties without the District’s permission or pursuant to a court order. A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the District in investigating and remediating the breach will be allocated between the operator and District. The costs and expenses may include, but are not limited to: (1) providing notification to parent of those students whose covered information was compromised and to regulatory agencies or other entities as required by law or contract, (2) providing credit monitoring to those students whose covered information was exposed in a manner during the breach that a reasonable person would believe that it could impact his or her credit or financial security, (3) legal fees, audit costs, fines, and any other fees or damages imposed against the school as a result of the security breach; and (4) providing any other notifications or fulfilling any other requirements adopted by the ISBE or of any other State or federal laws A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement and to specify the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the written agreement. If the District maintains a website, a statement that the District must publish the written agreement on the District’s website. If the school does not maintain a website, a statement that the District will make the written agreement available for inspection by the general public at its administrative office. A provision requiring the operator to implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. As permitted by State law, obtains the operator’s agreement regarding what provisions, if any, of the contract will be redacted in the copy that is posted on the District’s website. Items 2.a, 2.b, and 2.c in the list immediately above may NOT be redacted in the posted copy. Ensures that the District also has written agreements in place that include the provisions listed in #2 above whenever it shares, transfers, discloses, or provides access to a student’s covered information to an entity or individual, other than the student’s parent, school personnel, Board members, or ISBE, unless the disclosure or transfer is (1) required by court or State or federal law or (2) to ensure legal or regulatory compliance. 105 ILCS 85/26(2). With the authorization of the Superintendent, consults with the Board Attorney as needed for contract review. Provides a copy of all operator contracts to the Head of IT for posting on the District’s website.
|
Head of IT and Records Custodian or Privacy Officer | Develops and maintains a protocol to manage parent requests to inspect and review their child’s covered information, whether it is maintained by the District, ISBE, or an operator. 105 ILCS 85/33(c)(1). If the covered information is a school student record, then follow the procedures and timelines for responding to student record requests in 7:340-AP1, School Student Records. Develops and maintains a protocol to manage parent requests for copies (electronic and paper) of students’ covered information. Align the protocol with the following requirements (105 ILCS 85/33(c)(2): A parent must submit the request on a signed and dated form that includes the parent’s name, address, phone number, and the student’s name, and the school from which the request is being made. 23 Ill.Admin.Code §380.20(b). See 7:345-AP, E5, Parent Request Form for Student Covered Information. The District must provide the parent with a copy of the student’s covered information within 45 days of receipt of the request. 23 Ill.Admin.Code §380.20(a). If the parent requests an electronic copy of the student’s covered information, the District must provide an electronic copy of the information at no cost, unless the District does not maintain it in an electronic format and reproducing the information in an electronic format would be unduly burdensome to the District. 23 Ill.Admin.Code §380.20(a), 380.30(a). If the parent requests a paper copy of the student’s covered information, after providing the first 50 pages at no cost, the District may charge the parent the actual cost of copying not to exceed $0.15 per page. However, the parent may not be denied a copy of the information due to the parent’s inability to pay the cost of copying. 23 Ill.Admin.Code §380.30(b). A parent may make no more than two requests per student per fiscal quarter. 23 Ill.Admin.Code §380.20(d), 380.30(a). If the covered information requested includes data on more than one student, the parent may inspect and review only the covered information relevant to the parent’s child. If the covered information is a school student record, then follow the procedures and timelines for responding to student record requests in 7:340-AP1, School Student Records. Develops and maintains a protocol to manage parent requests for corrections to factual inaccuracies contained in a student’s covered information. See 7:345-AP, E6, Parent Request Form for Correction of Student Covered Information. Aligns the protocol with the following requirements (105 ILCS 85/33(c)(3): The District must determine whether the factual inaccuracy exists. If the District determines that a factual inaccuracy exists, and the District maintains or possesses the covered information, it must correct the inaccuracy and confirm the same with the parent within 90 calendar days after receiving the parent’s request. If the District determines that a factual inaccuracy exists and an operator or ISBE maintains or possesses the information, the District must notify the operator or ISBE of the factual inaccuracy and correction to be made. The operator or ISBE must confirm the correction with the District within 90 calendar days after it receives the District’s notice. The District must then confirm the correction with the parent within 10 business days after receiving confirmation of the correction from the operator or ISBE. If the covered information is a school student record, and the parent requests a hearing to challenge the accuracy of the record(s), follow the procedures and timelines in 7:340-AP1, School Student Records. Develop and maintain a protocol to manage parent requests for deletion of a student’s covered information maintained by an operator. Align the protocol with the following requirements: Deny the request if granting it would result in a violation of the Ill. School Student Records Act or other records laws, such as the deletion of a school student record (temporary or permanent) that the District is required by law to maintain for a certain period of time. 105 ILCS 85/27(g). Consider denying the request if granting it would effectively result in the student being unable to participate in all or a portion of the District’s curriculum through the site, service, or application being used.
|
Building Principal(s) or Privacy Officer | Ensures that parents are provided with 7:345-AP, E2, Student Data Privacy; Notice to Parents About Educational Technology Vendors, at the beginning of each school year through distribution of school handbooks or other means generally used by the building to provide such notices to parents. 105 ILCS 85/28(e) Promptly communicates any parent requests for copies of, corrections to, or deletion of students’ covered information to the Records Custodian and Head of IT.
|
Staff Members | Participate in any District-required trainings on the privacy and security of student data. Refrain from using any new online sites, services, or applications that collect any student data or covered information that have not be pre-approved for use by the District. Be familiar with and abide by policy 6:235, Access to Electronic Networks, and 6:235-AP1, Acceptable Use of the District’s Electronic Networks.
|
K-12 Data Privacy and Cybersecurity Resources: K-12 Data Privacy and Cybersecurity Resources: isbe.net/Pages/Educational-Technolgy/a... studentprivacy.ed.gov/
tech.ed.gov/infrastructure/ ltcillinois.org/focus/data-privacy/ cisa.gov/protecting-our-future-cyberse... studentprivacycompass.org k12six.org
cosn.org/edtech-topics/student-data-pr... cosn.org/ProtectingPrivacy
Attai, Linnette. Student Data Privacy: Building a School Compliance Program. (Rowman & Littlefield, 2018).
|