SOPPA

What is SOPPA?

Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85). Note that SOPPA also places new expectations on the Illinois State Board of Education and operators of online services or applications.

Bottom-lined Version

More Explanation

SOPPA Confirmation of Receipt

All staff must complete the SOPPA Confirmation of Receipt.

This helps the district be in compliance with the state of Illinois by acknowledging that all staff will adhere to the legislation.

FAQs

What does the district guarantee?

  • Annually post a list of all operators of online services or applications utilized by the district.

  • Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.

  • Post contracts for each operator within 10 days of signing.

  • Annually post subcontractors for each operator.

  • Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.

  • Post data breaches within 10 days and notify parents within 30 days.

  • Create a policy for who can sign contracts with operators.

  • Designate a privacy officer to ensure compliance.

  • Maintain reasonable security procedures and practices. Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.

Although not required by law, school districts will also need to undertake the following to meet the above requirements:

  • Provide teachers with the list of online operators that are safe and approved for use.

  • Develop a process for keeping data inventory up-to-date.


What tools need to have a signed agreement?

Any platform that requires students to sign in or collects any unique identifiers from students.


How does SOPPA define a "unique identifier"?

Unique identifiers include, but are not limited to:

  • educational record or electronic mail

  • first and last name

  • home address

  • telephone number

  • electronic mail address

  • or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, a social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.


What if it doesn't collect any unique identifiers?

Any platform that is approved for use (meaning it has a signed data privacy agreement) will be posted on our Instructional Tech Website and will also be front-facing to the community.


If something is not approved, what is the process to request it?

  1. Check the database to see whether it has been approved or not, and why.

  2. Use this flow chart to request a new tool. Keep in mind that the tool must go through this process, and that a request does not guarantee usage.


What if it is not approved and I want to use it?

  • If the request has NOT been denied, please follow the flow chart to start the approval process.

  • If the request HAS been denied, please work with your coach or iTech team to find a solution.

  • DO NOT USE THE PLATFORM. This may result in a "district violation".

Additional Resources

  • State Legislation

  • "SOPPA for teachers; what to know and why it's important" (Any platforms discussed in this webinar must be on the approved list prior to usage.)

  • For any questions related to SOPPA please contact: