The Student Online Personal Protection Act, SOPPA (105 ILCS 85/) was amended in August of 2019 to provide greater protection and transparency of student data being shared with an Educational Technology (EdTech) vendor. SOPPA has provisions for breach notification and outlines parent abilities to correct covered information.
The Board of Education of the City of Chicago has adopted a SOPPA Policy. The Board policy provided for these SOPPA guidelines for the tactical implementation of this policy.
Guiding Principles for SOPPA implementation
Authorized Software - refers to any unique application, service, tool, program, platform, mobile application, product, electronic, or online tool, including free or complimentary software product or tool, which has been reviewed and approved for use on the CPS Network. You can find these tools listed on the Board’s Authorized Software student-facing site.
Breach - means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or school.
Covered Information - means personally identifiable information or material or information that is linked to personally identifiable information or material in any media or format that is not publicly available and is any of the following:
Department/School Management - refers to the supervisor, manager, director, officer, principal, Network Chief, or other Board employees designated by their department, office, or school to implement policy compliance requirements.
Educational Technology (EdTech) - means educational software, electronic or online tools used by schools to improve student engagement, knowledge retention, individual learning, or collaboration.
Pre-K through 12 school purposes - refers to purposes directed by or that customarily take place at the direction of a school, teacher, or school district; aid in the administration of school activities. This includes, but is not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or are otherwise for the use and benefit of the school.
Operator - refers to the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for pre-K through 12 school purposes and was designed and marketed for pre-K through 12 school purposes.
Parent - means a person who is the natural parent of the student or other person who has the primary responsibility for the care and upbringing of the student.
Personally Identifiable Information (PII) - refers to sensitive data and information that must be protected against unwarranted disclosure, such as student information, private employee information, and protected health information that can adversely affect the privacy or welfare of an individual.
Prohibited Software - refers to any software product or tool listed as ‘prohibited for use’ on the CPS Network. After careful consideration and consensus amongst multiple departments, prohibited software is identified that this technology has no place for Chicago Public Schools. The complete list of prohibited technology platforms is located on the district’s AUP Guidance website: https://www.cps.edu/AcceptableUsePolicy/Pages/aup.aspx.
Targeted advertising - means presenting advertisements to a student where the ad is selected based on information obtained or inferred from that student's online behavior, usage of applications, or covered information. The term does not include advertising to a student at an online location, based upon that student's current visit to that location or in response to that student's request for information or feedback, without retaining that student's online activities or requests over time to target subsequent ads.
Under the SOPPA law and the Board’s SOPPA Policy, parents have the right:
The Covered Information Rights
Covered information is personally identifiable information as defined above by the SOPPA law and in the Board’s SOPPA policy. Generally, covered information can be summarized in these three categories:
Category One - Provided to an operator as explicitly defined in the contract with the district
Category Two - Provided to operators by students or parents
Category Three - Derived by the operator through the course business or inferred through other means.
Category One Covered Information:
Per an agreement with an operator, the district provides Category One covered information to an operator from a subset of the district’s system of record Aspen (link to Aspen) to the operators’ electronically using One Roster standard. This is a secure way to dynamically link students, their class, and school to an EdTech operator for sharing Category One covered information. Examples of this information might be student name, email, school, class, grade, etc. The operator must provide the rationale for needing Category One Covered Information. In the majority of the agreements, the operator will be limited to Category One Covered Information.
Category Two and Category Three Covered Information:
Operators must negotiate for additional access to Category Two and Category Three covered information and may be subjected to additional reviews. The District SOPPA Representative will review if the operator needs Category Two and Category Three covered information to provide additional services to students or the district. Operators will be required to provide additional parent notice or obtain parental consent for using Category Two and Category Three Covered Information.
How Parents Can Learn what Covered Information is Shared with Operators
Chicago Public Schools will have an agreement with an operator before authorized software can be used. That agreement is to be posted on the SOPPA website, which can be found here.
On the SOPPA website, parents can see what covered information is shared with operators under the agreement and the information transmitted from the source system of Aspen.
How Parents Can Request, From the School a Copy of the Covered Information an Operator has for Their Student
The parent must complete a SOPPA request form for covered information that includes the parent’s name, signature, address, phone number, student’s name, and the name of the school of which the request is being made, and the date of the request. The parent may request an electronic or paper copy of the covered information.
The parent must provide proof of identity and relationship to the student before access to the covered information is granted.
The parent may make no more than one request per quarter.
The school must provide a student’s parent a paper or electronic copy of the student’s covered information within 45 days of receiving a request for such information. If a parent requests an electronic copy of the student's covered information, the school will provide an electronic copy of that information, unless the school does not maintain the information in an electronic format, and reproducing the information in an electronic format would be unduly burdensome to the school. If a parent requests a paper copy of a student’s covered information, a school may
charge the parent $0.35 per page. No parent shall be denied a paper copy of covered information due to the inability to pay.
How Parents May Request Corrections and Deletions of Covered Information for Their Student
Parents should request corrections and deletions of covered information from the school using a SOPPA Request Correction Form. The school will share the SOPPA Request Correction Form with the District SOPPA Representative, who will review the request. The District SOPPA Representative will review the SOPPA Request Correction Form and determine if the covered information is also a student record and may refer parents to challenging student records dictated by the Board’s Policy on Parent and Student Rights of Access to and Confidentiality of Student Records.
If covered information is not a student record, the District SOPPA Representative will coordinate a response with the operator. The school will provide the operator’s response to the parent.
Deletions of Covered Information
The district requires operators to delete or transfer covered information at the end of each term of the agreement or the end of the school year unless a student or their parent consents to maintaining the covered information. If the parent desires that an operator maintain the covered information instead of deletion, the parent may contact the District SOPPA representative for the next steps in consenting to maintain the covered information by the operator.
In addition, operators will be required to delete within seven (7) calendar days of receiving the SOPPA District Representative’s request to delete the student's Covered Information.
The Right to Know Which Authorized Software are Being Used in the Classroom
Your child’s teacher should provide parents with a list of authorized software being used in the classroom along with any required notice or consent forms from the operator. Please contact your student’s school to determine what authorized software your child’s teacher uses in the classroom.
When Additional Parent Notice or Parent Consent is Required before Using Authorized Software
If the operator has requested to include Category Two or Category Three Covered Information in the authorized software, the operator will provide additional parental notice or consent regarding the additional need for Category Two or Category Three Covered Information.
Parent consent will be required based on the recommendation from the District SOPPA Representative. The District SOPPA Representative will analyze whether the operator needs Category Two or Category Three Covered Information. The analysis may include but is not limited to a risk assessment, the sensitivity of the data, the educational or operational need.
Parents will be notified of breaches of covered information within 30 calendar days of receipt of notice that a breach has occurred. Notification may be delayed if this would interfere with a criminal investigation. Notification will include, but is not limited to:
The principal is responsible for ensuring that the Board’s SOPPA policy is enforced at the school level.
The principal does this by ensuring teachers and staff are only using authorized software. If a teacher or staff member desires to use an educational technology product and it is not authorized, the principal may request approval.
The principal is also responsible for providing a general SOPPA notice to parents at the beginning of the school year. This notice will also be found in the Student Code of Conduct Handbook.
The principal is responsible for overseeing or delegating the parent requests for covered information and corrections of covered information.
Ensuring Teachers and Staff are using Authorized Software
The principal must provide teachers and staff with the SOPPA website to obtain the list of authorized software.
Requesting Approval for Authorized Software
The principal may request approval for educational technology that is not on the list of authorized software or prohibited software. The approval process can be found on the SOPPA website. Principals should not request approval for prohibited software.
Teacher and Staff Responsibilities
Teachers and staff should review the educational technology before the start of the school year and determine if this educational technology is on the list of authorized or prohibited software. Teachers and staff should determine what authorized software, if any, is needed in their classroom.
Teachers and Staff Must Receive Approval Before using Authorized Software
Before using authorized software in their classroom, teachers and staff must secure the approval of their principal.
Informing Parents and Obtaining Consent for the use of Authorized Software
At the beginning of the school year or when a new EdTech product is introduced to the classroom, the teacher must communicate what educational products are being used. The notice should include, if warranted, additional parent notices or the parent consent for the collection of Category 2 and Category 3 covered information. The operator will provide the additional parent notice or consent form needed for the authorized software. The teacher is responsible for collecting the consent forms before using the authorized software. The teacher is responsible for finding an alternative option for students whose parents do not consent.
Notices must state, in general terms, the Categories of student data that are collected by the schools and shared with operators under this Act and the purposes of collecting and using the student data. A sample notice template is found here.
Teachers and Staff are Prohibited from Entering into Agreements for any Software
Under no circumstances may teachers and staff enter into any agreements, including clickwrap agreements (i.e., online agreements in which the user signifies acceptance by clicking a button or checking a box that states “I agree”) or no cost agreements, for any software.
Teachers and Staff Shall not Require Students to Enter into an Agreement for any Software
Under no circumstances may teachers and staff require students to enter into any agreements for any software. Teachers and staff are prohibited from requesting that students download and use applications on personal devices or log in to unapproved websites that collect student information. Staff failing to comply with this guidance shall be subject to discipline, up to and including dismissal.
An educational technology provider, vendor, or third-party provider may meet the definition of an operator.
Operators and Covered Information
Operators must understand the three categories of covered information and only request from the district the minimal amount of covered information needed to perform duties.
Category One Covered Information - Provided to an operator as explicitly defined in the contract with the district
Category Two Covered Information - Provided to operators by students or parents
Category Three Covered Information - Derived by the operator through the course business or inferred through other means.
The gathering of covered information as outlined above in Category Two and Category Three will be prohibited unless the operator has secured additional approval and allowed by the contract.
If an operator seeks to have Category Two and Category Three Covered Information in the contract, the operator must have parental notification or parental consent.
Additional Operator Prohibitions
The operator shall not collect additional covered information from district staff.
The operator shall not engage in any advertising, including targeted advertising toward students.
Operator and Students
SOPPA does not prohibit students from downloading, exporting, transferring, saving, or maintaining their student data or documents.
When to revoke or review authorized software
The district will review authorized software before renewing an agreement. The district may also review approved software at any time. The district may revoke authorized software after auditing the operator and finding deficiencies in any of the following:
District SOPPA Representative
The District SOPPA Representative will oversee the implementation of the Board’s SOPPA policy and guidelines. Questions regarding SOPPA may be directed to the District SOPPA Representative at email@example.com.