Staff & Student Data Privacy Guide
The Children’s Internet Protection Act (CIPA) was enacted to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools that receive discounts for Internet access or through the e-rate program, which makes certain communications services and products more affordable for eligible schools. To be eligible to receive discounts, a school must have an Internet safety policy that includes protection measures to block or filter Internet access to pictures that are obscene, child pornography, or harmful to minors. A school is also required to include in its Internet safety policies that the school will monitor the online activities of children and educate children about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyber bullying awareness and response.
The Children’s Online Privacy and Protection Act (COPPA) also deals with children’s online privacy. The primary goal of COPPA is to place parents in control over what information is collected from children under age 13. COPPA applies to commercial websites and online services. The term “online service” broadly covers any service available over the Internet (including mobile apps), or that connects to the Internet or a wide-area network. COPPA imposes requirements on: operators of websites and online services directed to children under 13 that collect, use, or disclose personal information from children; operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and operators of websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
The Every Student Succeeds Act (ESSA) provides, in part, that school districts may use federal funds to support efforts to effectively integrate technology into curricula and instruction in numerous ways and to teach staff about the appropriate use of student data. The ESSA supports “digital learning,” which means any instructional 4 practice that effectively uses technology to strengthen a student's learning experience and encompasses a wide spectrum of computer and Internet-based tools and practices.
The Federal Educational Rights and Privacy Act (FERPA) affords parents/guardians important rights concerning their children's school student records and the personally identifiable information in those records. FERPA gives parents/guardians the rights to: (1) inspect and review the student's records maintained by the school; (2) request that a school amend the student’s records; (3) consent in writing to the disclosure of personally identifiable information from the student's records, except under certain permitted situations; and (4) file a complaint with the U.S. Department of Education’s Family Policy Compliance Office regarding an alleged violation under FERPA.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted, in part, to protect the privacy and security of individually identifiable health information. The U.S. Department of Health and Human Services has issued various rules, including a Privacy Rule, to implement HIPAA. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health care plans and providers that conduct certain health care transactions electronically. However, the HIPAA Privacy Rule specifically excludes from its coverage records that are protected by FERPA. Therefore, in general the HIPAA Privacy Rule does not apply to public elementary or secondary schools
The Protection of Pupil Rights Amendment (PPRA) applies to a school district’s administration of surveys, analyses, or evaluations to students that concern one or more of the following areas: political affiliations or beliefs of the student or the student’s parent; mental or psychological problems of the student or the student’s family; sex behavior or attitudes; illegal, anti-social, self-incriminating, or demeaning behavior; critical appraisals of other individuals with whom the students have close family relationships; legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; religious practices, affiliations, or beliefs of the student or student’s parent; or income (other than as required by law to determine eligibility for participation in a program or for receiving financial assistance under such program). School districts are required to provide notices to parents/guardians about their rights under the PPRA and any time that a school engages in activities in which certain information is collected from students
The Children's Privacy Protection and Parental Empowerment Act prohibits the sale or purchase of personal information of a child under age 16 without parent/guardian consent, unless a certain exception applies. (325 ILCS 17/1 et seq.)
The Illinois School Student Records Act (ISSRA) is similar to FERPA and also affords parents/guardians rights concerning their children's school student records and the individually identifiable information in those records. Like FERPA, the two primary purposes of the ISSRA is to ensure parent/guardian access to their child’s records and the confidentiality of student records and the information in those records. (105 ILCS 10/1 et seq.; 23 Ill Admin. Code Part 375.)
The Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA) governs the confidentiality of communications and records concerning mental health or developmental disability services provided to a student by school personnel who meet the definition of a “therapist” under the MHDDCA, such as a school psychologist, social worker, or nurse. The MHDDCA affords parents/guardians (and students age 12 or older) with rights to access records and provide written consent prior to disclosure of records or communications, except under specific circumstances. (740 ILCS 110/1 et seq.)
The Local Records Act provides requirements for how local governments, such as school districts, maintain day-to-day record keeping and destroy records prepared or received in the course of public business. (50 ILCS 205/1 et seq.; 44 Ill. Admin. Code Part 4500.)
The Right to Privacy in the School Setting Act provides that schools must give notice to students and parents/guardians about privacy of students’ passwords for their social networking profiles/websites, unless there is specific information about activity on the student’s account that violates a school disciplinary rule or policy. (105 ILCS 75/1 et seq.) The Personal Information Protection Act governs the protection of personal information data, which is defined as individuals’ names in combination with their social security numbers, driver’s license numbers, State identification card numbers, or financial account information. When there is a breach in the security of such data, notice must be provided to the affected individuals that includes information required by the Act. (815 ILCS 530/1 et seq.)
The Student Online Personal Protection Act (SOPPA) protects the privacy and security of student data when collected by educational technology companies operating online websites, online services, or online/mobile applications. The SOPPA allows data 6 to be used to benefit students, including as a way to provide personalized learning and educational technology. The SOPPA bars the use of student data for targeted advertising and prohibits the sale of student information gathered during the students’ use of the educational technology. (105 ILCS 85/1 et seq.)