Online Security & Privacy

Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only.

School districts must:

1. Annually post a list of all operators of online services or applications utilized by the district.
2. Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must all explain how the school uses the data, and to whom and why it discloses the data.
3. Post contracts for each operator within 10 days of signing.
4. Annually post subcontractors for each operator.
5. Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.
6. Post data breaches within 10 days and notify parents within 30 days.
7. Create a policy for who can sign contracts with operators.
8. Designate a privacy officer to ensure compliance.
9. Maintain reasonable security procedures and practices.  Agreements with vendors in which information is shared must include a provision that the vendor maintains reasonable security procedures and practices.

Management of Student Data Access

District 220 follows best practices in establishing and managing system and network access security. Access to student data is managed and controlled through what is known as role-based security. This means that the type and amount of access to student data and other information is governed in our systems by the role which any staff member holds along with what information they require to perform their job as a trusted member of District 220 staff. Staff members must go through a process to gain access to authorized information that includes successfully logging into the District network or one of the systems they use as part of their job duties. 

Once a staff member logs in using this method, the internal application controls, role based security, and application permissions restrictions are engaged which limit the data read, write, add, or delete functionality and are specific to a staff member's role in the District.

The District also follows all rules set forth by state and federal government such as the Federal Educational Rights and Privacy Act (FERPA), the Illinois School Student Records Act, and a recent Illinois law called SOPPA (Student Online Privacy and Protection Act). For more information regarding these laws, please refer to the following links:

FERPA

IL School Students Record Act 

SOPPA

District 220 has filters and firewalls in place to protect our students from accessing harmful information on the Internet and protect the privacy of our student information. The District also utilizes a third-party platform that provides us with insights to help us evaluate whether apps, websites, or software platforms are effective and information on how these relate to student privacy. Please visit our Public Product Library at this link here. Also you can click here for our state page that lists the data elements for each of our products that we use. 

Where is student data held and where does it go?

The primary repository of student data is our Student Information System, PowerSchool. PowerSchool maintains student demographics, household contact information, enrollments, attendance, grades, schedules, transcripts, discipline, bus, lockers, heath, IEP, and LEP information. The District does not retain student Social Security Numbers within any system.

In addition to PowerSchool, District 220 also maintains multiple supporting systems that assist in running daily operations. Based on need, some student data is routinely transferred between these applications through a variety of secure and encrypted system integration processes. 

Physical access to the data centers and the servers that house this data are limited to a small group of network and system administrators in the IT Department. These data centers are also secured with fire protection and power backup capabilities. We also take routine backups of key systems and data which are securely stored and protected. 

With the evolution of cloud based solutions, the District also subscribes to some externally hosted applications which are integrated with our student information system through encrypted data communications. data transferred includes basic student information such as names and schedules so student can log into applications and access curricular materials configured by the District. 

Additionally, the District provides testing agencies such as SAT with basic student identification as part of the testing and scoring process. The District reports all required data to the Illinois State Board of Education (ISBE) and other government agencies. We only disclose the amount of personally identifiable information (PII) that is required by the app, site, or educational software to help us with understanding how students are learning and growing. We do not collect or share any social security number, financial, or other PII to anyone. We also make sure that the apps, sites, or other educational software we use do not industry standard encryption to keep the data elements we collect safe and vet our operators and vendors with a legally binding data privacy agreement to make sure we protect our PII data that is collected. 

For a list of online services and applications utilized by District 220, please click on the following link:

DATA PRIVACY AGREEMENTS (DPAs) 

Google Apps for Education

The District provides all students with a Google Apps for Education Account. This account allows them to collaborate and share documents with their teacher and fellow students and is an essential component of the classroom. We share limited information with Google solely for account creation purposes. This data, and any data created as a function of using a Google Apps for Education account, belongs to District 220. This type of account is different than having a personal Gmail account. Google does not scan student content or email for advertising purposes as they do with regular consumer accounts.

Google Apps for Education Privacy Statement

Staff Digital Resource Request Procedure

If a staff member is interested in using a resource that requires students to login to either access or produce content on the Internet, he/she is required to follow these steps:

1. Review the current Data Privacy Agreements (DPAs) the district has in place.
2. If the resource is not on the list, the staff member needs to fill out the Digital Resource Request Form, providing as much information as possible.
3. Once the district Privacy Officer has reviewed the request and has the Data Privacy Agreement (DPA) from the vendor, the staff member is able to use the resource.  If the vendor does not comply to the DPA, the resource is not to be used.

Student Records

Refer to Family Educational Rights and Privacy Act of 1974, and the Illinois School Student Records Act of 1975. All surveys requesting personal information from students will comply with board policy 7:15 (Student and Family Privacy Rights.)

RIGHTS OF PARENTS/GUARDIANS AND STUDENTS: Federal and State laws grant parents/guardians and students certain rights relating to the student records maintained by the School District, including the right to inspect, copy, and challenge student records. 

Right to Inspect and Copy Records 

Students have the right to inspect and copy their permanent records. Parents/guardians have the right to inspect and copy their child's permanent and temporary records. All rights become exclusively those of the student upon his/her 18th birthday, graduation from secondary school, marriage or entry into military service, whichever occurs first. Requests to inspect and copy records will be granted no later than 15 school days after the date that the District receives a written request. The District may charge a fee for copies of records; please contact the District's Records Custodian for fee information. 

Access to Records

Access to student records will be limited to parents/guardians and other authorized persons, except that:

• Information may be released in connection with an emergency, as provided by law.
• The records of a student will be transferred by the School District's official records custodian to the official records custodian of another school district in which the student has enrolled or intends to enroll, upon request of the other school district, and within 10 days of receipt of the request. Parents/guardians will be given prior written notice and an opportunity to inspect and copy the records to be released and to challenge the contents, with the exception of academic grades and any reference to out-of-school suspensions or expulsions. 
• Access will be granted to persons as specifically required by State or Federal law.
• Access is granted to school, District, or State Board of Education employees or officials with current demonstrable educational or administrative interest in the student, in furtherance of such interest. A school or District employee or official is a person employed by the School District as an administrator, supervisor, instructor, or support staff member (including health/medical staff and law enforcement unit personnel); a Board member; a person or company with whom the School District has contacted as its agent to provide a service instead of using its own employees (e.g., attorney, auditor, medical consultant, therapist, data analysis/reporting firm, cloud computing providers and/or providers of educational software or apps, such as Google); or a person serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school or District employee or official has an educational or administrative interest if he/she needs the student record information in order to fulfill his/her professional responsibilities. Disclosure also permitted without parent/guardian consent in the following situations:
•  To any person for the purpose of research, statistical reporting or planning, provided that such research, statistical reporting or planning is permissible under and undertaken in accordance with applicable law;
• Pursuant to a court order, as provided by law; and 
• To juvenile authorities when necessary for the discharge of their official duties who request information before adjudication of the student. 

For any release of information other than specified above or otherwise authorized by law, the School District must receive the prior written consent of the student's parent/guardian. The student's prior written consent also will be requested where the student is age 12 or older and the student records include information protected under the Illinois Mental Health and Developmental Disabilities Confidentiality Act. 

Challenge of Records

A parent/guardian or eligible student may challenge a record that he/she believes is inaccurate, irrelevant, or improper. To do so, the parent/guardian or eligible student should write to the District's Records Custodian and clearly identify the records to be challenged and the basis for the challenge. A hearing may be requested, and the School District's decision may be appealed. The right to challenge school student records does not apply to: (1) academic grades, or (2) references to expulsions or out-of-school suspensions if the challenge is made at the time the student's records are forwarded to another school to which the student is transferring. For more information about challenging student records, please contact the District's Records Custodian. 

Student Directory Information 

The name of your child will be released periodically, if applicable, for the academic honor roll, as a member of a school sports team, as a winning recipient of a school award or contest, or to Medicaid for billing purposes. We do not disclose this data through our FOIA process. If you do not want your child's name included, please notify the building principal.