On July 1, 2021, amendments to Illinois’ Student Online Personal Protection Act (SOPPA) will go into effect. The amendments mandate that schools take certain steps to maintain compliance in how they handle student data when using educational technology. The Act applies to public and nonpublic schools alike, but nonpublic schools are exempt from key requirements, prohibitions, and protections under the law. Nevertheless, some of the law’s requirements may be best practice for nonpublic schools.
A significant portion of SOPPA deals with the obligations of third-party entities that handle online student data. These entities, termed “operators” under SOPPA, have certain duties under the Act with respect to schools, including nonpublic schools, such as maintaining reasonable security measures, deleting student data after a certain period of time, and notifying schools in the event of a data breach.
On the other hand, operators are excepted from certain duties pertaining to nonpublic schools. For instance, operators are not required to enter into written agreements with nonpublic schools in order for the operator to access or receive student data covered by SOPPA. In addition, operators do not have to disclose to nonpublic schools a list of third parties or affiliates to whom they disclose student data.
Although these requirements do not apply, it may be best practice for a nonpublic school to enter into a written agreement with a vendor prior to giving the entity access to student data. A nonpublic school could have liability for a data breach, and it would want to have the operator’s security obligations in writing and the liability shifted, if possible. Moreover, if a nonpublic school complies with FERPA, it is obligated to maintain control over the data and ensure vendors comply with restrictions. A nonpublic school may want to require the operator to identify third parties or affiliates to whom it discloses student data. The most effective way to delineate obligations and liability is with a written agreement.
Nonpublic schools also are excepted from many of the requirements under SOPPA that apply to public schools. Nonpublic schools are exempted from all “school duties” under the Act, such as posting certain information to the school website, giving annual notice to parents regarding student data practices, and giving notice to parents in the event of a breach, among others. However, as part of its efforts to maintain open communication between the school and families, a nonpublic school may consider providing annual notice of student data practices. And even though it isn’t required, a nonpublic school may consider, as a matter of practice, providing notice of a data breach.
Further, certain prohibitions do not apply to nonpublic schools in the same manner that they apply to public school districts. Nonpublic schools are not required to enter into a written agreement to share student information with third parties other than parents, school personnel, board members, or ISBE. Nevertheless, such an agreement would be a prudent way to contractually identify the scope of the parties’ responsibilities and perhaps limit liability. One prohibition that applies to public schools and nonpublic schools alike is the prohibition against selling, renting, leasing, or trading student data.
Finally, the rights of students and parents offered by SOPPA with respect to inspection and review of information maintained by the school or an operator do not extend to parents of students enrolled in nonpublic schools.
The new amendments to SOPPA are quite extensive, and while many of the provisions are entirely inapplicable to nonpublic schools, nonpublic schools still should be aware of the obligations generally imposed by SOPPA as well as those imposed by ISSRA and FERPA. Several of the requirements under SOPPA may be good practice for a nonpublic school. If you have any questions regarding SOPPA and its applicability to nonpublic schools, please contact Vanessa Clohessy.
Source: P.A. 101-0516