If you work for an Illinois K-12 school district, then you’re likely aware about the changes to the Student Online Protection and Privacy Act (SOPPA). These changes require school districts to do more heavy lifting when it comes to keeping student data safe and secure. They went into effect on July 1, 2021.

There’s a lot to cover with SOPPA, so feel free to use these links to skip to a section:

• SOPPA Background and Legislative Intent
• Educational Technology in Schools
• What Is Covered under SOPPA?
• Illinois School District SOPPA Requirements
• Strategy to Comply with SOPPA
• School District Duties
• Datamation and SOPPA Compliance
• In Summary

Datamation co-hosted a webinar about SOPPA that contains much of the following information.

SOPPA Background and Legislative Intent

The intent of the SOPPA Act is to ensure the protection of student data when collected by educational technology companies. While the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies, the data is also susceptible to breaches. The Act requires additional safeguards to protect student data collected by educational technology companies. SOPPA also requires that companies use the data for beneficial purposes only. Again, became effective as of July 1, 2021.

Schools today increasingly use a wide range of online services and other technologies to help students learn. However, educational technology companies must ensure the privacy and security of student data collected. Schools and educational technology companies must create safeguards to keep private information secure.

The need for SOPPA arose out of various data breaches that compromised personal information in an online student data system.

Datamation Imaging Services complies with SOPPA by using extensive security and privacy measures in its systems and practices to ensure the use of any content or data in its systems is protected and used specifically for the benefit of the district only.

Educational Technology in Schools

While student tracking appears to be less publicized at the elementary and high school levels, big tech’s presence in classrooms looms large. In the 2017-2018 school year, the top five digital products used in K-12 classrooms were from Google; it’s a trend some call the “Google-ization of the classroom.”

With the popularity of Google’s G Suite for Education — a collaborative Google platform with more than 90 million users worldwide as of April 2019, according to estimates provided by the company to Teen Vogue — some worry about how the tech leviathan may be using kids’ data.

In their privacy notice for the product, Google does generally lay out how it collects user data but advocates and parents are concerned about specifics.

What Is Covered under SOPPA?

SOPPA covers Personally Identifiable Information (PII) or material or information that linked to personally identifiable information or material in any media or format that is not publicly available.

Under SOPPA, the definition of school is any preschool, public kindergarten, elementary or secondary educational institution, vocational or secondary educational agency or institution. This includes private or nonpublic schools.

Illinois School District SOPPA Requirements

Below is a high-level overview of the new requirements. Please refer to the legislation for specific timelines and components of each element. School districts must:

• Annually post a list of all suppliers/providers of online services or applications utilized by the district.
• Annually post all data elements that the school collects, maintains, or discloses to any entity. This information must also explain how the school uses the data, and to whom and why it discloses the data.
• Post contracts for each operator within 10 days of signing.
• Annually post subcontractors for suppliers/providers.
• Post the process for how parents can exercise their rights to inspect, review and correct information maintained by the school, operator, or ISBE.
• Post data breaches within 10 days and notify parents within 30 days.
• Create a policy for who can sign contracts with operators.
• Designate a privacy officer to ensure compliance.
• Maintain reasonable security procedures and practices. Agreements with vendors that handle PII must include a provision that the vendor maintains reasonable security procedures and practices.

Strategy to Comply with SOPPA

For organizations to comply with SOPPA, it is critical to designate an individual responsible for compliance, similar to that of a FOIA officer. This person must be knowledgeable of the terms of the SOPPA Act as well as put practices in place to ensure the district meets the terms of SOPPA.

For example, for years financial institutions and pharmaceutical companies have been vetting prospective vendors to ensure their system security and practices were thoroughly secure and provided appropriate levels of privacy. Many of these organizations have incorporated this into their purchasing process. They also have a vendor relation and/or compliance person or department tasked with screening partners and vendors.

School District Duties

These are duties that public school districts must follow:

• School districts must adopt a policy for designating which school employees can enter into written agreements with operators.
• Each school shall post and maintain on its website or, if the school does not maintain a website, make available for inspection by the general public at its administrative office:
  • An explanation of the data elements of covered information collected by the school
  • A list of operators/vendors/suppliers that the school has an agreement with
  • Procedures a parent must use to access covered information
  • A listing of any breaches realized
• After a determination of a breach of covered information maintained by the school, a school shall notify, no later than 30 calendar days after receipt or the notice or determination that a breach has occurred, the parent of any student whose covered information is involved in the breach.
• Each school must implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.
• Each school may designate an appropriate staff person as a privacy officer, who may also be an official records custodian as designated under the Illinois School Student Records Act, to carry out the duties and responsibilities assigned to schools and to ensure compliance with the requirements of SOPPA.
• A school shall make a request to delete covered information on behalf of a student’s parent if the parent requests from the school that the student’s covered information held be deleted. However, the deletion of the covered information must not be in violation of state or federal records laws.

Again, these requirements apply to public schools only. Private schools do not have to meet all of these requirements. If you work for a private school, please seek guidance from your legal counsel.

Datamation and SOPPA Compliance

SOC Audit & Compliance

As business continues to shift into remote work, companies not only need to have easy access to their documents online but also must consider the security of those sensitive documents while being digitized. Finding a company you can trust to have the highest security standards is vital when seeking a partner to outsource processes such as mailroom, document scanning, cloud document management software, and workflow automation services.

Since 2014, Datamation Imaging Services continues to receive its SOC 2 Type 2 Report. SOC 2 Type 2 is an audit that guarantees a business process outsourcing (BPO) partner has successfully implemented and follows a set of operating procedures that ensure all documents are handled securely while in their facility. A SOC 2 Type 2 accreditation is a guarantee that an organization follows both internal and external compliance guidelines accordingly.

A third-party completes the accreditation and audit. The third-party audits internal processes for a period and makes sure up to five “trust principles” are being met. Those five standards for the compliance guidelines are: security, confidentiality, availability, processing integrity, and privacy. Passing the accreditation process means that a third party has verified a business is trustworthy. The business has a clear process in place to protect their clients’ sensitive information.

In summary, passing a SOC 2 Type II audit ensures that all customer data is handled in a secure, private, and confidential manner.

Please contact Datamation if you would like a copy of our SOC 2 report.

Safety & Privacy Protocols

Datamation implements many practices and protocols to ensure compliance with SOPPA. These include:

• Encryption: All data is encrypted in transit as well as at rest. All connections to the system are secure via HTTPS. All encryption pass phrases are stored in an encrypted state.
• User Sessions: System usage is granted using a unique session ID that is passed between the system and the user. The session ID is also encrypted. Systems will automatically disconnect user sessions after a defined period of inactivity.
• SSL: All external facing portals, where customers access their data, are secured via SSL.
• Facility and Network Security: A limited number of staff have physical access to the facility. Logical access to the networks is in place and monitored.
• Vulnerability Assessment: A third party performs regular vulnerability assessments using tests and monitoring to identify and resolve critical risk vulnerabilities.
• Intrusion Protection Systems: Administrators constantly monitor system firewalls and IPS logs to ensure system usage.
• Mirrored/Backup: Sites are securely backed up synchronously and in a separate location using a separate power grid.
• Inaccessible Data: All systems used never expose customer data to a public network. An internal secure network stores data on a separate server from any other database or data.
• Secure User Access: Users must authenticate to the application with unique user IDs and complex passwords that change regularly.
• New User Authorization: Requests for new user accounts must come from an authorized client contact. In addition, policies exist for modifying user access and the removal of users who no longer need access.
• Surveillance Cameras: The Datamation facility has security cameras that monitor production activity as well as facility access.
• Data Classification: Policies and procedures are in place for classifying data based on its criticality and sensitivity. Proper classification will define protection requirements, access rights and restrictions, and set retention and destruction requirements.

Masking of Personally Identifiable Information (PII) Data

Security settings and user rights can mask or hide Personally Identifiable Information (PII) Data elements. In addition, systems can redact and encrypt data for additional security.

Data Retention and Destruction

When confidential information meets its retention requirements, the system regularly and systematically tracks and destroys that information. See the following graphic for sample records destruction rules.

In Summary

Datamation Imaging has been studying SOPPA since 2019 to understand and comply with this legislation. Datamation’s services and systems provide school districts an increased ability to comply with not only SOPPA, but FOIA, NCLB, FERPA, and other compliance guidelines.

Please note that the data in this post is collected information and recommendations.  A school district should gather final information from its legal counsel.  Datamation uses, and recommends, the Tressler Law Firm as they have a team of experts in SOPPA compliance.

In the meantime, it’s important for school districts to learn and adopt practices to ensure that the district, and its information vendors, are in compliance with SOPPA.

Typically, districts maintain records much longer than they should. To address this, a district should:

• Review, update and approve their document retention schedule
• Purge paper and electronic files according to schedule
• Don’t keep what you don’t need to keep
• Keep archived, but retained, records in a secure and private content management system. A secure system ensures compliance, retention and privacy guidelines

For more on Illinois school district retention rules and policy, check out these resources:

• Download our Illinois school district records retention white paper
• Watch our first webinar about records retention
• Watch our follow-up webinar about records retention with updated guidelines

If you have any questions about how Datamation works with school districts or are interested in our ultra secure and SOPPA-compliant solutions, do not hesitate to contact us or call (630) 321-0601. If you currently work with Datamation, you can download a PDF copy of this post as a SOPPA exhibit.