Recently, the Chicago Tribune reported on a data breach involving student data [1] stored by Pearson Clinical Assessment that may have involved a number of students at Illinois schools. On September 5, 2019, the parent of a student at Indian Prairie School District 204 in Naperville, Illinois filed a class-action lawsuit against Pearson Clinical Assessment – the education publisher that suffered a massive data breach in November 2018 exposing the personal information of thousands of teachers and students across the country.
As schools increasingly use online services and other technologies to help students learn, the ability to provide adequate protection of sensitive student data becomes increasingly problematic. Data protection is further complicated as more third party vendors provide services to schools that require the collection and storage of personal information belonging to students and staff. Therefore, schools are increasingly becoming proactive by implementing security safeguards and privacy policies to protect sensitive student and staff data to reduce their chances of being involved in breaches similar to the one seen with Pearson.
The Illinois legislature has recently adopted a statutory framework to make sure schools take all steps necessary to protect student and staff information. Specifically, the Illinois legislature’s recent amendments to the Illinois Student Online Personal Protection Act (SOPPA) [2] by setting forth an extensive list of requirements that schools must implement by July 1, 2021. These requirements are designed to ensure schools take steps to protect data. The major amendments affecting schools are summarized below:
- Under the new SOPPA amendments, schools and third-party operators are only allowed to use and collect student information for school-related purposes.
- Schools are prohibited from selling student information.
- Schools must enter into a written agreement with third-party operators before transferring any protected student information. The written agreement between schools and third-party operators must include the following information:
- A description of the student information that will be transferred to the third-party operator.
- A statement of the product or service being provided to the school by the operator.
- A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974, the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.
- A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach will be allocated between the operator and the school.
- A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement and to specify the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the written agreement.
- If the school maintains a website, a statement that the school must publish the written agreement on the school’s website. If the school does not maintain a website, a statement that the school must make the written agreement available for inspection by the general public at its administrative office.
- The operator must notify the school of any data breach within 30 calendar days of its occurrence.
- Except for a nonpublic school, provide to the school a list of any third parties or affiliates to whom the operator is currently disclosing protected information or has disclosed protected information. This list must, at a minimum, be updated and provided to the school by the beginning of each State fiscal year and at the beginning of each calendar year.
The adoption of SOPPA dramatically impacts Illinois public schools to the extent many requirements move from being voluntary to compulsory. Over the next year, schools will need to analyze where their safeguards stand and what additional protections should be put in place before this law takes effect. The largest change for schools may be to forge a close relationship with their vendors and confirm vendors are providing the necessary safeguards. On a more practical level, schools may need to get away from using “boilerplate” contract forms with vendors and take a closer look at what the vendor is doing to protect information the schools have been entrusted to protect.