Amended Illinois Student Online Personal Protection Act Goes into Effect This Year
The amended Student Online Personal Protection Act, enacted in August of 2019, will go into effect later this year, on July 1, 2021.
The new law restricts data processing and third-party data sharing, and authorizes the right to access and correct students’ personally identifiable information.
Under the amended law, operators of websites or online services (operators) that receive personally identifiable information (covered information) from a school, school district or the State Board must enter into a written agreement with the entity before the covered information may be transferred. The agreement must provide for:
- a listing of the categories or types of information to be provided;
- a statement of the product or service being provided to the school;
- a provision that the operator will use the covered information only for an authorized purpose and will not redisclose it to third parties unless permitted by the Act, the school’s permission or a court order;
- the allocation of the school’s costs and expenses if a breach is attributed to the operator;
- a requirement that the operator delete or transfer to the school covered information if it is no longer needed for the purposes in the written agreement, as well as the time period for that deletion or transfer.
A public school will be prohibited from selling, renting, leasing or trading covered information. It will also be prohibited from sharing, transferring, disclosing, or providing access to covered information to an entity or individual other than the student’s parent, school personnel, appointed or elected school board members, local school council members, or the State Board, unless there is a written agreement or the disclosure meets one of three exceptions.
A school will post on its website an explanation, clear and understandable to a layperson, of the personally identifiable information “that the school collects, maintains, or discloses to any person, entity, third party, or governmental agency.” The disclosure must explain how the school uses the information, to whom or to what entities it discloses the information, and the purposes of those disclosures. The school also must post a list of operators that it has signed written agreements with, as well as a copy of each written agreement. It must also disclose any breaches of personally identifiable information maintained by the school, and post a written description of how parents may exercise their rights under the law.
Students’ personally identifiable information will only be collected for school purposes and not further processed in a manner that is incompatible with those purposes. Covered information shall only be “adequate, relevant, and limited to what is necessary” in connection with these purposes.
Public schools will be required to provide a parent of a student, upon request, a paper or electronic copy of the student’s personally identifiable information, including information maintained by a website operator or the State Board. If a school receives a deletion request for a website operator, it would be required to pass that request on to the operator.
A school must also correct a factual inaccuracy in covered information upon request. If the school possesses the information, it must correct it within 90 calendar days. If an operator or the State Board possesses it, the school must notify them and they must correct it and confirm the correction to the school within 90 calendar days of receiving the notice. The school then has 10 business days to confirm the correction with the parent.
The law also requires a school to designate an appropriate staff person as the privacy officer to carry out the duties and responsibilities assigned to schools, as well as to ensure compliance with the law’s requirements.