Data Security and Privacy at District 99
District 99 is entrusted with personal student information, and we take protecting this information seriously. In addition to following industry-standard security procedures internally and requiring a comparable level of security from our external providers, we also comply with all applicable privacy laws that govern our collecting, use, and sharing of student personal information.
It is the intent of the Department of Technology & Information Services to create an environment within the district that maintains system security, data integrity, and privacy by preventing unauthorized access to data and by preventing misuse of, damage to, or loss of data. The Superintendent has authorized the Chief Technology Officer and Data Privacy Officer to establish, implement, and maintain data and information security measures. These policies, standards, guidelines, processes, and procedures apply to all students and employees of the district, contractual third parties and agents of the district, and volunteers who have access to district data systems or data. The Data Security & Governance Guide outlines procedures and standards regarding data governance, data security, and individual privacy protection for Community High School District 99.
The district subscribes to the data principles of Confidentiality, Integrity, and Availability
- Confidentiality addresses the idea that personal information in our care should be protected from unauthorized access. This includes following the principle of ‘least privilege.’ This principle states that access to student personal information should be granted to our personnel and to our third-party partners only on a need-to-know basis.
- Integrity means that we try to ensure that personal information remains accurate and up-to-date, including ensuring that the information is not tampered with or changed without authorization.
- Availability ensures that the core data services that contain personal information remain available to those who are authorized to access them.
Information Security and Privacy Committee
The Information Security and Privacy Committee is charged with evaluating the district’s information security and privacy policies, risk management practices, related procedures, and operations. The committee will identify potential areas of vulnerability and risk and set the strategic direction for information privacy and security programs for the District.
District 99 Board of Education Policies
- 7.15 - Student and Family Privacy Rights
- 7.340 - Student Records
- 7.345 - Use of Educational Technologies; Student Data Privacy and Security
IL Student Online Personal Protection Act (SOPPA)
- SOPPA regulates vendors (operators) who provide web-based sites, services, online and mobile applications that are used primarily for K to 12 purposes.
- Currently, SOPPA provides various prohibitions and responsibilities on these vendors, referred to in the law as “operators.” The law prohibits operators from engaging in targeted advertising to students, amassing a profile on students, selling or renting student information, or using student information except in limited ways. Additionally, operators must maintain certain security protocols when storing student data, delete student data when requested by the district, and maintain a public privacy policy.
- The law has been amended, effective July 1, 2021 not only to expand the responsibilities and prohibitions of operators, but also to place new responsibilities on school districts and on the Illinois State Board of Education (ISBE), as well as delineate the scope of parental rights.
- This 'What is SOPPA' video provides a nice overview of all the segments of this legislation.
Other Important Data Privacy Laws
District 99 implements and follows all applicable state and federal laws around data privacy. In addition to SOPPA (above), other notable protections include:
- Family Educational Rights and Privacy Act (FERPA)
- Governs information in a student’s education record, restricting access and use of student information.
- Provides parents with certain rights to their child’s education record, including the right to review their child’s education record and request to amend it if it is factually inaccurate.
- Children’s Internet Protection Act (CIPA)
- Requires that we filter our network to prevent students from accessing harmful content, provide an internet safety curriculum, and monitor electronic communications as part of a program that provides us with federal discounts for internet access and other technology services.
- Schools are legally required to keep student data secure and safe
Outside Applications Used by District 99
- We require all third-party vendors (operators) with which we share covered information, to sign a Data Privacy Agreement with us, which outlines what data is potentially shared, the purpose for collecting the data, what subcontractors they use and additional information.
- You can see all current executed agreements here. As we secure Data Privacy Agreements and amass the information required by SOPPA, agreements will be added to the list.
- At the start of each school year, District 99 will notify all families of what types of student data are collected and shared by providing access to our currently executed Data Privacy Agreements.
- Our efforts to evaluate all applications for SOPPA compliance and secure Data Privacy Agreements are focused, ongoing and done in good faith. We continue to work toward full compliance with SOPPA regulations, understanding the importance and immensity of the task.
Procedures for Inspecting, Correcting, or Deleting Covered Information Under SOPPA
Parents may request to inspect and review their student’s covered information. Requests for reviewing records must be made in writing and include the date of the request, the parent’s name, address, phone number, student’s name, and the name of the school from which the request is being made. Please use this online form to submit your request to inspect, copy or challenge covered information. Parents will be required to provide proof of identity and relationship to the student before access to the covered information is granted.
The District shall provide an electronic copy of the records within 45 days of receiving a request for the covered information. If a parent requests a paper copy, the District will charge .35 cents per page. No parent will be denied a paper copy due to an inability to pay.
A parent may make a request to review and receive copies of covered information no more than two requests per student per quarter.
Parents may request corrections of factual inaccuracies contained in their student’s covered information. The District will review the request, determine if an inaccuracy exists, and if so, will make any necessary corrections within 90 days of the request. If the correction needs to be made by the Illinois State Board of Education or a District’s vendor, any necessary corrections will also be made within 90 days of the request and the District will notify the parent of any necessary corrections within 10 days after receiving confirmation of the corrections.
If a parent requests the deletion of any covered information, the District will review the request to determine whether such a deletion would violate the law or result in the student being unable to articipate in the District’s curriculum.
Parents may also consult the District’s procedures on reviewing and challenging student records if the covered information also constitutes student records.
Data Breach Notification Process
In the unlikely situation that an operator experiences a potential data breach, they must notify District 99 as soon as possible. After receiving notice of a potential breach, we will evaluate their report and if confirmed, provide notifications to parents. Information on past breaches will be publicly displayed below and contain the following information.
- Date or estimated date/range of the breach
- Description of covered information breached
- The number of students unless disclosure would violate the Personal Information Protection Act
- Contact information of the operator for questions
- Toll-free numbers, addresses, and websites of consumer reporting agencies and the FTC
The District will also notify parents and post information in the event the District’s data systems are breached.
Note: A notice of breach may be delayed if a law enforcement agency determines that the notification will interfere with a criminal investigation. If a breach impacts less than 10% of the student enrollment, by law it does not need to be disclosed in the manner described above.
Data Breaches
There are no known data breaches at this time impacting District 99 covered information.
Questions? Contact the District 99 Data Privacy Officer
This site provides information using PDF, visit this link to download the Adobe Acrobat Reader DC software.