Student Data Privacy
Lemont High School is committed to ensuring students' privacy and maintaining the confidentiality of student data.
Effective July 1, 2021, Illinois school districts are required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85/). In compliance, Lemont High School only collects information that directly relates to school activities and safeguards the privacy of students and confidentiality of student data.
- Technology Policies and Guidelines
- Student Data and Privacy Laws
- Data Privacy Officer
- App Vetting Criteria
- District-Approved Web-Based Tools/Applications and Written Agreements
- District Student Data Elements
- Rights of Parents/Guardians
- Data Breaches
- Parent Guides
Lemont High School adheres to the following applicable laws regarding student data and privacy:
State and Federal law govern the protection of student data, including school student records and/or covered information. The sale, rental, lease, or trading of any school student records or covered information by the District is prohibited. Protecting such information is important for legal compliance, District operations, and maintaining the trust of District stakeholders, including parents/guardians, students and staff.
The District's Data Privacy Officer ensures the District complies with its duties and responsibilities under the Student Online Personal Protection Act. The District's Data Privacy Officer may be reached at email@example.com.
Education Framework uses a rubric to determine a product's privacy quality score using eight variables. Five of those variables are critical decision points for Lemont High School District 210 when determining if a product meets its standards for use. A product must pass all five of these tests to be cleared for use by District 210 students, faculty and staff:
- Data Used For School Purposes Only: A district cannot allow a vendor to use its data for non-educational purposes except those allowed by the state law (using de-identified data to improve the product, for example). Federal and Illinois law also prohibit targeting advertising to all students K-12. This is non-negotiable and no wiggle room exists; if a product doesn’t pass this test, it cannot be used.
- Parents Can Request Deletion of Data: Parents/guardians have the right to review data and request deletions under various Federal and Illinois laws, but those requests go through the District. This Education Framework metric specifies whether the District and/or parents/guardians own the data and can request review and deletion. This is also required by state law. If a product doesn’t pass this test, it cannot be used.
- Data Retention for School Purposes Only: This also is required under state law but the law does allow the vendor to retain de-identified data for purposes of making the product better, etc. The Education Framework metric checks for the retention of Personally Identifiable Information (PII) for non-school related purposes. Specifically, policy verbiage must explain if/when student data is deleted/de-identified after it is no longer needed for educational purposes. If a product doesn’t pass this test, it cannot be used.
- Student Data Is Securely Protected: Data being securely protected is obviously very important and also required by Federal and Illinois law. If a product doesn’t pass this test, it cannot be used.
For critical products, ones already widely used, or where the above scoring is suspect, vendor privacy policies may need to be manually reviewed to determine compliance. Administrative discussions and decisions may occur that potentially override any of the above criteria, based on reasonable best practices and the District's needs.
Vendors also may need to sign a data privacy agreement in order to be fully compliant. Administrative discussions and decisions may occur that potentially override this requirement for free products, those products with complete, fully compliant policy documents, or other factors, based on reasonable best practices and the District's needs.
Lemont High School leverages the Student Data Privacy Consortium (SDPC), which is a unique collaborative of schools, districts, regional, territorial and state agencies, policymakers, trade organizations, and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns.
Through the SDPC, Lemont High School has entered into contracts with third party vendors who handle our students' data. For a list of the school's approved Web-based tools, written agreements with operators, and a list of data elements, please click below.
- Why does Lemont High School collect student information?
- What student information does Lemont High School collect?
- How is student information used?
- How is the information safeguarded?
- Who has access to student data?
- When is individual student information archived or deleted?
- Meeting Federal and state student privacy laws
- State or Federal Law
- Statute or Regulation
Using data effectively and responsibly is foundational for decision making and improving student performance. Capturing accurate information is essential for public, state and Federal reporting, along with accurate school and district performance reports. The Family Educational Rights and Privacy Act (FERPA), Illinois School Student Records Act (ISSRA) and Health Insurance Portability and Accountability Act (HIPAA) establishes baseline parameters for what is permissible when sharing student information.
Lemont High School uses strict processes to protect the privacy of every student to ensure the confidentiality and security of all data collected and managed. Data collected by Lemont High School meet policy, practice, and service requirements of state and Federal laws.
- Core Data Collection Categories for Every Student
- Only for Students Participating in Specific Programs
- Student Information System Student ID (SIS-ID)
- Grade level
- Entry/Exit date/type
- Courses completed
- Course Educator ID
- Title I
- Special Education/Gifted
- Free or reduced lunch
- English Language Learner
- Disability/Gifted type(s)
- Services received
- Discipline incidents
- Parent contact information
- Select data from Individualized Education Program (transition planning, levels of performance, accommodations and modifications, assistive and instructional technology needs)
- Student & parent name, address, phone number, email
- Diagnosis and name/phone number of diagnostician (doctor, physical therapist)
- Related services (social work, nursing assistance, transportation)
- Classroom accommodations
English Language Learners
- Primary language
- English language proficiency level
- Participating institution
Career and Technical Education
State Assessment (students in assessed grades) and Alternative/Special Needs
(Includes ACCESS, PSAT 9, PSAT 10, PSAT-NMSQT, SAT, ACT, Advanced Placement, ISA, MAP, DLM, Alternate ACCESS)
- Testing accommodations
- Student growth percentiles
Individual Student Data Uses
● Allocation of state funding
● Administering state assessments
● Calculating individual student growth
● Coursework and placement
● Post-secondary enrollment and remediation feedback
Aggregated Student Data Uses
● School and District performance reports
● Program evaluation and measurement
● School and District improvement plans
● Special Education Cooperative plan
● Federal reporting/funding
● Public reporting
- Identification required
- Enforced password complexity
- Staff password expiration
- Two factor authentication
- Security Groups define accessible data
Social Engineering Attacks
- All staff security awareness notification and training
- Testing includes phishing and vishing
- Testing quarterly to measure effectiveness
- Maintains secure server room
- Limited access to authorized users
Data at Rest
- Mobile devices require password access to unlock encrypted drives
Data in Motion
- Secure File Transfer Protocol (SFTP)
- Hypertext Transfer Protocol with Secure Socket Layer (HTTPS)
- Controlled building and Data Center access
- Video surveillance
- Endpoint protection and Response
- Air Gap copies
Student privacy procedures fully adhere to the guidelines set forth in Federal and State law, but Lemont High School is working to include additional safeguards such as:
- Formal information security policy
- District guidance for student data security and privacy policies
- Policy review and revision by national experts and advisors
- Data governance committee to determine internal accountability for student data
- Institutional Review Board to review research requests and ensure confidentiality
- Data breach notification and liability clauses in vendor contracts and agreements that involve individual student data
- Annual independent security audits
Parents/guardians have the right to inspect, review, and correct information maintained by the school, operator, and the Illinois State Board of Education.
Please direct any requests to the District's Data Privacy Officer at firstname.lastname@example.org.
Parents/guardians play a key role in overseeing the online safety of their children. ConnectSafely, a nonprofit dedicated to educating users of connected technology about safety, privacy, security and digital wellness, developed a series of parent guides to help parents/guardians navigate the digital world with their children.