Data Security and Privacy at District 99

District 99 is entrusted with personal student information, and we take protecting this information very seriously. In addition to following strict security procedures internally and requiring that level of security from our external providers, we also comply with all security and privacy laws when using student information internally and when sharing it with our third-party partners.

It is the intent of the Department of Technology & Information Services to create an environment within the district that maintains system security, data integrity, and privacy by preventing unauthorized access to data and by preventing misuse of, damage to, or loss of data. The Superintendent has authorized the Director of Technology & Information Services and Data Privacy Officer to establish, implement, and maintain data and information security measures. These policies, standards, guidelines, processes, and procedures apply to all students and employees of the district, contractual third parties and agents of the district, and volunteers who have access to district data systems or data. The Data Security & Governance Guide (Draft) outlines procedures and standards regarding data governance, data security, and individual privacy protection for Community High School District 99.

The district subscribes to the data principles of CIA: Confidentiality, Integrity, and Availability.

  • Confidentiality revolves around the principle of ‘least privilege.’ This principle states that access to information, assets, etc. should be granted only on a need-to-know basis, so that information intended for some is not accessible to everyone.
  • Integrity ensures that information is not tampered with while it travels from source to destination or while it is stored at rest. Information stored in underlying systems, databases, etc. must be protected through access controls, and there should be an accepted procedure for changing data at rest or in transit.
  • Availability ensures that the core data services of an organization are accessible.

 

Information Security and Privacy Committee
The Information Security and Privacy Committee is charged with evaluating the district’s information security and privacy policies, risk management practices, related procedures, and operations. The committee will identify potential areas of vulnerability and risk and set the strategic direction for information privacy and security programs for the District.

 

District 99 Board of Education Policies

 

IL Student Online Personal Protection Act (SOPPA)

  • SOPPA regulates vendors (operators) who provide web-based sites, services, and online and mobile applications that are used primarily for K to 12 purposes.
  • Currently, SOPPA places various prohibitions and responsibilities on these vendors, referred to in the law as “operators.” The law prohibits operators from engaging in targeted advertising to students, amassing a profile on students, selling or renting student information, or using student information except in limited ways. Additionally, operators must maintain certain security protocols when storing student data, delete student data when requested by the district, and maintain a public privacy policy.
  • The law has been amended, effective July 1, 2021, not only to expand the responsibilities and prohibitions of operators, but also to place new responsibilities on school districts and on the Illinois State Board of Education (ISBE), as well as to delineate the scope of parental rights.

 

Outside Applications Used by District 99

  • We require all third-party vendors (operators) with which we share covered information to sign a Data Privacy Agreement with us, which outlines what data is potentially shared, the purpose for collecting the data, what subcontractors they use, and additional information.
  • You can see all current executed agreements here. As we secure Data Privacy Agreements and amass the information required by SOPPA, agreements will be added to the list.
  • At the start of each school year, District 99 will notify all families of what types of student data are collected and shared by providing access to our currently executed Data Privacy Agreements.
  • Our efforts to evaluate all applications for SOPPA compliance and secure Data Privacy Agreements are focused, ongoing and done in good faith. We continue to work toward full compliance with SOPPA regulations, understanding the importance and immensity of the task.
     

Procedures for Inspecting, Correcting, or Deleting Covered Information Under SOPPA

Parents may request to inspect and review their student’s covered information. Requests for reviewing records must be made in writing and include the date of the request, the parent’s name, address, phone number, student’s name, and the name of the school from which the request is being made. Please use this online form to submit your request to inspect, copy or challenge covered information. Parents will be required to provide proof of identity and relationship to the student before access to the covered information is granted. 

The District shall provide an electronic copy of the records within 45 days of receiving a request for the covered information. If a parent requests a paper copy, the District will charge .35 cents per page. No parent will be denied a paper copy due to an inability to pay. 

A parent may make no more than two requests per student per quarter to review and receive copies of covered information.

Parents may request corrections of factual inaccuracies contained in their student’s covered information. The District will review the request, determine if an inaccuracy exists, and if so, will make any necessary corrections within 90 days of the request. If the correction needs to be made by the Illinois State Board of Education or a District’s vendor, any necessary corrections will also be made within 90 days of the request and the District will notify the parent of any necessary corrections within 10 days after receiving confirmation of the corrections. 

If a parent requests the deletion of any covered information, the District will review the request to determine whether such a deletion would violate the law or result in the student being unable to participate in the District’s curriculum.

Parents may also consult the District’s procedures on reviewing and challenging student records if the covered information also constitutes student records.

 

Data Breach Notification Process

In the unlikely situation that an operator experiences a potential data breach, they must notify District 99 as soon as possible. After receiving notice of a potential breach, we will evaluate their report and, if confirmed, provide notifications to parents. Information on past breaches will be publicly displayed below and will contain the following information:

  • Date or estimated date/range of the breach
  • Description of covered information breached
  • The number of students unless disclosure would violate the Personal Information Protection Act
  • Contact information of the operator for questions
  • Toll-free numbers, addresses, and websites of consumer reporting agencies and the FTC

The District will also notify parents and post information in the event the District’s data systems are breached.

Note: A notice of breach may be delayed if a law enforcement agency determines that the notification will interfere with a criminal investigation. If a breach impacts less than 10% of the student enrollment, by law it does not need to be disclosed in the manner described above.

 

Data Breaches

There are no known data breaches at this time impacting District 99 covered information.

 

 

Questions? Contact the District 99 Data Privacy Officer
