Student Data Privacy
For more information, click on the tabs below.
- How is access to student data managed?
- Where is student data held and where does it go?
- Data Services Agreement
- Student Online Personal Protection Act (SOPPA)
- Student Online Personal Protection Act (SOPPA) Notice
- Notice of Parent Rights Regarding Student Covered Information
District 86 follows best practices in establishing and managing system and network access security. An Information Security Policy governs all access and control measures to protect District data. Access to student data is managed and controlled through what is known as role-based security. This means that the type and amount of access to student data and other information is governed in our systems by the role which any staff member holds in the District along with what information they require to perform their job. Staff members must go through a process to gain access to authorized information that includes successfully logging into the District network or one of the systems they use as part of their job duties.
District 86’s authentication requires staff to use their District assigned Active Directory username and password or an application specific username and password to gain access to functionality and data residing in our systems. These usernames and passwords are specific to individual staff or system users. Once a staff member logs in using this method the internal application controls role based security.
Application permission restrictions are engaged which limit the data read, write, add or delete functionality and are specific to a staff member’s role in the District. This process is also used by our District 86 parents/guardians when accessing information specific to their students in any of our systems.
The district also follows all rules set forth by state and federal government such as the Family Educational Rights and Privacy Act (FERPA), Protection of Pupil Rights Amendment (PPRA), and the Health Insurance Portability and Accountability Act (HIPAA). For more information regarding these laws, please refer to the following links:
The primary repository of student data is our Student Information System, eSchoolPlus. eSchoolPlus maintains student demographics, household contact information, enrollments, attendance, grades, schedules, transcripts, discipline, bus, lockers, health, and LEP information. The District does not retain student Social Security Numbers within any system. In addition to the eSchoolPlus system, the Technology Services department also maintains multiple supporting systems that assist in running the daily operations of the District. Based on need, some excerpts of student data are routinely transferred between these applications through a variety of secure and encrypted system integration processes. Additionally, many of these applications are internally hosted in our secure primary and secondary data centers. Physical access to these data centers and the servers that house this data is limited to a small group of network and application administrators in the Technology Services department. D86 data centers are secured, include fire protection and power backup capabilities. Routine back-ups of key systems and data are processed on a regular schedule, which are securely stored and protected.
With the evolution of Cloud-based applications, the District also subscribes to some externally hosted applications which are integrated with our Student Information System through encrypted data communications. Below is a list of some of the various outside agencies that the district provides data to, and or receives data from, via secured, encrypted data transfer interfaces.
- Regular basis - Learning Management System (Canvas), Library Management System (Follett), and mass notification system (BlackBoard Connect). Data transferred includes basic student information such as student names, student schedules, teachers, and teacher
- Periodic basis - Testing agencies such as ACCESS, ACT, AP, PSAT, and These tests typically include basic student demographics to identify the student and student schedules used for test scheduling purposes.
- Occasional basis – Military, picture companies (LifeTouch), fundraising (Booster Clubs, D86 Foundation), institutions of higher education, and The Illinois High School Association (IHSA), which typically contains basic student information only.
- Government entities – Required data is shared on a daily, weekly, monthly, quarterly, and annual basis to the Illinois State Board of Education (ISBE). The Department of Education Office of Civil Rights requires the District to supply various data and/or This data can contain detailed student demographic data, enrollment data, discipline data, grades, IEP, 504, LEP, and Free and Reduced Lunch information.
If problems occur that require application support personnel from one of the District’s solution providers, access to these applications by the vendor is granted to correct issues or perform system maintenance and upgrades.
The District has established non-disclosure agreements with vendors as well as having information confidentiality language included in the Data Services Agreements. Additionally, when selecting new vendors the District requires that the vendor have a secure data transfer process, physically secured data centers, role- based security, and contract language that addresses information confidentiality and non-disclosure clauses.
What is SOPPA?
The Student Online Personal Protection Act is a new data privacy that went into effect on July 1, 2021. Websites, online services and mobile apps that are designed, marketed and used for K–12 school purposes must comply with SOPPA regardless of whether they have a contract with a school or district.
What does it mean to be SOPPA-compliant?
If a vendor states that they are SOPPA-compliant, that means that they are:
- Not using collected data to provide targeted ads;
- Not profiling students except in furtherance of school purposes;
- Not selling or renting student information;
- Not disclosing information unless required to by law or as part of the maintenance and development of its service;
- Using sound security practices;
- Deleting student data when requested by the school or district;
- Entered into a written agreement with the school district.
School districts throughout Illinois contract with different vendors for services that enable them to provide personalized learning, access innovative educational technologies and increase efficiency in school operations.
Under the state's Student Online Personal Protection Act (SOPPA), educational technology vendors and other entities that operate websites, online services, online applications, or mobile applications that are designed, marketed, and primarily used for K-12 school purposes are referred to in SOPPA as operators. SOPPA is intended to ensure that student data collected by operators is protected. It also requires those vendors, school districts and the Illinois State Board of Education to take a number of actions to protect online student data.
Depending on the educational technology that is being used, our district may need to collect different types of student data that is then shared with vendors through their online sites, services and/or applications. Under SOPPA, vendors are prohibited from selling, renting or engaging in targeted advertising using a student’s information. Such vendors may only disclose student data for K-12 school purposes and other limited purposes permitted under the law.
In general terms, the types of student data that may be collected and shared include personally identifiable information (PII) about students or information that can be linked to PII about students. Below are examples of this information.
- Basic identifying information for students and parents/guardians that includes their name, contact information, username/password and student ID number
- Demographic information
- Enrollment information
- Assessment data, grades and transcripts
- Attendance and class schedule
- Academic/extracurricular activities
- Special indicators (e.g., disability information, English language learner, free/reduced meals or homeless/foster care status)
- Conduct/behavioral data
- Health information
- Food purchases
- Transportation information
- In-application performance data
- Student-generated work
- Online communications
- Application metadata and application use statistics
- Permanent and temporary student record information for school
Operators may collect and use student data only for K-12 purposes that aid in the administration of school activities such as:
- Instruction in the classroom or at home (including remote learning)
- Administrative activities
- Collaboration between students, school personnel and/or parents/guardians
- Other activities that are for the use and benefit of the school district
The contact information for the District’s Privacy Officer or other staff member designated to respond to parent/guardian requests for their child’s covered information follows:
5500 S. Grant Street, Hinsdale, IL 60521
Under the Illinois Student Online Personal Protection Act (SOPPA), you have the right to review your child’s covered information. Covered information means personally identifiable information (PII) or information linked to PII in any media or format that is not publicly available and is any of the following: (1) created by or provided to an operator by a student or the student’s parent/guardian in the course of the student’s or parent/guardian’s use of the operator’s site, service or application; (2) created by or provided to an operator by an employee or agent of the District; or (3) gathered by an operator through the operation of its site, service, or application. Operators are entities (such as educational technology vendors) that operate Internet websites, online services, online applications, or mobile applications that are designed, marketed, and primarily used for K-12 school purposes.
Under SOPPA, you have a right to:
- Request to inspect and review your child’s covered information, whether it is maintained by the District, the Ill. State Board of Education (ISBE), or an operator.
- The District will provide you with the opportunity to inspect and review your child’s covered information within the timeframe prescribed by State rules.
- If the covered information requested includes data on other students, your access will be limited to the covered information relevant to your child.
- If the covered information you request includes your child’s school student records, the District will permit you to inspect and review any school student records of your child in accordance with the District’s procedures for student records requests.
- Request a copy of your child’s covered information, in electronic or paper form.
- The District will provide the copy to you within the timeframe prescribed by State rules.
- If you request an electronic copy, the District will provide you the copy in an electronic format, unless the District does not maintain the information in electronic format and reproducing it in an electronic format would be unduly burdensome to the District.
- If you request a paper copy, the District will charge you the reasonable cost of copying in the amount authorized by State rules. However, you will not be denied a copy if you have an inability to pay.
- You are limited to the number and frequency of copying requests provided by State rules.
- If the covered information you request includes your child’s school student records, the District will provide a copy of your child’s school student records to you in accordance with the District’s procedures for student records requests.
- Request corrections to factual inaccuracies contained in your child’s covered information. Upon receipt of a request, the District will take the following steps:
- The District will review your request and determine if the factual inaccuracy exists.
- If the District determines that a factual inaccuracy exists, and the District maintains or possesses the covered information, it will correct the inaccuracy and confirm the correction with you within 90 calendar days after receiving your request.
- If the District determines that a factual inaccuracy exists and an operator or ISBE maintains the information, the District will notify the operator or ISBE of the factual inaccuracy and the correction to be made. The operator or ISBE is required to confirm the correction with the District within 90 calendar days after it receives the District’s notice. The District will then confirm the correction with you within 10 business days after it receives the confirmation of the correction from the operator or ISBE.
- If the covered information you are requesting be corrected includes your child’s school student records, the District will follow its procedures for amendment of student records with respect to those school student records.
To make a request to inspect and review, copy, and/or correct your child’s covered information, please contact the staff member identified above and specify the nature of your request. You will need to submit your request in writing, utilizing any form the District requires.