Naperville 203 Student Data Privacy Overview

  • Our Commitment

    Naperville Community Unit School District 203 is committed to protecting all student data from individuals or organizations who have no legal or educational purpose for that data.  District 203 is required to protect student data by several state and federal laws and guidelines including SOPPA, FERPA, COPPA, CIPA, and HIPPA, which are summarized below.  District 203 is subject to strict penalties if student information is misused or compromised.  District 203 protects student data through comprehensive privacy policies and multiple layers of security measures such as firewalls, data encryption, secure servers, external monitoring, access auditing, and intrusion detection/remediation software.

    State and Federal Laws & Guidelines

    Naperville Community Unit School District 203 is required by law to follow a variety of state and federal law and guidelines regarding the protection of student data.

    SOPPA Student Online Personal Protection Act (State of Illinois)

    Defines how schools, the State Board of Education, and external entities must protect student data.

    External entities must:

    • Protect student data
    • List student data used
    • Describe the usage of student data
    • Delete student data when no longer required
    • Report breaches of data

    External entities are prohibited from:

    • Selling, renting, leasing, trading student data
    • Creating student profile
    • Targeting advertising to students

    District 203 must:

    • Publish a list of data elements used
    • Publish a list of vendor agreements
    • Publish parent’s rights of student data

    District 203 is prohibited from:

    • Selling, renting, leasing, trading student data
    • Sharing data with external entities without a signed agreement

    State Board of Education must:

    • Publish a list of data elements used

    FERPA Family Education Rights Privacy Act (US Department of Education)

    Guarantees that parents have the right to review and make changes to their children’s education records. 

    FERPA also restricts who can use and access student information. 

    FERPA provides parents with 4 basic rights: 

    • To inspect and review education records; 
    • To challenge the content of education records and to correct or delete inaccurate data; 
    • To control the disclosure of education records containing their child’s PII via consent; 
    • To file a complaint regarding noncompliance with FERPA with the Department of Education.

    COPPA Children’s Online Privacy Protection Act (Federal Trade Commission)

    Controls what information is collected from children under the age of 13 by companies operating websites, games, and mobile apps.

    It is specifically for website operators that collect information from children or operate a general audience website and have actual knowledge that personal information from children is being collected or have:

    • Child targeted websites or those that have visual or audio content
    • Child models
    • Advertising directed to children
    • Information regarding the age of the actual or intended audience
    • Animated characters or other child-oriented features.

    Web site operators must include a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children’s privacy and safety online.

    Naperville 203 inspects websites for COPPA compliance prior to permitting student access.

    CIPA Children’s Internet Protection Act (Federal Communications Commission)

    Addresses children’s access to obscene or harmful content over the Internet.

    CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the eRate program, a program that makes certain communications services and products more affordable for eligible schools and libraries.

    Naperville 203 filters student access to the Internet with CIPA compliant products and processes.

    HIPAA Health Insurance Portability and Accountability Act (US Department of Health & Human Services)

    Prohibits the disclosure of protected health information to third parties without written authorization.

    HIPPA’s application to K12 schools is limited. Education records covered by FERPA are specifically excluded from the definition of protected health information.

    Schools are subject to HIPPA if they provide health services and electronically transmit “health information” for a reason specifically listed in the rule.

    What Student Data is Collected?

    • First and last name
    • Home address
    • Telephone numbers
    • Email addresses
    • Other information that allows physical or online contact
    • Student identifiers
    • Discipline records
    • Assessment results
    • Special education records
    • Juvenile dependency records
    • Grades
    • Evaluations 
    • Medical records
    • Health records
    • Biometric information
    • Disabilities 
    • Socioeconomic information
    • Food purchases
    • Text messages
    • Documents
    • Search activity
    • Photos
    • Voice recordings
    • Geolocation information

    Why is This Student Data Collected?

    Data is collected, but may not be limited to, for the following reasons:

    • For the educational purpose of determining the needs of a student
    • For determining student placement into various programs
    • For special education determination purposes
    • For providing communications to students and families
    • For reporting required by state or federal agencies such as the Illinois State Board of Education, the United State Department of Education, Regional Office of Education, Illinois Department of Health, etc.
    • For reporting to colleges and universities for acceptance purposes

    Who has Access to Student Data?

    Policies are in place that limits access to student data based on an individual’s role within District 203 and what is referred to as their “legitimate educational interest” in information. Access to data is restricted to trained, qualified individuals who only have access to the specific data they need in order to do their jobs. Teachers, principals, and other administrators have access to the widest range of information, allowing them to monitor a student’s progress in school. 

    District 203 works with a variety of outside entities that provide services or applications necessary for delivering instruction and District operations, which requires sharing of student data.  These outside entities receive only the information about a student that is required to provide particular services. Some entities such as School board members, the Illinois Department of Education, and the U.S.

    Department of Education receive aggregated information that allows them to understand how our schools are performing and make decisions about programs and resources. 

    Parents have the right to inspect their student’s data for accuracy at any time and in some cases may have the right to prevent student data from being shared.  In the event a parent does choose to not have their student’s data shared, this may result in degraded experience and/or limit student’s access to tools and learning aids used in their education.