A new Illinois law going into effect in 2021 is meant to safeguard student data from breaches and ransomware.
With this update to the Student Online Personal Protection Act, parents will be able to review and correct their kids’ data held by schools or operators of online services who work with the school.
Parents can also request data be deleted in some cases. State Rep. John Carroll was a co-sponsor of the act.
“Data privacy is our new frontier. It's going to be something that we're gonna have to constantly monitor and make sure it's safe.”
The Illinois State Board of Education will have to provide guidance to schools on reasonable security procedures and practices.
School districts will annually post a list of those companies along with what data is being disclosed and a reason why they need to give them student data.
Schools must also inform parents of a data breach within 30 days or 60 if a third-party operator is responsible.
“As a person, myself, who's had his identity stolen now twice, trying to get back to a level of normality is exceptionally difficult,” said Carroll. “I mean, I think any time our data is stolen, we deal with the ramifications of it over an extended period of time.”
If they share data with a third-party service, schools must have a written agreement with the company.
Those online service operators also can’t use that data to run targeted advertisements at students.
Many districts, like Rockford Public Schools, have been targeted by ransomware attacks over the past several years. The plan also comes as a response to the data breach of the education publisher Pearson in 2019.