Data Privacy

The Learning Technology Center provides support and services specifically designed to assist school districts and schools with cybersecurity, data security, and student data safety. Our work focuses on:

  • Connecting districts and schools with the resources and services that they need in order to ensure student data safety.
  • Disseminating practical solutions and training for districts and schools.


Related Projects

Contact Information

Chris Wherley
Network and Technology Services Coordinator

  • Laws
  • Districts & Schools
  • Teachers
  • Parents
  • Training

Essential Privacy Laws

Family Educational Rights and Privacy Act (FERPA) governs information in a student’s education record, restricting access and use of student information.

  • Generally prohibits districts from disclosing students’ education records without written parent or eligible student consent.
    “Education records” are broadly defined to include any records, files, or documents maintained by a school district that contain personally identifiable information on students.
  • Grants parents and guardians the right to inspect and review education records; request that a school amend the student’s records; consent in writing to the disclosure of personally identifiable information from the student’s records, subject to certain enumerated exceptions.

(20 U.S.C. § 1232g; 34 C.F.R. Part 99.)

Student Online Personal Protection Act (SOPPA) protects the privacy and security of student data when collected by companies operating websites, online services, or online/mobile applications primarily used for K-12 school purposes.

  • Prohibits the use of student data for targeted advertising, the sale of student information gathered during the students’ use of the educational technology, and the use of data collected to amass a profile about a student.
  • Effective July 1, 2021, school districts will be required (among other things) to post a list of operators with which the district has written agreements, copies of those written agreements, and other information about such operators on the school’s website; as well as to notify students and parents of any breach of student data by an operator of the school.

(105 ILCS 85/1 et seq.)

Children’s Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13 by companies operating websites, games, mobile applications, and digital services that are directed to children or that collect personal information from individuals known to be children.

  • COPPA requires companies to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting information from children under 13.

(P.L. 105-277; 15 U.S.C. § 6501 et seq.; 16 C.F.R. part 312.)

Children’s Internet Protection Act (CIPA) imposes certain requirements on schools that utilize the federal E-Rate program to receive discounts for internet access and other technology services, or that receive federal grants for other technology expenses.

  • Requires that districts adopt an internet safety policy that includes protection measures to block or filter internet access to visual depictions that are obscene, child pornography, or harmful to minors.
  • School districts must monitor the online activities of children and educate children about appropriate online behavior, including interacting with other individuals on social networking websites and cyber bullying awareness and response.

(47 U.S.C. §254(h); 47 C.F.R. §54.520.)

Illinois School Student Records Act (ISSRA) is similar to FERPA and ensure parent/guardian access to their child’s records and the confidentiality of student records and the information in those records.

(105 ILCS 10/1 et seq.; 23 Ill Admin. Code Part 375.)

Related Privacy Laws

The Protection of Pupil Rights Amendment (PPRA) restricts the administration of surveys, analyses, or evaluations to students that concern specified protected topics, and requires notification to parents and parental consent when information is collected related to those topics.

(20 U.S.C. § 1232h; 34 C.F.R. part 98.)

Right to Privacy in the School Setting Act requires elementary and secondary schools to provide notification to the student and his or her parent or guardian that:

  • The school may not request or require a student to provide a password or other account information to gain access to the student’s account or profile on a social networking website.
  • The school MAY require the student to cooperate in an investigation if there is specific information about activity on the student’s social media account that violates a school disciplinary rule or policy, including requiring the student to share the content of the social media site.

(105 ILCS 75/1 et seq.)

Children’s Privacy Protection and Parental Empowerment Act prohibits the sale or purchase of personal information of a child under age 16 without parent/guardian consent, unless an exception applies.

(325 ILCS 17/1 et seq.)

Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA) governs the confidentiality of communications and records concerning mental health or developmental disability services provided to a student by school personnel who meet the definition of a “therapist”.

  • “Therapist” includes school psychologist, social worker, or nurse.
  • Parents/guardians (and students age 12 or older) have the right to access records and provide written consent prior to disclosure of records or communications, except under specific circumstances.

(740 ILCS 110/1 et seq.)

Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. HIPPA and subsequent rules like the HIPPA Privacy rule established national standards to protect individual’s medical records and other personal health information.

  • The HIPPA Privacy Rule specifically excludes from its coverage records that are protected by FERPA, making it so that HIPPA does not generally apply to K-12 schools. Schools are also excluded from HIPAA’s reach because they very rarely would constitute “covered entities” as that term is defined by the law.

(Pub. L. 104-191; 45 CFR Parts 160, 164.)

General Data Protection Regulation (GDPR) is a European Union (EU) regulation that broadly provides data privacy and security protection to residents of EU member states. EU residents living outside of the EU are still granted the same protections.

  • GDPR generally does not apply to K-12 schools in the United States. Exceptions include anytime an educator communicates with someone living in a EU member country, like a high school exchange student.

((EU) 2016/679)

Local Records Act provides requirements for how school districts maintain day-to-day recordkeeping.

  • School districts must obtain written approval of the appropriate local records commission before destroying or deleting digital or physical student records and other public records in control of the school district.

(50 ILCS 205/1 et seq.; 44 Ill. Admin. Code Part 4500.)

General Data Protection Regulation (GDPR) is a European Union (EU) regulation that broadly provides data privacy and security protection to residents of EU member states. EU residents living outside of the EU are still granted the same protections.

  • GDPR generally does not apply to K-12 schools in the United States. Exceptions include anytime an educator communicates with someone living in a EU member country, like a high school exchange student.

((EU) 2016/679)

District Resources

  • Protecting Student Privacy
    The U.S. Department of Education’s website to provide schools and school districts with best practices to use in their management of information about students. This site aims to assist stakeholders in protecting the privacy of students by providing official guidance on FERPA, technical best practices and the answers to Frequently Asked Questions.
  • Privacy Contract Framework
    The Privacy Contract Framework will assist schools, districts, and state agencies in developing common contracts for districts to use throughout the state.
  • Forum Guide to Education Data Privacy
    The National Forum on Education Statistics (Forum) organized the Education Data Privacy Working Group to explore how state and local education agencies (SEAs and LEAs) can support best practices at the school level to protect the confidentiality of student data in day-to-day instructional and administrative tasks. The Working Group created this guide in order to highlight common privacy issues related to the use of student data and to present basic approaches to managing those issues.
  • How do you Communicate the Data Message?
    Words matter. What you say, how you say it, and when you say it are critical to effectively communicating with your audience. DQC has crafted language and tools to help you better talk to peers, press, and the public about data and meeting education goals.
  • What is Student Data?
    There are many types of data that support student learning—and they’re so much more than test scores. However, individual data points don’t give the full picture needed to support the incredibly important education goals of parents, students, educators, and policymakers. See the types of data that can come together—under requirements like privacy and security—to form a full picture of student learning.
  • Data Breach Response Training Kit
    Any organization with electronic records is vulnerable to security breaches, and education agencies are no exception. The PTAC Data Breach Scenario is one of a series of exercises intended to assist schools, districts, and other educational organizations with internal data security training.
  • PTAC Toolkits
    The Privacy Technical Assistance Center (PTAC) has developed a body of best practice resources to help education stakeholders, including State educational agencies, local education agencies, and the postsecondary education community involved in building and using education data systems, learn more about data privacy, confidentiality, and security practices related to student-level longitudinal data systems. The PTAC Toolkit is updated regularly with new resources, including case studies, webinars, checklists, technical briefs, issue briefs, and other useful information.
  • Protecting Student Privacy While Using Online Educational Services: Model Terms of Service
    This document is a framework for evaluating online “Terms of Service” agreements. This document is designed to assist educators, schools, and districts in understanding how an online service or application may collect, use, and/or transmit user information. The guidance will assist users in deciding whether or not to sign-up for specific services.

Resources for Teaching Students



  • FERPA 101: For Local Education Agencies
    The U.S. Department of Education’s FERPA training focused on K-12 schools, districts and local education agencies.
  • FERPA 201: Data Sharing under FERPA
    The U.S. Department of Education’s training focused on the intricacies of sharing data in compliance with FERPA requirements.
  • Email and Student Privacy
    Email is an easy way to communicate with students and parents. Prior to sending an email, it’s important to evaluate the risk associated with sending student information and recognizing if it is personally identifiable information (PII). This video walks you through best practices on how to email student information.
  • Developing a Privacy Policy for Your District
    This video provides an overview and rationale for why districts need to develop a program to protect student data.
  • How to Use your District’s Website to Communicate with Parents about Data Use and Security
    Parents need to feel confident that the education information collected and stored by your district is securely maintained and only used for educational purposes. This video highlights common parent questions, and provides best practices that districts can implement to communicate with parents about data privacy.
  • The A-B-C’s of Student Directory Information
    FERPA allows schools and districts to designate certain basic student information as directory information, and share that information without consent if certain additional requirements are met. This video describes why a school would want to use designated student directory information and the types of information that fall into this category. It also explains the process that schools and districts must adhere to when designating directory information.
  • Protecting Student Privacy While Using Online Educational Services
    This Privacy Technical Assistance Center teacher training video is aimed at helping K-12 school officials to better protect student privacy while using online educational services and applications. The video, intended for use during teacher in-service days or professional development meetings, offers a short summary of the issue and provides some examples to help educators identify which online educational services and applications are privacy-friendly and protect student data from improper use and disclosure.