Student Data Privacy Laws, Policies and Processes

Effective July 1, 2021, school districts will be required by the Student Online Personal Protection Act (SOPPA) to provide additional guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only (105 ILCS 85).

Students, teachers and administrators alike make daily use of digital and online resources for collaboration, communication, consumption and creation of instructional materials and practices. These services are available through agreements between the resources and Tri-County Special Education Cooperative (TCSE).

TCSE staff will monitor student use of these resources when students are at school. Parents are responsible for monitoring their child’s use of these tools when at home. Students are responsible for their own behavior at all times. Student safety is our highest priority.

A summary of other privacy acts are below and a list of Software and Privacy Agreements.

Children’s Internet Protection Act (CIPA)

Imposes certain requirements on schools that utilize the federal E-Rate program to receive discounts for internet access and other technology services, or that receive federal grants for other technology expenses.

Children’s Online Privacy Protection Act (COPPA)

Restricts the collection of personal information from children under 13 by companies operating websites, games, mobile applications, and digital services that are directed to children or that collect personal information from individuals known to be children.

Family Educational Rights and Privacy Act (FERPA)

Governs information in a student’s education record, restricting access and use of student information.

Student Online Personal Protection Act (SOPPA)

Guarantees that student data is protected when collected by educational technology companies, and that data is used for beneficial purposes only.

Please click the link below to view current DPA's

Tri-County Special Education DPA's

Breach Notifications

A breach refers to the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or school.

Parents will be notified of breaches of covered information within 30 calendar days of receipt of notice that a breach has occurred. Notification may be delayed if this would interfere with a criminal investigation. Notification will include, but is not limited to:

  • The date of the breach
  • The description of the covered information that was compromised
  • Information that the parent may use to contact the operator and the school about the breach

Data breaches that meet the threshold set by the Student Online Personal Protection Act (SOPPA) will be posted below as soon as the district is notified.

January 14th, 2025

PowerSchool, the vendor providing TCSE’s Student Information System, announced this week that they experienced a nationwide data breach. TCSE was one of many schools affected by this breach.

On December 22, 2024, an unauthorized individual gained administrative access to our PowerSchool SIS through a vulnerability in PowerSchool’s support portal. This vulnerability, a maintenance access feature intended for authorized PowerSchool support staff, was exploited to access data. This vulnerability impacted numerous schools using PowerSchool, both those hosted by PowerSchool and those hosted locally. PowerSchool first notified us of the incident on January 7, 2025. Two separate queries were run against the PowerSchool database, resulting in the potential export of the following data:

Student Data (917 records): This included data for currently active/inactive students. The data potentially accessed encompassed 150 data fields, including:

  • Personal Identifiers: First, middle, and last names, TCSE student number, TCSE login ID/username.
  • Demographic Information: Gender, date of birth, race and ethnicity. Academic Information: TCSE grade year (class of), exit status (graduated, withdrawn).
  • Contact Information: Home address, home phone number, parent/guardian email addresses.
  • Other Information: Lunch status (free/reduced), parent web ID and encrypted password, medical “alert” summary (e.g., inhaler use, allergies), parent alert summary (parent access restrictions), other “alert” summary (e.g., checkout restrictions, Ed Plan status), and doctor name and phone number (rarely used).

Staff Data (935 records): This included data for currently active and former staff members. The data potentially accessed encompassed 97 data fields, including:

  • Personal Identifiers: First, middle, and last names, TCSE login ID/username, staff/teacher number.
  • Contact Information: TCSE email address, home address, home phone number Professional Information: Title, active/inactive status.

Our Response and Due Diligence:

Upon learning of the breach, we immediately began working with PowerSchool to understand the scope and impact of the incident. We have also undertaken the following steps: Collaboration with PowerSchool - We are actively collaborating with PowerSchool as they investigate the vulnerability and implement necessary security enhancements. Internal Review - We have initiated a comprehensive internal review of our data security policies and procedures to identify areas for improvement. Although the breach stemmed from a third-party vulnerability, we are committed to strengthening our overall security posture. Notification and Support - We are notifying all affected individuals and providing resources and support to address any concerns. Enhanced Security Measures (Post-Incident): We are evaluating additional security measures for our data systems, including but not limited to: multi-factor authentication, enhanced logging and monitoring.

PowerSchool’s Role and Responsibility:

It is crucial to emphasize that the intrusion exploited a vulnerability within PowerSchool’s own systems, specifically a maintenance access feature within their support portal. This vulnerability was not under our direct control. We are holding PowerSchool accountable for this security lapse and are working with them to ensure that they take all necessary steps to prevent future incidents.

What You Can Do:

We recommend that all affected individuals take the following precautions: Remain vigilant - Be cautious of any unsolicited emails, phone calls, or text messages that request personal information. Monitor your accounts - Regularly review your financial accounts and credit reports for any unauthorized activity.

Ongoing Communication:

We understand that you may have questions and concerns. We sincerely apologize for any concern or inconvenience this incident may cause. We are committed to protecting the privacy and security of your information and are taking all necessary steps to address this situation. In the interest of providing more information, here is a selection of articles about the incident:

The Register

Newsweek

TechCrunch

In order to provide support, we recommend that you review the Federal Trade Commission Consumer Advice on what to do after a data breach.

If you have any questions, please reach out to Tri-County’s Technology Coordinator.