BPD3 Logo

🔒 Student Data Privacy Training

Beach Park CCSD 3  |  Learn Lead Succeed

🏠 Welcome, BPD3 Educators!

This interactive training is designed for all Beach Park District 3 educators and administrators at Beach Park Middle School, Howe Elementary, Kenneth Murphy Elementary, Newport Elementary, and Oak Crest Elementary. Complete all modules to earn your BPD3 Certificate of Completion. Your progress is saved automatically in your browser.

Mission

We empower our students to learn, lead, and succeed as a connected community.

Vision

BPD3 is dedicated to the success of everyone by creating pathways of learning through:

  • fostering student engagement through challenging academic experiences
  • developing community pride and partnerships
  • creating a responsive and nurturing environment
  • advancing a culture centered on relationships and inclusion
📜

FERPA

Family Educational Rights and Privacy Act — protecting student education records, parental rights, consent requirements, and penalties for violations.

Not Started
👤

COPPA

Children's Online Privacy Protection Act — rules for digital tools used with BPD3 students under 13 and your school's responsibilities as an educator.

Not Started
⚖️

Other Laws

CIPA, PPRA, and Illinois SOPPA — BPD3 compliance requirements for internet filtering, surveys, and vendor data privacy agreements.

Not Started
🔐

MFA Security

Multi-Factor Authentication for Google Workspace, PowerSchool, and Skyward — protecting BPD3 student data from breaches and credential attacks.

Not Started

Best Practices

Data minimization, DPAs, incident response using BPD3 See Something Say Something, secure sharing with @bpd3.org accounts, and password hygiene.

Not Started
📝

Knowledge Quiz

Test your BPD3 student data privacy knowledge. A score of 80% or higher (8 out of 10) is required to pass and earn your BPD3 Certificate of Completion.

Not Started

📜 FERPA — Family Educational Rights and Privacy Act

Enacted in 1974, FERPA is the primary federal law protecting the privacy of student education records at institutions that receive federal funding — including all five BPD3 schools.

📌 What Is FERPA?
FERPA (20 U.S.C. § 1232g) grants parents and eligible students the right to access and control education records.

  • Applies to all schools receiving federal funding — including all BPD3 schools
  • Rights transfer from parents to students when the student turns 18 or attends a postsecondary institution
  • Administered by the U.S. Department of Education's Student Privacy Policy Office (SPPO)
  • Violations can result in loss of federal funding for the entire district
📄 What Are Education Records?
Education records are records, files, documents, and other materials directly related to a student and maintained by an educational agency or institution.

Covered records include:
  • Grades, transcripts, class lists, and report cards
  • Student schedules and course enrollment data (including in PowerSchool/Skyward)
  • Disciplinary records
  • Financial aid information and student fee records
  • Special education records (IEPs)
  • Health and medical records held by the school
NOT covered (sole-possession records):
  • Personal teacher notes not shared with others
  • Law enforcement unit records
  • Employee records (for staff who are also students, work records are excluded)
👤 Key Rights Under FERPA
Parents and eligible students have the right to:
  • Inspect and review education records within 45 days of a formal written request
  • Request amendment of records believed to be inaccurate or misleading
  • Consent to disclosures of personally identifiable information (PII) to third parties before it is shared
  • File a complaint with the SPPO for alleged FERPA violations at any BPD3 school
📡 Directory Information & Consent
BPD3 may designate certain information as "directory information" and disclose it without consent — BUT only after providing annual notice and an opt-out opportunity.

Examples of directory information:
  • Student name, address, telephone number
  • Date and place of birth
  • Participation in school activities and sports
  • Dates of attendance, degrees, awards
Consent exceptions (permitted disclosures without written consent):
  • BPD3 school officials with a legitimate educational interest
  • Other schools where the student is transferring
  • Authorized federal/state educational authorities
  • Health and safety emergencies
  • Judicial orders or lawfully issued subpoenas
🚫 Penalties for Violations
  • Institutions found in violation may lose all federal funding
  • The SPPO investigates complaints and works with schools on corrective action plans
  • Repeated or willful violations can result in permanent ineligibility for federal funds
  • BPD3 staff who violate FERPA may face disciplinary action, up to and including termination
  • Incidents must be reported to the BPD3 District Office and Technology Office promptly

💡 What Would You Do? — FERPA Scenario

A parent calls Howe Elementary asking for their child's schedule and grades over the phone. The front office secretary reads the information without verifying the caller's identity. Is this a potential FERPA violation?

Yes — this is a potential FERPA concern. Before disclosing education records, BPD3 staff must verify the identity of the requester. The secretary should have asked the parent to come in with a government-issued ID or used an established secure verification process. Always follow BPD3 district procedures before releasing any student information. When in doubt, contact the District Office at 847-599-5005.

🌟 FERPA Key Takeaways for BPD3 Staff

  • Always verify identity before sharing any student records — in person, by phone, or digitally
  • Written consent is required before sharing PII with third parties (with limited exceptions)
  • Send annual FERPA notifications to BPD3 parents at the start of each school year
  • Only share records with staff who have a documented "legitimate educational interest"
  • FERPA violations can cost BPD3 its federal funding — take this seriously

👤 COPPA — Children's Online Privacy Protection Act

COPPA (15 U.S.C. §§ 6501-6506) protects the personal information of children under 13 collected online. It impacts every ed-tech tool deployed in BPD3 classrooms.

🎯 Who Does COPPA Apply To?
COPPA applies to online services and websites directed to children under 13, or that knowingly collect personal information from children under 13.

  • Enforced by the Federal Trade Commission (FTC)
  • Applies to operators of ed-tech apps and websites used in BPD3 classrooms
  • Schools and districts may act as intermediaries providing consent on behalf of parents for educational purposes only
  • The "school official" exception: BPD3 can authorize ed-tech operators to collect student data IF it is for an educational purpose and the vendor makes no commercial use of the data
🔒 What Is Personal Information Under COPPA?
  • Full name, home address, email address, phone number
  • Social Security number
  • Photos, videos, or audio files containing a child's image or voice
  • Geolocation data (precise location)
  • Persistent identifiers such as cookies, device IDs, or IP addresses used to track behavior across sites
  • Screen names or usernames that could reveal a child's real identity
✅ School Authority vs. Parental Consent
BPD3 CAN provide COPPA consent when:
  • The app or tool is used solely for educational purposes within BPD3
  • The operator does not use student data commercially (no ads, no profiling, no data sales)
  • A signed BPD3 Data Privacy Agreement (DPA) is in place with the vendor
  • Parents have been notified of the digital tools used in the classroom
BPD3 CANNOT provide consent when:
  • The tool is used for personal or non-educational purposes
  • The operator could use student data for advertising, profiling, or data brokerage
  • There is no signed DPA between BPD3 and the vendor
  • The tool has not been reviewed and approved by the BPD3 Technology Office
📋 Operator Responsibilities
  • Post a clear, comprehensive privacy policy on their website
  • Obtain verifiable parental consent before collecting data from under-13 users (or school consent for school purposes)
  • Allow parents to review and delete their child's personal data upon request
  • Keep data only as long as necessary and then delete it securely
  • Maintain confidentiality and security of children's personal data at all times
  • FTC penalties for COPPA violations: up to $50,120 per violation per day

💡 What Would You Do? — COPPA Scenario

An Oak Crest Elementary 5th-grade teacher wants students to use a free app for a writing project. The app collects usernames, profile photos, and posts publicly. No BPD3 Data Privacy Agreement (DPA) exists with this vendor. Is this acceptable under COPPA?

No — this raises serious COPPA concerns. Oak Crest 5th graders are typically 10-11 years old (under 13). Using an app that collects photos and creates public posts without a DPA is a COPPA violation. The teacher should: (1) check if BPD3 has approved the tool at bpd3.org/page/parents, (2) ensure a DPA is in place before any students use it, and (3) notify parents. When in doubt, contact the BPD3 Technology Office before deploying any new app with students.

🌟 COPPA Key Takeaways for BPD3 Staff

  • Never sign up a BPD3 student under 13 for an app without a verified BPD3 DPA with the vendor
  • BPD3 can provide COPPA consent — but only for legitimate educational purposes with no commercial data use
  • Profile photos, location data, and device identifiers all count as personal information under COPPA
  • Always notify parents of digital tools used in your classroom
  • Check bpd3.org/page/parents for the approved BPD3 technology tools and vendor list

⚖️ Other Federal & State Student Privacy Laws

Beyond FERPA and COPPA, several additional laws govern how BPD3 handles internet access, surveys, vendor relationships, special education records, and digital equity.

📻 CIPA — Children's Internet Protection Act Federal

CIPA (2000) requires K-12 schools and libraries receiving E-Rate discounts to have internet safety policies and technology protection measures in place. BPD3 receives E-Rate funding and must comply.

  • BPD3 must filter or block internet access to obscene or harmful content on all district devices and networks
  • Must adopt and maintain an Internet Safety Policy addressing: access by minors to inappropriate content, online safety, unauthorized disclosure, hacking, and cyberbullying
  • BPD3's Acceptable Use Policy (AUP) — found in the Parent Student Handbook at bpd3.org — applies to all students, staff, and devices
  • Students using BPD3 Chromebooks or the school network must comply with the AUP at all times

💡 CIPA Scenario

A student at Beach Park Middle School accesses a social media site on their BPD3 Chromebook during class. The filter didn't block it. What should happen?

The teacher should address the AUP violation with the student per BPD3 policy. The gap in filtering should be reported to the building principal and the BPD3 Technology Office so the filter can be updated. CIPA requires active management of technology protection measures — not just a one-time setup.

📃 PPRA — Protection of Pupil Rights Amendment Federal

PPRA gives parents important rights regarding their children's participation in surveys, analyses, or evaluations that collect sensitive personal information.

  • Parents must provide consent before students participate in ED-funded surveys that reveal: political views, mental health, sexual behavior, income, criminal history, religious beliefs, or anti-social behaviors
  • Parents have the right to inspect surveys, instructional materials, and instruments used to collect personal information before they are used
  • Protects against marketing surveys: BPD3 may not collect student personal information for commercial marketing without prior parental consent
  • BPD3 must notify parents annually of their PPRA rights and provide an opt-out mechanism for surveys

💻 Illinois SOPPA — Student Online Personal Protection Act BPD3 Compliance Requirement ★ Illinois State Law

SOPPA (105 ILCS 85) is the primary Illinois state law governing student data privacy for ed-tech vendors. As an Illinois district, BPD3 must comply with SOPPA for all operators serving our students.

  • Prohibits operators from using BPD3 student data for targeted advertising or selling student data to third parties
  • Requires operators to have a signed Data Privacy Agreement (DPA) with BPD3 before collecting any student data
  • Operators must delete BPD3 student data upon the district's request within required timelines
  • BPD3 maintains a published list of all approved vendors and their DPAs at bpd3.org
  • SOPPA requires operators to notify BPD3 of any data breach involving student information — BPD3 then has legal obligations to notify affected parents within mandated timeframes
  • Violations can result in significant fines and loss of the operator's authorization to serve Illinois schools

📚 IDEA & Section 504 / ADA — Special Education & Accessibility Federal

  • IDEA (Individuals with Disabilities Education Act): IEP records are education records under FERPA. Apply all FERPA protections to IEP documents, evaluation results, and meeting notes for BPD3 students receiving special education services.
  • Access to IEP records must be strictly limited to BPD3 staff with a documented legitimate educational interest
  • Section 508 / ADA: All BPD3 digital tools and platforms must be accessible to students with disabilities. Deploying inaccessible ed-tech can constitute an ADA violation.
  • Always review accessibility compliance (WCAG 2.1 AA) before recommending or deploying new digital tools at any BPD3 school

🌟 Other Laws — Key Takeaways for BPD3 Staff

  • CIPA requires internet filtering and an Internet Safety Policy — report filtering gaps to the BPD3 Technology Office
  • PPRA requires annual parent notification and opt-out rights for surveys that collect sensitive information
  • Illinois SOPPA is a BPD3 compliance requirement — every vendor must have a signed DPA before interacting with student data
  • IEP records carry the same FERPA protections as all other education records — treat them with extra care and limit access strictly
  • All digital tools deployed at BPD3 should be reviewed for ADA/Section 508 accessibility compliance before use

🔐 Multi-Factor Authentication (MFA) — BPD3 Security

Enabling MFA on all BPD3 systems — especially Google Workspace, PowerSchool, and Skyward — is the single most effective step to prevent unauthorized access to BPD3 student data.

🚫 Why MFA Matters for BPD3

Passwords alone are no longer sufficient. Attackers use stolen password databases, phishing, and credential attacks to gain access to school systems. BPD3's PowerSchool and Skyward systems contain the personal records of all 1,980 BPD3 students — these are high-value targets.

1,619
K-12 cybersecurity incidents in the US (2016-2022)
45%
Of incidents involve unauthorized access via stolen credentials
99.9%
Of account compromise attacks blocked by MFA (Microsoft data)
$2.5M+
Average cost of a K-12 data breach (IBM Security 2023)
📱 Types of MFA Available to BPD3 Staff
  • SMS / Text Message Code: A one-time code sent via text. Convenient but weakest option — can be intercepted via SIM swapping. Better than no MFA.
  • Authenticator App (TOTP): Apps like Google Authenticator generate time-based 6-digit codes every 30 seconds. Recommended for all BPD3 Google Workspace accounts.
  • Google Push Notification: A prompt is sent to your phone — you tap "Yes, it's me." Fast and user-friendly. Available for BPD3 Google Workspace accounts.
  • Hardware Security Key: A physical USB/NFC device (e.g., YubiKey). Strongest protection available. Recommended for BPD3 admin accounts with PowerSchool and Skyward access.
  • Biometrics: Fingerprint or face recognition as a second factor — available on most modern BPD3 devices.
🚀 How Credential Attacks Target BPD3

Attackers don't need to hack BPD3 directly — they buy stolen passwords from past data breaches on the dark web and try them against BPD3 systems.

  • Credential Stuffing: Using username/password combinations from breach databases against BPD3 Google Workspace, PowerSchool, or Skyward portals
  • Phishing: Fake BPD3 login pages emailed to staff trick them into entering real credentials
  • Password Spraying: Trying common passwords like "Fall2024!" or "BPD3!" against many staff accounts simultaneously
  • Insider/Compromised Account: A single compromised BPD3 staff account can expose the records of hundreds of students

⚠ PowerSchool and Skyward contain ALL BPD3 student records — protecting those login credentials is a top priority.

MFA stops all of these attacks — even if an attacker has your password, they cannot access your account without the second factor.

⚙️ Setting Up MFA on BPD3 Systems — Step by Step
  1. For Google Workspace (BPD3 primary): Go to myaccount.google.com → Security → 2-Step Verification → Get Started
  2. For PowerSchool or Skyward: Navigate to your account security settings or contact the BPD3 Technology Office for guided setup
  3. Download the Google Authenticator app on your personal phone from the App Store or Google Play
  4. Scan the QR code displayed on screen with the Google Authenticator app
  5. Enter the 6-digit code from the app to verify and activate 2-Step Verification
  6. Save your backup codes in a secure location — NOT on a sticky note, and NOT in an unlocked desk drawer
  7. Test the login on a different browser or incognito window to confirm MFA is working correctly
  8. Report any unexpected MFA prompts IMMEDIATELY to the BPD3 Technology Office at 847-599-5005 — this means someone has your password

💡 What Would You Do? — MFA Scenario

At 2 AM on a Sunday, a Kenneth Murphy Elementary teacher receives an unexpected Google Workspace Authenticator push notification asking them to approve a sign-in. They did not try to log in. What should they do?

Deny the request immediately and take action. This is a strong signal that someone has the teacher's BPD3 Google Workspace password and is attempting to access their account and potentially student records.

Steps to take: (1) Tap "No" or "Deny" on the notification, (2) Change your Google Workspace password immediately at myaccount.google.com, (3) Call or email the BPD3 Technology Office at 847-599-5005 — even if it's early morning, security incidents are urgent, (4) Check your account for any unauthorized email forwarding rules, sent messages, or file access. This is exactly why MFA is critical — without it, the attacker would already be inside your account.

🌟 MFA Key Takeaways for BPD3 Staff

  • Enable MFA on ALL BPD3 accounts: Google Workspace, PowerSchool, Skyward, and any other system with student data
  • Use Google Authenticator app for BPD3 Google Workspace — it is more secure than SMS codes
  • Admins with PowerSchool or Skyward access should use a hardware security key (YubiKey)
  • Any unexpected MFA push notification means someone has your password — deny, change password, and report to BPD3 Technology Office immediately
  • MFA blocks 99.9% of automated credential attacks — enabling it is non-negotiable for BPD3 staff

✅ Best Practices for BPD3 Student Data Privacy

Everyday habits and processes that every BPD3 educator and administrator should follow to protect student privacy at all five District 3 schools.

📋 Data Minimization

Collect only what you need. Every additional piece of student data collected is a liability for BPD3 and a risk to our students.

  • Only collect student data that is necessary for a specific, documented educational purpose
  • Avoid requesting Social Security numbers, home addresses, or health information unless explicitly required by law or district policy
  • Delete student data when it is no longer needed, in accordance with BPD3's data retention policies
  • Never store student PII in personal Gmail, personal Google Drive, or any app/service that does not have a BPD3-approved DPA
  • Always use your official @bpd3.org Google Workspace account for all school-related communications and file storage

📝 Vendor Agreements & Data Privacy Agreements (DPAs)

  • Every third-party vendor or app that accesses BPD3 student data must have a signed DPA with the district before any data is shared
  • DPAs must specify: what data is collected, permitted uses, data deletion timelines, and breach notification requirements
  • Use resources like StudentDPA.org or the Illinois Student Privacy Alliance to find state-reviewed, pre-negotiated agreements
  • BPD3 Teachers: Always check with the BPD3 Technology Office before using any new app with students — even free apps collect data. Visit bpd3.org/page/parents for the approved Technology Resources list.
  • Review vendor DPAs annually — vendors update their privacy policies and terms of service, sometimes significantly

🚨 Incident Response — See Something, Say Something

If you suspect a data breach or unauthorized disclosure of BPD3 student data, follow these steps immediately:

  1. Don't panic — act promptly. Every minute matters in limiting the scope of a data breach.
  2. Report to your building principal AND the BPD3 Technology Office at 847-599-5005 right away
  3. Use BPD3's See Something, Say Something reporting system at bpd3.org to formally document the incident
  4. Document all known details: what data was involved, who may have accessed it, when it occurred, and how it was discovered
  5. Do NOT attempt to handle the breach yourself — involve the Technology Office and district leadership immediately
  6. BPD3 has legal obligations under Illinois SOPPA to notify affected parents within mandated timeframes following a data breach — early reporting is essential

📨 Secure Sharing of Student Records

  • Always use your official @bpd3.org Google Workspace account for sharing, storing, and communicating about student records
  • Never share student records via personal Gmail, personal Google Drive, Dropbox, or any unapproved file-sharing service
  • Before sharing records with another school, agency, or outside organization, confirm you have the appropriate FERPA authorization in writing
  • When printing student records, collect them immediately from the printer and store or shred them appropriately — never leave printed records unattended
  • Be especially careful with IEP documents, health records, and disciplinary files — these require the highest level of protection
  • For questions about sharing protocols, contact the BPD3 District Office at 847-599-5005 or visit bpd3.org/page/parents for Student Records resources

🔐 Password Hygiene

  • Use a unique, long password for every BPD3 account — minimum 14 characters
  • Use a password manager (e.g., Bitwarden, 1Password) to create and store complex passwords securely
  • Never reuse passwords from personal accounts (personal Gmail, social media, banking) on BPD3 systems
  • Seasonal passwords like Fall2024!, BPD3Spring! or Welcome1! are easily guessable — avoid them
  • Never share your BPD3 account credentials with colleagues — every staff member must have their own individual account
  • Change any temporary or default passwords immediately upon first login to a new BPD3 system

🌟 Best Practices Key Takeaways for BPD3 Staff

  • Collect the minimum student data required — every data point is a BPD3 responsibility
  • Require a BPD3-approved DPA before any vendor can access student data — check bpd3.org/page/parents
  • Use the BPD3 See Something, Say Something system and call 847-599-5005 if you suspect a data incident
  • Use only your @bpd3.org Google Workspace account for all student record communications and storage
  • Enable MFA and use a password manager on all BPD3 accounts — strong passwords + MFA = strong protection

📝 Knowledge Check Quiz — Beach Park District 3

Answer all 10 questions. You need a score of 80% or higher (8 out of 10) to pass and earn your BPD3 Certificate of Completion. Click Submit Quiz when you are finished.

Question 1 of 10

Under FERPA, within how many days must a school allow a parent to inspect education records after a formal request?

FERPA requires schools to allow parents to inspect education records within 45 days of a formal written request.
Question 2 of 10

COPPA establishes privacy protections for children under what age?

COPPA (Children's Online Privacy Protection Act) protects the personal information of children under 13 years of age collected online.
Question 3 of 10

Which law requires K-12 schools using E-Rate funding to implement internet filtering and an Internet Safety Policy?

CIPA (Children's Internet Protection Act) requires schools receiving E-Rate discounts to filter internet access and maintain an Internet Safety Policy. BPD3 must comply as an E-Rate recipient.
Question 4 of 10

A BPD3 teacher wants to use a new free app with students. What should the teacher do FIRST?

Always verify that BPD3 has a signed Data Privacy Agreement (DPA) with any vendor before using an app with students — especially those under 13. Visit bpd3.org/page/parents for the approved tool list.
Question 5 of 10

Under FERPA, when do educational rights transfer from parents to students?

Under FERPA, rights transfer from parents to eligible students when the student turns 18 or begins attending a postsecondary institution.
Question 6 of 10

What percentage of account compromise attacks does Multi-Factor Authentication block, according to Microsoft?

Microsoft reports that MFA blocks 99.9% of automated account compromise attacks — making it one of the single most effective security controls for BPD3 accounts.
Question 7 of 10

PPRA (Protection of Pupil Rights Amendment) primarily addresses which of the following?

PPRA gives parents rights concerning their children's participation in surveys, protects against marketing data collection, and grants parents the right to inspect instructional materials.
Question 8 of 10

A Kenneth Murphy Elementary teacher receives an unexpected BPD3 Google Workspace MFA push at 2 AM on a Sunday. What is the BEST action?

An unexpected MFA push at an unusual time strongly signals that someone has your BPD3 password. Deny the request, change your Google Workspace password at myaccount.google.com immediately, and contact the BPD3 Technology Office at 847-599-5005.
Question 9 of 10

Under COPPA, which of the following is considered personal information for a child?

COPPA defines personal information broadly, including persistent identifiers like cookies and device IDs that track a child's online behavior — not just traditional PII like names and addresses.
Question 10 of 10

Which best describes a Data Privacy Agreement (DPA)?

A DPA is a contractual agreement between BPD3 and a third-party vendor outlining what data is collected, permitted uses, retention and deletion timelines, and breach notification requirements. BPD3 requires a DPA for every vendor that accesses student data.

🎉 Certificate of Completion

Enter your full name and title below, then click Generate Certificate. Use the Print Certificate button to save a physical or PDF copy for your professional development records.

BPD3 Logo

Certificate of Completion

Student Data Privacy Awareness Training

Beach Park Community Consolidated School District 3

This certifies that

Your Name

Has successfully completed the BPD3 Student Data Privacy Awareness Training, demonstrating knowledge of FERPA, COPPA, CIPA, PPRA, Illinois SOPPA, MFA Security, and student data best practices in alignment with District 3 compliance requirements.

📜 FERPA 👤 COPPA ⚖️ Other Laws 🔐 MFA Security ✅ Best Practices

Date Completed:

Issued by: Beach Park Community Consolidated School District 3 — Office of Technology
Micah Miner, Director of Technology  |  www.bpd3.org  |  847-599-5005
BPD3 Beach Park Community Consolidated School District 3
11315 W. Wadsworth Rd., Beach Park, IL 60099  |  📞 847-599-5005  |  🌐 www.bpd3.org  |  Superintendent: Dr. Denise Wilcox  |  Learn Lead Succeed