Bill Amendment: IL HB3606 | 2019-2020 | 101st General Assembly
NOTE: For additional amendments please see the Bill Drafting List
Bill Title: STUDENT ONLINE PROTECTION
Status: 2019-08-23 - Public Act 101-0516 [HB3606 Detail]
Download: Illinois-2019-HB3606-House_Amendment_001.html

AMENDMENT TO HOUSE BILL 3606

AMENDMENT NO. ______. Amend House Bill 3606 by replacing everything after the enacting clause with the following:

"Section 5. The Student Online Personal Protection Act is amended by changing Sections 5, 10, and 15 and by adding Sections 26, 27, 28, 33, and 37 as follows:

(105 ILCS 85/5)
Sec. 5. Definitions. In this Act:
"Breach" means the unauthorized disclosure of data or unauthorized provision of physical or electronic means of gaining access to data that compromises the security, confidentiality, or integrity of covered information.
"Covered information" means personally identifiable information or material or information that is linked to personally identifiable information or material in any media or format that is not publicly available and is any of the following:
(1) Created by or provided to an operator by a student or the student's parent or legal guardian in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K through 12 school purposes.
(2) Created by or provided to an operator by an employee or agent of a school or school district for K through 12 school purposes.
(3) Gathered by an operator through the operation of its site, service, or application for K through 12 school purposes and personally identifies a student, including, but not limited to, information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, a social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.
"Destroy" means the removal of covered information so that it is permanently irretrievable in the normal course of business.
"Interactive computer service" has the meaning ascribed to that term in Section 230 of the federal Communications Decency Act of 1996 (47 U.S.C. 230).
"K through 12 school purposes" means purposes that are directed by or that customarily take place at the direction of a school, teacher, or school district; aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or are otherwise for the use and benefit of the school. Advertising that is not otherwise specifically authorized in this Act is not a K through 12 school purpose.
"Longitudinal data system" has the meaning given to that term under the P-20 Longitudinal Education Data System Act.
"Operator" means, to the extent that an entity is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes.
"Parent" has the meaning given to that term under the Illinois School Student Records Act.
"School" means (1) any preschool, public kindergarten, elementary or secondary educational institution, vocational school, special educational facility, or any other elementary or secondary educational agency or institution or (2) any person, agency, or institution that maintains school student records from more than one school. "School" includes a private or nonpublic school.
"State Board" means the State Board of Education.
"Student" has the meaning given to that term under the Illinois School Student Records Act.
"Targeted advertising" means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or covered information. The term does not include advertising to a student at an online location based upon that student's current visit to that location or in response to that student's request for information or feedback, without the retention of that student's online activities or requests over time for the purpose of targeting subsequent ads.
(Source: P.A. 100-315, eff. 8-24-17.)

(105 ILCS 85/10)
Sec. 10. Operator prohibitions. An operator shall not knowingly do any of the following:
(1) Engage in targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K through 12 school purposes.
(2) Use information, including persistent unique identifiers, created or gathered by the operator's site, service, or application to amass a profile about a student, except in furtherance of K through 12 school purposes. "Amass a profile" does not include the collection and retention of account information that remains under the control of the student, the student's parent or legal guardian, or the school.
(3) Sell or rent a student's information, including covered information. This subdivision (3) does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator and the or successor entity comply complies with this Act regarding previously acquired student information.
(4) Except as otherwise provided in Section 20 of this Act, disclose covered information, unless the disclosure is made for the following purposes:
(A) In furtherance of the K through 12 school purposes of the site, service, or application if the recipient of the covered information disclosed under this clause (A) does not further disclose the information, unless done to allow or improve operability and functionality of the operator's site, service, or application.
(B) To ensure legal and regulatory compliance or take precautions against liability.
(C) To respond to the judicial process.
(D) To protect the safety or integrity of users of the site or others or the security of the site, service, or application.
(E) For a school, educational, or employment purpose requested by the student or the student's parent or legal guardian, provided that the information is not used or further disclosed for any other purpose.
(F) To a third party if the operator contractually prohibits the third party from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the third party from disclosing any covered information provided by the operator with subsequent third parties, and requires the third party to implement and maintain reasonable security procedures and practices as required under Section 15.
Nothing in this Section prohibits the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application.
(Source: P.A. 100-315, eff. 8-24-17.)

(105 ILCS 85/15)
Sec. 15. Operator duties. An operator shall do the following:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and designed to protect that covered information from unauthorized access, destruction, use, modification, or disclosure that, based on the sensitivity of the data and the risk from unauthorized access, (i) uses technologies and methodologies that are consistent with the U.S. Department of Commerce's National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 and any updates to it, (ii) maintains technical safeguards as it relates to the possession of covered information in a manner consistent with the provisions of 45 CFR 164.312, and (iii) otherwise meets or exceeds industry standards.
(2) Destroy Delete, within a reasonable time period, a student's covered information if the school or school district requests destruction deletion of covered information under the control of the school or school district, unless a student or his or her parent or legal guardian consents to the maintenance of the covered information.
(3) Publicly disclose material information about its collection, use, and disclosure of covered information, including, but not limited to, publishing a terms of service agreement, privacy policy, or similar document.
(4) For any operator who seeks to receive from a school, school district, or the State Board in any manner any covered information, enter into a written agreement with the school, school district, or State Board before any covered information may be transferred. The written agreement may be created in electronic form and signed with an electronic or digital signature or may be a click wrap agreement that is used with software licenses, downloaded or online applications and transactions for educational technologies, or other technologies in which a user must agree to terms and conditions prior to using the product or service. The written agreement must contain all of the following:
(A) Provisions consistent with each duty, prohibition, or requirement set forth in this Act.
(B) A listing of the categories or types of covered information to be provided to the operator.
(C) A statement of the product or service being provided to the school by the operator.
(D) A statement that the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.
(E) A description of the actions the operator must take, including a description of the training the operator will provide to anyone who receives or has access to covered information, to ensure the security and confidentiality of covered information. Compliance with this subparagraph (E) shall not, in itself, absolve the operator of liability if an unauthorized disclosure of covered information occurs.
(F) A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach must be shared between the operator and the school. The costs and expenses may include, but are not limited to:
(i) providing notification to the parents of those students whose covered information was compromised and to regulatory agencies or other entities as required by law or contract;
(ii) providing credit monitoring to those students whose covered information was exposed in a manner during the breach that a reasonable person would believe that it could impact his or her credit or financial security;
(iii) legal fees, audit costs, fines, and any other fees or damages imposed against the school as a result of the security breach; and
(iv) providing any other notifications or fulfilling any other requirements adopted by the State Board or of any other State or federal laws.
(G) A statement that the operator must destroy or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement and to specify the time period in which the information must be destroyed or returned.
(H) A statement that the school must publish the written agreement on the school's website.
(I) A statement that the agreement is the entire agreement with the school, including school employees and other end users, and the operator.
(5) In case of any breach, within the most expedient time possible and without unreasonable delay, but no later than 5 calendar days after the determination that a breach has occurred, notify the school of any breach of the students' covered information.
(Source: P.A. 100-315, eff. 8-24-17.)

(105 ILCS 85/26 new)
Sec. 26. School prohibitions. A school may not do any of the following:
(1) Sell, rent, lease, or trade covered information.
(2) Share, transfer, disclose, or provide access to a student's covered information to an entity or individual, other than the student's parent or the State Board, without a written agreement, unless the disclosure or transfer is:
(A) to the extent permitted by federal law, to law enforcement officials to protect the safety of users or others or the security or integrity of the operator's service;
(B) required by court order or State or federal law; or
(C) to ensure legal or regulatory compliance.

(105 ILCS 85/27 new)
Sec. 27. School duties.
(a) Each school shall post and maintain on its website all of the following information:
(1) An explanation, that is clear and understandable by a layperson, of the data elements of covered information that the school collects, maintains, or discloses to any person, entity, third party, or governmental agency. The information must explain how the school uses, to whom or what entities it discloses, and for what purpose it discloses the covered information.
(2) A list of operators that the school has written agreements with, a copy of each written agreement, and a business address and telephone number for each operator.
(3) For each operator, a list of any subcontractors to whom covered information may be disclosed under Section 15.
(4) A written description of the procedures that a parent may use to carry out the rights enumerated under Section 45.
The school must, at a minimum, update the items under paragraphs (1), (3), and (4) of this subsection no later than 30 calendar days following the start of a school year and no later than 30 days following the beginning of a calendar year.
(b) Each school must adopt a policy designating which school employees are authorized to enter into written agreements with operators. This subsection may not be construed to limit individual school employees outside of the scope of their employment from entering into agreements with operators on their own behalf and for non-K through 12 school purposes, provided that no covered information is provided to the operators. Any agreement or contract entered into in violation of this Act is void and unenforceable as against public policy.
(c) A school must post on its website each written agreement entered into under this Act, along with any information required under subsection (a), no later than 5 business days after entering into the agreement.
(d) After receipt of notice of a breach under Section 15 or determination of a breach of covered information maintained by the school, a school shall electronically notify, no later than 5 calendar days after receipt of the notice or determination that a breach has occurred, the parent of any student whose covered information is involved in the breach. The school must also post the notice on the school's website. The notification must include, but is not limited to, all of the following:
(1) The date, estimated date, or estimated date range of the breach.
(2) A description of the covered information that was compromised or reasonably believed to have been compromised in the breach.
(3) Information that the parent may use to contact the operator and school to inquire about the breach.
(4) The toll-free numbers, addresses, and websites for consumer reporting agencies.
(5) The toll-free number, address, and website for the Federal Trade Commission.
(6) A statement that the parent may obtain information from the Federal Trade Commission and consumer reporting agencies about fraud alerts and security freezes.
(e) Each school must implement and maintain security procedures and practices designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure that, based on the sensitivity of the covered information and the risk from unauthorized access, (i) uses technologies and methodologies that are consistent with the U.S. Department of Commerce's National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 and any updates to it, (ii) maintain technical safeguards as they relate to the possession of student records in a manner consistent with the provisions of 45 CFR 164.312, and (iii) otherwise meet or exceed industry standards.
(f) Each school shall designate an appropriate staff person as a privacy officer, who may also be an official records custodian as designated under the Illinois School Student Records Act, to carry out the duties and responsibilities assigned to schools and to ensure compliance with the requirements of this Section and Section 26.
(g) A school shall make a request, pursuant to paragraph (2) of Section 15, to an operator to destroy covered information on behalf of a student's parent if the parent requests from the school that the student's covered information held by the operator be destroyed, so long as the destruction of the covered information is not in violation of the Illinois School Student Records Act.

(105 ILCS 85/28 new)
Sec. 28. State Board duties.
(a) The State Board may not sell, rent, lease, or trade covered information.
(b) The State Board may not share, transfer, disclose, or provide covered information to an entity or individual without a contract or written agreement, except for disclosures required by federal law to federal agencies.
(c) The State Board must publish and maintain on its website a list of all of the entities or individuals, including, but not limited to, operators, individual researchers, research organizations, institutions of higher education, or government agencies, that the State Board contracts with or has agreements with and that hold covered information and a copy of each contract or agreement. The list must include all of the following information:
(1) The name of the entity or individual. In naming an individual, the list must include the entity that sponsors the individual or with which the individual is affiliated, if any. If the individual is conducting research at an institution of higher education, the list may include the name of that institution and a contact person in the department that is associated with the research in lieu of the name of the researcher. If the entity is an operator, the list must include a business address and telephone number for the operator.
(2) The purpose and scope of the contract or agreement.
(3) The duration of the contract or agreement.
(4) The types of covered information that the entity or individual holds under the contract or agreement.
(5) The use of the covered information under the contract or agreement.
(6) The length of time for which the entity or individual may hold the covered information.
(7) A list of any subcontractors to whom covered information may be disclosed under Section 15.
(d) The State Board shall create, publish, and make publicly available an inventory, along with a dictionary or index of data elements and their definitions, of covered information collected or maintained by the State Board, including, but not limited to, both of the following:
(1) Covered information that schools are required to report to the State Board by State or federal law.
(2) Covered information in the State longitudinal data system or any data warehouse used by the State Board to populate the longitudinal data system.
The inventory shall make clear for what purposes the State Board uses the covered information.
(e) The State Board shall develop, publish, and make publicly available, for the benefit of schools, model student data privacy policies and procedures that comply with relevant State and federal law, including, but not limited to, a model notice that schools must use to provide notice to parents and students about operators. The notice must state, in general terms, the types of student data that are collected by the schools and shared with operators under this Act and the purposes of collecting and using the student data. After creation of the notice under this subsection, a schools shall, at the beginning of each school year, provide the notice to parents by the same means generally used to send notices to them.

(105 ILCS 85/33 new)
Sec. 33. Parent and student rights.
(a) A student's covered information is the sole property of the student's parent.
(b) A student's covered information shall be collected only for specified, explicit, and legitimate school purposes and not further processed in a manner that is incompatible with those purposes.
(c) A student's covered information shall only be adequate, relevant, and limited to what is necessary in relation to the school purpose for which it is processed.
(d) The parent of a student enrolled in a school has the right to all of the following:
(1) Inspect and review the student's student data, regardless of whether it is maintained by the school, the State Board, or an operator.
(2) Request from a school a paper or electronic copy of the student's covered information, including covered information maintained by an operator or the State Board. If a parent requests an electronic copy of the student's covered information under this paragraph, the school must provide an electronic copy of that information, unless the school does not maintain the information in an electronic format and reproducing the information in an electronic format would be unduly burdensome to the school. If a parent requests a paper copy of the student's covered information, the school may charge the parent the reasonable cost for copying the information in an amount not to exceed the amount fixed in a schedule adopted by the State Board, except that no parent may be denied a copy of the information due to the parent's inability to bear the cost of the copying.
(3) Request corrections of factual inaccuracies contained in the student's covered information. After receiving a request for corrections that documents a factual inaccuracy, a school must do either of the following:
(A) Confirm the correction with the parent within 90 days after receiving the parent's request if the school or State Board maintains the covered information that contains the factual inaccuracy.
(B) Notify the operator who must confirm the correction with the parent within 90 days after receiving the parent's request if the covered information that contains the factual inaccuracy is maintained by an operator.
(e) Nothing in this Section shall be construed to limit the rights granted to parents and students under the Illinois School Student Records Act.

(105 ILCS 85/37 new)
Sec. 37. Oversight.
(a) There is created a Student Data Protection Oversight Committee that consists of all of the following members, appointed by the State Board of Education:
(1) A high school student enrolled in a public school in this State.
(2) A parent of a student in a school district organized under Article 34 of the School Code.
(3) A parent of a student in a school district located in whole or in part in Lake, Kane, Will, DuPage, McHenry, or Cook County, but not in a school district organized under Article 34 of the School Code.
(4) A parent of a student enrolled in a small, rural school district.
(5) An expert in school information technology systems.
(6) An expert in digital privacy law.
(7) A representative of a computer and information technology trade group.
(8) A representative of a civil rights advocacy organization.
(9) A representative of a different civil rights or a privacy rights advocacy organization.
(10) A representative of an association representing principals in a city having a population exceeding 500,000.
(11) A representative of a statewide association representing school administrators.
(12) A representative of a statewide professional teachers' organization.
(13) A representative of a different statewide professional teachers' organization.
(14) A representative of a professional teachers' organization in a city having a population exceeding 500,000.
(15) A representative of a statewide association representing school boards.
(16) A representative of a school district organized under Article 34 of the School Code.
The Committee shall also consist of the Attorney General or his or her designee and the State Superintendent of Education or his or her designee.
The State Board, in consultation with the Committee, may appoint no more than 2 additional individuals to the Committee who shall serve in an advisory role and may not have voting or other decision-making rights.
(b) The Committee shall initially meet at the call of the Governor, at which meeting it shall designate a chairperson. The Committee shall meet thereafter at the call of the chairperson, but no less than 4 times within one year after the effective date of this amendatory Act of the 101st General Assembly and at least once per year thereafter to study, review, and make recommendations to the General Assembly about laws and rules in light of technological and legal developments related to the privacy and security of school student data. The members of the Committee shall serve without compensation but may be reimbursed for reasonable and necessary expenses incurred in performing their duties from funds appropriated to the State Board for that purpose. The State Board must provide administrative and other support to the Committee.
(c) The Committee shall submit an annual report to the General Assembly and the State Board no later than December 15, 2020, and on or before each December 15 thereafter, with recommendations, if any, for policy revisions and legislative amendments that would carry out the intent of this Act.
(d) The Committee is subject to the Open Meetings Act and the Freedom of Information Act.

Section 99. Effective date. This Act takes effect July 1, 2020.".