Bill Amendment: IL HB3606 | 2019-2020 | 101st General Assembly
NOTE: For additional amemendments please see the Bill Drafting List
Bill Title: STUDENT ONLINE PROTECTION
Status: 2019-08-23 - Public Act . . . . . . . . . 101-0516 [HB3606 Detail]
Download: Illinois-2019-HB3606-House_Amendment_003.html
Bill Title: STUDENT ONLINE PROTECTION
Status: 2019-08-23 - Public Act . . . . . . . . . 101-0516 [HB3606 Detail]
Download: Illinois-2019-HB3606-House_Amendment_003.html
| |||||||
| |||||||
| |||||||
| 1 | AMENDMENT TO HOUSE BILL 3606
| ||||||
| 2 | AMENDMENT NO. ______. Amend House Bill 3606 by replacing | ||||||
| 3 | everything after the enacting clause with the following:
| ||||||
| 4 | "Section 5. The Student Online Personal Protection Act is | ||||||
| 5 | amended by changing Sections 5, 10, and 15 and by adding | ||||||
| 6 | Sections 26, 27, 28, and 33 as follows:
| ||||||
| 7 | (105 ILCS 85/5)
| ||||||
| 8 | Sec. 5. Definitions. In this Act: | ||||||
| 9 | "Breach" means the unauthorized disclosure of data or | ||||||
| 10 | unauthorized provision of physical or electronic means of | ||||||
| 11 | gaining access to data that compromises the security, | ||||||
| 12 | confidentiality, or integrity of covered information. | ||||||
| 13 | "Covered information" means personally identifiable | ||||||
| 14 | information or material or information that is linked to | ||||||
| 15 | personally identifiable information or material in any media or | ||||||
| 16 | format that is not publicly available and is any of the | ||||||
| |||||||
| |||||||
| 1 | following: | ||||||
| 2 | (1) Created by or provided to an operator by a student | ||||||
| 3 | or the student's parent or legal guardian in the course of | ||||||
| 4 | the student's, parent's, or legal guardian's use of the | ||||||
| 5 | operator's site, service, or application for K through 12 | ||||||
| 6 | school purposes. | ||||||
| 7 | (2) Created by or provided to an operator by an | ||||||
| 8 | employee or agent of a school or school district for K | ||||||
| 9 | through 12 school purposes. | ||||||
| 10 | (3) Gathered by an operator through the operation of | ||||||
| 11 | its site, service, or application for K through 12 school | ||||||
| 12 | purposes and personally identifies a student, including, | ||||||
| 13 | but not limited to, information in the student's | ||||||
| 14 | educational record or electronic mail, first and last name, | ||||||
| 15 | home address, telephone number, electronic mail address, | ||||||
| 16 | or other information that allows physical or online | ||||||
| 17 | contact, discipline records, test results, special | ||||||
| 18 | education data, juvenile dependency records, grades, | ||||||
| 19 | evaluations, criminal records, medical records, health | ||||||
| 20 | records, a social security number, biometric information, | ||||||
| 21 | disabilities, socioeconomic information, food purchases, | ||||||
| 22 | political affiliations, religious information, text | ||||||
| 23 | messages, documents, student identifiers, search activity, | ||||||
| 24 | photos, voice recordings, or geolocation information. | ||||||
| 25 | "Interactive computer service" has the meaning ascribed to | ||||||
| 26 | that term in Section 230 of the federal Communications Decency | ||||||
| |||||||
| |||||||
| 1 | Act of 1996 (47 U.S.C. 230). | ||||||
| 2 | "K through 12 school purposes" means purposes that are | ||||||
| 3 | directed by or that customarily take place at the direction of | ||||||
| 4 | a school, teacher, or school district; aid in the | ||||||
| 5 | administration of school activities, including, but not | ||||||
| 6 | limited to, instruction in the classroom or at home, | ||||||
| 7 | administrative activities, and collaboration between students, | ||||||
| 8 | school personnel, or parents; or are otherwise for the use and | ||||||
| 9 | benefit of the school. | ||||||
| 10 | "Longitudinal data system" has the meaning given to that | ||||||
| 11 | term under the P-20 Longitudinal Education Data System Act. | ||||||
| 12 | "Operator" means, to the extent that an entity is operating | ||||||
| 13 | in this capacity, the operator of an Internet website, online | ||||||
| 14 | service, online application, or mobile application with actual | ||||||
| 15 | knowledge that the site, service, or application is used | ||||||
| 16 | primarily for K through 12 school purposes and was designed and | ||||||
| 17 | marketed for K through 12 school purposes. | ||||||
| 18 | "Parent" has the meaning given to that term under the | ||||||
| 19 | Illinois School Student Records Act. | ||||||
| 20 | "School" means (1) any preschool, public kindergarten, | ||||||
| 21 | elementary or secondary educational institution, vocational | ||||||
| 22 | school, special educational facility, or any other elementary | ||||||
| 23 | or secondary educational agency or institution or (2) any | ||||||
| 24 | person, agency, or institution that maintains school student | ||||||
| 25 | records from more than one school. Except as otherwise provided | ||||||
| 26 | in this Act, "school" "School" includes a private or nonpublic | ||||||
| |||||||
| |||||||
| 1 | school. | ||||||
| 2 | "State Board" means the State Board of Education. | ||||||
| 3 | "Student" has the meaning given to that term under the | ||||||
| 4 | Illinois School Student Records Act. | ||||||
| 5 | "Targeted advertising" means presenting advertisements to | ||||||
| 6 | a student where the advertisement is selected based on | ||||||
| 7 | information obtained or inferred over time from that student's | ||||||
| 8 | online behavior, usage of applications, or covered | ||||||
| 9 | information. The term does not include advertising to a student | ||||||
| 10 | at an online location based upon that student's current visit | ||||||
| 11 | to that location or in response to that student's request for | ||||||
| 12 | information or feedback, without the retention of that | ||||||
| 13 | student's online activities or requests over time for the | ||||||
| 14 | purpose of targeting subsequent ads.
| ||||||
| 15 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 16 | (105 ILCS 85/10)
| ||||||
| 17 | Sec. 10. Operator prohibitions. An operator shall not | ||||||
| 18 | knowingly do any of the following: | ||||||
| 19 | (1) Engage in targeted advertising on the operator's | ||||||
| 20 | site, service, or application or target advertising on any | ||||||
| 21 | other site, service, or application if the targeting of the | ||||||
| 22 | advertising is based on any information, including covered | ||||||
| 23 | information and persistent unique identifiers, that the | ||||||
| 24 | operator has acquired because of the use of that operator's | ||||||
| 25 | site, service, or application for K through 12 school | ||||||
| |||||||
| |||||||
| 1 | purposes. | ||||||
| 2 | (2) Use information, including persistent unique | ||||||
| 3 | identifiers, created or gathered by the operator's site, | ||||||
| 4 | service, or application to amass a profile about a student, | ||||||
| 5 | except in furtherance of K through 12 school purposes. | ||||||
| 6 | "Amass a profile" does not include the collection and | ||||||
| 7 | retention of account information that remains under the | ||||||
| 8 | control of the student, the student's parent or legal | ||||||
| 9 | guardian, or the school. | ||||||
| 10 | (3) Sell or rent a student's information, including | ||||||
| 11 | covered information. This subdivision (3) does not apply to | ||||||
| 12 | the purchase, merger, or other type of acquisition of an | ||||||
| 13 | operator by another entity if the operator or successor | ||||||
| 14 | entity complies with this Act regarding previously | ||||||
| 15 | acquired student information. | ||||||
| 16 | (4) Except as otherwise provided in Section 20 of this | ||||||
| 17 | Act, disclose covered information, unless the disclosure | ||||||
| 18 | is made for the following purposes: | ||||||
| 19 | (A) In furtherance of the K through 12 school | ||||||
| 20 | purposes of the site, service, or application if the | ||||||
| 21 | recipient of the covered information disclosed under | ||||||
| 22 | this clause (A) does not further disclose the | ||||||
| 23 | information, unless done to allow or improve | ||||||
| 24 | operability and functionality of the operator's site, | ||||||
| 25 | service, or application. | ||||||
| 26 | (B) To ensure legal and regulatory compliance or | ||||||
| |||||||
| |||||||
| 1 | take precautions
against liability. | ||||||
| 2 | (C) To respond to the judicial process. | ||||||
| 3 | (D) To protect the safety or integrity of users of | ||||||
| 4 | the site or others or the security of the site, | ||||||
| 5 | service, or application. | ||||||
| 6 | (E) For a school, educational, or employment | ||||||
| 7 | purpose requested by the student or the student's | ||||||
| 8 | parent or legal guardian, provided that the | ||||||
| 9 | information is not used or further disclosed for any | ||||||
| 10 | other purpose. | ||||||
| 11 | (F) To a third party if the operator contractually | ||||||
| 12 | prohibits the third party from using any covered | ||||||
| 13 | information for any purpose other than providing the | ||||||
| 14 | contracted service to or on behalf of the operator, | ||||||
| 15 | prohibits the third party from disclosing any covered | ||||||
| 16 | information provided by the operator with subsequent | ||||||
| 17 | third parties, and requires the third party to | ||||||
| 18 | implement and maintain reasonable security procedures | ||||||
| 19 | and practices as required under Section 15. | ||||||
| 20 | Nothing in this Section prohibits the operator's use of | ||||||
| 21 | information for maintaining, developing, supporting, | ||||||
| 22 | improving, or diagnosing the operator's site, service, or | ||||||
| 23 | application.
| ||||||
| 24 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 25 | (105 ILCS 85/15)
| ||||||
| |||||||
| |||||||
| 1 | Sec. 15. Operator duties. An operator shall do the | ||||||
| 2 | following: | ||||||
| 3 | (1) Implement and maintain reasonable security | ||||||
| 4 | procedures and practices appropriate to the nature of the | ||||||
| 5 | covered information and designed to protect that covered | ||||||
| 6 | information from unauthorized access, destruction, use, | ||||||
| 7 | modification, or disclosure that, based on the sensitivity | ||||||
| 8 | of the data and the risk from unauthorized access, (i) use | ||||||
| 9 | technologies and methodologies that are consistent with | ||||||
| 10 | the U.S. Department of Commerce's National Institute of | ||||||
| 11 | Standards and Technology's Framework for Improving | ||||||
| 12 | Critical Infrastructure Cybersecurity Version 1.1 and any | ||||||
| 13 | updates to it or (ii) maintain technical safeguards as they | ||||||
| 14 | relate to the possession of covered information in a manner | ||||||
| 15 | consistent with the provisions of 45 CFR 164.312. | ||||||
| 16 | (2) Delete, within a reasonable time period, a | ||||||
| 17 | student's covered information if the school or school | ||||||
| 18 | district requests deletion of covered information under | ||||||
| 19 | the control of the school or school district, unless a | ||||||
| 20 | student or his or her parent or legal guardian consents to | ||||||
| 21 | the maintenance of the covered information. | ||||||
| 22 | (3) Publicly disclose material information about its | ||||||
| 23 | collection, use, and disclosure of covered information, | ||||||
| 24 | including, but not limited to, publishing a terms of | ||||||
| 25 | service agreement, privacy policy, or similar document. | ||||||
| 26 | (4) Except for a nonpublic school, for any operator who | ||||||
| |||||||
| |||||||
| 1 | seeks to receive from a school, school district, or the | ||||||
| 2 | State Board in any manner any covered information, enter | ||||||
| 3 | into a written agreement with the school, school district, | ||||||
| 4 | or State Board before the covered information may be | ||||||
| 5 | transferred. The written agreement may be created in | ||||||
| 6 | electronic form and signed with an electronic or digital | ||||||
| 7 | signature or may be a click wrap agreement that is used | ||||||
| 8 | with software licenses, downloaded or online applications | ||||||
| 9 | and transactions for educational technologies, or other | ||||||
| 10 | technologies in which a user must agree to terms and | ||||||
| 11 | conditions before using the product or service. The written | ||||||
| 12 | agreement must contain all of the following: | ||||||
| 13 | (A) A listing of the categories or types of covered | ||||||
| 14 | information to be provided to the operator. | ||||||
| 15 | (B) A statement of the product or service being | ||||||
| 16 | provided to the school by the operator. | ||||||
| 17 | (C) A statement that the operator is acting as a | ||||||
| 18 | school official with a legitimate educational | ||||||
| 19 | interest, is performing an institutional service or | ||||||
| 20 | function for which the school would otherwise use | ||||||
| 21 | employees, under the direct control of the school, with | ||||||
| 22 | respect to the use and maintenance of covered | ||||||
| 23 | information, and is using the covered information only | ||||||
| 24 | for an authorized purpose and may not re-disclose it to | ||||||
| 25 | third parties or affiliates, unless otherwise | ||||||
| 26 | permitted under this Act, without permission from the | ||||||
| |||||||
| |||||||
| 1 | school or pursuant to court order. | ||||||
| 2 | (D) A description of how, if a breach is attributed | ||||||
| 3 | to the operator, any costs and expenses incurred by the | ||||||
| 4 | school in investigating and remediating the breach | ||||||
| 5 | will be allocated between the operator and the school. | ||||||
| 6 | The costs and expenses may include, but are not limited | ||||||
| 7 | to: | ||||||
| 8 | (i) providing notification to the parents of | ||||||
| 9 | those students whose covered information was | ||||||
| 10 | compromised and to regulatory agencies or other | ||||||
| 11 | entities as required by law or contract; | ||||||
| 12 | (ii) providing credit monitoring to those | ||||||
| 13 | students whose covered information was exposed in | ||||||
| 14 | a manner during the breach that a reasonable person | ||||||
| 15 | would believe that it could impact his or her | ||||||
| 16 | credit or financial security; | ||||||
| 17 | (iii) legal fees, audit costs, fines, and any | ||||||
| 18 | other fees or damages imposed against the school as | ||||||
| 19 | a result of the security breach; and | ||||||
| 20 | (iv) providing any other notifications or | ||||||
| 21 | fulfilling any other requirements adopted by the | ||||||
| 22 | State Board or of any other State or federal laws. | ||||||
| 23 | (E) A statement that the operator must delete or | ||||||
| 24 | transfer to the school all covered information if the | ||||||
| 25 | information is no longer needed for the purposes of the | ||||||
| 26 | written agreement and to specify the time period in | ||||||
| |||||||
| |||||||
| 1 | which the information must be deleted or transferred | ||||||
| 2 | once the operator is made aware that the information is | ||||||
| 3 | no longer needed for the purposes of the written | ||||||
| 4 | agreement. | ||||||
| 5 | (F) A statement that the school must publish the | ||||||
| 6 | written agreement on the school's website. If mutually | ||||||
| 7 | agreed upon by the school and the operator, provisions | ||||||
| 8 | of the written agreement, other than those under | ||||||
| 9 | subparagraphs (A), (B), and (C), may be redacted in the | ||||||
| 10 | copy of the written agreement published on the school's | ||||||
| 11 | website. | ||||||
| 12 | (5) In case of any breach, within the most expedient | ||||||
| 13 | time possible and without unreasonable delay, but no later | ||||||
| 14 | than 30 calendar days after the determination that a breach | ||||||
| 15 | has occurred, notify the school of any breach of the | ||||||
| 16 | students' covered information.
| ||||||
| 17 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 18 | (105 ILCS 85/26 new) | ||||||
| 19 | Sec. 26. School prohibitions. A school may not do either of | ||||||
| 20 | the following: | ||||||
| 21 | (1) Sell, rent, lease, or trade covered information. | ||||||
| 22 | (2) Share, transfer, disclose, or provide access to a | ||||||
| 23 | student's covered information to an entity or individual, | ||||||
| 24 | other than the student's parent or the State Board, without | ||||||
| 25 | a written agreement, unless the disclosure or transfer is: | ||||||
| |||||||
| |||||||
| 1 | (A) to the extent permitted by federal law, to law | ||||||
| 2 | enforcement officials to protect the safety of users or | ||||||
| 3 | others or the security or integrity of the operator's | ||||||
| 4 | service; | ||||||
| 5 | (B) required by court order or State or federal | ||||||
| 6 | law; or | ||||||
| 7 | (C) to ensure legal or regulatory compliance. | ||||||
| 8 | This paragraph (2) does not apply to nonpublic schools.
| ||||||
| 9 | (105 ILCS 85/27 new) | ||||||
| 10 | Sec. 27. School duties. | ||||||
| 11 | (a) Each school shall post and maintain on its website all | ||||||
| 12 | of the following information: | ||||||
| 13 | (1) An explanation, that is clear and understandable by | ||||||
| 14 | a layperson, of the data elements of covered information | ||||||
| 15 | that the school collects, maintains, or discloses to any | ||||||
| 16 | person, entity, third party, or governmental agency. The | ||||||
| 17 | information must explain how the school uses, to whom or | ||||||
| 18 | what entities it discloses, and for what purpose it | ||||||
| 19 | discloses the covered information. | ||||||
| 20 | (2) A list of operators that the school has written | ||||||
| 21 | agreements with, a copy of each written agreement, and a | ||||||
| 22 | business address for each operator. | ||||||
| 23 | (3) For each operator, a list of any subcontractors to | ||||||
| 24 | whom covered information may be disclosed under Section 15. | ||||||
| 25 | (4) A written description of the procedures that a | ||||||
| |||||||
| |||||||
| 1 | parent may use to carry out the rights enumerated under | ||||||
| 2 | Section 33. | ||||||
| 3 | (5) A list of any breaches of covered information | ||||||
| 4 | maintained by the school or breaches under Section 15 that | ||||||
| 5 | includes, but is not limited to, all of the following | ||||||
| 6 | information: | ||||||
| 7 | (A) The number of students whose covered | ||||||
| 8 | information is involved in the breach. | ||||||
| 9 | (B) The date, estimated date, or estimated date | ||||||
| 10 | range of the breach. | ||||||
| 11 | (C) For a breach under Section 15, the name of the | ||||||
| 12 | operator. | ||||||
| 13 | The school must, at a minimum, update the items under | ||||||
| 14 | paragraphs (1), (3), (4), and (5) no later than 30 calendar | ||||||
| 15 | days following the start of a school year and no later than 30 | ||||||
| 16 | days following the beginning of a calendar year. | ||||||
| 17 | (b) Each school must adopt a policy designating which | ||||||
| 18 | school employees are authorized to enter into written | ||||||
| 19 | agreements with operators. This subsection may not be construed | ||||||
| 20 | to limit individual school employees outside of the scope of | ||||||
| 21 | their employment from entering into agreements with operators | ||||||
| 22 | on their own behalf and for non-K through 12 school purposes, | ||||||
| 23 | provided that no covered information is provided to the | ||||||
| 24 | operators. Any agreement or contract entered into in violation | ||||||
| 25 | of this Act is void and unenforceable as against public policy. | ||||||
| 26 | (c) A school must post on its website each written | ||||||
| |||||||
| |||||||
| 1 | agreement entered into under this Act, along with any | ||||||
| 2 | information required under subsection (a), no later than 5 | ||||||
| 3 | business days after entering into the agreement. | ||||||
| 4 | (d) After receipt of notice of a breach under Section 15 or | ||||||
| 5 | determination of a breach of covered information maintained by | ||||||
| 6 | the school, a school shall electronically notify, no later than | ||||||
| 7 | 30 calendar days after receipt of the notice or determination | ||||||
| 8 | that a breach has occurred, the parent of any student whose | ||||||
| 9 | covered information is involved in the breach. The notification | ||||||
| 10 | must include, but is not limited to, all of the following: | ||||||
| 11 | (1) The date, estimated date, or estimated date range | ||||||
| 12 | of the breach. | ||||||
| 13 | (2) A description of the covered information that was | ||||||
| 14 | compromised or reasonably believed to have been | ||||||
| 15 | compromised in the breach. | ||||||
| 16 | (3) Information that the parent may use to contact the | ||||||
| 17 | operator and school to inquire about the breach. | ||||||
| 18 | (4) The toll-free numbers, addresses, and websites for | ||||||
| 19 | consumer reporting agencies. | ||||||
| 20 | (5) The toll-free number, address, and website for the | ||||||
| 21 | Federal Trade Commission. | ||||||
| 22 | (6) A statement that the parent may obtain information | ||||||
| 23 | from the Federal Trade Commission and consumer reporting | ||||||
| 24 | agencies about fraud alerts and security freezes. | ||||||
| 25 | (e) Each school must implement and maintain security | ||||||
| 26 | procedures and practices designed to protect covered | ||||||
| |||||||
| |||||||
| 1 | information from unauthorized access, destruction, use, | ||||||
| 2 | modification, or disclosure that, based on the sensitivity of | ||||||
| 3 | the covered information and the risk from unauthorized access, | ||||||
| 4 | (i) use technologies and methodologies that are consistent with | ||||||
| 5 | the U.S. Department of Commerce's National Institute of | ||||||
| 6 | Standards and Technology's Framework for Improving Critical | ||||||
| 7 | Infrastructure Cybersecurity Version 1.1 and any updates to it | ||||||
| 8 | or (ii) maintain technical safeguards as they relate to the | ||||||
| 9 | possession of student records in a manner consistent with the | ||||||
| 10 | provisions of 45 CFR 164.312. | ||||||
| 11 | (f) Each school shall designate an appropriate staff person | ||||||
| 12 | as a privacy officer, who may also be an official records | ||||||
| 13 | custodian as designated under the Illinois School Student | ||||||
| 14 | Records Act, to carry out the duties and responsibilities | ||||||
| 15 | assigned to schools and to ensure compliance with the | ||||||
| 16 | requirements of this Section and Section 26. | ||||||
| 17 | (g) A school shall make a request, pursuant to paragraph | ||||||
| 18 | (2) of Section 15, to an operator to delete covered information | ||||||
| 19 | on behalf of a student's parent if the parent requests from the | ||||||
| 20 | school that the student's covered information held by the | ||||||
| 21 | operator be deleted, so long as the deletion of the covered | ||||||
| 22 | information is not in violation of the Illinois School Student | ||||||
| 23 | Records Act. | ||||||
| 24 | (h) This Section does not apply to nonpublic schools.
| ||||||
| 25 | (105 ILCS 85/28 new) | ||||||
| |||||||
| |||||||
| 1 | Sec. 28. State Board duties. | ||||||
| 2 | (a) The State Board may not sell, rent, lease, or trade | ||||||
| 3 | covered information. | ||||||
| 4 | (b) The State Board may not share, transfer, disclose, or | ||||||
| 5 | provide covered information to an entity or individual without | ||||||
| 6 | a contract or written agreement, except for disclosures | ||||||
| 7 | required by federal law to federal agencies. | ||||||
| 8 | (c) At least twice annually, the State Board must publish | ||||||
| 9 | and maintain on its website a list of all of the entities or | ||||||
| 10 | individuals, including, but not limited to, operators, | ||||||
| 11 | individual researchers, research organizations, institutions | ||||||
| 12 | of higher education, or government agencies, that the State | ||||||
| 13 | Board contracts with or has agreements with and that hold | ||||||
| 14 | covered information and a copy of each contract or agreement. | ||||||
| 15 | The list must include all of the following information: | ||||||
| 16 | (1) The name of the entity or individual. In naming an | ||||||
| 17 | individual, the list must include the entity that sponsors | ||||||
| 18 | the individual or with which the individual is affiliated, | ||||||
| 19 | if any. If the individual is conducting research at an | ||||||
| 20 | institution of higher education, the list may include the | ||||||
| 21 | name of that institution and a contact person in the | ||||||
| 22 | department that is associated with the research in lieu of | ||||||
| 23 | the name of the researcher. If the entity is an operator, | ||||||
| 24 | the list must include its business address. | ||||||
| 25 | (2) The purpose and scope of the contract or agreement. | ||||||
| 26 | (3) The duration of the contract or agreement. | ||||||
| |||||||
| |||||||
| 1 | (4) The types of covered information that the entity or | ||||||
| 2 | individual holds under the contract or agreement. | ||||||
| 3 | (5) The use of the covered information under the | ||||||
| 4 | contract or agreement. | ||||||
| 5 | (6) The length of time for which the entity or | ||||||
| 6 | individual may hold the covered information. | ||||||
| 7 | (7) A list of any subcontractors to whom covered | ||||||
| 8 | information may be disclosed under Section 15. | ||||||
| 9 | (d) The State Board shall create, publish, and make | ||||||
| 10 | publicly available an inventory, along with a dictionary or | ||||||
| 11 | index of data elements and their definitions, of covered | ||||||
| 12 | information collected or maintained by the State Board, | ||||||
| 13 | including, but not limited to, both of the following: | ||||||
| 14 | (1) Covered information that schools are required to | ||||||
| 15 | report to the State Board by State or federal law. | ||||||
| 16 | (2) Covered information in the State longitudinal data | ||||||
| 17 | system or any data warehouse used by the State Board to | ||||||
| 18 | populate the longitudinal data system. | ||||||
| 19 | The inventory shall make clear for what purposes the State | ||||||
| 20 | Board uses the covered information. | ||||||
| 21 | (e) The State Board shall develop, publish, and make | ||||||
| 22 | publicly available, for the benefit of schools, model student | ||||||
| 23 | data privacy policies and procedures that comply with relevant | ||||||
| 24 | State and federal law, including, but not limited to, a model | ||||||
| 25 | notice that schools must use to provide notice to parents and | ||||||
| 26 | students about operators. The notice must state, in general | ||||||
| |||||||
| |||||||
| 1 | terms, the types of student data that are collected by the | ||||||
| 2 | schools and shared with operators under this Act and the | ||||||
| 3 | purposes of collecting and using the student data. After | ||||||
| 4 | creation of the notice under this subsection, a school shall, | ||||||
| 5 | at the beginning of each school year, provide the notice to | ||||||
| 6 | parents by the same means generally used to send notices to | ||||||
| 7 | them. This subsection does not apply to nonpublic schools.
| ||||||
| 8 | (105 ILCS 85/33 new) | ||||||
| 9 | Sec. 33. Parent and student rights. | ||||||
| 10 | (a) A student's covered information is the sole property of | ||||||
| 11 | the student's parent. | ||||||
| 12 | (b) A student's covered information shall be collected only | ||||||
| 13 | for K through 12 school purposes and not further processed in a | ||||||
| 14 | manner that is incompatible with those purposes. | ||||||
| 15 | (c) A student's covered information shall only be adequate, | ||||||
| 16 | relevant, and limited to what is necessary in relation to the K | ||||||
| 17 | through 12 school purposes for which it is processed. | ||||||
| 18 | (d) Except for a parent of a student enrolled in a | ||||||
| 19 | nonpublic school, the parent of a student enrolled in a school | ||||||
| 20 | has the right to all of the following: | ||||||
| 21 | (1) Inspect and review the student's covered | ||||||
| 22 | information, regardless of whether it is maintained by the | ||||||
| 23 | school, the State Board, or an operator. | ||||||
| 24 | (2) Request from a school a paper or electronic copy of | ||||||
| 25 | the student's covered information, including covered | ||||||
| |||||||
| |||||||
| 1 | information maintained by an operator or the State Board. | ||||||
| 2 | If a parent requests an electronic copy of the student's | ||||||
| 3 | covered information under this paragraph, the school must | ||||||
| 4 | provide an electronic copy of that information, unless the | ||||||
| 5 | school does not maintain the information in an electronic | ||||||
| 6 | format and reproducing the information in an electronic | ||||||
| 7 | format would be unduly burdensome to the school. If a | ||||||
| 8 | parent requests a paper copy of the student's covered | ||||||
| 9 | information, the school may charge the parent the | ||||||
| 10 | reasonable cost for copying the information in an amount | ||||||
| 11 | not to exceed the amount fixed in a schedule adopted by the | ||||||
| 12 | State Board, except that no parent may be denied a copy of | ||||||
| 13 | the information due to the parent's inability to bear the | ||||||
| 14 | cost of the copying. The State Board must adopt rules on | ||||||
| 15 | the methodology and frequency of requests under this | ||||||
| 16 | paragraph. | ||||||
| 17 | (3) Request corrections of factual inaccuracies | ||||||
| 18 | contained in the student's covered information. After | ||||||
| 19 | receiving a request for corrections that documents a | ||||||
| 20 | factual inaccuracy, a school must do either of the | ||||||
| 21 | following: | ||||||
| 22 | (A) Confirm the correction with the parent within | ||||||
| 23 | 90 calendar days after receiving the parent's request | ||||||
| 24 | if the school or State Board maintains the covered | ||||||
| 25 | information that contains the factual inaccuracy. | ||||||
| 26 | (B) Notify the operator who must confirm the | ||||||
| |||||||
| |||||||
| 1 | correction with the parent within 90 calendar days | ||||||
| 2 | after receiving the parent's request if the covered | ||||||
| 3 | information that contains the factual inaccuracy is | ||||||
| 4 | maintained by an operator. | ||||||
| 5 | (e) Nothing in this Section shall be construed to limit the | ||||||
| 6 | rights granted to parents and students under the Illinois | ||||||
| 7 | School Student Records Act.
| ||||||
| 8 | Section 99. Effective date. This Act takes effect July 1, | ||||||
| 9 | 2021.".
| ||||||
