Bill Text: IL HB3606 | 2019-2020 | 101st General Assembly | Engrossed
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Reinserts the provisions of the engrossed bill as amended by Senate Amendment No. 1 with the following changes. Provides that certain information that is required to be posted on a school's website must be made available at a school's administrative office for inspection by the general public if the school does not maintain a website. Provides that a school may omit from its list of breaches of covered information any breach in which the date, estimated date, or estimated date range in which it occurred is earlier than July 1, 2021 or any breach previously posted on a list no more than 5 years prior to the school updating the current list. Provides that a notice of breach may be delayed if an appropriate law enforcement agency determines that the notification will interfere with a criminal investigation and provides the school with a written request for a delay of notice. Allows the State Board of Education to share, transfer, disclose, or provide covered information to its employees or officials acting within their official capacity. Removes a provision stating that a student's covered information is the sole property of the student's parent. Makes changes to a parent's and student's rights. Makes other changes. Effective July 1, 2021.
Spectrum: Partisan Bill (Democrat 40-1)
Status: (Passed) 2019-08-23 - Public Act . . . . . . . . . 101-0516 [HB3606 Detail]
Download: Illinois-2019-HB3606-Engrossed.html
Bill Title: Reinserts the provisions of the engrossed bill as amended by Senate Amendment No. 1 with the following changes. Provides that certain information that is required to be posted on a school's website must be made available at a school's administrative office for inspection by the general public if the school does not maintain a website. Provides that a school may omit from its list of breaches of covered information any breach in which the date, estimated date, or estimated date range in which it occurred is earlier than July 1, 2021 or any breach previously posted on a list no more than 5 years prior to the school updating the current list. Provides that a notice of breach may be delayed if an appropriate law enforcement agency determines that the notification will interfere with a criminal investigation and provides the school with a written request for a delay of notice. Allows the State Board of Education to share, transfer, disclose, or provide covered information to its employees or officials acting within their official capacity. Removes a provision stating that a student's covered information is the sole property of the student's parent. Makes changes to a parent's and student's rights. Makes other changes. Effective July 1, 2021.
Spectrum: Partisan Bill (Democrat 40-1)
Status: (Passed) 2019-08-23 - Public Act . . . . . . . . . 101-0516 [HB3606 Detail]
Download: Illinois-2019-HB3606-Engrossed.html
| |||||||
| |||||||
| |||||||
| 1 | AN ACT concerning education.
| ||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||
| 3 | represented in the General Assembly:
| ||||||
| 4 | Section 5. The Student Online Personal Protection Act is | ||||||
| 5 | amended by changing Sections 5, 10, and 15 and by adding | ||||||
| 6 | Sections 26, 27, 28, and 33 as follows:
| ||||||
| 7 | (105 ILCS 85/5)
| ||||||
| 8 | Sec. 5. Definitions. In this Act: | ||||||
| 9 | "Breach" means the unauthorized disclosure of data or | ||||||
| 10 | unauthorized provision of physical or electronic means of | ||||||
| 11 | gaining access to data that compromises the security, | ||||||
| 12 | confidentiality, or integrity of covered information. | ||||||
| 13 | "Covered information" means personally identifiable | ||||||
| 14 | information or material or information that is linked to | ||||||
| 15 | personally identifiable information or material in any media or | ||||||
| 16 | format that is not publicly available and is any of the | ||||||
| 17 | following: | ||||||
| 18 | (1) Created by or provided to an operator by a student | ||||||
| 19 | or the student's parent or legal guardian in the course of | ||||||
| 20 | the student's, parent's, or legal guardian's use of the | ||||||
| 21 | operator's site, service, or application for K through 12 | ||||||
| 22 | school purposes. | ||||||
| 23 | (2) Created by or provided to an operator by an | ||||||
| |||||||
| |||||||
| 1 | employee or agent of a school or school district for K | ||||||
| 2 | through 12 school purposes. | ||||||
| 3 | (3) Gathered by an operator through the operation of | ||||||
| 4 | its site, service, or application for K through 12 school | ||||||
| 5 | purposes and personally identifies a student, including, | ||||||
| 6 | but not limited to, information in the student's | ||||||
| 7 | educational record or electronic mail, first and last name, | ||||||
| 8 | home address, telephone number, electronic mail address, | ||||||
| 9 | or other information that allows physical or online | ||||||
| 10 | contact, discipline records, test results, special | ||||||
| 11 | education data, juvenile dependency records, grades, | ||||||
| 12 | evaluations, criminal records, medical records, health | ||||||
| 13 | records, a social security number, biometric information, | ||||||
| 14 | disabilities, socioeconomic information, food purchases, | ||||||
| 15 | political affiliations, religious information, text | ||||||
| 16 | messages, documents, student identifiers, search activity, | ||||||
| 17 | photos, voice recordings, or geolocation information. | ||||||
| 18 | "Interactive computer service" has the meaning ascribed to | ||||||
| 19 | that term in Section 230 of the federal Communications Decency | ||||||
| 20 | Act of 1996 (47 U.S.C. 230). | ||||||
| 21 | "K through 12 school purposes" means purposes that are | ||||||
| 22 | directed by or that customarily take place at the direction of | ||||||
| 23 | a school, teacher, or school district; aid in the | ||||||
| 24 | administration of school activities, including, but not | ||||||
| 25 | limited to, instruction in the classroom or at home, | ||||||
| 26 | administrative activities, and collaboration between students, | ||||||
| |||||||
| |||||||
| 1 | school personnel, or parents; or are otherwise for the use and | ||||||
| 2 | benefit of the school. | ||||||
| 3 | "Longitudinal data system" has the meaning given to that | ||||||
| 4 | term under the P-20 Longitudinal Education Data System Act. | ||||||
| 5 | "Operator" means, to the extent that an entity is operating | ||||||
| 6 | in this capacity, the operator of an Internet website, online | ||||||
| 7 | service, online application, or mobile application with actual | ||||||
| 8 | knowledge that the site, service, or application is used | ||||||
| 9 | primarily for K through 12 school purposes and was designed and | ||||||
| 10 | marketed for K through 12 school purposes. | ||||||
| 11 | "Parent" has the meaning given to that term under the | ||||||
| 12 | Illinois School Student Records Act. | ||||||
| 13 | "School" means (1) any preschool, public kindergarten, | ||||||
| 14 | elementary or secondary educational institution, vocational | ||||||
| 15 | school, special educational facility, or any other elementary | ||||||
| 16 | or secondary educational agency or institution or (2) any | ||||||
| 17 | person, agency, or institution that maintains school student | ||||||
| 18 | records from more than one school. Except as otherwise provided | ||||||
| 19 | in this Act, "school" "School" includes a private or nonpublic | ||||||
| 20 | school. | ||||||
| 21 | "State Board" means the State Board of Education. | ||||||
| 22 | "Student" has the meaning given to that term under the | ||||||
| 23 | Illinois School Student Records Act. | ||||||
| 24 | "Targeted advertising" means presenting advertisements to | ||||||
| 25 | a student where the advertisement is selected based on | ||||||
| 26 | information obtained or inferred over time from that student's | ||||||
| |||||||
| |||||||
| 1 | online behavior, usage of applications, or covered | ||||||
| 2 | information. The term does not include advertising to a student | ||||||
| 3 | at an online location based upon that student's current visit | ||||||
| 4 | to that location or in response to that student's request for | ||||||
| 5 | information or feedback, without the retention of that | ||||||
| 6 | student's online activities or requests over time for the | ||||||
| 7 | purpose of targeting subsequent ads.
| ||||||
| 8 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 9 | (105 ILCS 85/10)
| ||||||
| 10 | Sec. 10. Operator prohibitions. An operator shall not | ||||||
| 11 | knowingly do any of the following: | ||||||
| 12 | (1) Engage in targeted advertising on the operator's | ||||||
| 13 | site, service, or application or target advertising on any | ||||||
| 14 | other site, service, or application if the targeting of the | ||||||
| 15 | advertising is based on any information, including covered | ||||||
| 16 | information and persistent unique identifiers, that the | ||||||
| 17 | operator has acquired because of the use of that operator's | ||||||
| 18 | site, service, or application for K through 12 school | ||||||
| 19 | purposes. | ||||||
| 20 | (2) Use information, including persistent unique | ||||||
| 21 | identifiers, created or gathered by the operator's site, | ||||||
| 22 | service, or application to amass a profile about a student, | ||||||
| 23 | except in furtherance of K through 12 school purposes. | ||||||
| 24 | "Amass a profile" does not include the collection and | ||||||
| 25 | retention of account information that remains under the | ||||||
| |||||||
| |||||||
| 1 | control of the student, the student's parent or legal | ||||||
| 2 | guardian, or the school. | ||||||
| 3 | (3) Sell or rent a student's information, including | ||||||
| 4 | covered information. This subdivision (3) does not apply to | ||||||
| 5 | the purchase, merger, or other type of acquisition of an | ||||||
| 6 | operator by another entity if the operator or successor | ||||||
| 7 | entity complies with this Act regarding previously | ||||||
| 8 | acquired student information. | ||||||
| 9 | (4) Except as otherwise provided in Section 20 of this | ||||||
| 10 | Act, disclose covered information, unless the disclosure | ||||||
| 11 | is made for the following purposes: | ||||||
| 12 | (A) In furtherance of the K through 12 school | ||||||
| 13 | purposes of the site, service, or application if the | ||||||
| 14 | recipient of the covered information disclosed under | ||||||
| 15 | this clause (A) does not further disclose the | ||||||
| 16 | information, unless done to allow or improve | ||||||
| 17 | operability and functionality of the operator's site, | ||||||
| 18 | service, or application. | ||||||
| 19 | (B) To ensure legal and regulatory compliance or | ||||||
| 20 | take precautions
against liability. | ||||||
| 21 | (C) To respond to the judicial process. | ||||||
| 22 | (D) To protect the safety or integrity of users of | ||||||
| 23 | the site or others or the security of the site, | ||||||
| 24 | service, or application. | ||||||
| 25 | (E) For a school, educational, or employment | ||||||
| 26 | purpose requested by the student or the student's | ||||||
| |||||||
| |||||||
| 1 | parent or legal guardian, provided that the | ||||||
| 2 | information is not used or further disclosed for any | ||||||
| 3 | other purpose. | ||||||
| 4 | (F) To a third party if the operator contractually | ||||||
| 5 | prohibits the third party from using any covered | ||||||
| 6 | information for any purpose other than providing the | ||||||
| 7 | contracted service to or on behalf of the operator, | ||||||
| 8 | prohibits the third party from disclosing any covered | ||||||
| 9 | information provided by the operator with subsequent | ||||||
| 10 | third parties, and requires the third party to | ||||||
| 11 | implement and maintain reasonable security procedures | ||||||
| 12 | and practices as required under Section 15. | ||||||
| 13 | Nothing in this Section prohibits the operator's use of | ||||||
| 14 | information for maintaining, developing, supporting, | ||||||
| 15 | improving, or diagnosing the operator's site, service, or | ||||||
| 16 | application.
| ||||||
| 17 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 18 | (105 ILCS 85/15)
| ||||||
| 19 | Sec. 15. Operator duties. An operator shall do the | ||||||
| 20 | following: | ||||||
| 21 | (1) Implement and maintain reasonable security | ||||||
| 22 | procedures and practices appropriate to the nature of the | ||||||
| 23 | covered information and designed to protect that covered | ||||||
| 24 | information from unauthorized access, destruction, use, | ||||||
| 25 | modification, or disclosure that, based on the sensitivity | ||||||
| |||||||
| |||||||
| 1 | of the data and the risk from unauthorized access, (i) use | ||||||
| 2 | technologies and methodologies that are consistent with | ||||||
| 3 | the U.S. Department of Commerce's National Institute of | ||||||
| 4 | Standards and Technology's Framework for Improving | ||||||
| 5 | Critical Infrastructure Cybersecurity Version 1.1 and any | ||||||
| 6 | updates to it or (ii) maintain technical safeguards as they | ||||||
| 7 | relate to the possession of covered information in a manner | ||||||
| 8 | consistent with the provisions of 45 CFR 164.312. | ||||||
| 9 | (2) Delete, within a reasonable time period, a | ||||||
| 10 | student's covered information if the school or school | ||||||
| 11 | district requests deletion of covered information under | ||||||
| 12 | the control of the school or school district, unless a | ||||||
| 13 | student or his or her parent or legal guardian consents to | ||||||
| 14 | the maintenance of the covered information. | ||||||
| 15 | (3) Publicly disclose material information about its | ||||||
| 16 | collection, use, and disclosure of covered information, | ||||||
| 17 | including, but not limited to, publishing a terms of | ||||||
| 18 | service agreement, privacy policy, or similar document. | ||||||
| 19 | (4) Except for a nonpublic school, for any operator who | ||||||
| 20 | seeks to receive from a school, school district, or the | ||||||
| 21 | State Board in any manner any covered information, enter | ||||||
| 22 | into a written agreement with the school, school district, | ||||||
| 23 | or State Board before the covered information may be | ||||||
| 24 | transferred. The written agreement may be created in | ||||||
| 25 | electronic form and signed with an electronic or digital | ||||||
| 26 | signature or may be a click wrap agreement that is used | ||||||
| |||||||
| |||||||
| 1 | with software licenses, downloaded or online applications | ||||||
| 2 | and transactions for educational technologies, or other | ||||||
| 3 | technologies in which a user must agree to terms and | ||||||
| 4 | conditions before using the product or service. The written | ||||||
| 5 | agreement must contain all of the following: | ||||||
| 6 | (A) A listing of the categories or types of covered | ||||||
| 7 | information to be provided to the operator. | ||||||
| 8 | (B) A statement of the product or service being | ||||||
| 9 | provided to the school by the operator. | ||||||
| 10 | (C) A statement that the operator is acting as a | ||||||
| 11 | school official with a legitimate educational | ||||||
| 12 | interest, is performing an institutional service or | ||||||
| 13 | function for which the school would otherwise use | ||||||
| 14 | employees, under the direct control of the school, with | ||||||
| 15 | respect to the use and maintenance of covered | ||||||
| 16 | information, and is using the covered information only | ||||||
| 17 | for an authorized purpose and may not re-disclose it to | ||||||
| 18 | third parties or affiliates, unless otherwise | ||||||
| 19 | permitted under this Act, without permission from the | ||||||
| 20 | school or pursuant to court order. | ||||||
| 21 | (D) A description of how, if a breach is attributed | ||||||
| 22 | to the operator, any costs and expenses incurred by the | ||||||
| 23 | school in investigating and remediating the breach | ||||||
| 24 | will be allocated between the operator and the school. | ||||||
| 25 | The costs and expenses may include, but are not limited | ||||||
| 26 | to: | ||||||
| |||||||
| |||||||
| 1 | (i) providing notification to the parents of | ||||||
| 2 | those students whose covered information was | ||||||
| 3 | compromised and to regulatory agencies or other | ||||||
| 4 | entities as required by law or contract; | ||||||
| 5 | (ii) providing credit monitoring to those | ||||||
| 6 | students whose covered information was exposed in | ||||||
| 7 | a manner during the breach that a reasonable person | ||||||
| 8 | would believe that it could impact his or her | ||||||
| 9 | credit or financial security; | ||||||
| 10 | (iii) legal fees, audit costs, fines, and any | ||||||
| 11 | other fees or damages imposed against the school as | ||||||
| 12 | a result of the security breach; and | ||||||
| 13 | (iv) providing any other notifications or | ||||||
| 14 | fulfilling any other requirements adopted by the | ||||||
| 15 | State Board or of any other State or federal laws. | ||||||
| 16 | (E) A statement that the operator must delete or | ||||||
| 17 | transfer to the school all covered information if the | ||||||
| 18 | information is no longer needed for the purposes of the | ||||||
| 19 | written agreement and to specify the time period in | ||||||
| 20 | which the information must be deleted or transferred | ||||||
| 21 | once the operator is made aware that the information is | ||||||
| 22 | no longer needed for the purposes of the written | ||||||
| 23 | agreement. | ||||||
| 24 | (F) A statement that the school must publish the | ||||||
| 25 | written agreement on the school's website. If mutually | ||||||
| 26 | agreed upon by the school and the operator, provisions | ||||||
| |||||||
| |||||||
| 1 | of the written agreement, other than those under | ||||||
| 2 | subparagraphs (A), (B), and (C), may be redacted in the | ||||||
| 3 | copy of the written agreement published on the school's | ||||||
| 4 | website. | ||||||
| 5 | (5) In case of any breach, within the most expedient | ||||||
| 6 | time possible and without unreasonable delay, but no later | ||||||
| 7 | than 30 calendar days after the determination that a breach | ||||||
| 8 | has occurred, notify the school of any breach of the | ||||||
| 9 | students' covered information.
| ||||||
| 10 | (Source: P.A. 100-315, eff. 8-24-17.)
| ||||||
| 11 | (105 ILCS 85/26 new) | ||||||
| 12 | Sec. 26. School prohibitions. A school may not do either of | ||||||
| 13 | the following: | ||||||
| 14 | (1) Sell, rent, lease, or trade covered information. | ||||||
| 15 | (2) Share, transfer, disclose, or provide access to a | ||||||
| 16 | student's covered information to an entity or individual, | ||||||
| 17 | other than the student's parent or the State Board, without | ||||||
| 18 | a written agreement, unless the disclosure or transfer is: | ||||||
| 19 | (A) to the extent permitted by federal law, to law | ||||||
| 20 | enforcement officials to protect the safety of users or | ||||||
| 21 | others or the security or integrity of the operator's | ||||||
| 22 | service; | ||||||
| 23 | (B) required by court order or State or federal | ||||||
| 24 | law; or | ||||||
| 25 | (C) to ensure legal or regulatory compliance. | ||||||
| |||||||
| |||||||
| 1 | This paragraph (2) does not apply to nonpublic schools.
| ||||||
| 2 | (105 ILCS 85/27 new) | ||||||
| 3 | Sec. 27. School duties. | ||||||
| 4 | (a) Each school shall post and maintain on its website all | ||||||
| 5 | of the following information: | ||||||
| 6 | (1) An explanation, that is clear and understandable by | ||||||
| 7 | a layperson, of the data elements of covered information | ||||||
| 8 | that the school collects, maintains, or discloses to any | ||||||
| 9 | person, entity, third party, or governmental agency. The | ||||||
| 10 | information must explain how the school uses, to whom or | ||||||
| 11 | what entities it discloses, and for what purpose it | ||||||
| 12 | discloses the covered information. | ||||||
| 13 | (2) A list of operators that the school has written | ||||||
| 14 | agreements with, a copy of each written agreement, and a | ||||||
| 15 | business address for each operator. | ||||||
| 16 | (3) For each operator, a list of any subcontractors to | ||||||
| 17 | whom covered information may be disclosed under Section 15. | ||||||
| 18 | (4) A written description of the procedures that a | ||||||
| 19 | parent may use to carry out the rights enumerated under | ||||||
| 20 | Section 33. | ||||||
| 21 | (5) A list of any breaches of covered information | ||||||
| 22 | maintained by the school or breaches under Section 15 that | ||||||
| 23 | includes, but is not limited to, all of the following | ||||||
| 24 | information: | ||||||
| 25 | (A) The number of students whose covered | ||||||
| |||||||
| |||||||
| 1 | information is involved in the breach. | ||||||
| 2 | (B) The date, estimated date, or estimated date | ||||||
| 3 | range of the breach. | ||||||
| 4 | (C) For a breach under Section 15, the name of the | ||||||
| 5 | operator. | ||||||
| 6 | The school must, at a minimum, update the items under | ||||||
| 7 | paragraphs (1), (3), (4), and (5) no later than 30 calendar | ||||||
| 8 | days following the start of a school year and no later than 30 | ||||||
| 9 | days following the beginning of a calendar year. | ||||||
| 10 | (b) Each school must adopt a policy designating which | ||||||
| 11 | school employees are authorized to enter into written | ||||||
| 12 | agreements with operators. This subsection may not be construed | ||||||
| 13 | to limit individual school employees outside of the scope of | ||||||
| 14 | their employment from entering into agreements with operators | ||||||
| 15 | on their own behalf and for non-K through 12 school purposes, | ||||||
| 16 | provided that no covered information is provided to the | ||||||
| 17 | operators. Any agreement or contract entered into in violation | ||||||
| 18 | of this Act is void and unenforceable as against public policy. | ||||||
| 19 | (c) A school must post on its website each written | ||||||
| 20 | agreement entered into under this Act, along with any | ||||||
| 21 | information required under subsection (a), no later than 5 | ||||||
| 22 | business days after entering into the agreement. | ||||||
| 23 | (d) After receipt of notice of a breach under Section 15 or | ||||||
| 24 | determination of a breach of covered information maintained by | ||||||
| 25 | the school, a school shall electronically notify, no later than | ||||||
| 26 | 30 calendar days after receipt of the notice or determination | ||||||
| |||||||
| |||||||
| 1 | that a breach has occurred, the parent of any student whose | ||||||
| 2 | covered information is involved in the breach. The notification | ||||||
| 3 | must include, but is not limited to, all of the following: | ||||||
| 4 | (1) The date, estimated date, or estimated date range | ||||||
| 5 | of the breach. | ||||||
| 6 | (2) A description of the covered information that was | ||||||
| 7 | compromised or reasonably believed to have been | ||||||
| 8 | compromised in the breach. | ||||||
| 9 | (3) Information that the parent may use to contact the | ||||||
| 10 | operator and school to inquire about the breach. | ||||||
| 11 | (4) The toll-free numbers, addresses, and websites for | ||||||
| 12 | consumer reporting agencies. | ||||||
| 13 | (5) The toll-free number, address, and website for the | ||||||
| 14 | Federal Trade Commission. | ||||||
| 15 | (6) A statement that the parent may obtain information | ||||||
| 16 | from the Federal Trade Commission and consumer reporting | ||||||
| 17 | agencies about fraud alerts and security freezes. | ||||||
| 18 | (e) Each school must implement and maintain security | ||||||
| 19 | procedures and practices designed to protect covered | ||||||
| 20 | information from unauthorized access, destruction, use, | ||||||
| 21 | modification, or disclosure that, based on the sensitivity of | ||||||
| 22 | the covered information and the risk from unauthorized access, | ||||||
| 23 | (i) use technologies and methodologies that are consistent with | ||||||
| 24 | the U.S. Department of Commerce's National Institute of | ||||||
| 25 | Standards and Technology's Framework for Improving Critical | ||||||
| 26 | Infrastructure Cybersecurity Version 1.1 and any updates to it | ||||||
| |||||||
| |||||||
| 1 | or (ii) maintain technical safeguards as they relate to the | ||||||
| 2 | possession of student records in a manner consistent with the | ||||||
| 3 | provisions of 45 CFR 164.312. | ||||||
| 4 | (f) Each school shall designate an appropriate staff person | ||||||
| 5 | as a privacy officer, who may also be an official records | ||||||
| 6 | custodian as designated under the Illinois School Student | ||||||
| 7 | Records Act, to carry out the duties and responsibilities | ||||||
| 8 | assigned to schools and to ensure compliance with the | ||||||
| 9 | requirements of this Section and Section 26. | ||||||
| 10 | (g) A school shall make a request, pursuant to paragraph | ||||||
| 11 | (2) of Section 15, to an operator to delete covered information | ||||||
| 12 | on behalf of a student's parent if the parent requests from the | ||||||
| 13 | school that the student's covered information held by the | ||||||
| 14 | operator be deleted, so long as the deletion of the covered | ||||||
| 15 | information is not in violation of the Illinois School Student | ||||||
| 16 | Records Act. | ||||||
| 17 | (h) This Section does not apply to nonpublic schools.
| ||||||
| 18 | (105 ILCS 85/28 new) | ||||||
| 19 | Sec. 28. State Board duties. | ||||||
| 20 | (a) The State Board may not sell, rent, lease, or trade | ||||||
| 21 | covered information. | ||||||
| 22 | (b) The State Board may not share, transfer, disclose, or | ||||||
| 23 | provide covered information to an entity or individual without | ||||||
| 24 | a contract or written agreement, except for disclosures | ||||||
| 25 | required by federal law to federal agencies. | ||||||
| |||||||
| |||||||
| 1 | (c) At least twice annually, the State Board must publish | ||||||
| 2 | and maintain on its website a list of all of the entities or | ||||||
| 3 | individuals, including, but not limited to, operators, | ||||||
| 4 | individual researchers, research organizations, institutions | ||||||
| 5 | of higher education, or government agencies, that the State | ||||||
| 6 | Board contracts with or has agreements with and that hold | ||||||
| 7 | covered information and a copy of each contract or agreement. | ||||||
| 8 | The list must include all of the following information: | ||||||
| 9 | (1) The name of the entity or individual. In naming an | ||||||
| 10 | individual, the list must include the entity that sponsors | ||||||
| 11 | the individual or with which the individual is affiliated, | ||||||
| 12 | if any. If the individual is conducting research at an | ||||||
| 13 | institution of higher education, the list may include the | ||||||
| 14 | name of that institution and a contact person in the | ||||||
| 15 | department that is associated with the research in lieu of | ||||||
| 16 | the name of the researcher. If the entity is an operator, | ||||||
| 17 | the list must include its business address. | ||||||
| 18 | (2) The purpose and scope of the contract or agreement. | ||||||
| 19 | (3) The duration of the contract or agreement. | ||||||
| 20 | (4) The types of covered information that the entity or | ||||||
| 21 | individual holds under the contract or agreement. | ||||||
| 22 | (5) The use of the covered information under the | ||||||
| 23 | contract or agreement. | ||||||
| 24 | (6) The length of time for which the entity or | ||||||
| 25 | individual may hold the covered information. | ||||||
| 26 | (7) A list of any subcontractors to whom covered | ||||||
| |||||||
| |||||||
| 1 | information may be disclosed under Section 15. | ||||||
| 2 | (d) The State Board shall create, publish, and make | ||||||
| 3 | publicly available an inventory, along with a dictionary or | ||||||
| 4 | index of data elements and their definitions, of covered | ||||||
| 5 | information collected or maintained by the State Board, | ||||||
| 6 | including, but not limited to, both of the following: | ||||||
| 7 | (1) Covered information that schools are required to | ||||||
| 8 | report to the State Board by State or federal law. | ||||||
| 9 | (2) Covered information in the State longitudinal data | ||||||
| 10 | system or any data warehouse used by the State Board to | ||||||
| 11 | populate the longitudinal data system. | ||||||
| 12 | The inventory shall make clear for what purposes the State | ||||||
| 13 | Board uses the covered information. | ||||||
| 14 | (e) The State Board shall develop, publish, and make | ||||||
| 15 | publicly available, for the benefit of schools, model student | ||||||
| 16 | data privacy policies and procedures that comply with relevant | ||||||
| 17 | State and federal law, including, but not limited to, a model | ||||||
| 18 | notice that schools must use to provide notice to parents and | ||||||
| 19 | students about operators. The notice must state, in general | ||||||
| 20 | terms, the types of student data that are collected by the | ||||||
| 21 | schools and shared with operators under this Act and the | ||||||
| 22 | purposes of collecting and using the student data. After | ||||||
| 23 | creation of the notice under this subsection, a school shall, | ||||||
| 24 | at the beginning of each school year, provide the notice to | ||||||
| 25 | parents by the same means generally used to send notices to | ||||||
| 26 | them. This subsection does not apply to nonpublic schools.
| ||||||
| |||||||
| |||||||
| 1 | (105 ILCS 85/33 new) | ||||||
| 2 | Sec. 33. Parent and student rights. | ||||||
| 3 | (a) A student's covered information is the sole property of | ||||||
| 4 | the student's parent. | ||||||
| 5 | (b) A student's covered information shall be collected only | ||||||
| 6 | for K through 12 school purposes and not further processed in a | ||||||
| 7 | manner that is incompatible with those purposes. | ||||||
| 8 | (c) A student's covered information shall only be adequate, | ||||||
| 9 | relevant, and limited to what is necessary in relation to the K | ||||||
| 10 | through 12 school purposes for which it is processed. | ||||||
| 11 | (d) Except for a parent of a student enrolled in a | ||||||
| 12 | nonpublic school, the parent of a student enrolled in a school | ||||||
| 13 | has the right to all of the following: | ||||||
| 14 | (1) Inspect and review the student's covered | ||||||
| 15 | information, regardless of whether it is maintained by the | ||||||
| 16 | school, the State Board, or an operator. | ||||||
| 17 | (2) Request from a school a paper or electronic copy of | ||||||
| 18 | the student's covered information, including covered | ||||||
| 19 | information maintained by an operator or the State Board. | ||||||
| 20 | If a parent requests an electronic copy of the student's | ||||||
| 21 | covered information under this paragraph, the school must | ||||||
| 22 | provide an electronic copy of that information, unless the | ||||||
| 23 | school does not maintain the information in an electronic | ||||||
| 24 | format and reproducing the information in an electronic | ||||||
| 25 | format would be unduly burdensome to the school. If a | ||||||
| |||||||
| |||||||
| 1 | parent requests a paper copy of the student's covered | ||||||
| 2 | information, the school may charge the parent the | ||||||
| 3 | reasonable cost for copying the information in an amount | ||||||
| 4 | not to exceed the amount fixed in a schedule adopted by the | ||||||
| 5 | State Board, except that no parent may be denied a copy of | ||||||
| 6 | the information due to the parent's inability to bear the | ||||||
| 7 | cost of the copying. The State Board must adopt rules on | ||||||
| 8 | the methodology and frequency of requests under this | ||||||
| 9 | paragraph. | ||||||
| 10 | (3) Request corrections of factual inaccuracies | ||||||
| 11 | contained in the student's covered information. After | ||||||
| 12 | receiving a request for corrections that documents a | ||||||
| 13 | factual inaccuracy, a school must do either of the | ||||||
| 14 | following: | ||||||
| 15 | (A) Confirm the correction with the parent within | ||||||
| 16 | 90 calendar days after receiving the parent's request | ||||||
| 17 | if the school or State Board maintains the covered | ||||||
| 18 | information that contains the factual inaccuracy. | ||||||
| 19 | (B) Notify the operator who must confirm the | ||||||
| 20 | correction with the parent within 90 calendar days | ||||||
| 21 | after receiving the parent's request if the covered | ||||||
| 22 | information that contains the factual inaccuracy is | ||||||
| 23 | maintained by an operator. | ||||||
| 24 | (e) Nothing in this Section shall be construed to limit the | ||||||
| 25 | rights granted to parents and students under the Illinois | ||||||
| 26 | School Student Records Act.
| ||||||
| |||||||
| |||||||
