Bill Text: IL SB2089 | 2019-2020 | 101st General Assembly | Introduced
Bill Title: Creates the Student Online Personal Protection Act of 2019. Provides for legislative intent and definitions. Provides for operator prohibitions, operator duties, school authority prohibitions, school authority duties, State Board of Education duties, and parent rights. Creates the Student Data Protection Oversight Committee and provides for the Committee's membership and support. Requires the Committee to submit an annual report to the General Assembly and the State Board of Education with recommendations, if any, for policy revisions and legislative amendments that would carry out the intent of the Act. Amends the Illinois School Student Records Act. Adds a definition of record. Requires written consent of a student's parent to publish student directories that list student names, addresses, and other identifying information and similar publications. Amends the Consumer Fraud and Deceptive Business Practices Act to make a conforming change. Repeals the Student Online Personal Protection Act. Effective immediately.
Spectrum: Partisan Bill (Democrat 11-0)
Status: (Failed) 2021-01-13 - Session Sine Die [SB2089 Detail]
Download: Illinois-2019-SB2089-Introduced.html
| |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| 1 | AN ACT concerning education.
| ||||||||||||||||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||||||||||||||||||||||||||||
| 3 | represented in the General Assembly:
| ||||||||||||||||||||||||||||||||
| 4 | Section 1. Short title. This Act may be cited as the | ||||||||||||||||||||||||||||||||
| 5 | Student Online Personal Protection Act of 2019.
| ||||||||||||||||||||||||||||||||
| 6 | Section 5. Legislative intent. Schools today are | ||||||||||||||||||||||||||||||||
| 7 | increasingly using a wide range of technologies to help | ||||||||||||||||||||||||||||||||
| 8 | students learn, but concerns have been raised about whether | ||||||||||||||||||||||||||||||||
| 9 | sufficient safeguards exist to protect the privacy and security | ||||||||||||||||||||||||||||||||
| 10 | of data about students and their families. This Act is intended | ||||||||||||||||||||||||||||||||
| 11 | to ensure that students' and families' data will be protected, | ||||||||||||||||||||||||||||||||
| 12 | safeguarded, and kept private and disclosed only to appropriate | ||||||||||||||||||||||||||||||||
| 13 | educational authorities or to properly authorized designees | ||||||||||||||||||||||||||||||||
| 14 | under their control to serve the best interests of the student | ||||||||||||||||||||||||||||||||
| 15 | and that no student shall be required to disclose data or be | ||||||||||||||||||||||||||||||||
| 16 | required to consent to a school authority sharing covered | ||||||||||||||||||||||||||||||||
| 17 | information with an operator in order to receive a free, | ||||||||||||||||||||||||||||||||
| 18 | high-quality public education.
| ||||||||||||||||||||||||||||||||
| 19 | Section 10. Definitions. In this Act: | ||||||||||||||||||||||||||||||||
| 20 | "Biometric information" has the meaning given to that term | ||||||||||||||||||||||||||||||||
| 21 | under Section 10-20.40 of the School Code. | ||||||||||||||||||||||||||||||||
| 22 | "Breach" means the unauthorized disclosure of data or | ||||||||||||||||||||||||||||||||
| |||||||
| |||||||
| 1 | unauthorized provision of physical or electronic means of | ||||||
| 2 | gaining access to data that compromises the security, | ||||||
| 3 | confidentiality, or integrity of covered information or a | ||||||
| 4 | school student record. | ||||||
| 5 | "Covered information" means any information or records | ||||||
| 6 | regarding a student or generated by a student collected by or | ||||||
| 7 | provided to an operator, school authority, or the State Board | ||||||
| 8 | of Education for or in connection with a school purpose, | ||||||
| 9 | including personally identifiable information and information | ||||||
| 10 | that is linked to personally identifiable information. | ||||||
| 11 | "Covered information" does not include aggregated information | ||||||
| 12 | or records to the extent no student may be individually | ||||||
| 13 | identified from the information or records in any manner or | ||||||
| 14 | other information or records that do not include personally | ||||||
| 15 | identifiable information or other data by which a student may | ||||||
| 16 | be identified in any manner. "Covered information" does include | ||||||
| 17 | aggregated information or records that are capable of being | ||||||
| 18 | de-aggregated or reconstructed to the point that any student | ||||||
| 19 | may be individually identified from the information or records. | ||||||
| 20 | "Criminal records" means any criminal record or criminal | ||||||
| 21 | history, including, but not limited to, juvenile delinquency | ||||||
| 22 | records. | ||||||
| 23 | "Destroy" means to remove covered information so that it is | ||||||
| 24 | permanently irretrievable in the normal course of business. | ||||||
| 25 | "Educational benefit" means an educational or | ||||||
| 26 | instructional program, service, curriculum, course, material, | ||||||
| |||||||
| |||||||
| 1 | aid, or intervention provided by a school authority. | ||||||
| 2 | "Electronic network activity information" means any | ||||||
| 3 | information collected via the use of a technological device, | ||||||
| 4 | including keystroke log, browsing history, search history, | ||||||
| 5 | information regarding the user's interaction with a website, | ||||||
| 6 | application, or advertisement and any persistent identifiers | ||||||
| 7 | used to recognize a user over time and across different | ||||||
| 8 | websites or online services. Persistent identifiers may | ||||||
| 9 | include, but are not limited to, a user number held in a | ||||||
| 10 | cookie, an Internet Protocol address, a processor or device | ||||||
| 11 | serial number, or unique device identifier. | ||||||
| 12 | "Geolocation information" means information that (i) is | ||||||
| 13 | not the contents of a communication, (ii) is generated by or | ||||||
| 14 | derived from, in whole or in part, the operation of a | ||||||
| 15 | technological device, and (iii) is sufficient to determine or | ||||||
| 16 | infer the precise location of that device. | ||||||
| 17 | "Health information" means information or records about | ||||||
| 18 | the past, present, or future physical or mental health | ||||||
| 19 | condition or disability of a student or the provision of health | ||||||
| 20 | care or medical treatment of a student. | ||||||
| 21 | "Highly sensitive student information" means covered | ||||||
| 22 | information that includes, but is not limited to, all of the | ||||||
| 23 | following types of information: | ||||||
| 24 | (1) Criminal records. | ||||||
| 25 | (2) Disciplinary records. | ||||||
| 26 | (3) Health information. | ||||||
| |||||||
| |||||||
| 1 | (4) Immigration and citizenship status. | ||||||
| 2 | (5) Information protected under the federal Protection | ||||||
| 3 | of Pupil Rights Amendment of 1978. | ||||||
| 4 | (6) Personally identifiable information. | ||||||
| 5 | (7) Geolocation information. | ||||||
| 6 | (8) Electronic network activity information. | ||||||
| 7 | (9) Photograph, video, or audio files in which the file | ||||||
| 8 | contains a student's image or voice. | ||||||
| 9 | "Longitudinal data system" has the meaning given to that | ||||||
| 10 | term under the P-20 Longitudinal Education Data System Act. | ||||||
| 11 | "Operator" means any entity that, for a fee or free of | ||||||
| 12 | charge: | ||||||
| 13 | (1) provides a product or service to a school authority | ||||||
| 14 | that collects, maintains, utilizes, or discloses covered | ||||||
| 15 | information; | ||||||
| 16 | (2) designs or markets a product or service for use by | ||||||
| 17 | a school authority or, with the school authority's or its | ||||||
| 18 | officials' involvement, by the student that collects, | ||||||
| 19 | maintains, utilizes, or discloses covered information; or | ||||||
| 20 | (3) knows or reasonably should know that a product or | ||||||
| 21 | service that collects, retains, or uses covered | ||||||
| 22 | information will be used for a school purpose. | ||||||
| 23 | "Parent" has the meaning given to that term in the Illinois | ||||||
| 24 | School Student Records Act. | ||||||
| 25 | "Personally identifiable information" means any data | ||||||
| 26 | concerning a student by which a student may be individually or | ||||||
| |||||||
| |||||||
| 1 | personally identified and includes, but is not limited to, any | ||||||
| 2 | of the following: | ||||||
| 3 | (1) The student's name. | ||||||
| 4 | (2) The name of the student's parent or other family | ||||||
| 5 | members. | ||||||
| 6 | (3) The address of the student or the student's family. | ||||||
| 7 | (4) A personal identifier, such as the student's social | ||||||
| 8 | security number, student number, or biometric information. | ||||||
| 9 | (5) Other indirect identifiers, such as the student's | ||||||
| 10 | date of birth, place of birth, or mother's maiden name. | ||||||
| 11 | (6) Other information that, alone or in combination, is | ||||||
| 12 | linked or linkable to a specific student and that would | ||||||
| 13 | allow a reasonable person in the school community who does | ||||||
| 14 | not have personal knowledge of the relevant circumstances | ||||||
| 15 | to identify the student with reasonable certainty. | ||||||
| 16 | (7) Information requested by a person whom a school | ||||||
| 17 | reasonably believes knows the identity of the student to | ||||||
| 18 | whom the school student record relates. | ||||||
| 19 | "Profile" means a file or other mechanism used to collect | ||||||
| 20 | and retain, and that uses, covered information or other | ||||||
| 21 | information by which to identify or otherwise keep track of an | ||||||
| 22 | individual student or group of students. | ||||||
| 23 | "Publicly available" means information that is lawfully | ||||||
| 24 | made available from federal, State, or local government | ||||||
| 25 | records. "Publicly available" does not mean biometric | ||||||
| 26 | information collected by an operator about a student without | ||||||
| |||||||
| |||||||
| 1 | the parent's knowledge. "Publicly available" does not include | ||||||
| 2 | information that is used for a purpose that is not compatible | ||||||
| 3 | with the purpose for which the data is maintained and made | ||||||
| 4 | available in the government records or for which it is publicly | ||||||
| 5 | maintained and aggregate information or information that is | ||||||
| 6 | de-identified in a manner that precludes the possibility of | ||||||
| 7 | re-identification. | ||||||
| 8 | "Record" has the meaning given to that term under the | ||||||
| 9 | Illinois School Student Records Act. | ||||||
| 10 | "School" means (i) any preschool, day care center, nursery, | ||||||
| 11 | kindergarten, elementary or secondary educational institution, | ||||||
| 12 | vocational school, or special educational facility or any other | ||||||
| 13 | elementary or secondary educational agency or institution or | ||||||
| 14 | (ii) any person, agency, or institution that maintains school | ||||||
| 15 | student records from more than one school. "School" includes a | ||||||
| 16 | private or nonpublic school. | ||||||
| 17 | "School authority" means any school board, school | ||||||
| 18 | district, board of directors, or other governing body of a | ||||||
| 19 | school established under the School Code or through any other | ||||||
| 20 | means. | ||||||
| 21 | "School purpose" means any activity that is directed by or | ||||||
| 22 | takes place at the direction of a school authority or its | ||||||
| 23 | employees or designees. "School purpose" does not include | ||||||
| 24 | advertising that is not otherwise specifically authorized in | ||||||
| 25 | this Act is not a school purpose. | ||||||
| 26 | "School student record" has the meaning given to that term | ||||||
| |||||||
| |||||||
| 1 | under the Illinois School Student Records Act. | ||||||
| 2 | "State Board" means the State Board of Education. | ||||||
| 3 | "Student" has the meaning given to that term under the | ||||||
| 4 | Illinois School Student Records Act. | ||||||
| 5 | "Targeted advertising" means advertising to an individual | ||||||
| 6 | student or group of students in which the advertisements are | ||||||
| 7 | selected based on a known or assumed trait of the student or | ||||||
| 8 | group of students or information obtained or inferred from the | ||||||
| 9 | student's or group of students' online behavior within an | ||||||
| 10 | operator's product or service or the student's or group of | ||||||
| 11 | students' use of an operator's products or services, whether | ||||||
| 12 | over time or at the time of access. "Targeted advertising" does | ||||||
| 13 | not include providing a response to a request for information | ||||||
| 14 | or feedback or a recommendation from a student, provided the | ||||||
| 15 | response or recommendation is not determined in whole or in | ||||||
| 16 | part by payment or other consideration from a third party. | ||||||
| 17 | "Technological device" means any computer, cellular phone, | ||||||
| 18 | smart phone, digital camera, video camera, audio recording | ||||||
| 19 | device, radio frequency identification tag reader, or other | ||||||
| 20 | electronic device that can be used for creating, storing, or | ||||||
| 21 | transmitting information in the form of electronic data.
| ||||||
| 22 | Section 15. Operator prohibitions. An operator may not do | ||||||
| 23 | any of the following: | ||||||
| 24 | (1) Sell, lease, or rent covered information. | ||||||
| 25 | (2) Disclose covered information to any person, | ||||||
| |||||||
| |||||||
| 1 | entity, or third party other than the school authority or | ||||||
| 2 | State Board. | ||||||
| 3 | (3) Unless it is already publicly available, use, | ||||||
| 4 | disclose, or share covered information, including | ||||||
| 5 | de-identified or aggregated student information, for any | ||||||
| 6 | commercial purpose that is not a school purpose, including, | ||||||
| 7 | without limitation: | ||||||
| 8 | (A) to develop, maintain, support, improve, | ||||||
| 9 | evaluate, or diagnose the operator's software or | ||||||
| 10 | website; | ||||||
| 11 | (B) for adaptive learning purposes or customized | ||||||
| 12 | student learning; | ||||||
| 13 | (C) to provide recommendation engines to recommend | ||||||
| 14 | content or services; | ||||||
| 15 | (D) to demonstrate or market the effectiveness of | ||||||
| 16 | the operator's website, online service, or mobile | ||||||
| 17 | application; or | ||||||
| 18 | (E) for targeted advertising. | ||||||
| 19 | (4) Disclose or otherwise allow any third party to have | ||||||
| 20 | access to covered information, unless such disclosure is: | ||||||
| 21 | (A) made only in furtherance of a school purpose | ||||||
| 22 | with the school authority's prior consent and the | ||||||
| 23 | recipient of the covered information is legally | ||||||
| 24 | required to comply with this Act; | ||||||
| 25 | (B) to the extent permitted by federal law, to law | ||||||
| 26 | enforcement to protect the safety of users or others or | ||||||
| |||||||
| |||||||
| 1 | the security or integrity of the operator's service; | ||||||
| 2 | (C) required by court order or State or federal | ||||||
| 3 | law; | ||||||
| 4 | (D) to ensure legal or regulatory compliance; or | ||||||
| 5 | (E) to a subcontractor, agent, independent | ||||||
| 6 | contractor or other entity hired by the operator for | ||||||
| 7 | the purpose of enabling the operator to meet its | ||||||
| 8 | contractual obligations to the school authority if | ||||||
| 9 | that entity first acknowledges in writing that it has | ||||||
| 10 | read and understands the requirements of this Act and | ||||||
| 11 | agrees in writing to be bound by its provisions and the | ||||||
| 12 | terms of any agreement entered into between the | ||||||
| 13 | operator and the school authority and a copy of that | ||||||
| 14 | written acknowledgment and agreement is provided to | ||||||
| 15 | the school authority.
| ||||||
| 16 | Section 20. Operator duties. An operator must do the | ||||||
| 17 | following: | ||||||
| 18 | (1) For any operator who seeks to receive from a school | ||||||
| 19 | authority or the State Board in any manner any covered | ||||||
| 20 | information, enter into a written agreement with the school | ||||||
| 21 | authority before any covered information may be | ||||||
| 22 | transferred, which agreement must contain all of the | ||||||
| 23 | following: | ||||||
| 24 | (A) Provisions consistent with each prohibition or | ||||||
| 25 | requirement set forth in this Act. | ||||||
| |||||||
| |||||||
| 1 | (B) A listing of the categories or types of covered | ||||||
| 2 | information to be provided to the operator. | ||||||
| 3 | (C) A statement of the product or service being | ||||||
| 4 | provided to the school authority by the operator. | ||||||
| 5 | (D) A statement that the operator is acting as a | ||||||
| 6 | school official with a legitimate educational | ||||||
| 7 | interest, is performing an institutional service or | ||||||
| 8 | function for which the school authority would | ||||||
| 9 | otherwise use employees, under the direct control of | ||||||
| 10 | the school authority, with respect to the use and | ||||||
| 11 | maintenance of covered information, and is using the | ||||||
| 12 | covered information for only an authorized purpose and | ||||||
| 13 | will not re-disclose it to third parties or affiliates, | ||||||
| 14 | unless otherwise permitted under this Act, without | ||||||
| 15 | permission from the school authority or pursuant to | ||||||
| 16 | court order. | ||||||
| 17 | (E) A description of the actions the operator will | ||||||
| 18 | take, including a description of the training the | ||||||
| 19 | operator will provide to anyone who receives or has | ||||||
| 20 | access to covered information, to ensure the security | ||||||
| 21 | and confidentiality of covered information. Compliance | ||||||
| 22 | with this subparagraph shall not, in itself, absolve | ||||||
| 23 | the operator of liability in the event of an | ||||||
| 24 | unauthorized disclosure of covered information. | ||||||
| 25 | (F) A statement that the operator will destroy or | ||||||
| 26 | transfer to the school authority all covered | ||||||
| |||||||
| |||||||
| 1 | information if the information is no longer needed for | ||||||
| 2 | the purposes of the contract and to specify the time | ||||||
| 3 | period in which the information must be destroyed or | ||||||
| 4 | returned. | ||||||
| 5 | (G) A statement that the school authority will | ||||||
| 6 | publish the contract on the school authority's | ||||||
| 7 | website. | ||||||
| 8 | (H) A statement that the agreement is the entire | ||||||
| 9 | agreement with the school authority, including school | ||||||
| 10 | authority employees and other end users, and the | ||||||
| 11 | operator. | ||||||
| 12 | (2) For any operator with covered information in its | ||||||
| 13 | possession, implement and maintain security procedures and | ||||||
| 14 | practices designed to protect covered information from | ||||||
| 15 | unauthorized access, destruction, use, modification or | ||||||
| 16 | disclosure that, based on the sensitivity of the data and | ||||||
| 17 | the risk from unauthorized access (i) uses technologies and | ||||||
| 18 | methodologies that are consistent with the guidance issued | ||||||
| 19 | pursuant to the federal American Recovery and Reinvestment | ||||||
| 20 | Act of 2009, (ii) maintains technical safeguards as it | ||||||
| 21 | relates to the possession of covered information in a | ||||||
| 22 | manner consistent with the provisions of 45 CFR 164.312, | ||||||
| 23 | and (iii) otherwise meets or exceeds industry standards. | ||||||
| 24 | (3) Destroy, within a reasonable time period, a | ||||||
| 25 | student's covered information if the school authority | ||||||
| 26 | requests destruction of covered information under the | ||||||
| |||||||
| |||||||
| 1 | control of the operator, unless the student's parent | ||||||
| 2 | consents in writing to the maintenance of the covered | ||||||
| 3 | information. A school authority shall make such a request | ||||||
| 4 | to the operator on behalf of a student's parent if the | ||||||
| 5 | parent requests that the student's covered information be | ||||||
| 6 | destroyed, if the destruction is not in violation of the | ||||||
| 7 | Illinois School Student Records Act. | ||||||
| 8 | (4) In the case of any breach, within the most | ||||||
| 9 | expedient time possible and without unreasonable delay, | ||||||
| 10 | but no later than 72 hours after the determination that a | ||||||
| 11 | breach has occurred, notify the school authority of the | ||||||
| 12 | breach of the school authority's student's covered | ||||||
| 13 | information. | ||||||
| 14 | (5) Permit a school authority or its designee to audit | ||||||
| 15 | and inspect, on an annual basis or after any breach, the | ||||||
| 16 | operator's practices with respect to any covered | ||||||
| 17 | information received by the operator from the school | ||||||
| 18 | authority or any student profiles, provided that this | ||||||
| 19 | requirement shall be satisfied if the operator provides the | ||||||
| 20 | school authority with an independent, third-party audit | ||||||
| 21 | acceptable to the school authority that has been conducted | ||||||
| 22 | within the previous 12 months or, in the case of a breach, | ||||||
| 23 | within 3 months after the breach. | ||||||
| 24 | (6) In the event of a breach resulting, in whole or in | ||||||
| 25 | part, from the operator's conduct, in addition to any other | ||||||
| 26 | remedies available to the school authority under law or | ||||||
| |||||||
| |||||||
| 1 | equity, reimburse the school authority in full for all | ||||||
| 2 | reasonable costs and expenses incurred by the school | ||||||
| 3 | authority as a result of the operator's conduct in | ||||||
| 4 | investigating and remediating the breach, including, but | ||||||
| 5 | not limited to: | ||||||
| 6 | (A) providing notification to the parents of those | ||||||
| 7 | students whose covered information was compromised and | ||||||
| 8 | to regulatory agencies or other entities as required by | ||||||
| 9 | law or contract; | ||||||
| 10 | (B) providing one year of credit monitoring to | ||||||
| 11 | those students whose covered information was exposed | ||||||
| 12 | in such a manner during the breach that a reasonable | ||||||
| 13 | person would believe that it could impact his or her | ||||||
| 14 | credit or financial security; | ||||||
| 15 | (C) legal fees, audit costs, fines, and any other | ||||||
| 16 | fees or damages imposed against the school authority as | ||||||
| 17 | a result of the security breach; and | ||||||
| 18 | (D) providing any other notifications or | ||||||
| 19 | fulfilling any other requirements adopted by the State | ||||||
| 20 | Board or of any other State or federal laws.
| ||||||
| 21 | Section 25. School authority prohibitions. A school | ||||||
| 22 | authority may not do any of the following: | ||||||
| 23 | (1) Access, search, read, inspect, copy, monitor, log | ||||||
| 24 | or otherwise use information transmitted via a | ||||||
| 25 | technological device unless it is owned by a school | ||||||
| |||||||
| |||||||
| 1 | authority and the information is used for a school purpose. | ||||||
| 2 | Information obtained or collected in violation of this | ||||||
| 3 | paragraph must be promptly destroyed and may not be used by | ||||||
| 4 | a school authority in any legal proceeding, disciplinary | ||||||
| 5 | action, or administrative hearing or for any other purpose. | ||||||
| 6 | (2) Require that any student must, as part of any | ||||||
| 7 | applicable program, disclose highly sensitive student | ||||||
| 8 | information to an operator without prior written consent of | ||||||
| 9 | the student's parent, which must include an explanation | ||||||
| 10 | that is clear and understandable by a layperson of the data | ||||||
| 11 | elements of highly sensitive student information to be | ||||||
| 12 | shared and for what purpose and to whom it will be | ||||||
| 13 | disclosed. | ||||||
| 14 | (3) Withhold an educational benefit from or take a | ||||||
| 15 | punitive measure against a student or a student's parent | ||||||
| 16 | based in whole or in part upon the student's or parent's | ||||||
| 17 | (i) refusal to allow disclosure or sharing of covered | ||||||
| 18 | information to an operator, (ii) revocation of consent for | ||||||
| 19 | disclosure or sharing of covered information to an | ||||||
| 20 | operator, or (iii) request for destruction of covered | ||||||
| 21 | information maintained by an operator. | ||||||
| 22 | (4) Sell, rent, lease, or trade covered information. | ||||||
| 23 | (5) Share, transfer, disclose, or provide access to a | ||||||
| 24 | student's covered information to an entity or individual, | ||||||
| 25 | other than the student's parent or the State Board, without | ||||||
| 26 | a contract, unless such disclosure or transfer is: | ||||||
| |||||||
| |||||||
| 1 | (A) to the extent permitted by federal law, to law | ||||||
| 2 | enforcement to protect the safety of users or others or | ||||||
| 3 | the security or integrity of the operator's service; | ||||||
| 4 | (B) required by court order or State or federal | ||||||
| 5 | law; or | ||||||
| 6 | (C) to ensure legal or regulatory compliance.
| ||||||
| 7 | Section 30. School authority duties. | ||||||
| 8 | (a) Each school authority shall post and maintain on its | ||||||
| 9 | website all of the following information: | ||||||
| 10 | (1) An explanation that is clear and understandable by | ||||||
| 11 | a layperson of the data elements of covered information | ||||||
| 12 | that the school authority collects, maintains, or | ||||||
| 13 | discloses to any person, entity, third party, or | ||||||
| 14 | governmental agency. The information must explain how the | ||||||
| 15 | school authority uses, to whom it discloses, and for what | ||||||
| 16 | purpose it discloses the covered information. | ||||||
| 17 | (2) A list of operators that the school authority | ||||||
| 18 | contracts with, a copy of each contract, and a business | ||||||
| 19 | address and telephone number for each operator. | ||||||
| 20 | (3) For each operator, a list of any subcontractors to | ||||||
| 21 | whom covered information may be disclosed under Section 15. | ||||||
| 22 | (4) A written description of the procedures that a | ||||||
| 23 | parent may use to carry out the rights enumerated under | ||||||
| 24 | Section 40. | ||||||
| 25 | (5) An explanation that if a school authority does not | ||||||
| |||||||
| |||||||
| 1 | comply with the requirements of this subsection, a parent | ||||||
| 2 | may submit a complaint with the State Board in accordance | ||||||
| 3 | with the complaint policy adopted under Section 35. | ||||||
| 4 | (b) Each school authority must adopt a policy regarding | ||||||
| 5 | school employees who are authorized to enter into contracts | ||||||
| 6 | with operators. A school authority must post on its website | ||||||
| 7 | each contract, along with the information under subsection (a) | ||||||
| 8 | before the contract is implemented and before any covered | ||||||
| 9 | information is disclosed to an operator. Any agreement or | ||||||
| 10 | contract entered into in violation of this Act shall be void | ||||||
| 11 | and unenforceable as against public policy. This subsection may | ||||||
| 12 | not be construed to limit individual school employees outside | ||||||
| 13 | of the scope of their employment from entering into agreements | ||||||
| 14 | with operators on their own behalf and for a non-school | ||||||
| 15 | purpose, provided that no covered information is provided to | ||||||
| 16 | the operators. | ||||||
| 17 | (c) Upon receipt of notice of a breach under Section 20 or | ||||||
| 18 | determination of a breach of covered information maintained by | ||||||
| 19 | the school authority, a school authority shall electronically | ||||||
| 20 | notify, no later than 72 hours after receipt of the notice or | ||||||
| 21 | determination that a breach has occurred, the parent of any | ||||||
| 22 | student whose covered information is involved in the breach. | ||||||
| 23 | The school authority must also post the notice on the school | ||||||
| 24 | authority's website. The notification must include, but is not | ||||||
| 25 | limited to, all of the following: | ||||||
| 26 | (1) The date, estimated date, or estimated date range | ||||||
| |||||||
| |||||||
| 1 | of the breach. | ||||||
| 2 | (2) A description of the covered information that was | ||||||
| 3 | compromised or reasonably believed to have been | ||||||
| 4 | compromised in the breach. | ||||||
| 5 | (3) Information that the parent may use to contact the | ||||||
| 6 | operator and school authority to inquire about the breach. | ||||||
| 7 | (4) The toll-free numbers, addresses, and websites for | ||||||
| 8 | consumer reporting agencies. | ||||||
| 9 | (5) The toll-free number, address, and website for the | ||||||
| 10 | Federal Trade Commission. | ||||||
| 11 | (6) A statement that the parent may obtain information | ||||||
| 12 | from the Federal Trade Commission and credit reporting | ||||||
| 13 | agencies about fraud alerts and security freezes. | ||||||
| 14 | (d) Each school authority must implement and maintain | ||||||
| 15 | security procedures and practices designed to protect covered | ||||||
| 16 | information from unauthorized access, destruction, use, | ||||||
| 17 | modification, or disclosure that, based on the sensitivity of | ||||||
| 18 | the covered information and the risk from unauthorized access, | ||||||
| 19 | (i) use technologies and methodologies that are consistent with | ||||||
| 20 | the guidance issued pursuant to the federal American Recovery | ||||||
| 21 | and Reinvestment Act of 2009, (ii) maintain technical | ||||||
| 22 | safeguards as they relate to the possession of student records | ||||||
| 23 | in a manner consistent with the provisions of 45 CFR 164.312, | ||||||
| 24 | and (iii) otherwise meet or exceed industry standards. | ||||||
| 25 | (e) Each school authority shall designate an appropriate | ||||||
| 26 | staff person as a privacy officer, who may also be official | ||||||
| |||||||
| |||||||
| 1 | records custodian as designated under the Illinois School | ||||||
| 2 | Student Records Act, to carry out the duties and | ||||||
| 3 | responsibilities assigned to school authorities and to ensure | ||||||
| 4 | compliance with the requirements under Sections 25 and 30.
| ||||||
| 5 | Section 35. State Board duties. | ||||||
| 6 | (a) The State Board may not sell, rent, lease, or trade | ||||||
| 7 | covered information. | ||||||
| 8 | (b) The State Board may not share, transfer, disclose, or | ||||||
| 9 | provide covered information to an entity or individual without | ||||||
| 10 | a contract or agreement, with an exception for disclosures | ||||||
| 11 | required by federal law to federal agencies. | ||||||
| 12 | (c) The State Board must publish and maintain on its | ||||||
| 13 | website a list of all of the entities or individuals, | ||||||
| 14 | including, but not limited to, operators, individual | ||||||
| 15 | researchers, research organizations, institutions of higher | ||||||
| 16 | education, and government agencies, that the State Board | ||||||
| 17 | contracts with or has agreements with and that hold covered | ||||||
| 18 | information and a copy of each contract or agreement. The list | ||||||
| 19 | must include all of the following information: | ||||||
| 20 | (1) The name of the entity or individual. In naming an | ||||||
| 21 | individual, the list must include the entity that sponsors | ||||||
| 22 | the individual or with which the individual is affiliated, | ||||||
| 23 | if any. If the individual is conducting research at an | ||||||
| 24 | institution of higher education, the list may include the | ||||||
| 25 | name of that institution and a contact person in the | ||||||
| |||||||
| |||||||
| 1 | department that is associated with the research in lieu of | ||||||
| 2 | the name of the researcher. If the entity is an operator, | ||||||
| 3 | the list must include a business address and telephone | ||||||
| 4 | number for the operator. | ||||||
| 5 | (2) The purpose and scope of the contract or agreement. | ||||||
| 6 | (3) The duration of the contract or agreement. | ||||||
| 7 | (4) The types of covered information that the entity or | ||||||
| 8 | individual holds under the contract or agreement. | ||||||
| 9 | (5) The use of the covered information under the | ||||||
| 10 | contract. | ||||||
| 11 | (6) The length of time for which the entity or | ||||||
| 12 | individual may hold the covered information. | ||||||
| 13 | (7) A list of any subcontractors to whom covered | ||||||
| 14 | information may be disclosed under Section 15. | ||||||
| 15 | (d) The State Board shall create, publish, and make | ||||||
| 16 | publicly available an inventory, along with a dictionary or | ||||||
| 17 | index of data elements and their definitions, of covered | ||||||
| 18 | information collected or maintained by the State Board, | ||||||
| 19 | including, but not limited to, both of the following: | ||||||
| 20 | (1) Covered information that school authorities are | ||||||
| 21 | required to report to the State Board by State or federal | ||||||
| 22 | law. | ||||||
| 23 | (2) Covered information in the State longitudinal data | ||||||
| 24 | system or any data warehouse used by the State Board to | ||||||
| 25 | populate the longitudinal data system. | ||||||
| 26 | The inventory shall make clear for what purposes the State | ||||||
| |||||||
| |||||||
| 1 | Board uses the covered information. | ||||||
| 2 | (e) Within 180 days after the effective date of this Act, | ||||||
| 3 | the State Board shall develop, publish, and make publicly | ||||||
| 4 | available for the benefit of school authorities model student | ||||||
| 5 | data privacy policies and procedures that comply with relevant | ||||||
| 6 | State and federal law, including, but not limited to, all of | ||||||
| 7 | the following: | ||||||
| 8 | (1) A model notice that school authorities must use to | ||||||
| 9 | provide notice to parents and students about operators. The | ||||||
| 10 | notice must be titled "Student Data Shared With Operators" | ||||||
| 11 | and state, in general terms, the types of student data that | ||||||
| 12 | are collected by the school authority and shared with | ||||||
| 13 | operators under this Act and the purposes of collecting and | ||||||
| 14 | using the student data. Upon the creation of the notice | ||||||
| 15 | under this paragraph, a school authority shall, at the | ||||||
| 16 | beginning of each school year, provide the notice to | ||||||
| 17 | parents by the same means generally used to send notices to | ||||||
| 18 | them. | ||||||
| 19 | (2) A model consent form that school authorities may | ||||||
| 20 | use to obtain written consent from a parent to allow | ||||||
| 21 | disclosure of highly sensitive information to an operator, | ||||||
| 22 | as required under Section 25. The consent form must be | ||||||
| 23 | titled "Consent for Highly Sensitive Data Sharing with | ||||||
| 24 | Operators" and must include an explanation that is clear | ||||||
| 25 | and understandable by a layperson of the data elements of | ||||||
| 26 | highly sensitive student information to be shared and for | ||||||
| |||||||
| |||||||
| 1 | what purpose and to whom it will be disclosed. | ||||||
| 2 | (f) The State Board must adopt, implement, and administer a | ||||||
| 3 | policy for hearing complaints from a parent regarding a school | ||||||
| 4 | authority's compliance with Sections 25 and 30. At a minimum, | ||||||
| 5 | the policy must provide a parent the opportunity to submit | ||||||
| 6 | information and receive a hearing from the State Board and must | ||||||
| 7 | require the State Board to take action on the parent's | ||||||
| 8 | complaint no later than 60 days after the hearing.
| ||||||
| 9 | Section 40. Parent rights. | ||||||
| 10 | (a) A student's covered information is the sole property of | ||||||
| 11 | the student's parent. | ||||||
| 12 | (b) A student's covered information shall be collected only | ||||||
| 13 | for specified, explicit, and legitimate school purposes and not | ||||||
| 14 | further processed in a manner that is incompatible with those | ||||||
| 15 | purposes. | ||||||
| 16 | (c) A student's covered information shall only be adequate, | ||||||
| 17 | relevant, and limited to what is necessary in relation to the | ||||||
| 18 | school purpose for which it is processed. | ||||||
| 19 | (d) The parent of a student enrolled in a school has the | ||||||
| 20 | right to all of the following: | ||||||
| 21 | (1) Inspect and review the student's student data, | ||||||
| 22 | regardless of whether it is maintained by the school, the | ||||||
| 23 | school authority, the State Board, or an operator. | ||||||
| 24 | (2) Request from a school authority a paper or | ||||||
| 25 | electronic copy of the student's covered information, | ||||||
| |||||||
| |||||||
| 1 | including covered information maintained by an operator or | ||||||
| 2 | the State Board. If a parent requests an electronic copy of | ||||||
| 3 | the student's covered information under this paragraph, | ||||||
| 4 | the school authority must provide an electronic copy of | ||||||
| 5 | that information unless the school authority does not | ||||||
| 6 | maintain the information in an electronic format and | ||||||
| 7 | reproducing the information in an electronic format would | ||||||
| 8 | be unduly burdensome to the school authority. If a parent | ||||||
| 9 | requests a paper copy of the student's covered information, | ||||||
| 10 | the school authority may charge the parent the reasonable | ||||||
| 11 | cost for copying the information in an amount not to exceed | ||||||
| 12 | the amount fixed in a schedule adopted by the State Board, | ||||||
| 13 | except that no parent may be denied a copy of the | ||||||
| 14 | information due to the parent's inability to bear the cost | ||||||
| 15 | of the copying. | ||||||
| 16 | (3) Request corrections of factual inaccuracies | ||||||
| 17 | contained in the student's covered information. After | ||||||
| 18 | receiving a request for corrections that documents a | ||||||
| 19 | factual inaccuracy, a school authority must complete | ||||||
| 20 | either of the following: | ||||||
| 21 | (A) Confirm the correction with the parent within | ||||||
| 22 | 90 days after receiving the parent's request if the | ||||||
| 23 | school authority or State Board maintains the covered | ||||||
| 24 | information that contains the factual inaccuracy. | ||||||
| 25 | (B) Notify the operator who must confirm the | ||||||
| 26 | correction with the parent within 90 days after | ||||||
| |||||||
| |||||||
| 1 | receiving the parent's request if the covered | ||||||
| 2 | information that contains the factual inaccuracy is | ||||||
| 3 | maintained by an operator. | ||||||
| 4 | (e) Nothing in this Act shall be construed to limit the | ||||||
| 5 | rights granted to parents and students under the Illinois | ||||||
| 6 | School Student Records Act.
| ||||||
| 7 | Section 45. Right of action. | ||||||
| 8 | (a) Any person aggrieved by a violation of this Act shall | ||||||
| 9 | have a right of action in a State circuit court or as a | ||||||
| 10 | supplemental claim in federal district court against an | ||||||
| 11 | offending party. A prevailing party may recover for each | ||||||
| 12 | violation any of the following: | ||||||
| 13 | (1) Against a private entity that negligently violates | ||||||
| 14 | a provision of this Act, liquidated damages of $1,000 or | ||||||
| 15 | actual damages, whichever one is greater. | ||||||
| 16 | (2) Against a private entity that intentionally or | ||||||
| 17 | recklessly violates a provision of this Act, liquidated | ||||||
| 18 | damages of $5,000 or actual damages, whichever one is | ||||||
| 19 | greater. | ||||||
| 20 | (3) Reasonable attorney's fees and costs, including | ||||||
| 21 | expert witness fees and other litigation expenses. | ||||||
| 22 | (4) Other relief, including an injunction, as the State | ||||||
| 23 | or federal court deems appropriate. | ||||||
| 24 | (b) An individual who knowingly or intentionally permits | ||||||
| 25 | the unauthorized collecting, sharing, or using of covered | ||||||
| |||||||
| |||||||
| 1 | information under this Act is guilty of a class A misdemeanor.
| ||||||
| 2 | Section 50. Oversight. | ||||||
| 3 | (a) There is created a Student Data Protection Oversight | ||||||
| 4 | Committee that consists of all of the following members, | ||||||
| 5 | appointed by the State Board of Education: | ||||||
| 6 | (1) A high school student enrolled in a public school | ||||||
| 7 | in this State. | ||||||
| 8 | (2) A parent of a student in a school district | ||||||
| 9 | organized under Article 34 of the School Code. | ||||||
| 10 | (3) A parent of a student in a school district located | ||||||
| 11 | in Lake, Kane, Will, DuPage, McHenry, or Cook County, but | ||||||
| 12 | not in a school district organized under Article 34 of the | ||||||
| 13 | School Code. | ||||||
| 14 | (4) A parent of a student enrolled in a small, rural | ||||||
| 15 | school district. | ||||||
| 16 | (5) An expert in information technology systems. | ||||||
| 17 | (6) An expert in digital privacy law. | ||||||
| 18 | (7) A representative of a computer and information | ||||||
| 19 | technology trade group. | ||||||
| 20 | (8) A representative of a civil rights advocacy | ||||||
| 21 | organization. | ||||||
| 22 | (9) A representative of a different civil rights or a | ||||||
| 23 | privacy rights advocacy organization. | ||||||
| 24 | (10) A representative of an association representing | ||||||
| 25 | principals in a city having a population exceeding 500,000. | ||||||
| |||||||
| |||||||
| 1 | (11) A representative of a statewide association | ||||||
| 2 | representing school administrators. | ||||||
| 3 | (12) A representative of a statewide professional | ||||||
| 4 | teachers' organization. | ||||||
| 5 | (13) A representative of a different statewide | ||||||
| 6 | professional teachers' organization. | ||||||
| 7 | (14) A representative of a professional teachers' | ||||||
| 8 | organization in a city having a population exceeding | ||||||
| 9 | 500,000. | ||||||
| 10 | (15) A representative of a statewide association | ||||||
| 11 | representing school boards. | ||||||
| 12 | (16) A representative of a school district organized | ||||||
| 13 | under Article 34 of the School Code. | ||||||
| 14 | (17) The Attorney General or his or her designee. | ||||||
| 15 | (18) The State Superintendent of Education or his or | ||||||
| 16 | her designee. | ||||||
| 17 | The State Board, in consultation with the Committee, may | ||||||
| 18 | appoint no more than 2 additional individuals to the Committee | ||||||
| 19 | who shall serve in an advisory role and may not have voting or | ||||||
| 20 | other decision-making rights. | ||||||
| 21 | (b) The Committee shall initially meet at the call of the | ||||||
| 22 | Governor, at which meeting it shall designate a chairperson. | ||||||
| 23 | The Committee shall meet thereafter at the call of the | ||||||
| 24 | chairperson, but no less than 4 times within one year after the | ||||||
| 25 | effective date of this Act and at least once per year | ||||||
| 26 | thereafter to review existing laws and federal regulations on | ||||||
| |||||||
| |||||||
| 1 | covered information in light of technological and legal | ||||||
| 2 | developments. The Committee shall serve without compensation | ||||||
| 3 | but may be reimbursed for reasonable and necessary expenses | ||||||
| 4 | incurred in performing their duties from funds appropriated to | ||||||
| 5 | the State Board for that purpose. The State Board must provide | ||||||
| 6 | administrative and other support to the Committee. The | ||||||
| 7 | Committee shall submit an annual report to the General Assembly | ||||||
| 8 | and the State Board no later than December 15, 2019 and each | ||||||
| 9 | December 15 thereafter with recommendations, if any, for policy | ||||||
| 10 | revisions and legislative amendments that would carry out the | ||||||
| 11 | intent of this Act. The Committee is subject to the Open | ||||||
| 12 | Meetings Act.
| ||||||
| 13 | Section 100. Severability. The provisions of this Act are | ||||||
| 14 | severable under Section 1.31 of the Statute on Statutes.
| ||||||
| 15 | Section 105. The Illinois School Student Records Act is | ||||||
| 16 | amended by changing Sections 2 and 6 as follows:
| ||||||
| 17 | (105 ILCS 10/2) (from Ch. 122, par. 50-2)
| ||||||
| 18 | Sec. 2.
As used in this Act,
| ||||||
| 19 | (a) "Student" means any person enrolled or previously | ||||||
| 20 | enrolled in a school.
| ||||||
| 21 | (b) "School" means any public preschool, day care center,
| ||||||
| 22 | kindergarten, nursery, elementary or secondary educational | ||||||
| 23 | institution,
vocational school, special educational facility | ||||||
| |||||||
| |||||||
| 1 | or any other elementary or
secondary educational agency or | ||||||
| 2 | institution and any person, agency or
institution which | ||||||
| 3 | maintains school student records from more than one school,
but | ||||||
| 4 | does not include a private or non-public school.
| ||||||
| 5 | (c) "State Board" means the State Board of Education.
| ||||||
| 6 | (d) "School Student Record" means any writing or
other | ||||||
| 7 | recorded information concerning a student
and by which a | ||||||
| 8 | student may be individually identified or personally | ||||||
| 9 | identified that is ,
maintained by a school or at its direction | ||||||
| 10 | or by an employee of a
school, regardless of how or where the | ||||||
| 11 | information is stored.
The following shall not be deemed school | ||||||
| 12 | student records under
this Act: writings or other recorded | ||||||
| 13 | information maintained by an
employee of a school or other | ||||||
| 14 | person at the direction of a school for his or
her exclusive | ||||||
| 15 | use; provided that all such writings and other recorded
| ||||||
| 16 | information are destroyed not later than the student's | ||||||
| 17 | graduation or permanent
withdrawal from the school; and | ||||||
| 18 | provided further that no such records or
recorded information | ||||||
| 19 | may be released or disclosed to any person except a person
| ||||||
| 20 | designated by the school as
a substitute unless they are first | ||||||
| 21 | incorporated
in a school student record and made subject to all | ||||||
| 22 | of the
provisions of this Act.
School student records shall not | ||||||
| 23 | include information maintained by
law enforcement | ||||||
| 24 | professionals working in the school.
| ||||||
| 25 | (e) "Student Permanent Record" means the minimum personal
| ||||||
| 26 | information necessary to a school in the education of the | ||||||
| |||||||
| |||||||
| 1 | student
and contained in a school student record. Such | ||||||
| 2 | information
may include the student's name, birth date, | ||||||
| 3 | address, grades
and grade level, parents' names and addresses, | ||||||
| 4 | attendance
records, and such other entries as the State Board | ||||||
| 5 | may
require or authorize.
| ||||||
| 6 | (f) "Student Temporary Record" means all information | ||||||
| 7 | contained in
a school student record but not contained in
the | ||||||
| 8 | student permanent record. Such information may include
family | ||||||
| 9 | background information, intelligence test scores, aptitude
| ||||||
| 10 | test scores, psychological and personality test results, | ||||||
| 11 | teacher
evaluations, and other information of clear relevance | ||||||
| 12 | to the
education of the student, all subject to regulations of | ||||||
| 13 | the State Board.
The information shall include information | ||||||
| 14 | provided under Section 8.6 of the
Abused and Neglected Child | ||||||
| 15 | Reporting Act.
In addition, the student temporary record shall | ||||||
| 16 | include information regarding
serious disciplinary infractions | ||||||
| 17 | that resulted in expulsion, suspension, or the
imposition of | ||||||
| 18 | punishment or sanction. For purposes of this provision, serious
| ||||||
| 19 | disciplinary infractions means: infractions involving drugs, | ||||||
| 20 | weapons, or bodily
harm to another.
| ||||||
| 21 | (g) "Parent" means a person who is the natural parent of | ||||||
| 22 | the
student or other person who has the primary responsibility | ||||||
| 23 | for the
care and upbringing of the student. All rights and | ||||||
| 24 | privileges accorded
to a parent under this Act shall become | ||||||
| 25 | exclusively those of the student
upon his 18th birthday, | ||||||
| 26 | graduation from secondary school, marriage
or entry into | ||||||
| |||||||
| |||||||
| 1 | military service, whichever occurs first. Such
rights and | ||||||
| 2 | privileges may also be exercised by the student
at any time | ||||||
| 3 | with respect to the student's permanent school record.
| ||||||
| 4 | (h) "Record" means any information maintained in any way, | ||||||
| 5 | including, but not limited to, electronically-generated data, | ||||||
| 6 | handwriting, print, computer media, video or audio tape, film, | ||||||
| 7 | microfilm, and microfiche. | ||||||
| 8 | (Source: P.A. 92-295, eff. 1-1-02.)
| ||||||
| 9 | (105 ILCS 10/6) (from Ch. 122, par. 50-6)
| ||||||
| 10 | Sec. 6. (a) No school student records or information
| ||||||
| 11 | contained therein may be released, transferred, disclosed or | ||||||
| 12 | otherwise
disseminated, except as follows:
| ||||||
| 13 | (1) to a parent or student or person specifically
| ||||||
| 14 | designated as a representative by a parent, as provided in | ||||||
| 15 | paragraph (a)
of Section 5;
| ||||||
| 16 | (2) to an employee or official of the school or
school | ||||||
| 17 | district or State Board with current demonstrable | ||||||
| 18 | educational
or administrative interest in the student, in | ||||||
| 19 | furtherance of such interest;
| ||||||
| 20 | (3) to the official records custodian of another school | ||||||
| 21 | within
Illinois or an official with similar | ||||||
| 22 | responsibilities of a school
outside Illinois, in which the | ||||||
| 23 | student has enrolled, or intends to enroll,
upon the | ||||||
| 24 | request of such official or student;
| ||||||
| 25 | (4) to any person for the purpose of research,
| ||||||
| |||||||
| |||||||
| 1 | statistical reporting, or planning, provided that such | ||||||
| 2 | research, statistical reporting, or planning is | ||||||
| 3 | permissible under and undertaken in accordance with the | ||||||
| 4 | federal Family Educational Rights and Privacy Act (20 | ||||||
| 5 | U.S.C. 1232g);
| ||||||
| 6 | (5) pursuant to a court order, provided that the
parent | ||||||
| 7 | shall be given prompt written notice upon receipt
of such | ||||||
| 8 | order of the terms of the order, the nature and
substance | ||||||
| 9 | of the information proposed to be released
in compliance | ||||||
| 10 | with such order and an opportunity to
inspect and copy the | ||||||
| 11 | school student records and to
challenge their contents | ||||||
| 12 | pursuant to Section 7;
| ||||||
| 13 | (6) to any person as specifically required by State
or | ||||||
| 14 | federal law;
| ||||||
| 15 | (6.5) to juvenile authorities
when necessary for the | ||||||
| 16 | discharge of their official duties
who request information | ||||||
| 17 | prior to
adjudication of the student and who certify in | ||||||
| 18 | writing that the information
will not be disclosed to any | ||||||
| 19 | other party except as provided under law or order
of court. | ||||||
| 20 | For purposes of this Section "juvenile authorities" means:
| ||||||
| 21 | (i) a judge of
the circuit court and members of the staff | ||||||
| 22 | of the court designated by the
judge; (ii) parties to the | ||||||
| 23 | proceedings under the Juvenile Court Act of 1987 and
their | ||||||
| 24 | attorneys; (iii) probation
officers and court appointed | ||||||
| 25 | advocates for the juvenile authorized by the judge
hearing | ||||||
| 26 | the case; (iv) any individual, public or private agency | ||||||
| |||||||
| |||||||
| 1 | having custody
of the child pursuant to court order; (v) | ||||||
| 2 | any individual, public or private
agency providing | ||||||
| 3 | education, medical or mental health service to the child | ||||||
| 4 | when
the requested information is needed to determine the | ||||||
| 5 | appropriate service or
treatment for the minor; (vi) any | ||||||
| 6 | potential placement provider when such
release
is | ||||||
| 7 | authorized by the court for the limited purpose of | ||||||
| 8 | determining the
appropriateness of the potential | ||||||
| 9 | placement; (vii) law enforcement officers and
prosecutors;
| ||||||
| 10 | (viii) adult and juvenile prisoner review boards; (ix) | ||||||
| 11 | authorized military
personnel; (x)
individuals authorized | ||||||
| 12 | by court;
| ||||||
| 13 | (7) subject to regulations of the State Board,
in | ||||||
| 14 | connection with an emergency, to appropriate persons
if the | ||||||
| 15 | knowledge of such information is necessary to protect
the | ||||||
| 16 | health or safety of the student or other
persons;
| ||||||
| 17 | (8) to any person, with the prior specific dated
| ||||||
| 18 | written consent of the parent designating the person
to | ||||||
| 19 | whom the records may be released, provided that at
the time | ||||||
| 20 | any such consent is requested or obtained,
the parent shall | ||||||
| 21 | be advised in writing that he has the right
to inspect and | ||||||
| 22 | copy such records in accordance with Section 5, to
| ||||||
| 23 | challenge their contents in accordance with Section 7 and | ||||||
| 24 | to limit any such
consent to
designated records or | ||||||
| 25 | designated portions of the information contained
therein;
| ||||||
| 26 | (9) to a governmental agency, or social service agency | ||||||
| |||||||
| |||||||
| 1 | contracted by a
governmental agency, in furtherance of an | ||||||
| 2 | investigation of a student's school
attendance pursuant to | ||||||
| 3 | the compulsory student attendance laws of this State,
| ||||||
| 4 | provided that the records are released to the employee or | ||||||
| 5 | agent designated by
the agency;
| ||||||
| 6 | (10) to those SHOCAP committee members who fall within | ||||||
| 7 | the meaning of
"state and local officials and authorities", | ||||||
| 8 | as those terms are used within the
meaning of the federal | ||||||
| 9 | Family Educational Rights and Privacy Act, for
the
purposes | ||||||
| 10 | of identifying serious habitual juvenile offenders and | ||||||
| 11 | matching those
offenders with community resources pursuant | ||||||
| 12 | to Section 5-145 of the Juvenile
Court Act of 1987, but | ||||||
| 13 | only to the extent that the release, transfer,
disclosure, | ||||||
| 14 | or dissemination is consistent with the Family Educational | ||||||
| 15 | Rights
and Privacy Act;
| ||||||
| 16 | (11) to the Department of Healthcare and Family | ||||||
| 17 | Services in furtherance of the
requirements of Section | ||||||
| 18 | 2-3.131, 3-14.29, 10-28, or 34-18.26 of
the School Code or | ||||||
| 19 | Section 10 of the School Breakfast and Lunch
Program Act; | ||||||
| 20 | or
| ||||||
| 21 | (12) to the State Board or another State government | ||||||
| 22 | agency or between or among State government agencies in | ||||||
| 23 | order to evaluate or audit federal and State programs or | ||||||
| 24 | perform research and planning, but only to the extent that | ||||||
| 25 | the release, transfer, disclosure, or dissemination is | ||||||
| 26 | consistent with the federal Family Educational Rights and | ||||||
| |||||||
| |||||||
| 1 | Privacy Act (20 U.S.C. 1232g). | ||||||
| 2 | (b) No information may be released pursuant to subparagraph | ||||||
| 3 | (3) or
(6) of paragraph (a) of this Section 6 unless the parent | ||||||
| 4 | receives
prior written notice of the nature and substance of | ||||||
| 5 | the information
proposed to be released, and an opportunity to | ||||||
| 6 | inspect
and copy such records in accordance with Section 5 and | ||||||
| 7 | to
challenge their contents in accordance with Section 7. | ||||||
| 8 | Provided, however,
that such notice shall be sufficient if | ||||||
| 9 | published in a local newspaper of
general circulation or other | ||||||
| 10 | publication directed generally to the parents
involved where | ||||||
| 11 | the proposed release of information is pursuant to
subparagraph | ||||||
| 12 | (6) of paragraph (a) of this Section 6 and relates to more
than | ||||||
| 13 | 25 students.
| ||||||
| 14 | (c) A record of any release of information pursuant
to this | ||||||
| 15 | Section must be made and kept as a part of the
school student | ||||||
| 16 | record and subject to the access granted by Section 5.
Such | ||||||
| 17 | record of release shall be maintained for the life of the
| ||||||
| 18 | school student records and shall be available only to the | ||||||
| 19 | parent
and the official records custodian.
Each record of | ||||||
| 20 | release shall also include:
| ||||||
| 21 | (1) the nature and substance of the information | ||||||
| 22 | released;
| ||||||
| 23 | (2) the name and signature of the official records
| ||||||
| 24 | custodian releasing such information;
| ||||||
| 25 | (3) the name of the person requesting such information,
| ||||||
| 26 | the capacity in which such a request has been made, and the | ||||||
| |||||||
| |||||||
| 1 | purpose of such
request;
| ||||||
| 2 | (4) the date of the release; and
| ||||||
| 3 | (5) a copy of any consent to such release.
| ||||||
| 4 | (d) Except for the student and his parents, no person
to | ||||||
| 5 | whom information is released pursuant to this Section
and no | ||||||
| 6 | person specifically designated as a representative by a parent
| ||||||
| 7 | may permit any other person to have access to such information | ||||||
| 8 | without a prior
consent of the parent obtained in accordance | ||||||
| 9 | with the requirements
of subparagraph (8) of paragraph (a) of | ||||||
| 10 | this Section.
| ||||||
| 11 | (e) Nothing contained in this Act shall prohibit, with the | ||||||
| 12 | written consent of a student's parent, the
publication of | ||||||
| 13 | student directories which list student names, addresses
and | ||||||
| 14 | other identifying information and similar publications which
| ||||||
| 15 | comply with regulations issued by the State Board.
| ||||||
| 16 | (Source: P.A. 99-78, eff. 7-20-15.)
| ||||||
| 17 | (105 ILCS 85/Act rep.) | ||||||
| 18 | Section 110. The Student Online Personal Protection Act is | ||||||
| 19 | repealed.
| ||||||
| 20 | Section 115. The Consumer Fraud and Deceptive Business | ||||||
| 21 | Practices Act is amended by changing Section 2Z as follows:
| ||||||
| 22 | (815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)
| ||||||
| 23 | Sec. 2Z. Violations of other Acts. Any person who knowingly | ||||||
| |||||||
| |||||||
| 1 | violates
the Automotive Repair Act, the Automotive Collision | ||||||
| 2 | Repair Act,
the Home Repair and Remodeling Act,
the Dance | ||||||
| 3 | Studio Act,
the Physical Fitness Services Act,
the Hearing | ||||||
| 4 | Instrument Consumer Protection Act,
the Illinois Union Label | ||||||
| 5 | Act, the Installment Sales Contract Act,
the Job Referral and | ||||||
| 6 | Job Listing Services Consumer Protection Act,
the Travel | ||||||
| 7 | Promotion Consumer Protection Act,
the Credit Services | ||||||
| 8 | Organizations Act,
the Automatic Telephone Dialers Act,
the | ||||||
| 9 | Pay-Per-Call Services Consumer Protection Act,
the Telephone | ||||||
| 10 | Solicitations Act,
the Illinois Funeral or Burial Funds Act,
| ||||||
| 11 | the Cemetery Oversight Act, the Cemetery Care Act,
the Safe and | ||||||
| 12 | Hygienic Bed Act,
the Illinois Pre-Need Cemetery Sales Act,
the | ||||||
| 13 | High Risk Home Loan Act, the Payday Loan Reform Act, the | ||||||
| 14 | Mortgage Rescue Fraud Act, subsection (a) or (b) of Section | ||||||
| 15 | 3-10 of the
Cigarette Tax Act, subsection
(a) or (b) of Section | ||||||
| 16 | 3-10 of the Cigarette Use Tax Act, the Electronic
Mail Act, the | ||||||
| 17 | Internet Caller Identification Act, paragraph (6)
of
| ||||||
| 18 | subsection (k) of Section 6-305 of the Illinois Vehicle Code, | ||||||
| 19 | Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150, | ||||||
| 20 | or 18d-153 of the Illinois Vehicle Code, Article 3 of the | ||||||
| 21 | Residential Real Property Disclosure Act, the Automatic | ||||||
| 22 | Contract Renewal Act, the Reverse Mortgage Act, Section 25 of | ||||||
| 23 | the Youth Mental Health Protection Act, the Personal | ||||||
| 24 | Information Protection Act, or the Student Online Personal | ||||||
| 25 | Protection Act of 2019 commits an unlawful practice within the | ||||||
| 26 | meaning of this Act.
| ||||||
| |||||||
| |||||||
| 1 | (Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642, | ||||||
| 2 | eff. 7-28-16; 100-315, eff. 8-24-17; 100-416, eff. 1-1-18; | ||||||
| 3 | 100-863, eff. 8-14-18.)
| ||||||
| 4 | Section 999. Effective date. This Act takes effect upon | ||||||
| 5 | becoming law.
| ||||||
