|
|
|
|
96TH GENERAL ASSEMBLY
State of Illinois
2009 and 2010
HB0547
Introduced 2/4/2009, by Rep. Sandra M. Pihos SYNOPSIS AS INTRODUCED:
|
|
New Act |
|
30 ILCS 805/8.33 new |
|
|
Creates the Identity Protection Act. Prohibits a State or local government agency from using an individual's social security number in certain ways, subject to various exceptions. Requires each State or local government agency to develop and implement an identity protection policy. Provides that any employee of a State or local government agency who intentionally violates the provisions of the Act is guilty of a Class B misdemeanor. Preempts the concurrent exercise of home rule powers. Imposes conditions on any rulemaking authority. Amends the State Mandates Act to require implementation without reimbursement by the State. Effective immediately.
|
| |
|
|
| CORRECTIONAL BUDGET AND IMPACT NOTE ACT MAY APPLY |
FISCAL NOTE ACT MAY APPLY |
HOME RULE NOTE ACT MAY APPLY |
| STATE MANDATES ACT MAY REQUIRE REIMBURSEMENT
MAY APPLY
| |
|
|
|
A BILL FOR
|
|
|
|
|
HB0547 |
|
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| AN ACT concerning State government.
|
| 2 |
| Be it enacted by the People of the State of Illinois,
|
| 3 |
| represented in the General Assembly:
|
| 4 |
| Section 1. Short title. This Act may be cited as the |
| 5 |
| Identity Protection Act.
|
| 6 |
| Section 5. Definitions. In this Act: |
| 7 |
| "Local government agency" means that term as it is defined |
| 8 |
| in Section 1-8 of the Illinois State Auditing Act.
|
| 9 |
| "Person" means any individual in the employ of a State |
| 10 |
| agency or local government agency. |
| 11 |
| "Publicly post" or "publicly display" means to |
| 12 |
| intentionally communicate or otherwise intentionally make |
| 13 |
| available to the general public. |
| 14 |
| "State agency" means that term as it is defined in Section |
| 15 |
| 1-7 of the Illinois State Auditing Act.
|
| 16 |
| Section 10. Prohibited activities. |
| 17 |
| (a) Except as otherwise provided in this Act,
beginning |
| 18 |
| July 1, 2010, no
person or State or local government agency may |
| 19 |
| do any of the following: |
| 20 |
| (1) Publicly post or publicly display in any manner an |
| 21 |
| individual's social security number. |
| 22 |
| (2) Print an individual's social security number on any |
|
|
|
HB0547 |
- 2 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| card
required for the individual to access products or |
| 2 |
| services provided by the person or entity; however, a |
| 3 |
| person or entity that provides an insurance card must print |
| 4 |
| on the card an identification number unique to the holder |
| 5 |
| of the card in the format prescribed by Section 15 of the
|
| 6 |
| Uniform Prescription Drug Information Card Act. |
| 7 |
| (3) Require an individual to transmit his or her social |
| 8 |
| security number over the Internet, unless the connection is |
| 9 |
| secure or the social security number is encrypted. |
| 10 |
| (4) Require an individual to use his or her social |
| 11 |
| security number to access an Internet web site, unless a |
| 12 |
| password or unique personal identification number or other |
| 13 |
| authentication device is also required to access the |
| 14 |
| Internet web site. |
| 15 |
| (5) Print an individual's social security number on any |
| 16 |
| materials that are mailed to the individual, through the |
| 17 |
| U.S. Postal Service, any private mail service, electronic |
| 18 |
| mail, or any similar method of delivery, unless State or |
| 19 |
| federal law requires the social security number to be on |
| 20 |
| the document to be mailed. Notwithstanding any provision in |
| 21 |
| this Section to the contrary, social security numbers may |
| 22 |
| be included in applications and forms sent by mail, |
| 23 |
| including, but not limited to, any material mailed in |
| 24 |
| connection with the administration of the Unemployment |
| 25 |
| Insurance Act, any material mailed in connection with any |
| 26 |
| tax administered by the Department of Revenue, and |
|
|
|
HB0547 |
- 3 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| documents sent as part of an application or enrollment |
| 2 |
| process or to establish, amend, or terminate an account, |
| 3 |
| contract, or policy or to confirm the accuracy of the |
| 4 |
| social security number. A social security number that may |
| 5 |
| permissibly be mailed under this Section may not be |
| 6 |
| printed, in whole or in part, on a postcard or other mailer |
| 7 |
| that does not require an envelope or be visible on an |
| 8 |
| envelope or visible without the envelope having been |
| 9 |
| opened. |
| 10 |
| (6) Collect a social security number from an |
| 11 |
| individual, unless required to do so under State or federal |
| 12 |
| law, rules, or regulations, unless the collection of the |
| 13 |
| social security number is otherwise necessary for the |
| 14 |
| performance of that agency's duties and responsibilities. |
| 15 |
| Social security numbers collected by a State or local |
| 16 |
| government agency must be relevant to the purpose for which |
| 17 |
| the number was collected and must not be collected unless |
| 18 |
| and until the need for social security numbers for that |
| 19 |
| purpose has been clearly documented. |
| 20 |
| (7) Use the social security number for any purpose |
| 21 |
| other than the purpose for which it was collected. |
| 22 |
| (8) Intentionally communicate or otherwise make |
| 23 |
| available to the general public a person's social security |
| 24 |
| number. |
| 25 |
| (b) The prohibitions in subsection (a) do not apply in the |
| 26 |
| following circumstances: |
|
|
|
HB0547 |
- 4 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| (1) The disclosure of social security numbers to |
| 2 |
| agents, employees, or contractors of a governmental entity |
| 3 |
| or disclosed by a governmental entity to another |
| 4 |
| governmental entity or its agents, employees, or |
| 5 |
| contractors if disclosure is necessary in order for the |
| 6 |
| entity to perform its duties and responsibilities and if |
| 7 |
| the governmental entity and its agents, employees, and |
| 8 |
| contractors maintain the confidential and exempt status of |
| 9 |
| the social security numbers. |
| 10 |
| (2) The disclosure of social security numbers pursuant |
| 11 |
| to a court order, warrant, or subpoena. |
| 12 |
| (3) The collection, use, or disclosure of social |
| 13 |
| security numbers in order to ensure the safety of: State |
| 14 |
| and local government employees; persons committed to |
| 15 |
| correctional facilities, local jails, and other |
| 16 |
| law-enforcement facilities or retention centers; wards of |
| 17 |
| the State; and all persons working in or visiting a State |
| 18 |
| or local government agency facility. |
| 19 |
| (4) The disclosure of social security numbers by a |
| 20 |
| State agency to any entity for the collection of delinquent |
| 21 |
| child support or of any State debt. |
| 22 |
| (5) The collection, use, or disclosure of social |
| 23 |
| security numbers to investigate or prevent fraud, to |
| 24 |
| conduct background checks, to conduct social or scientific |
| 25 |
| research, to collect a debt, to obtain a credit report from |
| 26 |
| or furnish data to a consumer reporting agency under the |
|
|
|
HB0547 |
- 5 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| federal Fair Credit Reporting Act, to undertake any |
| 2 |
| permissible purpose that is enumerated under the federal |
| 3 |
| Gramm Leach Bliley Act, or to locate a missing person, a |
| 4 |
| lost relative, or a person who is due a benefit, such as a |
| 5 |
| pension benefit or an unclaimed-property benefit. |
| 6 |
| (c) If any State agency or local government agency has |
| 7 |
| adopted standards for the collection, use, or disclosure of |
| 8 |
| social security numbers that are stricter than the standards |
| 9 |
| under this Act with respect to the protection of that |
| 10 |
| identifying information, then, in the event of any conflict |
| 11 |
| with the provisions of this Act, the stricter standards adopted |
| 12 |
| by the State agency or local government agency shall control.
|
| 13 |
| Section 15. Public inspection and copying of information |
| 14 |
| and documents. Notwithstanding any other provision of this Act |
| 15 |
| to the contrary, a person or State or local government agency |
| 16 |
| must comply with the provisions of any other State law with |
| 17 |
| respect to allowing the public inspection and copying of |
| 18 |
| information or documents containing all or any portion of an |
| 19 |
| individual's social security number.
|
| 20 |
| Section 20. Applicability. |
| 21 |
| (a) This Act does not apply to the collection, use, or |
| 22 |
| release
of a social security number as required by State or |
| 23 |
| federal law, rule, or regulation, or
the use of a social |
| 24 |
| security number or other identifying information for internal |
|
|
|
HB0547 |
- 6 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| verification or
administrative purposes. |
| 2 |
| (b) This Act does not apply to documents that are recorded |
| 3 |
| with a county recorder or
required to be open to the public |
| 4 |
| under any State or federal law, rule, or regulation, applicable |
| 5 |
| case law, Supreme Court Rule, or the Constitution of the State |
| 6 |
| of Illinois. Notwithstanding this Section, county recorders |
| 7 |
| must comply with the provisions of Section 35 of this Act.
|
| 8 |
| Section 25. Compliance with federal law. If a federal law |
| 9 |
| takes effect requiring any federal agency to establish a |
| 10 |
| national
unique patient health identifier program, any State or |
| 11 |
| local government agency that complies with the federal law |
| 12 |
| shall be deemed to be in compliance with this
Act.
|
| 13 |
| Section 30. Embedded social security numbers. Beginning |
| 14 |
| December 31, 2009, no person or State or local government |
| 15 |
| agency may encode or embed a social security
number in or on a |
| 16 |
| card or document, including, but not limited to,
using a bar |
| 17 |
| code, chip, magnetic strip, RFID technology, or other |
| 18 |
| technology, in place
of removing the social security number as |
| 19 |
| required by this Act.
|
| 20 |
| Section 35. Identity-protection policy; local government. |
| 21 |
| Each local government agency must establish an |
| 22 |
| identity-protection policy and must implement that policy on or |
| 23 |
| before December 31, 2009. The policy must do all of the |
|
|
|
HB0547 |
- 7 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| following:
|
| 2 |
| (1) Identify all employees of the local government |
| 3 |
| agency who may have access to social security numbers in |
| 4 |
| the course of performing their duties. |
| 5 |
| (2) Require all employees of the local government |
| 6 |
| agency identified as having access to social security |
| 7 |
| numbers in the course of performing their duties to be |
| 8 |
| trained to protect the confidentiality of social security |
| 9 |
| numbers and to understand the requirements of this Section. |
| 10 |
| (3) Prohibit the unlawful disclosure of social |
| 11 |
| security numbers. |
| 12 |
| (4) Limit the number of employees who have access to |
| 13 |
| information or documents that contain social security |
| 14 |
| numbers. |
| 15 |
| (5) Describe how to properly dispose of information and |
| 16 |
| documents that contain social security numbers. |
| 17 |
| (6) Establish penalties for violation of the privacy |
| 18 |
| policy.
|
| 19 |
| (7) Prevent the intentional communication of or |
| 20 |
| ability of the general public to access an individual's |
| 21 |
| social security number. |
| 22 |
| (8) Require that social security numbers requested |
| 23 |
| from an individual be segregated on a separate page from |
| 24 |
| the rest of the record, provide a discrete location for a |
| 25 |
| social security number when required on a standardized |
| 26 |
| form, or otherwise place the number in a manner that makes |
|
|
|
HB0547 |
- 8 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| it easily redacted if required to be released as part of a |
| 2 |
| public records request. |
| 3 |
| (9) Require that, when collecting a social security |
| 4 |
| number from an individual, at the time of or prior to the |
| 5 |
| actual collection of the social security number or upon |
| 6 |
| request by the individual, a statement of the purpose or |
| 7 |
| purposes for which the agency is collecting and using the |
| 8 |
| social security number be provided. |
| 9 |
| Each local government agency must file a written copy of |
| 10 |
| its privacy policy with the governing board of the unit of |
| 11 |
| local government. Each local government agency must also |
| 12 |
| provide a written copy of the policy to each of its employees, |
| 13 |
| and must also make its privacy policy available to any member |
| 14 |
| of the public, upon request. If a local government agency |
| 15 |
| amends its privacy policy, then that agency must file a written |
| 16 |
| copy of the amended policy with the appropriate entity and must |
| 17 |
| also provide each of its employees with a new written copy of |
| 18 |
| the amended policy.
|
| 19 |
| Section 37. Identity-protection policy; State. Each State |
| 20 |
| agency must recommend to the Social Security Number Task Force |
| 21 |
| an identity-protection policy on or before September 30, 2009. |
| 22 |
| The policy must do all of the following:
|
| 23 |
| (1) Identify all employees of the State agency who may |
| 24 |
| have access to social security numbers in the performance |
| 25 |
| of their duties. |
|
|
|
HB0547 |
- 9 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| (2) Require all employees of the State agency |
| 2 |
| identified as having access to social security numbers in |
| 3 |
| the performance of their duties to be trained to protect |
| 4 |
| the confidentiality of social security numbers and to |
| 5 |
| understand the requirements of this Section. |
| 6 |
| (3) Prohibit the unlawful disclosure of social |
| 7 |
| security numbers. |
| 8 |
| (4) Limit the number of employees who have access to |
| 9 |
| information or documents that contain social security |
| 10 |
| numbers. |
| 11 |
| (5) Describe how to properly dispose of information and |
| 12 |
| documents that contain social security numbers. |
| 13 |
| (6) Establish penalties for violation of the privacy |
| 14 |
| policy.
|
| 15 |
| (7) Prevent the intentional communication of or |
| 16 |
| ability of the general public to access an individual's |
| 17 |
| social security number. |
| 18 |
| (8) Require that social security numbers requested |
| 19 |
| from an individual be segregated on a separate page from |
| 20 |
| the rest of the record, provide a discrete location for a |
| 21 |
| social security number when required on a standardized |
| 22 |
| form, or otherwise place the number in a manner that makes |
| 23 |
| it easily redacted if required to be released as part of a |
| 24 |
| public records request. |
| 25 |
| (9) Require that, when collecting a social security |
| 26 |
| number from an individual, at the time of or prior to the |
|
|
|
HB0547 |
- 10 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| actual collection of the social security number or upon |
| 2 |
| request by the individual, a statement of the purpose or |
| 3 |
| purposes for which the agency is collecting and using the |
| 4 |
| social security number be provided. |
| 5 |
| The Task Force will study the recommendations from the |
| 6 |
| State agencies and will make its recommendation to the General |
| 7 |
| Assembly of the changes needed to implement the policies by |
| 8 |
| December 31, 2009.
|
| 9 |
| Section 40. Judicial branch and clerks of courts. The |
| 10 |
| judicial branch and clerks of the circuit court are not subject |
| 11 |
| to the provisions of this Act, except that the Supreme Court |
| 12 |
| shall, under its rulemaking authority or by administrative |
| 13 |
| order, adopt requirements applicable to the judicial branch, |
| 14 |
| including clerks of the circuit court, regulating the |
| 15 |
| disclosure of social security numbers consistent with the |
| 16 |
| intent of this Act and the unique circumstances relevant in the |
| 17 |
| judicial process.
|
| 18 |
| Section 45. Violation. Any person who intentionally |
| 19 |
| violates the prohibitions in Section 10 of this Act is guilty |
| 20 |
| of a Class B misdemeanor.
|
| 21 |
| Section 50. Home rule. A home rule unit of local |
| 22 |
| government, any non-home rule municipality, or any non-home |
| 23 |
| rule county may regulate the use of social security numbers, |
|
|
|
HB0547 |
- 11 - |
LRB096 05696 RLJ 15762 b |
|
|
| 1 |
| but that regulation must be no less restrictive than this Act. |
| 2 |
| This Act is a limitation under subsection (i) of Section 6 of |
| 3 |
| Article VII of the Illinois Constitution on the concurrent |
| 4 |
| exercise by home rule units of powers and functions exercised |
| 5 |
| by the State.
|
| 6 |
| Section 55. This Act does not supersede any more |
| 7 |
| restrictive law, rule, or regulation regarding the collection, |
| 8 |
| use, or release of social security numbers.
|
| 9 |
| Section 60. Rulemaking conditions. Rulemaking authority to |
| 10 |
| implement this Act, if any, is conditioned on the rules being |
| 11 |
| adopted in accordance with all provisions of the Illinois |
| 12 |
| Administrative Procedure Act and all rules and procedures of |
| 13 |
| the Joint Committee on Administrative Rules; any purported rule |
| 14 |
| not so adopted, for whatever reason, is unauthorized.
|
| 15 |
| Section 90. The State Mandates Act is amended by adding |
| 16 |
| Section 8.33 as follows:
|
| 17 |
| (30 ILCS 805/8.33 new) |
| 18 |
| Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 |
| 19 |
| of this Act, no reimbursement by the State is required for the |
| 20 |
| implementation of any mandate created by the Identity |
| 21 |
| Protection Act.
|
| 22 |
| Section 99. Effective date. This Act takes effect upon |