|
||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
1 | AN ACT concerning State government.
| |||||||||||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||||||||||||
4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||||||||||||
5 | Identity Protection Act.
| |||||||||||||||||||||||||||||
6 | Section 5. Definitions. In this Act: | |||||||||||||||||||||||||||||
7 | "Local government agency" means that term as it is defined | |||||||||||||||||||||||||||||
8 | in Section 1-8 of the Illinois State Auditing Act.
| |||||||||||||||||||||||||||||
9 | "Person" means any individual in the employ of a State | |||||||||||||||||||||||||||||
10 | agency or local government agency. | |||||||||||||||||||||||||||||
11 | "Publicly post" or "publicly display" means to | |||||||||||||||||||||||||||||
12 | intentionally communicate or otherwise intentionally make | |||||||||||||||||||||||||||||
13 | available to the general public. | |||||||||||||||||||||||||||||
14 | "State agency" means that term as it is defined in Section | |||||||||||||||||||||||||||||
15 | 1-7 of the Illinois State Auditing Act.
| |||||||||||||||||||||||||||||
16 | Section 10. Prohibited activities. | |||||||||||||||||||||||||||||
17 | (a) Except as otherwise provided in this Act,
beginning | |||||||||||||||||||||||||||||
18 | July 1, 2010, no
person or State or local government agency may | |||||||||||||||||||||||||||||
19 | do any of the following: | |||||||||||||||||||||||||||||
20 | (1) Publicly post or publicly display in any manner an | |||||||||||||||||||||||||||||
21 | individual's social security number. | |||||||||||||||||||||||||||||
22 | (2) Print an individual's social security number on any |
| |||||||
| |||||||
1 | card
required for the individual to access products or | ||||||
2 | services provided by the person or entity; however, a | ||||||
3 | person or entity that provides an insurance card must print | ||||||
4 | on the card an identification number unique to the holder | ||||||
5 | of the card in the format prescribed by Section 15 of the
| ||||||
6 | Uniform Prescription Drug Information Card Act. | ||||||
7 | (3) Require an individual to transmit his or her social | ||||||
8 | security number over the Internet, unless the connection is | ||||||
9 | secure or the social security number is encrypted. | ||||||
10 | (4) Require an individual to use his or her social | ||||||
11 | security number to access an Internet web site, unless a | ||||||
12 | password or unique personal identification number or other | ||||||
13 | authentication device is also required to access the | ||||||
14 | Internet web site. | ||||||
15 | (5) Print an individual's social security number on any | ||||||
16 | materials that are mailed to the individual, through the | ||||||
17 | U.S. Postal Service, any private mail service, electronic | ||||||
18 | mail, or any similar method of delivery, unless State or | ||||||
19 | federal law requires the social security number to be on | ||||||
20 | the document to be mailed. Notwithstanding any provision in | ||||||
21 | this Section to the contrary, social security numbers may | ||||||
22 | be included in applications and forms sent by mail, | ||||||
23 | including, but not limited to, any material mailed in | ||||||
24 | connection with the administration of the Unemployment | ||||||
25 | Insurance Act, any material mailed in connection with any | ||||||
26 | tax administered by the Department of Revenue, and |
| |||||||
| |||||||
1 | documents sent as part of an application or enrollment | ||||||
2 | process or to establish, amend, or terminate an account, | ||||||
3 | contract, or policy or to confirm the accuracy of the | ||||||
4 | social security number. A social security number that may | ||||||
5 | permissibly be mailed under this Section may not be | ||||||
6 | printed, in whole or in part, on a postcard or other mailer | ||||||
7 | that does not require an envelope or be visible on an | ||||||
8 | envelope or visible without the envelope having been | ||||||
9 | opened. | ||||||
10 | (6) Collect a social security number from an | ||||||
11 | individual, unless required to do so under State or federal | ||||||
12 | law, rules, or regulations, unless the collection of the | ||||||
13 | social security number is otherwise necessary for the | ||||||
14 | performance of that agency's duties and responsibilities. | ||||||
15 | Social security numbers collected by a State or local | ||||||
16 | government agency must be relevant to the purpose for which | ||||||
17 | the number was collected and must not be collected unless | ||||||
18 | and until the need for social security numbers for that | ||||||
19 | purpose has been clearly documented. | ||||||
20 | (7) Use the social security number for any purpose | ||||||
21 | other than the purpose for which it was collected. | ||||||
22 | (8) Intentionally communicate or otherwise make | ||||||
23 | available to the general public a person's social security | ||||||
24 | number. | ||||||
25 | (b) The prohibitions in subsection (a) do not apply in the | ||||||
26 | following circumstances: |
| |||||||
| |||||||
1 | (1) The disclosure of social security numbers to | ||||||
2 | agents, employees, or contractors of a governmental entity | ||||||
3 | or disclosed by a governmental entity to another | ||||||
4 | governmental entity or its agents, employees, or | ||||||
5 | contractors if disclosure is necessary in order for the | ||||||
6 | entity to perform its duties and responsibilities and if | ||||||
7 | the governmental entity and its agents, employees, and | ||||||
8 | contractors maintain the confidential and exempt status of | ||||||
9 | the social security numbers. | ||||||
10 | (2) The disclosure of social security numbers pursuant | ||||||
11 | to a court order, warrant, or subpoena. | ||||||
12 | (3) The collection, use, or disclosure of social | ||||||
13 | security numbers in order to ensure the safety of: State | ||||||
14 | and local government employees; persons committed to | ||||||
15 | correctional facilities, local jails, and other | ||||||
16 | law-enforcement facilities or retention centers; wards of | ||||||
17 | the State; and all persons working in or visiting a State | ||||||
18 | or local government agency facility. | ||||||
19 | (4) The disclosure of social security numbers by a | ||||||
20 | State agency to any entity for the collection of delinquent | ||||||
21 | child support or of any State debt. | ||||||
22 | (5) The collection, use, or disclosure of social | ||||||
23 | security numbers to investigate or prevent fraud, to | ||||||
24 | conduct background checks, to conduct social or scientific | ||||||
25 | research, to collect a debt, to obtain a credit report from | ||||||
26 | or furnish data to a consumer reporting agency under the |
| |||||||
| |||||||
1 | federal Fair Credit Reporting Act, to undertake any | ||||||
2 | permissible purpose that is enumerated under the federal | ||||||
3 | Gramm Leach Bliley Act, or to locate a missing person, a | ||||||
4 | lost relative, or a person who is due a benefit, such as a | ||||||
5 | pension benefit or an unclaimed-property benefit. | ||||||
6 | (c) If any State agency or local government agency has | ||||||
7 | adopted standards for the collection, use, or disclosure of | ||||||
8 | social security numbers that are stricter than the standards | ||||||
9 | under this Act with respect to the protection of that | ||||||
10 | identifying information, then, in the event of any conflict | ||||||
11 | with the provisions of this Act, the stricter standards adopted | ||||||
12 | by the State agency or local government agency shall control. | ||||||
13 | Section 15. Public inspection and copying of information | ||||||
14 | and documents. Notwithstanding any other provision of this Act | ||||||
15 | to the contrary, a person or State or local government agency | ||||||
16 | must comply with the provisions of any other State law with | ||||||
17 | respect to allowing the public inspection and copying of | ||||||
18 | information or documents containing all or any portion of an | ||||||
19 | individual's social security number. | ||||||
20 | Section 20. Applicability. | ||||||
21 | (a) This Act does not apply to the collection, use, or | ||||||
22 | release
of a social security number as required by State or | ||||||
23 | federal law, rule, or regulation, or
the use of a social | ||||||
24 | security number or other identifying information for internal |
| |||||||
| |||||||
1 | verification or
administrative purposes. | ||||||
2 | (b) This Act does not apply to documents that are recorded | ||||||
3 | with a county recorder or
required to be open to the public | ||||||
4 | under any State or federal law, rule, or regulation, applicable | ||||||
5 | case law, Supreme Court Rule, or the Constitution of the State | ||||||
6 | of Illinois. Notwithstanding this Section, county recorders | ||||||
7 | must comply with the provisions of Section 35 of this Act. | ||||||
8 | Section 25. Compliance with federal law. If a federal law | ||||||
9 | takes effect requiring any federal agency to establish a | ||||||
10 | national
unique patient health identifier program, any State or | ||||||
11 | local government agency that complies with the federal law | ||||||
12 | shall be deemed to be in compliance with this
Act. | ||||||
13 | Section 30. Embedded social security numbers. Beginning | ||||||
14 | December 31, 2009, no person or State or local government | ||||||
15 | agency may encode or embed a social security
number in or on a | ||||||
16 | card or document, including, but not limited to,
using a bar | ||||||
17 | code, chip, magnetic strip, RFID technology, or other | ||||||
18 | technology, in place
of removing the social security number as | ||||||
19 | required by this Act. | ||||||
20 | Section 35. Identity-protection policy; local government. | ||||||
21 | Each local government agency must establish an | ||||||
22 | identity-protection policy and must implement that policy on or | ||||||
23 | before December 31, 2009. The policy must do all of the |
| |||||||
| |||||||
1 | following:
| ||||||
2 | (1) Identify all employees of the local government | ||||||
3 | agency who may have access to social security numbers in | ||||||
4 | the course of performing their duties. | ||||||
5 | (2) Require all employees of the local government | ||||||
6 | agency identified as having access to social security | ||||||
7 | numbers in the course of performing their duties to be | ||||||
8 | trained to protect the confidentiality of social security | ||||||
9 | numbers and to understand the requirements of this Section. | ||||||
10 | (3) Prohibit the unlawful disclosure of social | ||||||
11 | security numbers. | ||||||
12 | (4) Limit the number of employees who have access to | ||||||
13 | information or documents that contain social security | ||||||
14 | numbers. | ||||||
15 | (5) Describe how to properly dispose of information and | ||||||
16 | documents that contain social security numbers. | ||||||
17 | (6) Establish penalties for violation of the privacy | ||||||
18 | policy.
| ||||||
19 | (7) Prevent the intentional communication of or | ||||||
20 | ability of the general public to access an individual's | ||||||
21 | social security number. | ||||||
22 | (8) Require that social security numbers requested | ||||||
23 | from an individual be segregated on a separate page from | ||||||
24 | the rest of the record, provide a discrete location for a | ||||||
25 | social security number when required on a standardized | ||||||
26 | form, or otherwise place the number in a manner that makes |
| |||||||
| |||||||
1 | it easily redacted if required to be released as part of a | ||||||
2 | public records request. | ||||||
3 | (9) Require that, when collecting a social security | ||||||
4 | number from an individual, at the time of or prior to the | ||||||
5 | actual collection of the social security number or upon | ||||||
6 | request by the individual, a statement of the purpose or | ||||||
7 | purposes for which the agency is collecting and using the | ||||||
8 | social security number be provided. | ||||||
9 | Each local government agency must file a written copy of | ||||||
10 | its privacy policy with the governing board of the unit of | ||||||
11 | local government. Each local government agency must also | ||||||
12 | provide a written copy of the policy to each of its employees, | ||||||
13 | and must also make its privacy policy available to any member | ||||||
14 | of the public, upon request. If a local government agency | ||||||
15 | amends its privacy policy, then that agency must file a written | ||||||
16 | copy of the amended policy with the appropriate entity and must | ||||||
17 | also provide each of its employees with a new written copy of | ||||||
18 | the amended policy.
| ||||||
19 | Section 37. Identity-protection policy; State. Each State | ||||||
20 | agency must recommend to the Social Security Number Task Force | ||||||
21 | an identity-protection policy on or before September 30, 2009. | ||||||
22 | The policy must do all of the following:
| ||||||
23 | (1) Identify all employees of the State agency who may | ||||||
24 | have access to social security numbers in the performance | ||||||
25 | of their duties. |
| |||||||
| |||||||
1 | (2) Require all employees of the State agency | ||||||
2 | identified as having access to social security numbers in | ||||||
3 | the performance of their duties to be trained to protect | ||||||
4 | the confidentiality of social security numbers and to | ||||||
5 | understand the requirements of this Section. | ||||||
6 | (3) Prohibit the unlawful disclosure of social | ||||||
7 | security numbers. | ||||||
8 | (4) Limit the number of employees who have access to | ||||||
9 | information or documents that contain social security | ||||||
10 | numbers. | ||||||
11 | (5) Describe how to properly dispose of information and | ||||||
12 | documents that contain social security numbers. | ||||||
13 | (6) Establish penalties for violation of the privacy | ||||||
14 | policy.
| ||||||
15 | (7) Prevent the intentional communication of or | ||||||
16 | ability of the general public to access an individual's | ||||||
17 | social security number. | ||||||
18 | (8) Require that social security numbers requested | ||||||
19 | from an individual be segregated on a separate page from | ||||||
20 | the rest of the record, provide a discrete location for a | ||||||
21 | social security number when required on a standardized | ||||||
22 | form, or otherwise place the number in a manner that makes | ||||||
23 | it easily redacted if required to be released as part of a | ||||||
24 | public records request. | ||||||
25 | (9) Require that, when collecting a social security | ||||||
26 | number from an individual, at the time of or prior to the |
| |||||||
| |||||||
1 | actual collection of the social security number or upon | ||||||
2 | request by the individual, a statement of the purpose or | ||||||
3 | purposes for which the agency is collecting and using the | ||||||
4 | social security number be provided. | ||||||
5 | The Task Force will study the recommendations from the | ||||||
6 | State agencies and will make its recommendation to the General | ||||||
7 | Assembly of the changes needed to implement the policies by | ||||||
8 | December 31, 2009. | ||||||
9 | Section 40. Judicial branch and clerks of courts. The | ||||||
10 | judicial branch and clerks of the circuit court are not subject | ||||||
11 | to the provisions of this Act, except that the Supreme Court | ||||||
12 | shall, under its rulemaking authority or by administrative | ||||||
13 | order, adopt requirements applicable to the judicial branch, | ||||||
14 | including clerks of the circuit court, regulating the | ||||||
15 | disclosure of social security numbers consistent with the | ||||||
16 | intent of this Act and the unique circumstances relevant in the | ||||||
17 | judicial process. | ||||||
18 | Section 45. Violation. Any person who intentionally | ||||||
19 | violates the prohibitions in Section 10 of this Act is guilty | ||||||
20 | of a Class B misdemeanor. | ||||||
21 | Section 50. Home rule. A home rule unit of local | ||||||
22 | government, any non-home rule municipality, or any non-home | ||||||
23 | rule county may regulate the use of social security numbers, |
| |||||||
| |||||||
1 | but that regulation must be no less restrictive than this Act. | ||||||
2 | This Act is a limitation under subsection (i) of Section 6 of | ||||||
3 | Article VII of the Illinois Constitution on the concurrent | ||||||
4 | exercise by home rule units of powers and functions exercised | ||||||
5 | by the State.
| ||||||
6 | Section 55. This Act does not supersede any more | ||||||
7 | restrictive law, rule, or regulation regarding the collection, | ||||||
8 | use, or release of social security numbers. | ||||||
9 | Section 60. Rulemaking conditions. Rulemaking authority to | ||||||
10 | implement this Act, if any, is conditioned on the rules being | ||||||
11 | adopted in accordance with all provisions of the Illinois | ||||||
12 | Administrative Procedure Act and all rules and procedures of | ||||||
13 | the Joint Committee on Administrative Rules; any purported rule | ||||||
14 | not so adopted, for whatever reason, is unauthorized. | ||||||
15 | Section 90. The State Mandates Act is amended by adding | ||||||
16 | Section 8.33 as follows: | ||||||
17 | (30 ILCS 805/8.33 new) | ||||||
18 | Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 | ||||||
19 | of this Act, no reimbursement by the State is required for the | ||||||
20 | implementation of any mandate created by the Identity | ||||||
21 | Protection Act.
| ||||||
22 | Section 99. Effective date. This Act takes effect upon |
| |||||||
| |||||||
1 | becoming law.
|