96TH GENERAL ASSEMBLY
State of Illinois
2009 and 2010
HB0547


 
Introduced 2/4/2009, by Rep. Sandra M. Pihos
 
SYNOPSIS AS INTRODUCED:
 		













New Act






30 ILCS 805/8.33 new











    Creates the Identity Protection Act. Prohibits a State or local government agency from using an individual's social security number in certain ways, subject to various exceptions. Requires each State or local government agency to develop and implement an identity protection policy. Provides that any employee of a State or local government agency who intentionally violates the provisions of the Act is guilty of a Class B misdemeanor. Preempts the concurrent exercise of home rule powers. Imposes conditions on any rulemaking authority. Amends the State Mandates Act to require implementation without reimbursement by the State. Effective immediately.


















LRB096 05696 RLJ 15762 b

















CORRECTIONAL BUDGET AND IMPACT NOTE ACT MAY APPLY


FISCAL NOTE ACT MAY APPLY


HOME RULE NOTE ACT MAY APPLY






STATE MANDATES ACT MAY REQUIRE REIMBURSEMENT
MAY APPLY
					
















 


 


A BILL FOR









 











HB0547

LRB096 05696 RLJ 15762 b






1
    AN ACT concerning State government.

 
2
    Be it enacted by the People of the State of Illinois,
 
3
represented in the General Assembly:



 
4
    Section 1. Short title. This Act may be cited as the 
5
Identity Protection Act.

 
6
    Section 5. Definitions.  In this Act:
7
    "Local government agency" means that term as it is defined 
8
in Section 1-8 of the Illinois State Auditing Act.

9
    "Person" means any individual in the employ of a State 
10
agency or local government agency.
11
    "Publicly post" or "publicly display" means to 
12
intentionally communicate or otherwise intentionally make 
13
available to the general public.
14
    "State agency" means that term as it is defined in Section 
15
1-7 of the Illinois State Auditing Act.

 
16
    Section 10. Prohibited activities. 
17
    (a) Except as otherwise provided in this Act,
beginning 
18
July 1, 2010, no
person or State or local government agency may 
19
do any of the following:
20
        (1) Publicly post or publicly display in any manner an 
21
    individual's social security number.  
22
        (2) Print an individual's social security number on any 
 


 






HB0547
- 2 -
LRB096 05696 RLJ 15762 b




1
    card
required for the individual to access products or 
2
    services provided by the person or entity; however, a 
3
    person or entity that provides an insurance card must print 
4
    on the card an identification number unique to the holder 
5
    of the card in the format prescribed by Section 15 of the

6
    Uniform Prescription Drug Information Card Act.
7
        (3) Require an individual to transmit his or her social 
8
    security number over the Internet, unless the connection is 
9
    secure or the social security number is encrypted.
10
        (4) Require an individual to use his or her social 
11
    security number to access an Internet web site, unless a 
12
    password or unique personal identification number or other 
13
    authentication device is also required to access the 
14
    Internet web site.
15
        (5) Print an individual's social security number on any 
16
    materials that are mailed to the individual, through the 
17
    U.S. Postal Service, any private mail service, electronic 
18
    mail, or any similar method of delivery, unless State or 
19
    federal law requires the social security number to be on 
20
    the document to be mailed.  Notwithstanding any provision in 
21
    this Section to the contrary, social security numbers may 
22
    be included in applications and forms sent by mail, 
23
    including, but not limited to, any material mailed in 
24
    connection with the administration of the Unemployment 
25
    Insurance Act, any material mailed in connection with any 
26
    tax administered by the Department of Revenue, and 
 


 






HB0547
- 3 -
LRB096 05696 RLJ 15762 b




1
    documents sent as part of an application or enrollment 
2
    process or to establish, amend, or terminate an account, 
3
    contract, or policy or to confirm the accuracy of the 
4
    social security number.  A social security number that may 
5
    permissibly be mailed under this Section may not be 
6
    printed, in whole or in part, on a postcard or other mailer 
7
    that does not require an envelope or be visible on an 
8
    envelope or visible without the envelope having been 
9
    opened.
10
        (6) Collect a social security number from an 
11
    individual, unless required to do so under State or federal 
12
    law, rules, or regulations, unless the collection of the 
13
    social security number is otherwise necessary for the 
14
    performance of that agency's duties and responsibilities. 
15
    Social security numbers collected by a State or local 
16
    government agency must be relevant to the purpose for which 
17
    the number was collected and must not be collected unless 
18
    and until the need for social security numbers for that 
19
    purpose has been clearly documented.
20
        (7) Use the social security number for any purpose 
21
    other than the purpose for which it was collected.
22
        (8) Intentionally communicate or otherwise make 
23
    available to the general public a person's social security 
24
    number. 
25
    (b) The prohibitions in subsection (a) do not apply in the 
26
following circumstances:
 


 






HB0547
- 4 -
LRB096 05696 RLJ 15762 b




1
        (1) The disclosure of  social security numbers to 
2
    agents, employees, or contractors of a governmental entity 
3
    or disclosed by a governmental entity to another 
4
    governmental entity or its agents, employees, or 
5
    contractors if disclosure is necessary in order  for the 
6
    entity to perform its duties and responsibilities and if 
7
    the governmental entity and its agents, employees, and 
8
    contractors maintain the confidential and exempt status of 
9
    the social security numbers.
10
        (2) The disclosure of social security numbers pursuant 
11
    to a court order, warrant, or subpoena.
12
        (3) The collection, use, or disclosure of social 
13
    security numbers in order to ensure the safety of: State 
14
    and local government employees; persons committed to 
15
    correctional facilities, local jails, and other 
16
    law-enforcement facilities or retention centers; wards of 
17
    the State; and all persons working in or visiting a State 
18
    or local government agency facility. 
19
        (4) The disclosure of social security numbers by a 
20
    State agency to any entity for the collection of delinquent 
21
    child support or of any State debt.
22
        (5) The collection, use, or disclosure of social 
23
    security numbers to investigate or prevent fraud, to 
24
    conduct background checks, to conduct social or scientific 
25
    research, to collect a debt, to obtain a credit report from 
26
    or furnish data to a consumer reporting agency under the 
 


 






HB0547
- 5 -
LRB096 05696 RLJ 15762 b




1
    federal Fair Credit Reporting Act, to undertake any 
2
    permissible purpose that is enumerated under the federal 
3
    Gramm Leach Bliley Act, or to locate a missing person, a 
4
    lost relative, or a person who is due a benefit, such as a 
5
    pension benefit  or an unclaimed-property benefit.
6
    (c) If any State agency or local government agency has 
7
adopted standards for the collection, use, or disclosure of 
8
social security numbers that are stricter than the standards 
9
under this Act with respect to the protection of that 
10
identifying information, then, in the event of any conflict 
11
with the provisions of this Act,  the stricter standards adopted 
12
by the State agency or local government agency shall control.
 
13
    Section 15. Public inspection and copying of information 
14
and documents.  Notwithstanding any other provision of this Act 
15
to the contrary, a  person or State or local government agency  
16
must comply with the provisions of any other State law with 
17
respect to allowing the public inspection and copying of 
18
information or documents containing all or any portion of an 
19
individual's social security number.
 
20
    Section 20. Applicability.  
21
    (a) This Act does not apply to the collection, use, or 
22
release
of a social security number as required by State or 
23
federal law, rule, or regulation, or
the use of a social 
24
security number or other identifying information for internal 
 


 






HB0547
- 6 -
LRB096 05696 RLJ 15762 b




1
verification or
administrative purposes. 
2
    (b) This Act does not apply to documents that are recorded 
3
with a county recorder or
required to be open to the public 
4
under any State or federal law, rule, or regulation, applicable 
5
case law, Supreme Court Rule, or the Constitution of the State 
6
of Illinois.  Notwithstanding this Section, county recorders 
7
must comply with the provisions of Section 35 of this Act.
 
8
    Section 25. Compliance with federal law. If a federal law 
9
takes effect requiring any federal agency to establish a 
10
national
unique patient health identifier program, any State or 
11
local government agency that complies with the federal law 
12
shall be deemed to be in compliance with this
Act.
 
13
    Section 30. Embedded social security numbers. Beginning 
14
December 31, 2009, no person or State or local government 
15
agency may encode or embed a social security
number in or on a 
16
card or document, including, but not limited to,
using a bar 
17
code, chip, magnetic strip, RFID technology, or other 
18
technology, in place
of removing the social security number as 
19
required by this Act.
 
20
    Section 35. Identity-protection policy; local government.  
21
Each local government agency must establish an 
22
identity-protection policy and must implement that policy on or 
23
before December 31, 2009. The policy must do all of the 
 


 






HB0547
- 7 -
LRB096 05696 RLJ 15762 b




1
following:

2
        (1) Identify all employees of the local government 
3
    agency who may have access to social security numbers in 
4
    the course of performing their duties.
5
        (2) Require all employees of the local government 
6
    agency identified as having access to social security 
7
    numbers in the course of performing their duties to be 
8
    trained to protect the confidentiality of social security 
9
    numbers and to understand the requirements of this Section.
10
        (3) Prohibit the unlawful disclosure of social 
11
    security numbers.
12
        (4) Limit the number of employees who have access to 
13
    information or documents that contain social security 
14
    numbers.
15
        (5) Describe how to properly dispose of information and 
16
    documents that contain social security numbers.
17
        (6) Establish penalties for violation of the privacy 
18
    policy.

19
        (7) Prevent the intentional communication of or 
20
    ability of the general public to access an individual's 
21
    social security number. 
22
        (8) Require that  social security numbers requested 
23
    from an individual be segregated on a separate page from 
24
    the rest of the record, provide a discrete location for a 
25
    social security number when required on a standardized 
26
    form, or otherwise place the number in a manner that makes 
 


 






HB0547
- 8 -
LRB096 05696 RLJ 15762 b




1
    it easily redacted if required to be released as part of a 
2
    public records request. 
3
        (9) Require that, when collecting a social security 
4
    number from an individual, at the time of or prior to the 
5
    actual collection of the social security number or upon 
6
    request by the individual, a statement of the purpose or 
7
    purposes for which the agency is collecting and using the 
8
    social security number be provided.
9
    Each local government agency must file a written copy of 
10
its privacy policy with the governing board of the unit of 
11
local government. Each local government agency must also 
12
provide a written copy of the policy to each of its employees, 
13
and  must also make its privacy policy  available to any member 
14
of the public, upon request. If a local government agency 
15
amends its privacy policy, then that agency must file a written 
16
copy of the amended policy with the appropriate entity and must 
17
also provide each of its employees with a new written copy of 
18
the amended policy.

 
19
    Section 37. Identity-protection policy; State.  Each State 
20
agency must recommend to the Social Security Number Task Force 
21
an identity-protection policy on or before September 30, 2009. 
22
The policy must do all of the following:

23
        (1) Identify all employees of the State agency who may 
24
    have access to social security numbers in the performance 
25
    of their duties.
 


 






HB0547
- 9 -
LRB096 05696 RLJ 15762 b




1
        (2) Require all employees of the State agency 
2
    identified as having access to social security numbers in 
3
    the performance of their duties to be trained to protect 
4
    the confidentiality of social security numbers and to 
5
    understand the requirements of this Section.
6
        (3) Prohibit the unlawful disclosure of social 
7
    security numbers.
8
        (4) Limit the number of employees who have access to 
9
    information or documents that contain social security 
10
    numbers.
11
        (5) Describe how to properly dispose of information and 
12
    documents that contain social security numbers.
13
        (6) Establish penalties for violation of the privacy 
14
    policy.

15
        (7) Prevent the intentional communication of or 
16
    ability of the general public to access an individual's 
17
    social security number. 
18
        (8) Require that  social security numbers requested 
19
    from an individual be segregated on a separate page from 
20
    the rest of the record, provide a discrete location for a 
21
    social security number when required on a standardized 
22
    form, or otherwise place the number in a manner that makes 
23
    it easily redacted if required to be released as part of a 
24
    public records request. 
25
        (9) Require that, when collecting a social security 
26
    number from an individual, at the time of or prior to the 
 


 






HB0547
- 10 -
LRB096 05696 RLJ 15762 b




1
    actual collection of the social security number or upon 
2
    request by the individual, a statement of the purpose or 
3
    purposes for which the agency is collecting and using the 
4
    social security number be provided.
5
    The Task Force will study the recommendations from the 
6
State agencies and will make its recommendation to the General 
7
Assembly of the changes needed to implement the policies by 
8
December 31, 2009.
 
9
    Section 40. Judicial branch and clerks of courts.  The 
10
judicial branch and clerks of the circuit court are not subject 
11
to the provisions of this Act, except that the Supreme Court 
12
shall, under its rulemaking authority or by administrative 
13
order, adopt requirements applicable to the judicial branch, 
14
including clerks of the circuit court, regulating the 
15
disclosure of social security numbers consistent with the 
16
intent of this Act and the unique circumstances relevant in the 
17
judicial process.
 
18
    Section 45. Violation.  Any person who intentionally 
19
violates the prohibitions in Section 10 of this Act is guilty 
20
of a Class B misdemeanor.
 
21
    Section 50. Home rule.  A home rule unit of local 
22
government, any non-home rule municipality, or any non-home 
23
rule county may regulate the use of social security numbers, 
 


 






HB0547
- 11 -
LRB096 05696 RLJ 15762 b




1
but that regulation must be no less restrictive than this Act. 
2
This Act is a limitation under subsection (i) of Section 6 of 
3
Article VII of the Illinois Constitution on the concurrent 
4
exercise by home rule units of powers and functions exercised 
5
by the State.

 
6
    Section 55. This Act does not supersede any more 
7
restrictive law, rule, or regulation regarding the collection, 
8
use, or release of social security numbers.
 
9
    Section 60. Rulemaking conditions. Rulemaking authority to 
10
implement this Act, if any, is conditioned on the rules being 
11
adopted in accordance with all provisions of the Illinois 
12
Administrative Procedure Act and all rules and procedures of 
13
the Joint Committee on Administrative Rules; any purported rule 
14
not so adopted, for whatever reason, is unauthorized. 
 
15
    Section 90. The State Mandates Act is amended by adding 
16
Section 8.33 as follows:
 
17
    (30 ILCS 805/8.33 new)
18
    Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 
19
of this Act, no reimbursement by the State is required for the 
20
implementation of any mandate created by the Identity 
21
Protection Act.
 

22
    Section 99. Effective date. This Act takes effect upon 
 


 






HB0547
- 12 -
LRB096 05696 RLJ 15762 b




1
becoming law.