HB0547 Engrossed

LRB096 05696 RLJ 15762 b






1
    AN ACT concerning State government.

 
2
    Be it enacted by the People of the State of Illinois,
 
3
represented in the General Assembly:



 
4
    Section 1. Short title. This Act may be cited as the 
5
Identity Protection Act.
 
6
    Section 5. Definitions. In this Act:
7
    "Identity-protection policy" means any policy created to 
8
protect social security numbers from unauthorized disclosure.

9
    "Local government agency" means that term as it is defined 
10
in Section 1-8 of the Illinois State Auditing Act.

11
    "Person" means any individual in the employ of a State 
12
agency or local government agency.

13
    "Publicly post" or "publicly display" means to 
14
intentionally communicate or otherwise intentionally make 
15
available to the general public.

16
    "State agency" means that term as it is defined in Section 
17
1-7 of the Illinois State Auditing Act.

 
18
    Section 10. Prohibited Activities. 
19
    (a) Beginning July 1, 2010, no person or State or local 
20
government agency may do any of the following:

21
        (1) Publicly post or publicly display in any manner an 
22
    individual's social security number.

 


 






HB0547 Engrossed
- 2 -
LRB096 05696 RLJ 15762 b




1
        (2) Print an individual's social security number on any 
2
    card required for the individual to access products or 
3
    services provided by the person or entity.

4
        (3) Require an individual to transmit his or her social 
5
    security number over the Internet, unless the connection is 
6
    secure or the social security number is encrypted.

7
        (4) Print an individual's social security number on any 
8
    materials that are mailed to the individual, through the 
9
    U.S. Postal Service, any private mail service, electronic 
10
    mail, or any similar method of delivery, unless State or 
11
    federal law requires the social security number to be on 
12
    the document to be mailed.  Notwithstanding any provision in 
13
    this Section to the contrary, social security numbers may 
14
    be included in applications forms sent by mail, including, 
15
    but not limited to, any material mailed in connection with 
16
    the administration of the Unemployment Insurance Act, any 
17
    material mailed in connection with any tax administered by 
18
    the Department of Revenue, and documents sent as part of an 
19
    application or enrollment process or to establish, amend, 
20
    or terminate an account, contract, or policy or to confirm 
21
    the accuracy of the social security number.  A social 
22
    security number that may permissibly be mailed under this 
23
    Section may not be printed, in whole or in part, on a 
24
    postcard or other mailer that does not require an envelope 
25
    or be visible on an envelope without the envelope having 
26
    been opened.

 


 






HB0547 Engrossed
- 3 -
LRB096 05696 RLJ 15762 b




1
    (b) Except as otherwise provided in this Act, beginning 
2
July 1, 2010, no person or State or local government agency may 
3
do any of the following:

4
        (1) Collect, use, or disclose a social security number 
5
    from an individual, unless (i) required to do so under 
6
    State or federal law, rules, or regulations, or the 
7
    collection, use, or disclosure of the social security 
8
    number is otherwise necessary for the performance of that 
9
    agency's duties and responsibilities; (ii) the need and 
10
    purpose for the social security number is documented before 
11
    collection of the social security number; and (iii) the 
12
    social security number collected is relevant to the 
13
    documented need and purpose.

14
        (2) Require an individual to use his or her social 
15
    security number to access an Internet website.

16
        (3) Use the social security number for any purpose 
17
    other than the purpose for which it was collected.

18
    (c)  The prohibitions in subsection (b) do not apply in the 
19
following circumstances:

20
        (1) The disclosure of social security numbers to 
21
    agents, employees, contractors, or subcontractors of a 
22
    governmental entity or disclosure by a governmental entity 
23
    to another governmental entity or its agents, employees, 
24
    contractors, or subcontractors if disclosure is necessary 
25
    in order for the entity to perform its duties and 
26
    responsibilities; and, if disclosing to a contractor or 
 


 






HB0547 Engrossed
- 4 -
LRB096 05696 RLJ 15762 b




1
    subcontractor, prior to such disclosure, the governmental 
2
    entity must first receive from the contractor or 
3
    subcontractor a copy of the contractor's or 
4
    subcontractor's policy that sets forth how the 
5
    requirements imposed under this Act on a governmental 
6
    entity to protect an individual's social security number 
7
    will be achieved.

8
        (2) The disclosure of social security numbers pursuant 
9
    to a court order, warrant, or subpoena.

10
        (3) The collection, use, or disclosure of social 
11
    security numbers in order to ensure the safety of: State 
12
    and local government employees; persons committed to 
13
    correctional facilities, local jails, and other 
14
    law-enforcement facilities or retention centers; wards of 
15
    the State; and all persons working in or visiting a State 
16
    or local government agency facility.

17
        (4) The collection, use, or disclosure of social 
18
    security numbers for internal verification or 
19
    administrative purposes.

20
        (5) The disclosure of social security numbers by a 
21
    State agency to any entity for the collection of delinquent 
22
    child support or of any State debt or to a governmental 
23
    agency to assist with an investigation or the prevention of 
24
    fraud.

25
        (6) The collection or use of social security numbers to 
26
    investigate or prevent fraud, to conduct background 
 


 






HB0547 Engrossed
- 5 -
LRB096 05696 RLJ 15762 b




1
    checks, to collect a debt, to obtain a credit report from a 
2
    consumer reporting agency under the federal Fair Credit 
3
    Reporting Act, to undertake any permissible purpose that is 
4
    enumerated under the federal Gramm Leach Bliley Act, or to 
5
    locate a missing person, a lost relative, or a person who 
6
    is due a benefit, such as a pension benefit or an unclaimed 
7
    property benefit.

8
    (d) If any State or local government agency has adopted 
9
standards for the collection, use, or disclosure of social 
10
security numbers that are stricter than the standards under 
11
this Act with respect to the protection of those social 
12
security numbers, then, in the event of any conflict with the 
13
provisions of this Act, the stricter standards adopted by the 
14
State or local government agency shall control.

 
15
    Section 15. Public inspection and copying of documents. 
16
Notwithstanding any other provision of this Act to the 
17
contrary, a person or State or local government agency must 
18
comply with the provisions of any other State law with respect 
19
to allowing the public inspection and copying of information or 
20
documents containing all or any portion of an individual's 
21
social security number. A person or State or local government 
22
agency must redact social security numbers from the information 
23
or documents before allowing the public inspection or copying 
24
of the information or documents.
 
 


 






HB0547 Engrossed
- 6 -
LRB096 05696 RLJ 15762 b




1
    Section 20. Applicability. 
2
    (a) This Act does not apply to the collection, use, or 
3
disclosure of a social security number as required by State or 
4
federal law, rule, or regulation.

5
    (b) This Act does not apply to documents that are recorded 
6
with a county recorder or required to be open to the public 
7
under any State or federal law, rule, or regulation, applicable 
8
case law, Supreme Court Rule, or the Constitution of the State 
9
of Illinois. Notwithstanding this Section, county recorders 
10
must comply with Section 35 of this Act.

 
11
    Section 25. Compliance with federal law. If a federal law 
12
takes effect requiring any federal agency to establish a 
13
national unique patient health identifier program, any State or 
14
local government agency that complies with the federal law 
15
shall be deemed to be in compliance with this Act.
 
16
    Section 30. Embedded social security numbers. Beginning 
17
December 31, 2009, no person or State or local government 
18
agency may encode or embed a social security number in or on a 
19
card or document, including, but not limited to, using a bar 
20
code, chip, magnetic strip, RFID technology, or other 
21
technology, in place of removing the social security number as 
22
required by this Act.
 
23
    Section 35. Identity-protection policy; local government. 
 


 






HB0547 Engrossed
- 7 -
LRB096 05696 RLJ 15762 b




1
    (a) Each local government agency must draft and approve an 
2
identity-protection policy within 12 months after the 
3
effective date of this Act.  The policy must do all of the 
4
following:

5
        (1) Identify this Act.

6
        (2) Require all employees of the local government 
7
    agency identified as having access to social security 
8
    numbers in the course of performing their duties to be 
9
    trained to protect the confidentiality of social security 
10
    numbers.  Training should include instructions on the 
11
    proper handling of information that contains social 
12
    security numbers from the time of collection through the 
13
    destruction of the information.

14
        (3) Direct that only employees who are required to use 
15
    or handle information or documents that contain social 
16
    security numbers have access to such information or 
17
    documents.
18
        (4) Require that social security numbers requested 
19
    from an individual be provided in a manner that makes the 
20
    social security number easily redacted if required to be 
21
    released as part of a public records request.

22
        (5) Require that, when collecting a social security 
23
    number or upon request by the individual, a statement of 
24
    the purpose or purposes for which the agency is collecting 
25
    and using the social security number be provided.

26
    (b) Each local government agency must file a written copy 
 


 






HB0547 Engrossed
- 8 -
LRB096 05696 RLJ 15762 b




1
of its privacy policy with the governing board of the unit of 
2
local government within 30 days after approval of the policy.  
3
Each local government agency must advise its employees of the 
4
existence of the policy and make a copy of the policy available 
5
to each of its employees, and must also make its privacy policy 
6
available to any member of the public, upon request.  If a local 
7
government agency amends its privacy policy, then that agency 
8
must file a written copy of the amended policy with the 
9
appropriate entity and must also advise its employees of the 
10
existence of the amended policy and make a copy of the amended 
11
policy available to each of its employees.

12
    (c) Each local government agency must implement the 
13
components of its identity-protection policy that are 
14
necessary to meet the requirements of this Act within 12 months 
15
after the date the identity-protection policy is approved. This 
16
subsection (c) shall not affect the requirements of Section 10 
17
of this Act.

 
18
    Section 37. Identity-protection policy; State. 
19
    (a) Each State agency must draft and approve an 
20
identity-protection policy within 12 months after the 
21
effective date of this Act.  The policy must do all of the 
22
following:

23
        (1) Identify this Act.

24
        (2) Require all employees of the State agency 
25
    identified as having access to social security numbers in 
 


 






HB0547 Engrossed
- 9 -
LRB096 05696 RLJ 15762 b




1
    the course of performing their duties to be trained to 
2
    protect the confidentiality of social security numbers.  
3
    Training should include instructions on proper handling of 
4
    information that contains social security numbers from the 
5
    time of collection through the destruction of the 
6
    information.

7
        (3) Direct that only employees who are required to use 
8
    or handle information or documents that contain social 
9
    security numbers have access to such information or 
10
    documents.

11
        (4) Require that social security numbers requested 
12
    from an individual be placed in a manner that makes the 
13
    social security number easily redacted if required to be 
14
    released as part of a public records request.

15
        (5) Require that, when collecting a social security 
16
    number or upon request by the individual, a statement of 
17
    the purpose or purposes for which the agency is collecting 
18
    and using the social security number be provided.

19
    (b) Each State agency must provide a copy of its 
20
identity-protection policy to the Social Security Number 
21
Protection Task Force within 30 days after the approval of the 
22
policy.

23
    (c) Each State agency must implement the components of its 
24
identity-protection policy that are necessary to meet the 
25
requirements of this Act within 12 months after the date the 
26
identity-protection policy is approved.  This subsection (c) 
 


 






HB0547 Engrossed
- 10 -
LRB096 05696 RLJ 15762 b




1
shall not affect the requirements of Section 10 of this Act.

 
2
    Section 40. Judicial branch and clerks of courts. The 
3
judicial branch and clerks of the circuit court are not subject 
4
to the provisions of this Act, except that the Supreme Court 
5
shall, under its rulemaking authority or by administrative 
6
order, adopt requirements applicable to the judicial branch, 
7
including clerks of the circuit court, regulating the 
8
disclosure of social security numbers consistent with the 
9
intent of this Act and the unique circumstances relevant in the 
10
judicial process.
 
11
    Section 45. Violation. Any person who intentionally 
12
violates the prohibitions in Section 10 of this Act is guilty 
13
of a Class B misdemeanor.
 
14
    Section 50. Home rule. A home rule unit of local 
15
government, any non-home rule municipality, or any non-home 
16
rule county may regulate the use of social security numbers, 
17
but that regulation must be no less restrictive than this Act.  
18
This Act is a limitation under subsection (i) of Section 6 of 
19
Article VII of the Illinois Constitution on the concurrent 
20
exercise by home rule units of powers and functions exercised 
21
by the State.
 
22
    Section 55. This Act does not supersede any more 
 


 






HB0547 Engrossed
- 11 -
LRB096 05696 RLJ 15762 b




1
restrictive law, rule, or regulation regarding the collection, 
2
use, or disclosure of social security numbers.
 
3
    Section 60. Rulemaking conditions. Rulemaking authority to 
4
implement this Act, if any, is conditioned on the rules being 
5
adopted in accordance with all provisions of the Illinois 
6
Administrative Procedure Act and all rules and procedures of 
7
the Joint Committee on Administrative Rules; any purported rule 
8
not so adopted, for whatever reason, is unauthorized.
 
9
    Section 90. The State Mandates Act is amended by adding 
10
Section 8.33 as follows:
 
11
    (30 ILCS 805/8.33 new)
12
    Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 
13
of this Act, no reimbursement by the State is required for the 
14
implementation of any mandate created by the Identity 
15
Protection Act.