09600HB0547ham001 - 2 - LRB096 05696 RLJ 24761 a

1-7 of the Illinois State Auditing Act.

Section 10. Prohibited Activities.

(a) Beginning July 1, 2010, no person or State or local government agency may do any of the following:

(1) Publicly post or publicly display in any manner an individual's social security number.

(2) Print an individual's social security number on any card required for the individual to access products or services provided by the person or entity.

(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.

(4) Print an individual's social security number on any materials that are mailed to the individual, through the U.S. Postal Service, any private mail service, electronic mail, or any similar method of delivery, unless State or federal law requires the social security number to be on the document to be mailed. Notwithstanding any provision in this Section to the contrary, social security numbers may be included in applications forms sent by mail, including, but not limited to, any material mailed in connection with the administration of the Unemployment Insurance Act, any material mailed in connection with any tax administered by the Department of Revenue, and documents sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the social security number. A social security number that may permissibly be mailed under this Section may not be printed, in whole or in part, on a postcard or other mailer that does not require an envelope or be visible on an envelope without the envelope having been opened.

(b) Except as otherwise provided in this Act, beginning July 1, 2010, no person or State or local government agency may do any of the following:

(1) Collect, use, or disclose a social security number from an individual, unless (i) required to do so under State or federal law, rules, or regulations, or the collection, use, or disclosure of the social security number is otherwise necessary for the performance of that agency's duties and responsibilities; (ii) the need and purpose for the social security number is documented before collection of the social security number; and (iii) the social security number collected is relevant to the documented need and purpose.

(2) Require an individual to use his or her social security number to access an Internet website.

(3) Use the social security number for any purpose other than the purpose for which it was collected.

(c) The prohibitions in subsection (b) do not apply in the following circumstances:

(1) The disclosure of social security numbers to agents, employees, contractors, or subcontractors of a governmental entity or disclosure by a governmental entity to another governmental entity or its agents, employees, contractors, or subcontractors if disclosure is necessary in order for the entity to perform its duties and responsibilities; and, if disclosing to a contractor or subcontractor, prior to such disclosure, the governmental entity must first receive from the contractor or subcontractor a copy of the contractor's or subcontractor's policy that sets forth how the requirements imposed under this Act on a governmental entity to protect an individual's social security number will be achieved.

(2) The disclosure of social security numbers pursuant to a court order, warrant, or subpoena.

(3) The collection, use, or disclosure of social security numbers in order to ensure the safety of: State and local government employees; persons committed to correctional facilities, local jails, and other law-enforcement facilities or retention centers; wards of the State; and all persons working in or visiting a State or local government agency facility.

(4) The collection, use, or disclosure of social security numbers for internal verification or administrative purposes.

(5) The disclosure of social security numbers by a State agency to any entity for the collection of delinquent child support or of any State debt or to a governmental agency to assist with an investigation or the prevention of fraud.

(6) The collection or use of social security numbers to investigate or prevent fraud, to conduct background checks, to collect a debt, to obtain a credit report from a consumer reporting agency under the federal Fair Credit Reporting Act, to undertake any permissible purpose that is enumerated under the federal Gramm Leach Bliley Act, or to locate a missing person, a lost relative, or a person who is due a benefit, such as a pension benefit or an unclaimed property benefit.

(d) If any State or local government agency has adopted standards for the collection, use, or disclosure of social security numbers that are stricter than the standards under this Act with respect to the protection of those social security numbers, then, in the event of any conflict with the provisions of this Act, the stricter standards adopted by the State or local government agency shall control.

Section 15. Public inspection and copying of documents. Notwithstanding any other provision of this Act to the contrary, a person or State or local government agency must comply with the provisions of any other State law with respect to allowing the public inspection and copying of information or documents containing all or any portion of an individual's social security number. A person or State or local government agency must redact social security numbers from the information or documents before allowing the public inspection or copying of the information or documents.

Section 20. Applicability.

(a) This Act does not apply to the collection, use, or disclosure of a social security number as required by State or federal law, rule, or regulation.

(b) This Act does not apply to documents that are recorded with a county recorder or required to be open to the public under any State or federal law, rule, or regulation, applicable case law, Supreme Court Rule, or the Constitution of the State of Illinois. Notwithstanding this Section, county recorders must comply with Section 35 of this Act.

Section 25. Compliance with federal law. If a federal law takes effect requiring any federal agency to establish a national unique patient health identifier program, any State or local government agency that complies with the federal law shall be deemed to be in compliance with this Act.

Section 30. Embedded social security numbers. Beginning December 31, 2009, no person or State or local government agency may encode or embed a social security number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, RFID technology, or other technology, in place of removing the social security number as required by this Act.

Section 35. Identity-protection policy; local government.

(a) Each local government agency must draft and approve an identity-protection policy within 12 months after the effective date of this Act. The policy must do all of the following:

(1) Identify this Act.

(2) Require all employees of the local government agency identified as having access to social security numbers in the course of performing their duties to be trained to protect the confidentiality of social security numbers. Training should include instructions on the proper handling of information that contains social security numbers from the time of collection through the destruction of the information.

(3) Direct that only employees who are required to use or handle information or documents that contain social security numbers have access to such information or documents.

(4) Require that social security numbers requested from an individual be provided in a manner that makes the social security number easily redacted if required to be released as part of a public records request.

(5) Require that, when collecting a social security number or upon request by the individual, a statement of the purpose or purposes for which the agency is collecting and using the social security number be provided.

(b) Each local government agency must file a written copy of its privacy policy with the governing board of the unit of local government within 30 days after approval of the policy. Each local government agency must advise its employees of the existence of the policy and make a copy of the policy available to each of its employees, and must also make its privacy policy available to any member of the public, upon request. If a local government agency amends its privacy policy, then that agency must file a written copy of the amended policy with the appropriate entity and must also advise its employees of the existence of the amended policy and make a copy of the amended policy available to each of its employees.

(c) Each local government agency must implement the components of its identity-protection policy that are necessary to meet the requirements of this Act within 12 months after the date the identity-protection policy is approved. This subsection (c) shall not affect the requirements of Section 10 of this Act.

Section 37. Identity-protection policy; State.

(a) Each State agency must draft and approve an identity-protection policy within 12 months after the effective date of this Act. The policy must do all of the following:

(1) Identify this Act.

(2) Require all employees of the State agency identified as having access to social security numbers in the course of performing their duties to be trained to protect the confidentiality of social security numbers. Training should include instructions on proper handling of information that contains social security numbers from the time of collection through the destruction of the information.

(3) Direct that only employees who are required to use or handle information or documents that contain social security numbers have access to such information or documents.

(4) Require that social security numbers requested from an individual be placed in a manner that makes the social security number easily redacted if required to be released as part of a public records request.

(5) Require that, when collecting a social security number or upon request by the individual, a statement of the purpose or purposes for which the agency is collecting and using the social security number be provided.

(b) Each State agency must provide a copy of its identity-protection policy to the Social Security Number Protection Task Force within 30 days after the approval of the policy.

(c) Each State agency must implement the components of its identity-protection policy that are necessary to meet the requirements of this Act within 12 months after the date the identity-protection policy is approved. This subsection (c) shall not affect the requirements of Section 10 of this Act.

Section 40. Judicial branch and clerks of courts. The judicial branch and clerks of the circuit court are not subject to the provisions of this Act, except that the Supreme Court shall, under its rulemaking authority or by administrative order, adopt requirements applicable to the judicial branch, including clerks of the circuit court, regulating the disclosure of social security numbers consistent with the intent of this Act and the unique circumstances relevant in the judicial process.

Section 45. Violation. Any person who intentionally violates the prohibitions in Section 10 of this Act is guilty of a Class B misdemeanor.

Section 50. Home rule. A home rule unit of local government, any non-home rule municipality, or any non-home rule county may regulate the use of social security numbers, but that regulation must be no less restrictive than this Act. This Act is a limitation under subsection (i) of Section 6 of Article VII of the Illinois Constitution on the concurrent exercise by home rule units of powers and functions exercised by the State.

Section 55. This Act does not supersede any more restrictive law, rule, or regulation regarding the collection, use, or disclosure of social security numbers.

Section 60. Rulemaking conditions. Rulemaking authority to implement this Act, if any, is conditioned on the rules being adopted in accordance with all provisions of the Illinois Administrative Procedure Act and all rules and procedures of the Joint Committee on Administrative Rules; any purported rule not so adopted, for whatever reason, is unauthorized.

Section 90. The State Mandates Act is amended by adding Section 8.33 as follows:

(30 ILCS 805/8.33 new)

Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 of this Act, no reimbursement by the State is required for the implementation of any mandate created by the Identity Protection Act.".