98TH GENERAL ASSEMBLY
State of Illinois
2013 and 2014
SB3092
Introduced 2/7/2014, by Sen. William Delgado

SYNOPSIS AS INTRODUCED:

Amends the P-20 Longitudinal Education Data System Act. Provides that if an audit or evaluation or a compliance or enforcement activity in connection with legal requirements that relate to State-supported or school district-supported educational programs requires or is used as the basis for granting access to personally identifiable information, the State Board of Education or a public school shall designate parties only under its direct control to act as authorized representatives to conduct the audit, evaluation, or activity. Limits the disclosure of personally identifiable information by the State Board or a public school with respect to (i) a contractor, consultant, or other party to whom the State Board or school has outsourced services or functions; (ii) a party conducting certain studies for or on behalf of the State Board or school; (iii) any party for a commercial use; or (iv) the provision of services other than contracting, studies, and audits or evaluations. Limits the maintenance of personally identifiable information and provides for disclosure and notification. Limits appending education records with personally identifiable information obtained from other federal or State agencies through data matches. Provides for civil penalties. Effective immediately.

FISCAL NOTE ACT MAY APPLY
STATE MANDATES ACT MAY REQUIRE REIMBURSEMENT

A BILL FOR

SB3092 | LRB098 15075 NHT 50039 b

1 | | AN ACT concerning education.
2 | | Be it enacted by the People of the State of Illinois,
3 | | represented in the General Assembly:
4 | | Section 5. The P-20 Longitudinal Education Data System Act |
5 | | is amended by adding Section 32 as follows: |
6 | | (105 ILCS 13/32 new) |
7 | | Sec. 32. Personally identifiable information limitations. |
8 | | (a) In this Section: |
9 | | "Education records" has the meaning ascribed to that term |
10 | | in 34 CFR 99.3. |
11 | | "Personally identifiable information" means (i) any |
12 | | personally identifiable information under the federal Family |
13 | | Educational Rights and Privacy Act of 1974 and (ii) the |
14 | | personally identifiable information of teachers, other |
15 | | educators, and school administrators, other than publicly |
16 | | available, school-related information such as the name, school |
17 | | location, and grade levels or subjects taught. |
18 | | (b) If an audit or evaluation or a compliance or |
19 | | enforcement activity in connection with legal requirements |
20 | | that relate to State-supported or school district-supported |
21 | | educational programs requires or is used as the basis for |
22 | | granting access to personally identifiable information, the |
23 | | State Board or a school shall designate parties only under |
1 | | their direct control to act as authorized representatives to |
2 | | conduct the audit, evaluation, or activity. |
3 | | (c) The State Board or schools may not disclose any |
4 | | personally identifiable information, including personally |
5 | | identifiable information from education records of students, |
6 | | without the written consent of eligible students, parents, or |
7 | | guardians to a contractor, consultant, or other party to whom |
8 | | the State Board or school has outsourced services or functions, |
9 | | unless that outside party: |
10 | | (1) performs an institutional service or function for |
11 | | which the State Board or the school would otherwise use |
12 | | employees; |
13 | | (2) is under the direct control of the State Board or |
14 | | the school with respect to the use and maintenance of |
15 | | education records; |
16 | | (3) limits internal access to education records to |
17 | | those individuals who are determined to have legitimate |
18 | | educational interests; |
19 | | (4) does not use the education records for any purposes |
20 | | other than those explicitly authorized in its contract; |
21 | | (5) does not disclose any personally identifiable |
22 | | information to any other party (i) without the prior |
23 | | written consent of the eligible student, parent, or |
24 | | guardian or (ii) unless required by statute or court order |
25 | | and the party provides a notice of the disclosure to the |
26 | | State Board or school board that provided the information |
1 | | no later than the time the information is disclosed, unless |
2 | | providing notice of the disclosure is expressly prohibited |
3 | | by the statute or court order; |
4 | | (6) maintains reasonable administrative, technical, |
5 | | and physical safeguards to protect the security, |
6 | | confidentiality, and integrity of personally identifiable |
7 | | information in its custody; |
8 | | (7) uses encryption technologies to protect data while |
9 | | in motion or in its custody from unauthorized disclosure |
10 | | using a technology or methodology specified by the U.S. |
11 | | Secretary of Health and Human Services under Section |
12 | | 13402(h)(2) of Public Law 111-5; |
13 | | (8) has sufficient administrative and technical |
14 | | procedures to monitor continuously the security of |
15 | | personally identifiable information in its custody; |
16 | | (9) conducts a security audit annually and provides the |
17 | | results of that audit to the State Board or the school that |
18 | | provided personally identifiable information; |
19 | | (10) provides the State Board or school with a breach |
20 | | remediation plan acceptable to the State Board or school |
21 | | prior to initial receipts of the personally identifiable |
22 | | information; |
23 | | (11) reports all suspected security breaches to the |
24 | | State Board or the school that provided personally |
25 | | identifiable information and education records as soon as |
26 | | possible, but no later than 48 hours after a suspected |
1 | | breach was known or would have been known by exercising |
2 | | reasonable diligence; |
3 | | (12) reports all actual security breaches to the State |
4 | | Board or the school that provided personally identifiable |
5 | | information and education records as soon as possible, but |
6 | | no later than 24 hours after an actual breach was known or |
7 | | would have been known by exercising reasonable diligence; |
8 | | (13) agrees, in the event of a security breach or an |
9 | | unauthorized disclosure of personally identifiable |
10 | | information, to pay all costs and liabilities incurred by |
11 | | the State Board or school related to the security breach or |
12 | | unauthorized disclosure, including without limitation the |
13 | | costs of responding to inquiries about the security breach |
14 | | or unauthorized disclosure, of notifying the subjects of |
15 | | personally identifiable information about the breach, of |
16 | | mitigating the effects of the breach for the subjects of |
17 | | personally identifiable information, and of investigating |
18 | | the cause or consequences of the security breach or |
19 | | unauthorized disclosure; and |
20 | | (14) destroys or returns to the State Board or school |
21 | | all personally identifiable information in its custody |
22 | | upon request and at the termination of the contract. |
23 | | (d) The State Board or schools may disclose personally |
24 | | identifiable information from an education record of a student |
25 | | without the consent of the eligible student, parent, or |
26 | | guardian to a party conducting studies for or on behalf of the |
1 | | State Board or school to (i) develop, validate, or administer |
2 | | predictive tests, (ii) administer student aid programs, or (3) |
3 | | improve instruction, provided that the outside party |
4 | | conducting the study meets all of the requirements for |
5 | | contractors set forth in subsection (c) of this Section. |
6 | | (e) The State Board or schools may not disclose any |
7 | | personally identifiable information, including personally |
8 | | identifiable information from education records of students, |
9 | | without the written consent of eligible students, parents, or |
10 | | guardians to any party for a commercial use, including without |
11 | | limitation marketing products or services, compiling lists for |
12 | | sale or rental, developing products or services, or creating |
13 | | individual, household, or group profiles, nor may such |
14 | | disclosure be made for the provision of services other than |
15 | | contracting, studies, and audits or evaluations as authorized |
16 | | and limited by subsections (c) and (d) of this Section. Any |
17 | | consent from an eligible student, parent, or guardian must be |
18 | | signed and dated, must not have been signed more than 6 months |
19 | | prior to the disclosure, must identify the recipient and the |
20 | | purpose of the disclosure, and must state that the information |
21 | | will be used only for that purpose and will not be used or |
22 | | disclosed for any other purpose. |
23 | | (f) The State Board or schools may not, directly or through |
24 | | contracts with outside parties, maintain personally |
25 | | identifiable information, including personally identifiable |
26 | | information from education records of students, without the |
1 | | written consent of eligible students, parents, or guardians, |
2 | | unless the maintenance of the information is: |
3 | | (1) explicitly mandated in federal or State statute; |
4 | | (2) administratively required for the proper |
5 | | performance of their duties under the law and is relevant |
6 | | to and necessary for the delivery of services; or |
7 | | (3) designed to support a study of students or former |
8 | | students, provided that no personally identifiable |
9 | | information is retained on former students for longer than |
10 | | 5 years after the date of the student's last enrollment in |
11 | | a school. |
12 | | (g) The State Board and schools shall publicly and |
13 | | conspicuously disclose on their Internet websites and through |
14 | | annual electronic notification to the chairperson of the House |
15 | | of Representatives Elementary & Secondary Education Committee |
16 | | and the chairperson of the Senate Education Committee the |
17 | | existence and character of any personally identifiable |
18 | | information that they, directly or through contracts with |
19 | | outside parties, maintain. The disclosure and notification |
20 | | shall include: |
21 | | (1) the name and location of the data repository where |
22 | | the information is maintained; |
23 | | (2) the legal authority that authorizes the |
24 | | establishment and existence of the data repository; |
25 | | (3) the principal purpose or purposes for which the |
26 | | information is intended to be used; |
1 | | (4) the categories of individuals on whom records are |
2 | | maintained in the data repository; |
3 | | (5) the categories of records maintained in the data |
4 | | repository; |
5 | | (6) each expected disclosure of the records contained |
6 | | in the data repository, including the categories of |
7 | | recipients and the purpose of each disclosure; |
8 | | (7) the policies and practices of the State Board or |
9 | | school regarding storage, retrievability, access controls, |
10 | | retention, and disposal of the records; |
11 | | (8) the title and business address of the State Board |
12 | | or school official who is responsible for the data |
13 | | repository and the name and business address of any |
14 | | contractor or other outside party maintaining the data |
15 | | repository for or on behalf of the State Board or school; |
16 | | (9) the procedures whereby eligible students, parents, |
17 | | or guardians can be notified at their request if the data |
18 | | repository contains a record pertaining to the student, |
19 | | parent, or guardian; |
20 | | (10) the procedures whereby eligible students, |
21 | | parents, or guardians can be notified at their request on |
22 | | how to gain access to any record pertaining to the student, |
23 | | parent, or guardian contained in the data repository and |
24 | | how they can contest its content; and |
25 | | (11) the categories of sources of records in the data |
26 | | repository. |
1 | | (h) The State Board and schools may not append education |
2 | | records with personally identifiable information obtained from |
3 | | other federal or State agencies through data matches without |
4 | | the written consent of eligible students, parents, or guardians |
5 | | unless the data matches are: |
6 | | (1) explicitly mandated in federal or State statute; or |
7 | | (2) administratively required for the proper |
8 | | performance of their duties under the law and are relevant |
9 | | to and necessary for the delivery of services. |
10 | | (i) Each violation of this Section by an organization or |
11 | | entity that is not the State Board or a school is subject to a |
12 | | civil penalty of up to $1,000 for a first violation, up to |
13 | | $5,000 for a second violation, and up to $10,000 for a third or |
14 | | subsequent violation. Each violation involving a different |
15 | | individual's personally identifiable information shall be |
16 | | considered a separate violation for purposes of civil |
17 | | penalties. |
18 | | (j) The Attorney General shall have the authority to |
19 | | enforce compliance with this Section by investigation and |
20 | | subsequent commencement of a civil action to seek civil |
21 | | penalties for violations of this Section and to seek |
22 | | appropriate injunctive relief, including without limitation a |
23 | | prohibition on obtaining personally identifiable information |
24 | | for an appropriate time period. In carrying out an |
25 | | investigation and in maintaining a civil action, the Attorney |
26 | | General or any deputy or assistant Attorney General is |
1 | | authorized to subpoena witnesses, compel their attendance, |
2 | | examine them under oath, and require that any books, records, |
3 | | documents, papers, or electronic records relevant or material |
4 | | to the inquiry be turned over for inspection, examination, or |
5 | | audit, pursuant to the Civil Practice Law and rules. Subpoenas |
6 | | issued pursuant to this subsection (j) may be enforced pursuant |
7 | | to the Civil Practice Law and rules. |
8 | | (k) Nothing contained in this Section shall be construed as |
9 | | creating a private right of action against the State Board or a |
10 | | school. |
11 | | (l) Nothing in this Section shall limit the administrative |
12 | | use of personally identifiable information by a person acting |
13 | | exclusively in the person's capacity as an employee of a |
14 | | school, this State, a court, or the federal government that is |
15 | | otherwise required by law. |

16 | | Section 99. Effective date. This Act takes effect upon |
17 | | becoming law. |