|
| | 09800SB3092sam001 | - 2 - | LRB098 15075 NHT 58512 a |
|
|
1 | | federal regulations implementing FERPA (34 CFR 99.3), and (ii) |
2 | | the personally identifiable information of teachers, other |
3 | | educators, and school administrators, other than publicly |
4 | | available, school-related information such as the name, school |
5 | | location, and grade levels or subjects taught. |
6 | | (b) If an audit or evaluation or a compliance or |
7 | | enforcement activity in connection with legal requirements |
8 | | that relate to State-supported or school district-supported |
9 | | educational programs requires or is used as the basis for |
10 | | granting access to personally identifiable information, the |
11 | | State Board or a school shall designate parties only under |
12 | | their direct control to act as authorized representatives to |
13 | | conduct the audit, evaluation, or activity. |
14 | | (c) The State Board or schools may not disclose any |
15 | | personally identifiable information, including personally |
16 | | identifiable information from education records of students, |
17 | | to a contractor, consultant, or other party to whom the State |
18 | | Board or school has outsourced services or functions without |
19 | | providing notice to parents, guardians, and eligible students |
20 | | by posting the intent to disclose the information on the |
21 | | Internet website of the school or State Board at least 30 days |
22 | | in advance or as soon as practicable, unless that outside |
23 | | party: |
24 | | (1) performs an institutional service or function for |
25 | | which the State Board or the school would otherwise use |
26 | | employees; |
1 | | (2) is under the direct control of the State Board or |
2 | | the school with respect to the use and maintenance of |
3 | | education records; |
4 | | (3) limits internal access to education records to |
5 | | those individuals who are determined to have legitimate |
6 | | educational interests; |
7 | | (4) does not use the education records for any purposes |
8 | | other than those authorized in its contract; |
9 | | (5) does not disclose any personally identifiable |
10 | | information to any other party (i) without the prior |
11 | | notification to the eligible student, parent, or guardian |
12 | | or (ii) unless required by law and the party provides a |
13 | | notice of the disclosure to the State Board or school board |
14 | | that provided the information no later than the time the |
15 | | information is disclosed, to the extent allowed by law or |
16 | | by the terms of a court order; |
17 | | (6) maintains reasonable administrative, technical, |
18 | | and physical safeguards to protect the security, |
19 | | confidentiality, and integrity of personally identifiable |
20 | | information in its custody and conducts regular security |
21 | | audits to confirm the efficacy of those safeguards; |
22 | | (7) uses appropriate encryption technologies to |
23 | | protect data while in motion or in its custody from |
24 | | unauthorized disclosure; |
25 | | (8) has sufficient administrative and technical |
26 | | procedures to monitor continuously the security of |
1 | | personally identifiable information in its custody; |
2 | | (9) maintains a breach remediation plan prior to |
3 | | initial receipts of the personally identifiable |
4 | | information and reports breaches as specified by the |
5 | | Personal Information Protection Act; |
6 | | (10) reports all actual security breaches to the State |
7 | | Board or the school that provided personally identifiable |
8 | | information and education records as soon as possible, but |
9 | | no later than 72 hours after an actual breach was known or |
10 | | in the most expedient amount of time possible under the |
11 | | circumstances; |
12 | | (11) agrees, in the event of a security breach or an |
13 | | unauthorized disclosure of personally identifiable |
14 | | information, to pay all costs and liabilities incurred by |
15 | | the State Board or school related to the security breach or |
16 | | unauthorized disclosure, including without limitation the |
17 | | costs of responding to inquiries about the security breach |
18 | | or unauthorized disclosure, of notifying the subjects of |
19 | | personally identifiable information about the breach, of |
20 | | mitigating the effects of the breach for the subjects of |
21 | | personally identifiable information, and of investigating |
22 | | the cause or consequences of the security breach or |
23 | | unauthorized disclosure; and |
24 | | (12) destroys or returns to the State Board or school |
25 | | all personally identifiable information in its custody |
26 | | upon request and at the termination of the contract. |
1 | | (d) The State Board or schools may disclose personally |
2 | | identifiable information from an education record of a student |
3 | | without the consent of the eligible student, parent, or |
4 | | guardian to a party conducting studies for or on behalf of the |
5 | | State Board or school to (i) develop, validate, or administer |
6 | | predictive tests, (ii) administer student aid programs, or |
7 | | (iii) improve instruction, provided that the outside party |
8 | | conducting the study meets all of the requirements for |
9 | | contractors set forth in subsection (c) of this Section. |
10 | | (d-5) The State Board or schools may disclose personally |
11 | | identifiable information from an education record of a student |
12 | | to researchers at an organization or accredited post-secondary |
13 | | educational institution conducting research pursuant to a |
14 | | specific, written agreement with the school or State Board and |
15 | | in accordance with the federal Family Educational Rights and |
16 | | Privacy Act of 1974, provided that: |
17 | | (1) the nature of the research is first publicly |
18 | | disclosed to parents, guardians, and eligible students on |
19 | | the Internet website of the school or State Board at least |
20 | | 30 days in advance of the research being conducted or as |
21 | | soon as practicable; |
22 | | (2) the organization or institution and the school or |
23 | | State Board enter into a data use agreement that complies |
24 | | with the federal Family Educational Rights and Privacy Act |
25 | | of 1974 and its accompanying rules and includes, at a |
26 | | minimum, the following: |
1 | | (A) the purpose, scope, and duration of the study |
2 | | or studies and the information to be disclosed; |
3 | | (B) provisions requiring the organization or |
4 | | institution to use personally identifiable information |
5 | | from school student records only to meet the purpose or |
6 | | purposes of the study as stated in the written |
7 | | agreement; |
8 | | (C) provisions requiring the organization or |
9 | | institution to conduct the study in a manner that does |
10 | | not permit personal identification of parents or |
11 | | guardians and students by anyone other than |
12 | | representatives of the organization with legitimate |
13 | | interests; |
14 | | (D) provisions requiring the organization or |
15 | | institution to destroy all personally identifiable |
16 | | information when the information is no longer needed |
17 | | for the purposes for which the study was conducted and |
18 | | specifying the time period in which the information |
19 | | must be destroyed; |
20 | | (E) provisions requiring the organization or |
21 | | institution to certify that it has the capacity to and |
22 | | will restrict access to the school student records and |
23 | | maintain the security of electronic information; and |
24 | | (F) provisions requiring the organization or |
25 | | institution to develop, implement, maintain, and use |
26 | | appropriate administrative, technical, and physical |
1 | | security measures to preserve the confidentiality, |
2 | | integrity, and availability of all school student |
3 | | records; and |
4 | | (3) the organization or institution uses personally |
5 | | identifiable information from school student records only |
6 | | to meet the purpose or purposes of the study as stated in |
7 | | the written agreement. |
8 | | For purposes of this subsection (d-5), any information by |
9 | | which a student may be individually or personally identified |
10 | | may only be released, transferred, disclosed, or otherwise |
11 | | disseminated as contemplated by the agreement between the |
12 | | parties. The school student records must be redacted prior to |
13 | | analysis by the organization or institution. Any personally |
14 | | identifiable information used to link data sets must be stored |
15 | | in a secure data file or location outside of the secure data |
16 | | storage where redacted information from the school regarding |
17 | | student records is stored. The organization or institution |
18 | | shall implement and adhere to policies and procedures that |
19 | | restrict access to information by which a student may be |
20 | | individually or personally identified. The organization or |
21 | | institution shall designate an individual to act as the |
22 | | custodian of the personally identifiable information who is |
23 | | responsible for restricting access to that information. |
24 | | Nothing in this subsection (d-5) prohibits or limits the |
25 | | ability of the State Board or any school to provide personally |
26 | | identifiable information about individual students to a school |
1 | | official, organization, or institution for the purposes of |
2 | | developing, administering, scoring, or interpreting results of |
3 | | student assessments or predictive tests if those assessments or |
4 | | tests require individualized development or administration |
5 | | based on the needs of individual students. |
6 | | (e) The State Board or schools may not disclose any |
7 | | personally identifiable information, including personally |
8 | | identifiable information from education records of students, |
9 | | without the written consent of eligible students, parents, or |
10 | | guardians to any party for a commercial use, including without |
11 | | limitation marketing products or services, compiling lists for |
12 | | sale or rental, developing products or services, or creating |
13 | | individual, household, or group profiles, nor may such |
14 | | disclosure be made for the provision of services other than |
15 | | contracting, studies, and audits or evaluations as authorized |
16 | | and limited by subsections (c), (d), and (d-5) of this Section. |
17 | | (f) The State Board or schools may not, directly or through |
18 | | contracts with outside parties, maintain personally |
19 | | identifiable information, including personally identifiable |
20 | | information from education records of students, without the |
21 | | proper notification to eligible students, parents, or |
22 | | guardians, unless the maintenance of the information is: |
23 | | (1) explicitly mandated in federal or State statute; |
24 | | (2) administratively required for the proper |
25 | | performance of their duties under the law and is relevant |
26 | | to and necessary for the delivery of services; or |
1 | | (3) designed to support a study of students or former |
2 | | students. |
3 | | (g) The State Board and schools shall publicly and |
4 | | conspicuously disclose on their Internet websites and through |
5 | | annual electronic notification to the chairperson of the House |
6 | | of Representatives Elementary & Secondary Education Committee |
7 | | and the chairperson of the Senate Education Committee the |
8 | | existence and character of any personally identifiable |
9 | | information that they, directly or through contracts with |
10 | | outside parties, maintain. The disclosure and notification |
11 | | shall include: |
12 | | (1) the name and location of the data repository where |
13 | | the information is maintained; |
14 | | (2) the legal authority that authorizes the |
15 | | establishment and existence of the data repository; |
16 | | (3) the principal purpose or purposes for which the |
17 | | information is intended to be used; |
18 | | (4) the categories of individuals on whom records are |
19 | | maintained in the data repository; |
20 | | (5) the categories of records maintained in the data |
21 | | repository; |
22 | | (6) each expected disclosure of the records contained |
23 | | in the data repository, including the categories of |
24 | | recipients and the purpose of each disclosure; |
25 | | (7) the policies and practices of the State Board or |
26 | | school regarding storage, retrievability, access controls, |
1 | | retention, and disposal of the records; |
2 | | (8) the title and business address of the State Board |
3 | | or school official who is responsible for the data |
4 | | repository and the name and business address of any |
5 | | contractor or other outside party maintaining the data |
6 | | repository for or on behalf of the State Board or school; |
7 | | (9) the procedures whereby eligible students, parents, |
8 | | or guardians can be notified at their request if the data |
9 | | repository contains a record pertaining to the student, |
10 | | parent, or guardian; |
11 | | (10) the procedures whereby eligible students, |
12 | | parents, or guardians can be notified at their request on |
13 | | how to gain access to any record pertaining to the student, |
14 | | parent, or guardian contained in the data repository and |
15 | | how they can contest its content; and |
16 | | (11) the categories of sources of records in the data |
17 | | repository. |
18 | | (h) The State Board and schools may not append education |
19 | | records with personally identifiable information obtained from |
20 | | other federal or State agencies through data matches without |
21 | | the proper notification to eligible students, parents, or |
22 | | guardians unless the data matches are: |
23 | | (1) explicitly mandated in federal or State statute; or |
24 | | (2) administratively required for the proper |
25 | | performance of their duties under the law and are relevant |
26 | | to and necessary for the delivery of services. |
1 | | (i) Each violation of this Section by an organization or |
2 | | entity that is not the State Board or a school is subject to a |
3 | | civil penalty of up to $1,000 for a first violation, up to |
4 | | $5,000 for a second violation, and up to $10,000 for a third or |
5 | | subsequent violation. Each violation involving a different |
6 | | individual's personally identifiable information shall be |
7 | | considered a separate violation for purposes of civil |
8 | | penalties. |
9 | | (j) The Attorney General shall have the authority to |
10 | | enforce compliance with this Section by investigation and |
11 | | subsequent commencement of a civil action to seek civil |
12 | | penalties for violations of this Section and to seek |
13 | | appropriate injunctive relief, including without limitation a |
14 | | prohibition on obtaining personally identifiable information |
15 | | for an appropriate time period. In carrying out an |
16 | | investigation and in maintaining a civil action, the Attorney |
17 | | General or any deputy or assistant Attorney General is |
18 | | authorized to subpoena witnesses, compel their attendance, |
19 | | examine them under oath, and require that any books, records, |
20 | | documents, papers, or electronic records relevant or material |
21 | | to the inquiry be turned over for inspection, examination, or |
22 | | audit, pursuant to the Civil Practice Law and rules. Subpoenas |
23 | | issued pursuant to this subsection (j) may be enforced pursuant |
24 | | to the Civil Practice Law and rules. |
25 | | (k) Nothing contained in this Section shall be construed as |
26 | | creating a private right of action against the State Board or a |
1 | | school. |
2 | | (l) Nothing in this Section shall limit the administrative |
3 | | use of personally identifiable information by a person acting |
4 | | exclusively in the person's capacity as an employee of a |
5 | | school, this State, a court, or the federal government that is |
6 | | otherwise required by law.
|
7 | | Section 99. Effective date. This Act takes effect upon |
8 | | becoming law.".
|