Illinois General Assembly - Full Text of HB0332
Illinois General Assembly

Previous General Assemblies

Full Text of HB0332  100th General Assembly

HB0332 100TH GENERAL ASSEMBLY

  
  

 


 
100TH GENERAL ASSEMBLY
State of Illinois
2017 and 2018
HB0332

 

Introduced , by Rep. Scott Drury

 

SYNOPSIS AS INTRODUCED:
 
105 ILCS 5/22-83 new
105 ILCS 10/2  from Ch. 122, par. 50-2
105 ILCS 10/6  from Ch. 122, par. 50-6
105 ILCS 10/9  from Ch. 122, par. 50-9
325 ILCS 17/5

    Amends the School Code to add provisions concerning student data privacy. Amends the Illinois School Student Records Act. Makes changes to the definition provisions. Sets forth provisions allowing disclosure of student records to researchers at an accredited post-secondary educational institution or an organization conducting research if specified requirements are met. Amends the Children's Privacy Protection and Parental Empowerment Act to change the definition of "child" to mean a person under the age of 18 (instead of 16).


LRB100 04231 MLM 14237 b

FISCAL NOTE ACT MAY APPLY

 

 

A BILL FOR

 

HB0332LRB100 04231 MLM 14237 b

1    AN ACT concerning privacy protection.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The School Code is amended by adding Section
522-83 as follows:
 
6    (105 ILCS 5/22-83 new)
7    Sec. 22-83. Student data privacy.
8    (a) It is the intent of the General Assembly to help ensure
9that information generated by and about students in the course
10of and in connection with their education is safeguarded and
11that student privacy is honored, respected, and protected. The
12General Assembly finds the following:
13        (1) Information generated by and about students in the
14    course of and in connection with their education is a vital
15    resource for teachers and school staff in planning
16    education programs and services, scheduling students into
17    appropriate classes, and completing reports for
18    educational agencies.
19        (2) Information generated by and about students in the
20    course of and in connection with their education is
21    critical to educators in helping students successfully
22    graduate from high school and being ready to enter the
23    workforce or postsecondary education.

 

 

HB0332- 2 -LRB100 04231 MLM 14237 b

1        (3) While information generated by and about students
2    in the course of and in connection with their education is
3    important for educational purposes, it is also critically
4    important to ensure that the information is protected,
5    safeguarded, and kept private and used only by appropriate
6    educational authorities or their permitted designees, and
7    then only to serve the best interests of the student.
8To that end, this Section helps ensure that information
9generated by and about students in the course of and in
10connection with their education is protected and expectations
11of privacy are honored.
12    (b) In this Section:
13    "Breach" means the unauthorized acquisition of
14computerized data that compromises the security,
15confidentiality, or integrity of personally identifiable
16information, student data, or a school student record.
17    "Eligible student" has the meaning set forth in the
18Illinois School Student Records Act.
19    "Parent" has the meaning set forth in the Illinois School
20Student Records Act.
21    "Personally identifiable information" has the meaning set
22forth in the Illinois School Student Records Act.
23    "Profile" means a file or other mechanism used to collect,
24retain, and use student data or other information by which to
25identify or otherwise keep track of an individual student or
26group of students.

 

 

HB0332- 3 -LRB100 04231 MLM 14237 b

1    "Record" has the meaning set forth in the Illinois School
2Student Records Act.
3    "School" has the meaning set forth in the Illinois School
4Student Records Act.
5    "School authority" has the meaning set forth in the
6Illinois School Student Records Act.
7    "School purpose" means any activity that is directed by or
8takes place at the direction of a school authority. Advertising
9that is not otherwise specifically authorized in this Section
10is not a school purpose.
11    "School student record" has the meaning set forth in the
12Illinois School Student Records Act.
13    "State Board" means the State Board of Education.
14    "Student" has the meaning set forth in the Illinois School
15Student Records Act.
16    "Student data" means any information or records regarding a
17student collected by or provided to a vendor for or in
18connection with a school purpose, including personally
19identifiable information and information that is linked to
20personally identifiable information. "Student data" does not
21include aggregated information or records to the extent no
22student may be individually identified therefrom in any manner
23whatsoever or other information or records that do not include
24personally identifiable information or other data by which a
25student may be identified in any manner whatsoever. "Student
26data" does include aggregated information or records that are

 

 

HB0332- 4 -LRB100 04231 MLM 14237 b

1capable of being de-aggregated or reconstructed to the point
2that any student may be individually identified therefrom.
3    "Targeted advertising" means advertising to an individual
4student or group of students in which the advertisements are
5selected based on a known or assumed trait of the student or
6group of students or information obtained or inferred from the
7student's or group of students' online behavior within a
8vendor's product or service or the student's or group of
9students' use of a vendor's products or services. This term
10does not include:
11        (1) information sent by a vendor to a specific
12    individual or group of individuals to advise them of
13    updates or improvements to products, sites, or services
14    that are already being utilized by the individual or group
15    of individuals, provided that the school authority or the
16    individual or group of individuals have consented to
17    receiving information about updates and improvements; or
18        (2) school purpose advertisements at an online
19    location based on a student's current visit to that
20    location without collection and retention of the student's
21    online activities over time.
22    "Vendor" means any entity that, for a fee or free of
23charge:
24        (1) provides a product or service to a school authority
25    that collects, retains, or uses student data;
26        (2) designs or markets a product or service for use by

 

 

HB0332- 5 -LRB100 04231 MLM 14237 b

1    a school authority that collects, retains, or uses student
2    data; or
3        (3) knows or reasonably should know that a product or
4    service that collects, retains, or uses student data will
5    be used for a school purpose.
6    (c) It shall be unlawful for any vendor in possession of
7student data or any subcontractor, agent, independent
8contractor, or other entity that receives student data from a
9vendor to:
10        (1) engage in targeted advertising based in whole or in
11    part on student data;
12        (2) sell, lease, provide, or rent student data to any
13    person, entity, or third party other than the school
14    authority or State Board, unless there has been a purchase,
15    merger, or other type of acquisition of the vendor by
16    another entity, in which case the sale of previously
17    collected student data is permitted, provided that the
18    successor entity agrees in writing to be subject to and
19    bound by the provisions of this Section and any agreement
20    governed by this Section and a copy of the successor
21    entity's agreement with the vendor that relates to this
22    Section is provided to the school authority, redacted to
23    prevent disclosure of confidential or proprietary
24    information;
25        (3) exercise or claim any rights, implied or otherwise,
26    to any student data, unless otherwise authorized by this

 

 

HB0332- 6 -LRB100 04231 MLM 14237 b

1    Section;
2        (4) disclose or otherwise allow any third party to have
3    access to student data, unless such disclosure is:
4            (A) made only in furtherance of a school purpose
5        and the recipient of the student data is legally
6        required to comply with this Section;
7            (B) to the extent permitted by federal law, to law
8        enforcement to protect the safety of users or others or
9        the security or integrity of the vendor's service;
10            (C) required by court order or State or federal
11        law;
12            (D) made in connection with research being
13        conducted pursuant to and in compliance with
14        subsection (a-5) of Section 6 of the Illinois School
15        Student Records Act;
16            (E) to ensure legal or regulatory compliance; or
17            (F) to a subcontractor, agent, independent
18        contractor or other entity, for the purposes of
19        enabling the vendor to meet its contractual
20        obligations to the school authority, that first
21        acknowledges in writing that it has read and
22        understands the requirements of this Section and
23        agrees in writing to be bound by its provisions and the
24        terms of any agreement entered into between the vendor
25        and the school authority, with a copy of such written
26        acknowledgement and agreement being provided to the

 

 

HB0332- 7 -LRB100 04231 MLM 14237 b

1        school authority;
2        (5) create, generate, or otherwise amass a profile
3    about any student if the profile is based on any student
4    data, for any purpose other than a school purpose;
5        (6) require a school authority or its employees,
6    agents, volunteers, or students to indemnify a vendor or
7    pay the vendor's attorney's fees or costs in connection
8    with any dispute arising out of or otherwise connected to
9    student data, except in the case of willful or wanton
10    conduct by a school authority or its employee or agent, in
11    which case indemnification by the school authority may be
12    permitted;
13        (7) require a school authority or its employees,
14    agents, volunteers, or students to arbitrate any dispute
15    arising out of or otherwise connected to student data;
16        (8) enter into any agreement with a school authority
17    that authorizes in any manner activities prohibited by this
18    Section; and
19        (9) modify or otherwise alter the terms and conditions
20    of any agreement with a school authority related to student
21    data without the express consent of the school authority or
22    its designee, which may not be the vendor.
23    (d) Any vendor who receives any student data in any manner
24shall:
25        (1) implement and maintain appropriate administrative,
26    physical, and technical safeguards to secure the student

 

 

HB0332- 8 -LRB100 04231 MLM 14237 b

1    data from unauthorized access, destruction, use,
2    modification, or disclosure in a manner that is at least as
3    protective as any rules adopted by the State Board and any
4    guidance provided by the United States Department of
5    Education Privacy and Technical Assistance Center;
6        (2) within the most expedient time possible and without
7    unreasonable delay, notify the school authority of any
8    breach, regardless of whether it is the school authority's
9    student data;
10        (3) to the extent feasible, delete the student data,
11    school student record, or personally identifiable
12    information of a specific student at the request of the
13    student's school or school authority;
14        (4) designate an officer or employee as a responsible
15    person who shall be trained in a manner so as to ensure
16    compliance with this Section and ensure the security and
17    confidentiality of student data and who shall work with the
18    official records custodian of the school authority under
19    subsection (a) of Section 4 of the Illinois School Student
20    Records Act;
21        (5) unless otherwise required by federal or State law,
22    within a reasonable amount of time after the completion or
23    termination of the terms of any agreement with a school
24    authority under which a vendor gained access to student
25    data, not to exceed 60 days:
26            (A) delete or return to the school authority all

 

 

HB0332- 9 -LRB100 04231 MLM 14237 b

1        student data, unless the student data is stored on a
2        backup tape or other backup medium, in which case the
3        data shall be overwritten in the most expedient manner
4        possible in the normal course of business; and
5            (B) provide a written certification that such
6        deletion has occurred;
7        (6) if directed by the school authority, correct or
8    delete student data that the student's parents or guardians
9    or the eligible student would be permitted to access and
10    correct in the student's school student records with the
11    school authority under federal or State law;
12        (7) permit a school authority or its designee to audit
13    and inspect, on an annual basis or after any breach, the
14    vendor's practices with respect to any student data
15    received by the vendor from the school authority or any
16    student profiles, provided that this requirement shall be
17    satisfied if the vendor provides the school authority with
18    an independent, third-party audit acceptable to the school
19    authority that has been conducted within the previous 12
20    months or, in the case of a breach, within 3 months after
21    the breach;
22        (8) permit the school authority access to any student
23    data provided by the school authority, provided that the
24    student data is stored with the vendor, in order for the
25    school authority to comply with any law that may require
26    disclosure;

 

 

HB0332- 10 -LRB100 04231 MLM 14237 b

1        (9) consistent with the provisions of this Section, be
2    permitted to diagnose, evaluate, or correct problems with
3    or otherwise modify or improve the vendor's product or
4    service;
5        (10) be permitted to use student data that does not
6    contain any personally identifiable information and has
7    otherwise been stripped of or does not contain identifying
8    information for the purpose of:
9            (A) adaptive, personalized, or customized
10        learning;
11            (B) demonstrating the effectiveness of the product
12        or service; or
13            (C) developing, supporting, and improving
14        educational sites, services, or applications;
15        (11) agree that any dispute arising out of or otherwise
16    connected to student data shall be litigated using Illinois
17    law, the proper venue is in the county or federal court
18    district in which the school district is located, and the
19    court in the proper venue shall have jurisdiction over the
20    vendor; and
21        (12) agree that the student data continues to be the
22    property of and under the control of the school authority
23    and that the vendor has a limited, nonexclusive license to
24    the student data solely for the purpose of performing its
25    obligations under the agreement required by subsection (e)
26    of this Section or supporting, maintaining, diagnosing, or

 

 

HB0332- 11 -LRB100 04231 MLM 14237 b

1    improving the vendor's product or service.
2    (e) Any vendor who seeks to receive from a school authority
3or the State Board in any manner any student data is required
4to enter into a written agreement with the school authority
5before any records may be transferred, which agreement shall
6contain the following:
7        (1) provisions consistent with each prohibition or
8    requirement set forth in subsections (c) and (d) of this
9    Section;
10        (2) a listing of the categories or types of student
11    data to be provided to the vendor;
12        (3) a statement of the product or service being
13    provided to the school authority by the vendor;
14        (4) a statement that the vendor is acting as a school
15    official with a legitimate educational interest, is
16    performing an institutional service or function for which
17    the school authority would otherwise use employees, under
18    the direct control of the school authority with respect to
19    the use and maintenance of student data, and is using such
20    student data only for an authorized purpose and will not
21    re-disclose it to third parties or affiliates, unless
22    otherwise permitted under this Section, without permission
23    from the school authority or pursuant to court order;
24        (5) a description of the actions the vendor will take,
25    including a description of the training the vendor will
26    provide to anyone who will receive or have access to

 

 

HB0332- 12 -LRB100 04231 MLM 14237 b

1    student data, to ensure the security and confidentiality of
2    student data; compliance with this subdivision (5) shall
3    not, in itself, absolve the vendor of liability in the
4    event of an unauthorized disclosure of student data; and
5        (6) a statement that the agreement is the entire
6    agreement between the school authority, including school
7    authority employees and other end users, and the vendor.
8    (f) Each school authority shall adopt a policy regarding
9which school employees have the power to bind the school
10authority to the terms of any non-verbal agreements, whether
11electronic, click-through, click-wrap, or in writing and
12require an original copy of each agreement's terms and
13conditions to be maintained at the school authority's primary
14place of business. Each school authority shall prohibit
15individual school employees not authorized to bind the school
16authority to such agreements from entering into any agreement
17with vendors without written authorization from the school
18authority and require that any school entering into any
19agreement with a vendor is subject to the requirements of this
20Section and that oral agreements are prohibited. Any oral
21agreement is void as against public policy. If a vendor enters
22into an agreement with an employee or other end users who are
23not authorized through the school authority's policy to enter
24into such an agreement, then the school authority shall have
25the authority to unilaterally cancel the agreement. This
26Section shall not be construed to limit individual school

 

 

HB0332- 13 -LRB100 04231 MLM 14237 b

1employees outside of the scope of their employment from
2entering into agreements with vendors on their own behalf and
3for a non-school purpose, provided that no student data is
4provided to the vendors.
5    (g) The State Board shall create, publish, and make
6publicly available all categories of data collected by the
7State Board that contain personally identifiable information.
8    (h) In the event of a breach resulting, in whole or in
9part, from the vendor's conduct, in addition to any other
10remedies available to the school authority under law or equity,
11the vendor shall reimburse the school authority in full for all
12reasonable costs and expenses incurred by the school authority
13as a result of the vendor's conduct in investigating and
14remediating the breach, including, but not limited to:
15        (1) providing notification to those students whose
16    personally identifiable information was compromised, to
17    their parents or guardians in the event a student is under
18    the age of 18, and to regulatory agencies or other entities
19    as required by law or contract;
20        (2) providing one year's credit monitoring to those
21    students and eligible students whose student data was
22    exposed in such a manner during the breach that a
23    reasonable person would have cause to believe that it could
24    impact his or her credit or financial security;
25        (3) legal fees, audit costs, fines, and other fees or
26    damages imposed against the school authority as a result of

 

 

HB0332- 14 -LRB100 04231 MLM 14237 b

1    the security breach; and
2        (4) providing any other notifications or fulfilling
3    any other requirements adopted by the State Board or under
4    State or federal laws.
5    (i) The State Board shall develop, publish, and make
6publicly available model student data privacy policies and
7procedures that comply with relevant State and federal law.
8    (j) Within 180 days after the effective date of this
9amendatory Act of the 100th General Assembly, the State Board
10shall create a model notice that school authorities shall use
11to provide notice to parents, guardians, and eligible students
12about vendors. It shall be titled "Student Data Shared With
13Vendors" and state, in general terms, what types of student
14data are collected by the school authority and shared with
15vendors under this Section and the purposes of collecting and
16using the student data. Upon the creation of the notice
17described in this subsection (j), a school authority shall, at
18the beginning of each school year, provide such notice to
19parents, guardians, and eligible students by the same means
20generally used to send notices to them.
21    (k) In addition to any other penalties, any agreement
22governed by this Section that fails to comply with the
23requirements of this Section shall be rendered void if, upon
24notice and a reasonable opportunity to cure, the noncompliant
25party fails to cure any defect. Written notice of noncompliance
26may be provided by either party to the agreement. Any vendor

 

 

HB0332- 15 -LRB100 04231 MLM 14237 b

1subject to an agreement voided under this subsection (k) is
2required, within 60 days, to delete or return to the school
3authority all student data and information contained in student
4profiles and, in the event of deletion, provide a written
5certification that such deletion has occurred. Any vendor that
6fails to cure any defect in the agreement is not be entitled to
7any further payment required under the agreement and shall
8return to the school authority all payments made from the date
9of notification of non-compliance by the school authority.
10    (l) Nothing in this Section shall be construed to:
11        (1) restrict adaptive, personalized, or customized
12    learning, subject to the requirements of this Section;
13        (2) prohibit a vendor from complying with its
14    obligations under federal or State law;
15        (3) impose a duty on a provider of an interactive
16    computer service, as defined in Chapter 5 of Title 47 of
17    the United States Code, to review or enforce compliance
18    with this Section by third-party content providers,
19    provided that this subdivision (3) has no impact on the
20    obligations of vendors;
21        (4) impose a duty on a provider of an electronic store,
22    a gateway, a marketplace, or any other means of purchasing
23    or downloading software or applications to review or
24    enforce compliance with this Section, unless the provider
25    described in this subdivision (4) is also a vendor subject
26    to the provisions of this Section or has a financial

 

 

HB0332- 16 -LRB100 04231 MLM 14237 b

1    interest in or control over a vendor subject to the
2    provisions of this Section;
3        (5) impede the ability of students to download,
4    transfer, or otherwise save or maintain their own student
5    data, provided that nothing in this subdivision (5) shall
6    allow a vendor to circumvent or engage in conduct
7    prohibited by this Section;
8        (6) limit Internet service providers from providing
9    Internet connectivity to school authorities, students, and
10    students' parents or guardians, provided that the
11    provision of such Internet connectivity does not violate
12    any of the provisions of this Section; and
13        (7) apply to an entity acting entirely outside of its
14    vendor capacity.
 
15    Section 10. The Illinois School Student Records Act is
16amended by changing Sections 2, 6, and 9 as follows:
 
17    (105 ILCS 10/2)  (from Ch. 122, par. 50-2)
18    Sec. 2. As used in this Act: ,
19    "Biometric information" has the meaning set forth in
20subsection (a) of Section 10-20.40 of the School Code.
21    "Eligible student" means a student who has reached 18 years
22of age or is attending a post-secondary educational
23institution.
24    "Parent" means a person who is the natural parent of a

 

 

HB0332- 17 -LRB100 04231 MLM 14237 b

1student or other person who has the primary responsibility for
2the care and upbringing of a student. All rights and privileges
3accorded to a parent under this Act shall become exclusively
4those of the student upon his or her 18th birthday or upon
5attendance at a post-secondary educational institution. Such
6rights and privileges may also be exercised by the student at
7any time with respect to the student's permanent school record.
8    "Personally identifiable information" means any data
9concerning a student by which a student may be individually or
10personally identified and includes, but is not limited to:
11        (1) the student's name;
12        (2) the name of the student's parent or other family
13    members;
14        (3) the address of the student or the student's family;
15        (4) a personal identifier, such as the student's social
16    security number, student number, or biometric information;
17        (5) other indirect identifiers, such as the student's
18    date of birth, place of birth, or mother's maiden name;
19        (6) other information that, alone or in combination, is
20    linked or linkable to a specific student and that would
21    allow a reasonable person in the school community who does
22    not have personal knowledge of the relevant circumstances
23    to identify the student with reasonable certainty; or
24        (7) information requested by a person whom a school
25    reasonably believes knows the identity of the student to
26    whom the school student record relates.

 

 

HB0332- 18 -LRB100 04231 MLM 14237 b

1    "Record" means any information maintained in any way,
2including, but not limited to, electronically-generated data,
3handwriting, print, computer media, video or audio tape, film,
4microfilm, and microfiche.
5    "Research entity" means an accredited post-secondary
6educational institution or an organization conducting research
7for or on behalf of a school authority or the State Board.
8    "Research study" means the gathering of data, information,
9and facts by a research entity for the advancement of
10knowledge.
11    "School" means any preschool, day care center,
12kindergarten, nursery, elementary or secondary educational
13institution, vocational school, special education facility, or
14other elementary or secondary educational agency or
15institution that receives public funds, as well as any person,
16agency, or institution that maintains school student records
17from more than one school, but does not include a private or
18non-public school.
19    "School authority" means any school board, school
20district, board of directors, or other governing body of a
21school established under the School Code or through any other
22means.
23    "School student record" means any writing or other recorded
24information concerning a student by which a student may be
25individually or personally identified that is maintained by a
26school or at its direction or by an employee of a school,

 

 

HB0332- 19 -LRB100 04231 MLM 14237 b

1regardless of how or where the information is stored. Writings
2or other recorded information maintained by an employee of a
3school or other person at the direction of a school for his or
4her exclusive use shall not be deemed school student records
5under this Act; provided that all such writings and other
6recorded information are destroyed not later than the student's
7graduation or permanent withdrawal from the school and provided
8further that no such records or recorded information may be
9released or disclosed to any person except a person designated
10by the school as a substitute, unless they are first
11incorporated in a school student record and made subject to all
12of the provisions of this Act. "School student record" does not
13include information maintained by law enforcement
14professionals working in the school.
15    "State Board" means the State Board of Education.
16    "Student" means any person enrolled or previously enrolled
17in a school.
18    "Student permanent record" means the minimum personal
19information necessary to a school in the education of a student
20and contained in a school student record. Such information may
21include the student's name, birth date, address, grades and
22grade level, parents' names and addresses, and attendance
23records and such other entries as the State Board may require
24or authorize.
25    "Student temporary record" means all information contained
26in a school student record but not contained in the student

 

 

HB0332- 20 -LRB100 04231 MLM 14237 b

1permanent record. Such information may include family
2background information, intelligence test scores, aptitude
3test scores, psychological and personality test results,
4teacher evaluations, and other information of clear relevance
5to the education of the student, all subject to rules of the
6State Board. The information shall include information
7provided under Section 8.6 of the Abused and Neglected Child
8Reporting Act and information regarding serious disciplinary
9infractions that resulted in expulsion, suspension, or the
10imposition of a punishment or sanction. For purposes of this
11definition, "serious disciplinary infractions" means
12infractions involving drugs, weapons, or bodily harm to
13another.
14    (a) "Student" means any person enrolled or previously
15enrolled in a school.
16    (b) "School" means any public preschool, day care center,
17kindergarten, nursery, elementary or secondary educational
18institution, vocational school, special educational facility
19or any other elementary or secondary educational agency or
20institution and any person, agency or institution which
21maintains school student records from more than one school, but
22does not include a private or non-public school.
23    (c) "State Board" means the State Board of Education.
24    (d) "School Student Record" means any writing or other
25recorded information concerning a student and by which a
26student may be individually identified, maintained by a school

 

 

HB0332- 21 -LRB100 04231 MLM 14237 b

1or at its direction or by an employee of a school, regardless
2of how or where the information is stored. The following shall
3not be deemed school student records under this Act: writings
4or other recorded information maintained by an employee of a
5school or other person at the direction of a school for his or
6her exclusive use; provided that all such writings and other
7recorded information are destroyed not later than the student's
8graduation or permanent withdrawal from the school; and
9provided further that no such records or recorded information
10may be released or disclosed to any person except a person
11designated by the school as a substitute unless they are first
12incorporated in a school student record and made subject to all
13of the provisions of this Act. School student records shall not
14include information maintained by law enforcement
15professionals working in the school.
16    (e) "Student Permanent Record" means the minimum personal
17information necessary to a school in the education of the
18student and contained in a school student record. Such
19information may include the student's name, birth date,
20address, grades and grade level, parents' names and addresses,
21attendance records, and such other entries as the State Board
22may require or authorize.
23    (f) "Student Temporary Record" means all information
24contained in a school student record but not contained in the
25student permanent record. Such information may include family
26background information, intelligence test scores, aptitude

 

 

HB0332- 22 -LRB100 04231 MLM 14237 b

1test scores, psychological and personality test results,
2teacher evaluations, and other information of clear relevance
3to the education of the student, all subject to regulations of
4the State Board. The information shall include information
5provided under Section 8.6 of the Abused and Neglected Child
6Reporting Act. In addition, the student temporary record shall
7include information regarding serious disciplinary infractions
8that resulted in expulsion, suspension, or the imposition of
9punishment or sanction. For purposes of this provision, serious
10disciplinary infractions means: infractions involving drugs,
11weapons, or bodily harm to another.
12    (g) "Parent" means a person who is the natural parent of
13the student or other person who has the primary responsibility
14for the care and upbringing of the student. All rights and
15privileges accorded to a parent under this Act shall become
16exclusively those of the student upon his 18th birthday,
17graduation from secondary school, marriage or entry into
18military service, whichever occurs first. Such rights and
19privileges may also be exercised by the student at any time
20with respect to the student's permanent school record.
21(Source: P.A. 92-295, eff. 1-1-02.)
 
22    (105 ILCS 10/6)  (from Ch. 122, par. 50-6)
23    Sec. 6. (a) No school student records or information
24contained therein may be released, transferred, disclosed or
25otherwise disseminated, except as follows:

 

 

HB0332- 23 -LRB100 04231 MLM 14237 b

1        (1) to a parent or student or person specifically
2    designated as a representative by a parent, as provided in
3    paragraph (a) of Section 5;
4        (2) to an employee or official of the school or school
5    district or State Board with current demonstrable
6    educational or administrative interest in the student, in
7    furtherance of such interest;
8        (3) to the official records custodian of another school
9    within Illinois or an official with similar
10    responsibilities of a school outside Illinois, in which the
11    student has enrolled, or intends to enroll, upon the
12    request of such official or student;
13        (4) to any person for the purpose of research,
14    statistical reporting, or planning, provided that such
15    research, statistical reporting, or planning is
16    permissible under and undertaken in accordance with the
17    federal Family Educational Rights and Privacy Act (20
18    U.S.C. 1232g);
19        (5) pursuant to a court order, provided that the parent
20    shall be given prompt written notice upon receipt of such
21    order of the terms of the order, the nature and substance
22    of the information proposed to be released in compliance
23    with such order and an opportunity to inspect and copy the
24    school student records and to challenge their contents
25    pursuant to Section 7;
26        (6) to any person as specifically required by State or

 

 

HB0332- 24 -LRB100 04231 MLM 14237 b

1    federal law;
2        (6.5) to juvenile authorities when necessary for the
3    discharge of their official duties who request information
4    prior to adjudication of the student and who certify in
5    writing that the information will not be disclosed to any
6    other party except as provided under law or order of court.
7    For purposes of this Section "juvenile authorities" means:
8    (i) a judge of the circuit court and members of the staff
9    of the court designated by the judge; (ii) parties to the
10    proceedings under the Juvenile Court Act of 1987 and their
11    attorneys; (iii) probation officers and court appointed
12    advocates for the juvenile authorized by the judge hearing
13    the case; (iv) any individual, public or private agency
14    having custody of the child pursuant to court order; (v)
15    any individual, public or private agency providing
16    education, medical or mental health service to the child
17    when the requested information is needed to determine the
18    appropriate service or treatment for the minor; (vi) any
19    potential placement provider when such release is
20    authorized by the court for the limited purpose of
21    determining the appropriateness of the potential
22    placement; (vii) law enforcement officers and prosecutors;
23    (viii) adult and juvenile prisoner review boards; (ix)
24    authorized military personnel; (x) individuals authorized
25    by court;
26        (7) subject to regulations of the State Board, in

 

 

HB0332- 25 -LRB100 04231 MLM 14237 b

1    connection with an emergency, to appropriate persons if the
2    knowledge of such information is necessary to protect the
3    health or safety of the student or other persons;
4        (8) to any person, with the prior specific dated
5    written consent of the parent designating the person to
6    whom the records may be released, provided that at the time
7    any such consent is requested or obtained, the parent shall
8    be advised in writing that he has the right to inspect and
9    copy such records in accordance with Section 5, to
10    challenge their contents in accordance with Section 7 and
11    to limit any such consent to designated records or
12    designated portions of the information contained therein;
13        (9) to a governmental agency, or social service agency
14    contracted by a governmental agency, in furtherance of an
15    investigation of a student's school attendance pursuant to
16    the compulsory student attendance laws of this State,
17    provided that the records are released to the employee or
18    agent designated by the agency;
19        (10) to those SHOCAP committee members who fall within
20    the meaning of "state and local officials and authorities",
21    as those terms are used within the meaning of the federal
22    Family Educational Rights and Privacy Act, for the purposes
23    of identifying serious habitual juvenile offenders and
24    matching those offenders with community resources pursuant
25    to Section 5-145 of the Juvenile Court Act of 1987, but
26    only to the extent that the release, transfer, disclosure,

 

 

HB0332- 26 -LRB100 04231 MLM 14237 b

1    or dissemination is consistent with the Family Educational
2    Rights and Privacy Act;
3        (11) to the Department of Healthcare and Family
4    Services in furtherance of the requirements of Section
5    2-3.131, 3-14.29, 10-28, or 34-18.26 of the School Code or
6    Section 10 of the School Breakfast and Lunch Program Act;
7    or
8        (12) to the State Board or another State government
9    agency or between or among State government agencies in
10    order to evaluate or audit federal and State programs or
11    perform research and planning, but only to the extent that
12    the release, transfer, disclosure, or dissemination is
13    consistent with the federal Family Educational Rights and
14    Privacy Act (20 U.S.C. 1232g).
15    (a-5) Pursuant to subparagraph (4) of paragraph (a) of this
16Section, a school authority or the State Board may provide
17school student records to researchers at a research entity
18conducting research for, or on behalf of, a school, school
19authority, or the State Board if any such research is conducted
20in accordance with the federal Family Educational Rights and
21Privacy Act and does not take place until the following
22requirements are complied with:
23        (1) For those school authorities that maintain a
24    website, the school authority shall maintain a webpage on
25    the website that contains a short description of all
26    current and scheduled research studies using personally

 

 

HB0332- 27 -LRB100 04231 MLM 14237 b

1    identifiable information obtained from the school
2    authority without obtaining consent from parents,
3    including the nature of each study, the categories of
4    students whose records will be used in each listed study,
5    and the names of all research entities involved in each
6    listed study. The school authority shall update the website
7    to include any new or approved research studies at least 3
8    months but not more than 4 months after issuing the notice
9    described in subparagraph (3) of this paragraph (a-5) and
10    again at least 6 months but not more than 7 months after
11    issuing the notice described in subparagraph (3) of this
12    paragraph (a-5).
13        (2) For those school authorities that do not maintain a
14    website, the school authority shall provide the
15    information described in subparagraph (1) of this
16    paragraph (a-5) in the same notice required in subparagraph
17    (3) of this paragraph (a-5). The school authority shall
18    provide supplemental notices that include any new or
19    approved research studies at least 3 months but not more
20    than 4 months after issuing the notice described in
21    subparagraph (3) of this paragraph (a-5) and again at least
22    6 months but not more than 7 months after issuing the
23    notice described in subparagraph (3) of this paragraph
24    (a-5).
25        (3) Prior to the beginning of each school year, the
26    school authority shall provide notice to parents,

 

 

HB0332- 28 -LRB100 04231 MLM 14237 b

1    guardians and eligible students regarding current and
2    scheduled research studies using personally identifiable
3    information obtained from the school authority without
4    obtaining consent from parents. The notice shall be sent by
5    the same means generally used to send notices to parent,
6    guardians, and eligible students and shall contain the
7    following:
8            (A) the general purposes of conducting the
9        educational research;
10            (B) the website address containing the information
11        described in subparagraph (1) of this paragraph (a-5),
12        if applicable, which website address shall also be set
13        forth in the school authority's student handbook; and
14            (C) that the State Board conducts research studies
15        and shall provide the website address for that part of
16        the State Board's website that contains a list of the
17        current and scheduled research studies to be
18        conducted.
19        (4) A written data use agreement that complies with the
20    federal Family Educational Rights and Privacy Act and its
21    accompanying regulations and, at a minimum, contains the
22    following provisions is entered into by and between the
23    party gaining access to the records of the school authority
24    or State Board and the entity with the legal authority to
25    permit the use of the data:
26            (A) The research entity has read, understands, and

 

 

HB0332- 29 -LRB100 04231 MLM 14237 b

1        will abide by all requirements of this paragraph (a-5).
2            (B) A statement of the purpose, scope, and duration
3        of the research study or studies, as well as a
4        description of the records to be used as part of the
5        study and the person or persons to whom the records
6        will be disclosed, provided that the list of persons to
7        whom the records may be disclosed may be amended from
8        time to time with the agreement of all parties to the
9        data use agreement.
10            (C) The research entity shall use school student
11        records only to meet the purpose or purposes of the
12        study as set forth in subdivision (B) of this
13        subparagraph (4).
14            (D) The research entity may only use records
15        containing personally identifiable information of a
16        student or by which a student may otherwise be
17        individually or personally identified: (i) to link
18        school student records of particular students to other
19        records of the same students or (ii) to identify
20        eligible students for research studies for which
21        written parental, guardian, or eligible student
22        consent will be obtained for participation and the
23        person or persons to whom such information will be
24        disclosed is set forth in the data use agreement.
25            (E) The research entity shall destroy all records
26        containing personally identifiable information of a

 

 

HB0332- 30 -LRB100 04231 MLM 14237 b

1        student or that otherwise individually or personally
2        identifies a student when the information is no longer
3        needed, but in no event later than 36 months after the
4        research study has been completed.
5            (F) The research entity shall certify in writing
6        that it has the capacity to and shall restrict access
7        to school student records to the person or persons set
8        forth in subdivision (b) of this subparagraph (4).
9            (G) The research entity shall certify in writing
10        that it shall maintain the security of all records
11        received pursuant to this paragraph (a-5) in
12        compliance with rules adopted by the State Board, which
13        rules shall be consistent and regularly updated to
14        comply with commonly accepted data-security practices,
15        including, but not limited to, those set forth by the
16        United States Department of Education Privacy
17        Technical Assistance Center.
18            (H) In compliance with the rules adopted pursuant
19        to subdivision (g) of this subparagraph (4) and any
20        other rules that may be necessary and adopted by the
21        State Board, the research entity shall develop,
22        implement, maintain, and use appropriate
23        administrative, technical, and physical security
24        measures to preserve the confidentiality and integrity
25        of all school student records.
26        (5) Research entities may only use records containing

 

 

HB0332- 31 -LRB100 04231 MLM 14237 b

1    personally identifiable information of a student or by
2    which a student may otherwise be personally or individually
3    identified: (i) to link school student records of
4    particular students to other records of the same students
5    or (ii) to identify eligible students for research studies
6    for which written parental, guardian, or eligible student
7    consent will be obtained for participation and the person
8    or persons to whom such information will be disclosed is
9    set forth in the data use agreement.
10        (6) The research entity shall use personally
11    identifiable information from school student records only
12    to meet the purpose or purposes of the research study or
13    studies as stated in the data use agreement described in
14    subparagraph (4).
15        (7) Any information by which a student may be
16    individually or personally identified shall be released,
17    transferred, disclosed, or otherwise disseminated only as
18    contemplated by the written data use agreement described in
19    subparagraph (4).
20        (8) All school student records shall have personally
21    identifiable information removed prior to analysis by the
22    research entity.
23        (9) The research entity shall implement and adhere to
24    policies and procedures that restrict access to records
25    that have personally identifiable information.
26            (A) The research entity shall designate an

 

 

HB0332- 32 -LRB100 04231 MLM 14237 b

1        individual to act as the custodian of the records with
2        personally identifiable information who is responsible
3        for restricting access to those records and provide the
4        name of that individual to the entity with the legal
5        authority to permit the use of the records.
6            (B) Any personally identifiable information used
7        to link school student records of particular students
8        to other records of the same students shall be securely
9        stored in a location separate and apart from the
10        location of the school student records that have had
11        personally identifiable data removed.
12    Nothing in this subparagraph (a-5) shall prohibit the State
13Board or any school authority from providing personally
14identifiable information about individual students to a
15research entity pursuant to a specific, written agreement with
16a school authority or State Board and in accordance with the
17federal Family Educational Rights and Privacy Act, where
18necessary for the school board or State Board to comply with
19State or federal statutory mandates.
20    (b) No information may be released pursuant to subparagraph
21(3) or (6) of paragraph (a) of this Section 6 unless the parent
22receives prior written notice of the nature and substance of
23the information proposed to be released, and an opportunity to
24inspect and copy such records in accordance with Section 5 and
25to challenge their contents in accordance with Section 7.
26Provided, however, that such notice shall be sufficient if

 

 

HB0332- 33 -LRB100 04231 MLM 14237 b

1published in a local newspaper of general circulation or other
2publication directed generally to the parents involved where
3the proposed release of information is pursuant to subparagraph
4(6) of paragraph (a) of this Section 6 and relates to more than
525 students.
6    (c) A record of any release of information pursuant to this
7Section must be made and kept as a part of the school student
8record and subject to the access granted by Section 5. Such
9record of release shall be maintained for the life of the
10school student records and shall be available only to the
11parent and the official records custodian. Each record of
12release shall also include:
13        (1) the nature and substance of the information
14    released;
15        (2) the name and signature of the official records
16    custodian releasing such information;
17        (3) the name of the person requesting such information,
18    the capacity in which such a request has been made, and the
19    purpose of such request;
20        (4) the date of the release; and
21        (5) a copy of any consent to such release.
22    (d) Except for the student and his parents, no person to
23whom information is released pursuant to this Section and no
24person specifically designated as a representative by a parent
25may permit any other person to have access to such information
26without a prior consent of the parent obtained in accordance

 

 

HB0332- 34 -LRB100 04231 MLM 14237 b

1with the requirements of subparagraph (8) of paragraph (a) of
2this Section.
3    (e) Nothing contained in this Act shall prohibit the
4publication of student directories which list student names,
5addresses and other identifying information and similar
6publications which comply with regulations issued by the State
7Board.
8(Source: P.A. 99-78, eff. 7-20-15.)
 
9    (105 ILCS 10/9)  (from Ch. 122, par. 50-9)
10    Sec. 9. (a) Any person aggrieved by any violation of this
11Act may institute an action for injunctive relief in the
12Circuit Court of the County in which the violation has occurred
13or the Circuit Court of the County in which the school is
14located.
15    (b) Any person injured by a wilful or negligent violation
16of this Act may institute an action for damages in the Circuit
17Court of the County in which the violation has occurred or the
18Circuit Court of the County in which the school is located.
19    (c) In the case of any successful action under paragraph
20(a) or (b) of this Section, any person or school found to have
21wilfully or negligently violated any provision of this Act is
22liable to the plaintiff for the plaintiff's damages, the costs
23of the action and reasonable attorneys' fees, as determined by
24the Court.
25    (d) Actions for injunctive relief to secure compliance with

 

 

HB0332- 35 -LRB100 04231 MLM 14237 b

1this Act may be brought by the State Board, by the State's
2Attorney of the County in which the alleged violation has
3occurred or the State's Attorney of the County in which the
4school is located, in each case in the Circuit Court of such
5County.
6    (e) Wilful failure to comply with any Section of this Act
7is a petty offense; except that any person who wilfully and
8maliciously falsifies any school student record, student
9permanent record or student temporary record shall be guilty of
10a Class A misdemeanor.
11    (f) Absent proof of malice, no cause of action or claim for
12relief, civil or criminal, may be maintained against any
13school, or employee or official of a school or person acting at
14the direction of a school for any statement made or judgment
15expressed in any entry to a school student record of a type
16which does not violate this Act or the regulations issued by
17the State Board pursuant to this Act; provided that this
18paragraph (f) does not limit or deny any defense available
19under existing law.
20    (g) In addition to any other penalties and remedies
21provided by this Section, any research entity that is found in
22any civil, criminal, or administrative proceeding authorized
23by this Section to have violated the requirements of paragraph
24(a-5) of Section 6 of this Act shall immediately cease
25conducting any research that utilizes school student records
26and shall be prohibited from conducting additional research

 

 

HB0332- 36 -LRB100 04231 MLM 14237 b

1studies based on such records and information for a period of
212 months after the date of the discovery of the violation.
3    (h) In addition to any other penalties and remedies
4provided by this Section, any school authority that is found in
5any civil, criminal, or administrative proceeding authorized
6by this Section to have violated the requirements of paragraph
7(a-5) of Section 6 of this Act shall be prohibited from
8entering into a data use agreement with any research entity for
9a period of 12 months after the date of the discovery of the
10violation, and all existing data use agreements governed by
11paragraph (a-5) of Section 6 of this Act shall be voided.
12(Source: P.A. 84-712.)
 
13    Section 15. The Children's Privacy Protection and Parental
14Empowerment Act is amended by changing Section 5 as follows:
 
15    (325 ILCS 17/5)
16    Sec. 5. Definitions. As used in this Act:
17    "Child" means a person under the age of 18 16. "Child" does
18not include a minor emancipated by operation of law.
19    "Parent" means a parent, step-parent, or legal guardian.
20    "Personal information" means any of the following:
21        (1) A person's name.
22        (2) A person's address.
23        (3) A person's telephone number.
24        (4) A person's driver's license number or State of

 

 

HB0332- 37 -LRB100 04231 MLM 14237 b

1    Illinois identification card as assigned by the Illinois
2    Secretary of State or by a similar agency of another state.
3        (5) A person's social security number.
4        (6) Any other information that can be used to locate or
5    contact a specific individual.
6    "Personal information" does not include any of the
7following:
8        (1) Public records as defined by Section 2 of the
9    Freedom of Information Act.
10        (2) Court records.
11        (3) Information found in publicly available sources,
12    including newspapers, magazines, and telephone
13    directories.
14        (4) Any other information that is not known to concern
15    a child.
16(Source: P.A. 93-462, eff. 1-1-04.)