(105 ILCS 85/27)
    Sec. 27. School duties.
    (a) Each school shall post and maintain on its website or, if the school does not maintain a website, make available for inspection by the general public at its administrative office all of the following information:
        (1) An explanation, that is clear and understandable
    
by a layperson, of the data elements of covered information that the school collects, maintains, or discloses to any person, entity, third party, or governmental agency. The information must explain how the school uses, to whom or what entities it discloses, and for what purpose it discloses the covered information.
        (2) A list of operators that the school has written
    
agreements with, a copy of each written agreement, and a business address for each operator. A copy of a written agreement posted or made available by a school under this paragraph may contain redactions, as provided under subparagraph (F) of paragraph (4) of Section 15.
        (3) For each operator, a list of any subcontractors
    
to whom covered information may be disclosed or a link to a page on the operator's website that clearly lists that information, as provided by the operator to the school under paragraph (6) of Section 15.
        (4) A written description of the procedures that a
    
parent may use to carry out the rights enumerated under Section 33.
        (5) A list of any breaches of covered information
    
maintained by the school or breaches under Section 15 that includes, but is not limited to, all of the following information:
            (A) The number of students whose covered
        
information is involved in the breach, unless disclosing that number would violate the provisions of the Personal Information Protection Act.
            (B) The date, estimated date, or estimated date
        
range of the breach.
            (C) For a breach under Section 15, the name of
        
the operator.
        The school may omit from the list required under this
    
paragraph (5): (i) any breach in which, to the best of the school's knowledge at the time of updating the list, the number of students whose covered information is involved in the breach is less than 10% of the school's enrollment, (ii) any breach in which, at the time of posting the list, the school is not required to notify the parent of a student under subsection (d), (iii) any breach in which the date, estimated date, or estimated date range in which it occurred is earlier than July 1, 2021, or (iv) any breach previously posted on a list under this paragraph (5) no more than 5 years prior to the school updating the current list.
    The school must, at a minimum, update the items under paragraphs (1), (3), (4), and (5) no later than 30 calendar days following the start of a fiscal year and no later than 30 days following the beginning of a calendar year.
    (b) Each school must adopt a policy for designating which school employees are authorized to enter into written agreements with operators. This subsection may not be construed to limit individual school employees outside of the scope of their employment from entering into agreements with operators on their own behalf and for non-K through 12 school purposes, provided that no covered information is provided to the operators. Any agreement or contract entered into in violation of this Act is void and unenforceable as against public policy.
    (c) A school must post on its website or, if the school does not maintain a website, make available at its administrative office for inspection by the general public each written agreement entered into under this Act, along with any information required under subsection (a), no later than 10 business days after entering into the agreement.
    (d) After receipt of notice of a breach under Section 15 or determination of a breach of covered information maintained by the school, a school shall notify, no later than 30 calendar days after receipt of the notice or determination that a breach has occurred, the parent of any student whose covered information is involved in the breach. The notification must include, but is not limited to, all of the following:
        (1) The date, estimated date, or estimated date range
    
of the breach.
        (2) A description of the covered information that was
    
compromised or reasonably believed to have been compromised in the breach.
        (3) Information that the parent may use to contact
    
the operator and school to inquire about the breach.
        (4) The toll-free numbers, addresses, and websites
    
for consumer reporting agencies.
        (5) The toll-free number, address, and website for
    
the Federal Trade Commission.
        (6) A statement that the parent may obtain
    
information from the Federal Trade Commission and consumer reporting agencies about fraud alerts and security freezes.
    A notice of breach required under this subsection may be delayed if an appropriate law enforcement agency determines that the notification will interfere with a criminal investigation and provides the school with a written request for a delay of notice. A school must comply with the notification requirements as soon as the notification will no longer interfere with the investigation.
    (e) Each school must implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. Any written agreement under which the disclosure of covered information between the school and a third party takes place must include a provision requiring the entity to whom the covered information is disclosed to implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. The State Board must make available on its website a guidance document for schools pertaining to reasonable security procedures and practices under this subsection.
    (f) Each school may designate an appropriate staff person as a privacy officer, who may also be an official records custodian as designated under the Illinois School Student Records Act, to carry out the duties and responsibilities assigned to schools and to ensure compliance with the requirements of this Section and Section 26.
    (g) A school shall make a request, pursuant to paragraph (2) of Section 15, to an operator to delete covered information on behalf of a student's parent if the parent requests from the school that the student's covered information held by the operator be deleted, so long as the deletion of the covered information is not in violation of State or federal records laws.
    (h) This Section does not apply to nonpublic schools.
(Source: P.A. 101-516, eff. 7-1-21; 102-558, eff. 8-20-21.)