Illinois Compiled Statutes
(105 ILCS 85/27)
(This Section may contain text from a Public Act with a delayed effective date)
(a) Each school shall post and maintain on its website or, if the school does not maintain a website, make available for inspection by the general public at its administrative office all of the following information:
(1) An explanation, that is clear and understandable by a layperson, of the data elements of covered information that the school collects, maintains, or discloses to any person, entity, third party, or governmental agency. The information must explain how the school uses, to whom or what entities it discloses, and for what purpose it discloses the covered information.
(2) A list of operators that the school has written agreements with, a copy of each written agreement, and a business address for each operator. A copy of a written agreement posted or made available by a school under this paragraph may contain redactions, as provided under subparagraph (F) of paragraph (4) of Section 15.
(3) For each operator, a list of any subcontractors to whom covered information may be disclosed or a link to a page on the operator's website that clearly lists that information, as provided by the operator to the school under paragraph (6) of Section 15.
(4) A written description of the procedures that a parent may use to carry out the rights enumerated under Section 33.
(5) A list of any breaches of covered information maintained by the school or breaches under Section 15 that includes, but is not limited to, all of the following information:
(A) The number of students whose covered information is involved in the breach, unless disclosing that number would violate the provisions of the Personal Information Protection Act.
(B) The date, estimated date, or estimated date
(C) For a breach under Section 15, the name of
The school may omit from the list required under this paragraph (5) (i) any breach in which, to the best of the school's knowledge at the time of updating the list, the number of students whose covered information is involved in the breach is less than 10% of the school's enrollment, (ii) any breach in which, at the time of posting the list, the school is not required to notify the parent of a student under subsection (d), (iii) any breach in which the date, estimated date, or estimated date range in which it occurred is earlier than July 1, 2021, or (iv) any breach previously posted on a list under this paragraph (5) no more than 5 years prior to the school updating the current list.
The school must, at a minimum, update the items under paragraphs (1), (3), (4), and (5) no later than 30 calendar days following the start of a fiscal year and no later than 30 days following the beginning of a calendar year.
(b) Each school must adopt a policy for designating which school employees are authorized to enter into written agreements with operators. This subsection may not be construed to limit individual school employees outside of the scope of their employment from entering into agreements with operators on their own behalf and for non-K through 12 school purposes, provided that no covered information is provided to the operators. Any agreement or contract entered into in violation of this Act is void and unenforceable as against public policy.
(c) A school must post on its website or, if the school does not maintain a website, make available at its administrative office for inspection by the general public each written agreement entered into under this Act, along with any information required under subsection (a), no later than 10 business days after entering into the agreement.
(d) After receipt of notice of a breach under Section 15 or determination of a breach of covered information maintained by the school, a school shall notify, no later than 30 calendar days after receipt of the notice or determination that a breach has occurred, the parent of any student whose covered information is involved in the breach. The notification must include, but is not limited to, all of the following:
(1) The date, estimated date, or estimated date range
(2) A description of the covered information that was compromised or reasonably believed to have been compromised in the breach.
(3) Information that the parent may use to contact the operator and school to inquire about the breach.
(4) The toll-free numbers, addresses, and websites for consumer reporting agencies.
(5) The toll-free number, address, and website for the Federal Trade Commission.
(6) A statement that the parent may obtain information from the Federal Trade Commission and consumer reporting agencies about fraud alerts and security freezes.
A notice of breach required under this subsection may be delayed if an appropriate law enforcement agency determines that the notification will interfere with a criminal investigation and provides the school with a written request for a delay of notice. A school must comply with the notification requirements as soon as the notification will no longer interfere with the investigation.
(e) Each school must implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. Any written agreement under which the disclosure of covered information between the school and a third party takes place must include a provision requiring the entity to whom the covered information is disclosed to implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure. The State Board must make available on its website a guidance document for schools pertaining to reasonable security procedures and practices under this subsection.
(f) Each school may designate an appropriate staff person as a privacy officer, who may also be an official records custodian as designated under the Illinois School Student Records Act, to carry out the duties and responsibilities assigned to schools and to ensure compliance with the requirements of this Section and Section 26.
(g) A school shall make a request, pursuant to paragraph (2) of Section 15, to an operator to delete covered information on behalf of a student's parent if the parent requests from the school that the student's covered information held by the operator be deleted, so long as the deletion of the covered information is not in violation of State or federal records laws.
(h) This Section does not apply to nonpublic schools.
(Source: P.A. 101-516, eff. 7-1-21.)