(5 ILCS 179/10)
Sec. 10. Prohibited activities. (a) Beginning July 1, 2010, no person or State or local government agency may do any of the following:
(1) Publicly post or publicly display in any manner |
| an individual's social security number.
|
|
(2) Print an individual's social security number on
|
| any card required for the individual to access products or services provided by the person or entity.
|
|
(3) Require an individual to transmit his or her
|
| social security number over the Internet, unless the connection is secure or the social security number is encrypted.
|
|
(4) Print an individual's social security number on
|
| any materials that are mailed to the individual, through the U.S. Postal Service, any private mail service, electronic mail, or any similar method of delivery, unless State or federal law requires the social security number to be on the document to be mailed. Notwithstanding any provision in this Section to the contrary, social security numbers may be included in applications and forms sent by mail, including, but not limited to, any material mailed in connection with the administration of the Unemployment Insurance Act pursuant to the limitations and requirements of that Act, any material mailed in connection with any tax administered by the Department of Revenue, and documents sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the social security number. A social security number that may permissibly be mailed under this Section may not be printed, in whole or in part, on a postcard or other mailer that does not require an envelope or be visible on an envelope without the envelope having been opened.
|
|
(b) Except as otherwise provided in this Act, beginning July 1, 2010, no person or State or local government agency may do any of the following:
(1) Collect, use, or disclose a social security
|
| number from an individual, unless (i) required to do so under State or federal law, rules, or regulations, or the collection, use, or disclosure of the social security number is otherwise necessary for the performance of that agency's duties and responsibilities; (ii) the need and purpose for the social security number is documented before collection of the social security number; and (iii) the social security number collected is relevant to the documented need and purpose.
|
|
(2) Require an individual to use his or her social
|
| security number to access an Internet website.
|
|
(3) Use the social security number for any purpose
|
| other than the purpose for which it was collected.
|
|
(c) The prohibitions in subsection (b) do not apply in the following circumstances:
(1) The disclosure of social security numbers to
|
| agents, employees, contractors, or subcontractors of a governmental entity or disclosure by a governmental entity to another governmental entity or its agents, employees, contractors, or subcontractors if disclosure is necessary in order for the entity to perform its duties and responsibilities; and, if disclosing to a contractor or subcontractor, prior to such disclosure, the governmental entity must first receive from the contractor or subcontractor a copy of the contractor's or subcontractor's policy that sets forth how the requirements imposed under this Act on a governmental entity to protect an individual's social security number will be achieved.
|
|
(2) The disclosure of social security numbers
|
| pursuant to a court order, warrant, or subpoena.
|
|
(3) The collection, use, or disclosure of social
|
| security numbers in order to ensure the safety of: State and local government employees; persons committed to correctional facilities, local jails, and other law-enforcement facilities or retention centers; wards of the State; youth in care as defined in Section 4d of the Children and Family Services Act, and all persons working in or visiting a State or local government agency facility.
|
|
(4) The collection, use, or disclosure of social
|
| security numbers for internal verification or administrative purposes.
|
|
(5) The disclosure of social security numbers by a
|
| State agency to any entity for the collection of delinquent child support or of any State debt or to a governmental agency to assist with an investigation or the prevention of fraud.
|
|
(6) The collection or use of social security numbers
|
| to investigate or prevent fraud, to conduct background checks, to collect a debt, to obtain a credit report from a consumer reporting agency under the federal Fair Credit Reporting Act, to undertake any permissible purpose that is enumerated under the federal Gramm-Leach-Bliley Act, or to locate a missing person, a lost relative, or a person who is due a benefit, such as a pension benefit or an unclaimed property benefit.
|
|
(d) If any State or local government agency has adopted standards for the collection, use, or disclosure of social security numbers that are stricter than the standards under this Act with respect to the protection of those social security numbers, then, in the event of any conflict with the provisions of this Act, the stricter standards adopted by the State or local government agency shall control.
(Source: P.A. 102-26, eff. 6-25-21.)
|
(5 ILCS 179/35)
Sec. 35. Identity-protection policy; local government. (a) Each local government agency must draft and approve an identity-protection policy within 12 months after the effective date of this Act. The policy must do all of the following:
(1) Identify this Act.
(2) Require all employees of the local government |
| agency identified as having access to social security numbers in the course of performing their duties to be trained to protect the confidentiality of social security numbers. Training should include instructions on the proper handling of information that contains social security numbers from the time of collection through the destruction of the information.
|
|
(3) Direct that only employees who are required to
|
| use or handle information or documents that contain social security numbers have access to such information or documents.
|
|
(4) Require that social security numbers requested
|
| from an individual be provided in a manner that makes the social security number easily redacted if required to be released as part of a public records request.
|
|
(5) Require that, when collecting a social security
|
| number or upon request by the individual, a statement of the purpose or purposes for which the agency is collecting and using the social security number be provided.
|
|
(b) Each local government agency must file a written copy of its privacy policy with the governing board of the unit of local government within 30 days after approval of the policy. Each local government agency must advise its employees of the existence of the policy and make a copy of the policy available to each of its employees, and must also make its privacy policy available to any member of the public, upon request. If a local government agency amends its privacy policy, then that agency must file a written copy of the amended policy with the appropriate entity and must also advise its employees of the existence of the amended policy and make a copy of the amended policy available to each of its employees.
(c) Each local government agency must implement the components of its identity-protection policy that are necessary to meet the requirements of this Act within 12 months after the date the identity-protection policy is approved. This subsection (c) shall not affect the requirements of Section 10 of this Act.
(Source: P.A. 96-874, eff. 6-1-10 .)
|
(5 ILCS 179/37)
Sec. 37. Identity-protection policy; State. (a) Each State agency must draft and approve an identity-protection policy within 12 months after the effective date of this Act. The policy must do all of the following:
(1) Identify this Act.
(2) Require all employees of the State agency |
| identified as having access to social security numbers in the course of performing their duties to be trained to protect the confidentiality of social security numbers. Training should include instructions on proper handling of information that contains social security numbers from the time of collection through the destruction of the information.
|
|
(3) Direct that only employees who are required to
|
| use or handle information or documents that contain social security numbers have access to such information or documents.
|
|
(4) Require that social security numbers requested
|
| from an individual be placed in a manner that makes the social security number easily redacted if required to be released as part of a public records request.
|
|
(5) Require that, when collecting a social security
|
| number or upon request by the individual, a statement of the purpose or purposes for which the agency is collecting and using the social security number be provided.
|
|
(b) Each State agency must provide a copy of its identity-protection policy to the Social Security Number Protection Task Force within 30 days after the approval of the policy.
(c) Each State agency must implement the components of its identity-protection policy that are necessary to meet the requirements of this Act within 12 months after the date the identity-protection policy is approved. This subsection (c) shall not affect the requirements of Section 10 of this Act.
(Source: P.A. 96-874, eff. 6-1-10 .)
|