Bill Text: IL SB3092 | 2013-2014 | 98th General Assembly | Amended
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Amends the P-20 Longitudinal Education Data System Act. Provides that if an audit or evaluation or a compliance or enforcement activity in connection with legal requirements that relate to State-supported or school district-supported educational programs requires or is used as the basis for granting access to personally identifiable information, the State Board of Education or a public school shall designate parties only under its direct control to act as authorized representatives to conduct the audit, evaluation, or activity. Limits the disclosure of personally identifiable information by the State Board or a public school with respect to (i) a contractor, consultant, or other party to whom the State Board or school has outsourced services or functions; (ii) a party conducting certain studies for or on behalf of the State Board or school; (iii) any party for a commercial use; or (iv) the provision of services other than contracting, studies, and audits or evaluations. Limits the maintenance of personally identifiable information and provides for disclosure and notification. Limits appending education records with personally identifiable information obtained from other federal or State agencies through data matches. Provides for civil penalties. Effective immediately.
Spectrum: Moderate Partisan Bill (Democrat 6-1)
Status: (Failed) 2015-01-13 - Session Sine Die [SB3092 Detail]
Download: Illinois-2013-SB3092-Amended.html
Bill Title: Amends the P-20 Longitudinal Education Data System Act. Provides that if an audit or evaluation or a compliance or enforcement activity in connection with legal requirements that relate to State-supported or school district-supported educational programs requires or is used as the basis for granting access to personally identifiable information, the State Board of Education or a public school shall designate parties only under its direct control to act as authorized representatives to conduct the audit, evaluation, or activity. Limits the disclosure of personally identifiable information by the State Board or a public school with respect to (i) a contractor, consultant, or other party to whom the State Board or school has outsourced services or functions; (ii) a party conducting certain studies for or on behalf of the State Board or school; (iii) any party for a commercial use; or (iv) the provision of services other than contracting, studies, and audits or evaluations. Limits the maintenance of personally identifiable information and provides for disclosure and notification. Limits appending education records with personally identifiable information obtained from other federal or State agencies through data matches. Provides for civil penalties. Effective immediately.
Spectrum: Moderate Partisan Bill (Democrat 6-1)
Status: (Failed) 2015-01-13 - Session Sine Die [SB3092 Detail]
Download: Illinois-2013-SB3092-Amended.html
| |||||||
| |||||||
| |||||||
| 1 | AMENDMENT TO SENATE BILL 3092
| ||||||
| 2 | AMENDMENT NO. ______. Amend Senate Bill 3092 by replacing | ||||||
| 3 | everything after the enacting clause with the following:
| ||||||
| 4 | "Section 5. The P-20 Longitudinal Education Data System Act | ||||||
| 5 | is amended by adding Section 32 as follows:
| ||||||
| 6 | (105 ILCS 13/32 new) | ||||||
| 7 | Sec. 32. Personally identifiable information limitations. | ||||||
| 8 | (a) In this Section: | ||||||
| 9 | "Education records" has the meaning ascribed to that term | ||||||
| 10 | in 34 CFR 99.3. | ||||||
| 11 | "Organization" means not-for-profit organizations, think | ||||||
| 12 | tanks, or other organizations conducting research studies. | ||||||
| 13 | "Personally identifiable information" means (i) any | ||||||
| 14 | personally identifiable information under the federal Family | ||||||
| 15 | Educational Rights Act of 1974 (FERPA), other than "directory | ||||||
| 16 | information" as that term is defined in Section 99.3 of the | ||||||
| |||||||
| |||||||
| 1 | federal regulations implementing FERPA (34 CFR 99.3), and (ii) | ||||||
| 2 | the personally identifiable information of teachers, other | ||||||
| 3 | educators, and school administrators, other than publicly | ||||||
| 4 | available, school-related information such as the name, school | ||||||
| 5 | location, and grade levels or subjects taught. | ||||||
| 6 | (b) If an audit or evaluation or a compliance or | ||||||
| 7 | enforcement activity in connection with legal requirements | ||||||
| 8 | that relate to State-supported or school district-supported | ||||||
| 9 | educational programs requires or is used as the basis for | ||||||
| 10 | granting access to personally identifiable information, the | ||||||
| 11 | State Board or a school shall designate parties only under | ||||||
| 12 | their direct control to act as authorized representatives to | ||||||
| 13 | conduct the audit, evaluation, or activity. | ||||||
| 14 | (c) The State Board or schools may not disclose any | ||||||
| 15 | personally identifiable information, including personally | ||||||
| 16 | identifiable information from education records of students, | ||||||
| 17 | to a contractor, consultant, or other party to whom the State | ||||||
| 18 | Board or school has outsourced services or functions without | ||||||
| 19 | providing notice to parents, guardians, and eligible students | ||||||
| 20 | by posting the intent to disclose the information on the | ||||||
| 21 | Internet website of the school or State Board at least 30 days | ||||||
| 22 | in advance or as soon as practicable, unless that outside | ||||||
| 23 | party: | ||||||
| 24 | (1) performs an institutional service or function for | ||||||
| 25 | which the State Board or the school would otherwise use | ||||||
| 26 | employees; | ||||||
| |||||||
| |||||||
| 1 | (2) is under the direct control of the State Board or | ||||||
| 2 | the school with respect to the use and maintenance of | ||||||
| 3 | education records; | ||||||
| 4 | (3) limits internal access to education records to | ||||||
| 5 | those individuals who are determined to have legitimate | ||||||
| 6 | educational interests; | ||||||
| 7 | (4) does not use the education records for any purposes | ||||||
| 8 | other than those authorized in its contract; | ||||||
| 9 | (5) does not disclose any personally identifiable | ||||||
| 10 | information to any other party (i) without the prior | ||||||
| 11 | notification to the eligible student, parent, or guardian | ||||||
| 12 | or (ii) unless required by law and the party provides a | ||||||
| 13 | notice of the disclosure to the State Board or school board | ||||||
| 14 | that provided the information no later than the time the | ||||||
| 15 | information is disclosed, to the extent allowed by law or | ||||||
| 16 | by the terms of a court order; | ||||||
| 17 | (6) maintains reasonable administrative, technical, | ||||||
| 18 | and physical safeguards to protect the security, | ||||||
| 19 | confidentiality, and integrity of personally identifiable | ||||||
| 20 | information in its custody and conducts regular security | ||||||
| 21 | audits to confirm the efficacy of those safeguards; | ||||||
| 22 | (7) uses appropriate encryption technologies to | ||||||
| 23 | protect data while in motion or in its custody from | ||||||
| 24 | unauthorized disclosure; | ||||||
| 25 | (8) has sufficient administrative and technical | ||||||
| 26 | procedures to monitor continuously the security of | ||||||
| |||||||
| |||||||
| 1 | personally identifiable information in its custody; | ||||||
| 2 | (9) maintains a breach remediation plan prior to | ||||||
| 3 | initial receipts of the personally identifiable | ||||||
| 4 | information and reports breaches as specified by the | ||||||
| 5 | Personal Information Protection Act; | ||||||
| 6 | (10) reports all actual security breaches to the State | ||||||
| 7 | Board or the school that provided personally identifiable | ||||||
| 8 | information and education records as soon as possible, but | ||||||
| 9 | no later than 72 hours after an actual breach was known or | ||||||
| 10 | in the most expedient amount of time possible under the | ||||||
| 11 | circumstances; | ||||||
| 12 | (11) agrees, in the event of a security breach or an | ||||||
| 13 | unauthorized disclosure of personally identifiable | ||||||
| 14 | information, to pay all costs and liabilities incurred by | ||||||
| 15 | the State Board or school related to the security breach or | ||||||
| 16 | unauthorized disclosure, including without limitation the | ||||||
| 17 | costs of responding to inquiries about the security breach | ||||||
| 18 | or unauthorized disclosure, of notifying the subjects of | ||||||
| 19 | personally identifiable information about the breach, of | ||||||
| 20 | mitigating the effects of the breach for the subjects of | ||||||
| 21 | personally identifiable information, and of investigating | ||||||
| 22 | the cause or consequences of the security breach or | ||||||
| 23 | unauthorized disclosure; and | ||||||
| 24 | (12) destroys or returns to the State Board or school | ||||||
| 25 | all personally identifiable information in its custody | ||||||
| 26 | upon request and at the termination of the contract. | ||||||
| |||||||
| |||||||
| 1 | (d) The State Board or schools may disclose personally | ||||||
| 2 | identifiable information from an education record of a student | ||||||
| 3 | without the consent of the eligible student, parent, or | ||||||
| 4 | guardian to a party conducting studies for or on behalf of the | ||||||
| 5 | State Board or school to (i) develop, validate, or administer | ||||||
| 6 | predictive tests, (ii) administer student aid programs, or | ||||||
| 7 | (iii) improve instruction, provided that the outside party | ||||||
| 8 | conducting the study meets all of the requirements for | ||||||
| 9 | contractors set forth in subsection (c) of this Section. | ||||||
| 10 | (d-5) The State Board or schools may disclose personally | ||||||
| 11 | identifiable information from an education record of a student | ||||||
| 12 | to researchers at an organization or accredited post-secondary | ||||||
| 13 | educational institution conducting research pursuant to a | ||||||
| 14 | specific, written agreement with the school or State Board and | ||||||
| 15 | in accordance with the federal Family Educational Rights and | ||||||
| 16 | Privacy Act of 1974, provided that: | ||||||
| 17 | (1) the nature of the research is first publicly | ||||||
| 18 | disclosed to parents, guardians, and eligible students on | ||||||
| 19 | the Internet website of the school or State Board at least | ||||||
| 20 | 30 days in advance of the research being conducted or as | ||||||
| 21 | soon as practicable; | ||||||
| 22 | (2) the organization or institution and the school or | ||||||
| 23 | State Board enter into a data use agreement that complies | ||||||
| 24 | with the federal Family Educational Rights and Privacy Act | ||||||
| 25 | of 1974 and its accompanying rules and includes, at a | ||||||
| 26 | minimum, the following: | ||||||
| |||||||
| |||||||
| 1 | (A) the purpose, scope, and duration of the study | ||||||
| 2 | or studies and the information to be disclosed; | ||||||
| 3 | (B) provisions requiring the organization or | ||||||
| 4 | institution to use personally identifiable information | ||||||
| 5 | from school student records only to meet the purpose or | ||||||
| 6 | purposes of the study as stated in the written | ||||||
| 7 | agreement; | ||||||
| 8 | (C) provisions requiring the organization or | ||||||
| 9 | institution to conduct the study in a manner that does | ||||||
| 10 | not permit personal identification of parents or | ||||||
| 11 | guardians and students by anyone other than | ||||||
| 12 | representatives of the organization with legitimate | ||||||
| 13 | interests; | ||||||
| 14 | (D) provisions requiring the organization or | ||||||
| 15 | institution to destroy all personally identifiable | ||||||
| 16 | information when the information is no longer needed | ||||||
| 17 | for the purposes for which the study was conducted and | ||||||
| 18 | specifying the time period in which the information | ||||||
| 19 | must be destroyed; | ||||||
| 20 | (E) provisions requiring the organization or | ||||||
| 21 | institution to certify that it has the capacity to and | ||||||
| 22 | will restrict access to the school student records and | ||||||
| 23 | maintain the security of electronic information; and | ||||||
| 24 | (F) provisions requiring the organization or | ||||||
| 25 | institution to develop, implement, maintain, and use | ||||||
| 26 | appropriate administrative, technical, and physical | ||||||
| |||||||
| |||||||
| 1 | security measures to preserve the confidentiality, | ||||||
| 2 | integrity, and availability of all school student | ||||||
| 3 | records; and | ||||||
| 4 | (3) the organization or institution uses personally | ||||||
| 5 | identifiable information from school student records only | ||||||
| 6 | to meet the purpose or purposes of the study as stated in | ||||||
| 7 | the written agreement. | ||||||
| 8 | For purposes of this subsection (d-5), any information by | ||||||
| 9 | which a student may be individually or personally identified | ||||||
| 10 | may only be released, transferred, disclosed, or otherwise | ||||||
| 11 | disseminated as contemplated by the agreement between the | ||||||
| 12 | parties. The school student records must be redacted prior to | ||||||
| 13 | analysis by the organization or institution. Any personally | ||||||
| 14 | identifiable information used to link data sets must be stored | ||||||
| 15 | in a secure data file or location outside of the secure data | ||||||
| 16 | storage where redacted information from the school regarding | ||||||
| 17 | student records is stored. The organization or institution | ||||||
| 18 | shall implement and adhere to policies and procedures that | ||||||
| 19 | restrict access to information by which a student may be | ||||||
| 20 | individually or personally identified. The organization or | ||||||
| 21 | institution shall designate an individual to act as the | ||||||
| 22 | custodian of the personally identifiable information who is | ||||||
| 23 | responsible for restricting access to that information. | ||||||
| 24 | Nothing in this subsection (d-5) prohibits or limits the | ||||||
| 25 | ability of the State Board or any school to provide personally | ||||||
| 26 | identifiable information about individual students to a school | ||||||
| |||||||
| |||||||
| 1 | official, organization, or institution for the purposes of | ||||||
| 2 | developing, administering, scoring, or interpreting results of | ||||||
| 3 | student assessments or predictive tests if those assessments or | ||||||
| 4 | tests require individualized development or administration | ||||||
| 5 | based on the needs of individual students. | ||||||
| 6 | (e) The State Board or schools may not disclose any | ||||||
| 7 | personally identifiable information, including personally | ||||||
| 8 | identifiable information from education records of students, | ||||||
| 9 | without the written consent of eligible students, parents, or | ||||||
| 10 | guardians to any party for a commercial use, including without | ||||||
| 11 | limitation marketing products or services, compiling lists for | ||||||
| 12 | sale or rental, developing products or services, or creating | ||||||
| 13 | individual, household, or group profiles, nor may such | ||||||
| 14 | disclosure be made for the provision of services other than | ||||||
| 15 | contracting, studies, and audits or evaluations as authorized | ||||||
| 16 | and limited by subsections (c), (d), and (d-5) of this Section. | ||||||
| 17 | (f) The State Board or schools may not, directly or through | ||||||
| 18 | contracts with outside parties, maintain personally | ||||||
| 19 | identifiable information, including personally identifiable | ||||||
| 20 | information from education records of students, without the | ||||||
| 21 | proper notification to eligible students, parents, or | ||||||
| 22 | guardians, unless the maintenance of the information is: | ||||||
| 23 | (1) explicitly mandated in federal or State statute; | ||||||
| 24 | (2) administratively required for the proper | ||||||
| 25 | performance of their duties under the law and is relevant | ||||||
| 26 | to and necessary for the delivery of services; or | ||||||
| |||||||
| |||||||
| 1 | (3) designed to support a study of students or former | ||||||
| 2 | students. | ||||||
| 3 | (g) The State Board and schools shall publicly and | ||||||
| 4 | conspicuously disclose on their Internet websites and through | ||||||
| 5 | annual electronic notification to the chairperson of the House | ||||||
| 6 | of Representatives Elementary & Secondary Education Committee | ||||||
| 7 | and the chairperson of the Senate Education Committee the | ||||||
| 8 | existence and character of any personally identifiable | ||||||
| 9 | information that they, directly or through contracts with | ||||||
| 10 | outside parties, maintain. The disclosure and notification | ||||||
| 11 | shall include: | ||||||
| 12 | (1) the name and location of the data repository where | ||||||
| 13 | the information is maintained; | ||||||
| 14 | (2) the legal authority that authorizes the | ||||||
| 15 | establishment and existence of the data repository; | ||||||
| 16 | (3) the principal purpose or purposes for which the | ||||||
| 17 | information is intended to be used; | ||||||
| 18 | (4) the categories of individuals on whom records are | ||||||
| 19 | maintained in the data repository; | ||||||
| 20 | (5) the categories of records maintained in the data | ||||||
| 21 | repository; | ||||||
| 22 | (6) each expected disclosure of the records contained | ||||||
| 23 | in the data repository, including the categories of | ||||||
| 24 | recipients and the purpose of each disclosure; | ||||||
| 25 | (7) the policies and practices of the State Board or | ||||||
| 26 | school regarding storage, retrievability, access controls, | ||||||
| |||||||
| |||||||
| 1 | retention, and disposal of the records; | ||||||
| 2 | (8) the title and business address of the State Board | ||||||
| 3 | or school official who is responsible for the data | ||||||
| 4 | repository and the name and business address of any | ||||||
| 5 | contractor or other outside party maintaining the data | ||||||
| 6 | repository for or on behalf of the State Board or school; | ||||||
| 7 | (9) the procedures whereby eligible students, parents, | ||||||
| 8 | or guardians can be notified at their request if the data | ||||||
| 9 | repository contains a record pertaining to the student, | ||||||
| 10 | parent, or guardian; | ||||||
| 11 | (10) the procedures whereby eligible students, | ||||||
| 12 | parents, or guardians can be notified at their request on | ||||||
| 13 | how to gain access to any record pertaining to the student, | ||||||
| 14 | parent, or guardian contained in the data repository and | ||||||
| 15 | how they can contest its content; and | ||||||
| 16 | (11) the categories of sources of records in the data | ||||||
| 17 | repository. | ||||||
| 18 | (h) The State Board and schools may not append education | ||||||
| 19 | records with personally identifiable information obtained from | ||||||
| 20 | other federal or State agencies through data matches without | ||||||
| 21 | the proper notification to eligible students, parents, or | ||||||
| 22 | guardians unless the data matches are: | ||||||
| 23 | (1) explicitly mandated in federal or State statute; or | ||||||
| 24 | (2) administratively required for the proper | ||||||
| 25 | performance of their duties under the law and are relevant | ||||||
| 26 | to and necessary for the delivery of services. | ||||||
| |||||||
| |||||||
| 1 | (i) Each violation of this Section by an organization or | ||||||
| 2 | entity that is not the State Board or a school is subject to a | ||||||
| 3 | civil penalty of up to $1,000 for a first violation, up to | ||||||
| 4 | $5,000 for a second violation, and up to $10,000 for a third or | ||||||
| 5 | subsequent violation. Each violation involving a different | ||||||
| 6 | individual's personally identifiable information shall be | ||||||
| 7 | considered a separate violation for purposes of civil | ||||||
| 8 | penalties. | ||||||
| 9 | (j) The Attorney General shall have the authority to | ||||||
| 10 | enforce compliance with this Section by investigation and | ||||||
| 11 | subsequent commencement of a civil action to seek civil | ||||||
| 12 | penalties for violations of this Section and to seek | ||||||
| 13 | appropriate injunctive relief, including without limitation a | ||||||
| 14 | prohibition on obtaining personally identifiable information | ||||||
| 15 | for an appropriate time period. In carrying out an | ||||||
| 16 | investigation and in maintaining a civil action, the Attorney | ||||||
| 17 | General or any deputy or assistant Attorney General is | ||||||
| 18 | authorized to subpoena witnesses, compel their attendance, | ||||||
| 19 | examine them under oath, and require that any books, records, | ||||||
| 20 | documents, papers, or electronic records relevant or material | ||||||
| 21 | to the inquiry be turned over for inspection, examination, or | ||||||
| 22 | audit, pursuant to the Civil Practice Law and rules. Subpoenas | ||||||
| 23 | issued pursuant to this subsection (j) may be enforced pursuant | ||||||
| 24 | to the Civil Practice Law and rules. | ||||||
| 25 | (k) Nothing contained in this Section shall be construed as | ||||||
| 26 | creating a private right of action against the State Board or a | ||||||
| |||||||
| |||||||
| 1 | school. | ||||||
| 2 | (l) Nothing in this Section shall limit the administrative | ||||||
| 3 | use of personally identifiable information by a person acting | ||||||
| 4 | exclusively in the person's capacity as an employee of a | ||||||
| 5 | school, this State, a court, or the federal government that is | ||||||
| 6 | otherwise required by law.
| ||||||
| 7 | Section 99. Effective date. This Act takes effect upon | ||||||
| 8 | becoming law.".
| ||||||
