|
| | SB3092 Engrossed | | LRB098 15075 NHT 50039 b |
|
|
| 1 | | AN ACT concerning education.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The P-20 Longitudinal Education Data System Act |
| 5 | | is amended by adding Section 32 as follows:
|
| 6 | | (105 ILCS 13/32 new) |
| 7 | | Sec. 32. Personally identifiable information limitations. |
| 8 | | (a) In this Section: |
| 9 | | "Education records" has the meaning ascribed to that term |
| 10 | | in 34 CFR 99.3. |
| 11 | | "Organization" means not-for-profit organizations, think |
| 12 | | tanks, or other organizations conducting research studies. |
| 13 | | "Personally identifiable information" means (i) any |
| 14 | | personally identifiable information under the federal Family |
| 15 | | Educational Rights Act of 1974 (FERPA), other than "directory |
| 16 | | information" as that term is defined in Section 99.3 of the |
| 17 | | federal regulations implementing FERPA (34 CFR 99.3), and (ii) |
| 18 | | the personally identifiable information of teachers, other |
| 19 | | educators, and school administrators, other than publicly |
| 20 | | available, school-related information such as the name, school |
| 21 | | location, and grade levels or subjects taught. |
| 22 | | (b) If an audit or evaluation or a compliance or |
| 23 | | enforcement activity in connection with legal requirements |
|
| | SB3092 Engrossed | - 2 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | that relate to State-supported or school district-supported |
| 2 | | educational programs requires or is used as the basis for |
| 3 | | granting access to personally identifiable information, the |
| 4 | | State Board or a school shall designate parties only under |
| 5 | | their direct control to act as authorized representatives to |
| 6 | | conduct the audit, evaluation, or activity. |
| 7 | | (c) The State Board or schools may not disclose any |
| 8 | | personally identifiable information, including personally |
| 9 | | identifiable information from education records of students, |
| 10 | | to a contractor, consultant, or other party to whom the State |
| 11 | | Board or school has outsourced services or functions without |
| 12 | | providing notice to parents, guardians, and eligible students |
| 13 | | by posting the intent to disclose the information on the |
| 14 | | Internet website of the school or State Board at least 30 days |
| 15 | | in advance or as soon as practicable, unless that outside |
| 16 | | party: |
| 17 | | (1) performs an institutional service or function for |
| 18 | | which the State Board or the school would otherwise use |
| 19 | | employees; |
| 20 | | (2) is under the direct control of the State Board or |
| 21 | | the school with respect to the use and maintenance of |
| 22 | | education records; |
| 23 | | (3) limits internal access to education records to |
| 24 | | those individuals who are determined to have legitimate |
| 25 | | educational interests; |
| 26 | | (4) does not use the education records for any purposes |
|
| | SB3092 Engrossed | - 3 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | other than those authorized in its contract; |
| 2 | | (5) does not disclose any personally identifiable |
| 3 | | information to any other party (i) without the prior |
| 4 | | notification to the eligible student, parent, or guardian |
| 5 | | or (ii) unless required by law and the party provides a |
| 6 | | notice of the disclosure to the State Board or school board |
| 7 | | that provided the information no later than the time the |
| 8 | | information is disclosed, to the extent allowed by law or |
| 9 | | by the terms of a court order; |
| 10 | | (6) maintains reasonable administrative, technical, |
| 11 | | and physical safeguards to protect the security, |
| 12 | | confidentiality, and integrity of personally identifiable |
| 13 | | information in its custody and conducts regular security |
| 14 | | audits to confirm the efficacy of those safeguards; |
| 15 | | (7) uses appropriate encryption technologies to |
| 16 | | protect data while in motion or in its custody from |
| 17 | | unauthorized disclosure; |
| 18 | | (8) has sufficient administrative and technical |
| 19 | | procedures to monitor continuously the security of |
| 20 | | personally identifiable information in its custody; |
| 21 | | (9) maintains a breach remediation plan prior to |
| 22 | | initial receipts of the personally identifiable |
| 23 | | information and reports breaches as specified by the |
| 24 | | Personal Information Protection Act; |
| 25 | | (10) reports all actual security breaches to the State |
| 26 | | Board or the school that provided personally identifiable |
|
| | SB3092 Engrossed | - 4 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | information and education records as soon as possible, but |
| 2 | | no later than 72 hours after an actual breach was known or |
| 3 | | in the most expedient amount of time possible under the |
| 4 | | circumstances; |
| 5 | | (11) agrees, in the event of a security breach or an |
| 6 | | unauthorized disclosure of personally identifiable |
| 7 | | information, to pay all costs and liabilities incurred by |
| 8 | | the State Board or school related to the security breach or |
| 9 | | unauthorized disclosure, including without limitation the |
| 10 | | costs of responding to inquiries about the security breach |
| 11 | | or unauthorized disclosure, of notifying the subjects of |
| 12 | | personally identifiable information about the breach, of |
| 13 | | mitigating the effects of the breach for the subjects of |
| 14 | | personally identifiable information, and of investigating |
| 15 | | the cause or consequences of the security breach or |
| 16 | | unauthorized disclosure; and |
| 17 | | (12) destroys or returns to the State Board or school |
| 18 | | all personally identifiable information in its custody |
| 19 | | upon request and at the termination of the contract. |
| 20 | | (d) The State Board or schools may disclose personally |
| 21 | | identifiable information from an education record of a student |
| 22 | | without the consent of the eligible student, parent, or |
| 23 | | guardian to a party conducting studies for or on behalf of the |
| 24 | | State Board or school to (i) develop, validate, or administer |
| 25 | | predictive tests, (ii) administer student aid programs, or |
| 26 | | (iii) improve instruction, provided that the outside party |
|
| | SB3092 Engrossed | - 5 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | conducting the study meets all of the requirements for |
| 2 | | contractors set forth in subsection (c) of this Section. |
| 3 | | (d-5) The State Board or schools may disclose personally |
| 4 | | identifiable information from an education record of a student |
| 5 | | to researchers at an organization or accredited post-secondary |
| 6 | | educational institution conducting research pursuant to a |
| 7 | | specific, written agreement with the school or State Board and |
| 8 | | in accordance with the federal Family Educational Rights and |
| 9 | | Privacy Act of 1974, provided that: |
| 10 | | (1) the nature of the research is first publicly |
| 11 | | disclosed to parents, guardians, and eligible students on |
| 12 | | the Internet website of the school or State Board at least |
| 13 | | 30 days in advance of the research being conducted or as |
| 14 | | soon as practicable; |
| 15 | | (2) the organization or institution and the school or |
| 16 | | State Board enter into a data use agreement that complies |
| 17 | | with the federal Family Educational Rights and Privacy Act |
| 18 | | of 1974 and its accompanying rules; and |
| 19 | | (3) the organization or institution uses personally |
| 20 | | identifiable information from school student records only |
| 21 | | to meet the purpose or purposes of the study as stated in |
| 22 | | the written agreement. |
| 23 | | For purposes of this subsection (d-5), any information by |
| 24 | | which a student may be individually or personally identified |
| 25 | | may only be released, transferred, disclosed, or otherwise |
| 26 | | disseminated as contemplated by the agreement between the |
|
| | SB3092 Engrossed | - 6 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | parties. The school student records must be redacted prior to |
| 2 | | analysis by the organization or institution. Any personally |
| 3 | | identifiable information used to link data sets must be stored |
| 4 | | in a secure data file or location outside of the secure data |
| 5 | | storage where redacted information from the school regarding |
| 6 | | student records is stored. The organization or institution |
| 7 | | shall implement and adhere to policies and procedures that |
| 8 | | restrict access to information by which a student may be |
| 9 | | individually or personally identified. The organization or |
| 10 | | institution shall designate an individual to act as the |
| 11 | | custodian of the personally identifiable information who is |
| 12 | | responsible for restricting access to that information. |
| 13 | | Nothing in this subsection (d-5) prohibits or limits the |
| 14 | | ability of the State Board or any school to provide personally |
| 15 | | identifiable information about individual students to a school |
| 16 | | official, organization, or institution for the purposes of |
| 17 | | developing, administering, scoring, or interpreting results of |
| 18 | | student assessments or predictive tests if those assessments or |
| 19 | | tests require individualized development or administration |
| 20 | | based on the needs of individual students. |
| 21 | | (e) The State Board or schools may not disclose any |
| 22 | | personally identifiable information, including personally |
| 23 | | identifiable information from education records of students, |
| 24 | | without the written consent of eligible students, parents, or |
| 25 | | guardians to any party for a commercial use, including without |
| 26 | | limitation marketing products or services, compiling lists for |
|
| | SB3092 Engrossed | - 7 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | sale or rental, developing products or services, or creating |
| 2 | | individual, household, or group profiles, nor may such |
| 3 | | disclosure be made for the provision of services other than |
| 4 | | contracting, studies, and audits or evaluations as authorized |
| 5 | | and limited by subsections (c), (d), and (d-5) of this Section. |
| 6 | | (f) The State Board or schools may not, directly or through |
| 7 | | contracts with outside parties, maintain personally |
| 8 | | identifiable information, including personally identifiable |
| 9 | | information from education records of students, without the |
| 10 | | proper notification to eligible students, parents, or |
| 11 | | guardians, unless the maintenance of the information is: |
| 12 | | (1) explicitly mandated in federal or State statute; |
| 13 | | (2) administratively required for the proper |
| 14 | | performance of their duties under the law and is relevant |
| 15 | | to and necessary for the delivery of services; or |
| 16 | | (3) designed to support a study of students or former |
| 17 | | students. |
| 18 | | (g) The State Board and schools shall publicly and |
| 19 | | conspicuously disclose on their Internet websites and through |
| 20 | | annual electronic notification to the chairperson of the House |
| 21 | | of Representatives Elementary & Secondary Education Committee |
| 22 | | and the chairperson of the Senate Education Committee the |
| 23 | | existence and character of any personally identifiable |
| 24 | | information that they, directly or through contracts with |
| 25 | | outside parties, maintain. The disclosure and notification |
| 26 | | shall include: |
|
| | SB3092 Engrossed | - 8 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | (1) the name and location of the data repository where |
| 2 | | the information is maintained; |
| 3 | | (2) the legal authority that authorizes the |
| 4 | | establishment and existence of the data repository; |
| 5 | | (3) the principal purpose or purposes for which the |
| 6 | | information is intended to be used; |
| 7 | | (4) the categories of individuals on whom records are |
| 8 | | maintained in the data repository; |
| 9 | | (5) the categories of records maintained in the data |
| 10 | | repository; |
| 11 | | (6) each expected disclosure of the records contained |
| 12 | | in the data repository, including the categories of |
| 13 | | recipients and the purpose of each disclosure; |
| 14 | | (7) the policies and practices of the State Board or |
| 15 | | school regarding storage, retrievability, access controls, |
| 16 | | retention, and disposal of the records; |
| 17 | | (8) the title and business address of the State Board |
| 18 | | or school official who is responsible for the data |
| 19 | | repository and the name and business address of any |
| 20 | | contractor or other outside party maintaining the data |
| 21 | | repository for or on behalf of the State Board or school; |
| 22 | | (9) the procedures whereby eligible students, parents, |
| 23 | | or guardians can be notified at their request if the data |
| 24 | | repository contains a record pertaining to the student, |
| 25 | | parent, or guardian; |
| 26 | | (10) the procedures whereby eligible students, |
|
| | SB3092 Engrossed | - 9 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | parents, or guardians can be notified at their request on |
| 2 | | how to gain access to any record pertaining to the student, |
| 3 | | parent, or guardian contained in the data repository and |
| 4 | | how they can contest its content; and |
| 5 | | (11) the categories of sources of records in the data |
| 6 | | repository. |
| 7 | | (h) The State Board and schools may not append education |
| 8 | | records with personally identifiable information obtained from |
| 9 | | other federal or State agencies through data matches without |
| 10 | | the proper notification to eligible students, parents, or |
| 11 | | guardians unless the data matches are: |
| 12 | | (1) explicitly mandated in federal or State statute; |
| 13 | | (2) administratively required for the proper |
| 14 | | performance of their duties under the law and are relevant |
| 15 | | to and necessary for the delivery of services; or |
| 16 | | (3) designed to support a study of students or former |
| 17 | | students. |
| 18 | | (i) Any person aggrieved by any violation of this Section |
| 19 | | may institute an action for injunctive relief in the circuit |
| 20 | | court of the county in which the violation has occurred or the |
| 21 | | circuit court of the county in which the school is located. Any |
| 22 | | person injured by a willful or negligent violation of this |
| 23 | | Section may institute an action for damages in the circuit |
| 24 | | court of the county in which the violation has occurred or the |
| 25 | | circuit court of the county in which the school is located. In |
| 26 | | the case of any successful action under this paragraph, any |
|
| | SB3092 Engrossed | - 10 - | LRB098 15075 NHT 50039 b |
|
|
|
| 1 | | person or school found to have willfully or negligently |
| 2 | | violated any provision of this Section is liable to the |
| 3 | | plaintiff for the plaintiff's damages, the costs of the action, |
| 4 | | and reasonable attorney's fees, as determined by the court. |
| 5 | | Actions for injunctive relief to secure compliance with |
| 6 | | this Section may be brought by the State Board, by the State's |
| 7 | | Attorney of the county in which the alleged violation has |
| 8 | | occurred or the State's Attorney of the county in which the |
| 9 | | school is located, in each case in the circuit court of such |
| 10 | | county. |
| 11 | | Willful failure to comply with this Section is a petty |
| 12 | | offense, except that any person who willfully and maliciously |
| 13 | | falsifies any school student record, student permanent record, |
| 14 | | or student temporary record is guilty of a Class A misdemeanor. |
| 15 | | Absent proof of malice, no cause of action or claim for |
| 16 | | relief, civil or criminal, may be maintained against any |
| 17 | | school, employee or official of a school, or person acting at |
| 18 | | the direction of a school for any statement made or judgment |
| 19 | | expressed in any entry to a school student record of a type |
| 20 | | that does not violate this Section or rules adopted by the |
| 21 | | State Board, provided that this paragraph does not limit or |
| 22 | | deny any defense available under existing law. |
| 23 | | (j) Nothing contained in this Section shall be construed as |
| 24 | | creating a private right of action against the State Board or a |
| 25 | | school. |
| 26 | | (k) Nothing in this Section shall limit the administrative |