|
| | HB0810 Engrossed | | LRB099 04620 NHT 24649 b |
|
|
| 1 | | AN ACT concerning education.
|
| 2 | | Be it enacted by the People of the State of Illinois, |
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The School Code is amended by adding Sections |
| 5 | | 22-80 and 22-81 as follows:
|
| 6 | | (105 ILCS 5/22-80 new) |
| 7 | | Sec. 22-80. Student data privacy. |
| 8 | | (a) It is the intent of the General Assembly to help ensure |
| 9 | | that information generated by and about students in the course |
| 10 | | of, and in connection with, their education is safeguarded and |
| 11 | | that student privacy is honored, respected and protected. The |
| 12 | | General Assembly finds the following: |
| 13 | | (1) Information generated by and about students in the |
| 14 | | course of, and in connection with, their education is a |
| 15 | | vital resource for teachers and school staff in planning |
| 16 | | education programs and services, scheduling students into |
| 17 | | appropriate classes and completing reports for educational |
| 18 | | agencies. |
| 19 | | (2) Information generated by and about students in the |
| 20 | | course of, and in connection with, their education is |
| 21 | | critical to educators in helping students successfully |
| 22 | | graduate from high school and being ready to enter the |
| 23 | | workforce or postsecondary education. |
|
| | HB0810 Engrossed | - 2 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (3) While information generated by and about students |
| 2 | | in the course of, and in connection with, their education |
| 3 | | is important for educational purposes, it is also |
| 4 | | critically important to ensure that the information is |
| 5 | | protected, safeguarded and kept private and used only by |
| 6 | | appropriate educational authorities or their permitted |
| 7 | | designees and then, only to serve the best interests of the |
| 8 | | student. |
| 9 | | To that end, this Section will help ensure that information |
| 10 | | generated by and about students in the course of, and in |
| 11 | | connection with, their education is protected and expectations |
| 12 | | of privacy are honored. |
| 13 | | (b) In this Section: |
| 14 | | "Biometric record" shall have the meaning set forth in the |
| 15 | | Illinois School Student Records Act. |
| 16 | | "Eligible student" shall have the meaning set forth in the |
| 17 | | Illinois School Student Records Act. |
| 18 | | "Parent" shall have the meaning set forth in the Illinois |
| 19 | | School Student Records Act. |
| 20 | | "Personally identifiable information" shall have the |
| 21 | | meaning set forth in the Illinois School Student Records Act. |
| 22 | | "Record" shall have the meaning set forth in the Illinois |
| 23 | | School Student Records Act. |
| 24 | | "School" shall have the meaning set forth in the Illinois |
| 25 | | School Student Records Act. |
| 26 | | "School board" shall have the meaning set forth in the |
|
| | HB0810 Engrossed | - 3 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | Illinois School Student Records Act. |
| 2 | | "School student record" shall have the meaning set forth in |
| 3 | | the Illinois School Student Records Act. |
| 4 | | "State Board" shall have the meaning set forth in the |
| 5 | | Illinois School Student Records Act. |
| 6 | | "Student" shall have the meaning set forth in the Illinois |
| 7 | | School Student Records Act. |
| 8 | | "Student data" means school student records, student |
| 9 | | permanent records, student temporary records, or any other |
| 10 | | records, personally identifiable information, or intellectual |
| 11 | | property of a student. |
| 12 | | "Student permanent record" shall have the meaning set forth |
| 13 | | in the Illinois School Student Records Act. |
| 14 | | "Student temporary record" shall have the meaning set forth |
| 15 | | in the Illinois School Student Records Act. |
| 16 | | "Targeted advertising" means any form of advertising aimed |
| 17 | | directly at a specific individual or group of individuals based |
| 18 | | on a known or assumed trait or traits, including, but not |
| 19 | | limited to, age, gender, race, grade level, address, observed |
| 20 | | behavior, or academic achievement. |
| 21 | | "Vendor" means any entity and its officers, employees, |
| 22 | | agents, independent contractors, and subcontractors that |
| 23 | | provides or offers to provide a product or service to a school |
| 24 | | board, which product or service is marketed or designed for |
| 25 | | school purposes or which the entity knows or reasonably should |
| 26 | | know will be used for school purposes. |
|
| | HB0810 Engrossed | - 4 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (c) Any vendor who receives any student data from a school |
| 2 | | board or the State Board in any manner is prohibited from: |
| 3 | | (1) advertising or marketing, including targeted |
| 4 | | advertising, based on: |
| 5 | | (A) any information, including personally |
| 6 | | identifiable information, contained in the school |
| 7 | | student records, student permanent records, student |
| 8 | | temporary records, or any other records of a student; |
| 9 | | (B) any information generated by or about students |
| 10 | | in connection with their use of the vendor's product or |
| 11 | | service; or |
| 12 | | (C) any records created by the vendor as a result |
| 13 | | of students' use of the vendor's product or service; |
| 14 | | (2) creating, generating, or otherwise amassing a |
| 15 | | profile about any student for any purpose other than to |
| 16 | | provide the school board with information about student |
| 17 | | academic growth or achievement; |
| 18 | | (3) selling or otherwise disclosing the following to |
| 19 | | anyone other than the school board, unless such sale or |
| 20 | | disclosure is required by court order or to comply with the |
| 21 | | Illinois School Student Records Act or the federal Family |
| 22 | | Educational Rights and Privacy Act (20 U.S.C. 1232g) or is |
| 23 | | expressly authorized by this Section: |
| 24 | | (A) any information, including personally |
| 25 | | identifiable information, contained in the school |
| 26 | | student records, student permanent records, student |
|
| | HB0810 Engrossed | - 5 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | temporary records, or any other records of a student; |
| 2 | | (B) any information generated by or about students |
| 3 | | in connection with their use of the vendor's product or |
| 4 | | service; |
| 5 | | (C) any records created by the vendor as a result |
| 6 | | of students' use of the vendor's product or service; or |
| 7 | | (D) any student's intellectual property; |
| 8 | | (4) exercising or claiming any rights, implied or |
| 9 | | otherwise, to: |
| 10 | | (A) any information, including personally |
| 11 | | identifiable information, contained in the school |
| 12 | | student records, student permanent records, student |
| 13 | | temporary records, or any other records of a student; |
| 14 | | (B) any information generated by or about students |
| 15 | | in connection with their use of the vendor's product or |
| 16 | | service; |
| 17 | | (C) any records created by the vendor as a result |
| 18 | | of students' use of the vendor's product or service; or |
| 19 | | (D) any student's intellectual property; |
| 20 | | (5) storing or processing outside the United States: |
| 21 | | (A) any information, including personally |
| 22 | | identifiable information, contained in the school |
| 23 | | student records, student permanent records, student |
| 24 | | temporary records or any other records of a student; |
| 25 | | (B) any information generated by or about students |
| 26 | | in connection with their use of the vendor's product or |
|
| | HB0810 Engrossed | - 6 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | service; |
| 2 | | (C) any records created by the vendor as a result |
| 3 | | of students' use of the vendor's product or service; or |
| 4 | | (D) any student's intellectual property; |
| 5 | | (6) transferring the following to any third party |
| 6 | | (including subcontractors), affiliate, or government |
| 7 | | agency other than the State Board, unless required by court |
| 8 | | order or expressly authorized by the school board in |
| 9 | | compliance with this Section: |
| 10 | | (A) any information, including personally |
| 11 | | identifiable information, contained in the school |
| 12 | | student records, student permanent records, student |
| 13 | | temporary records, or any other records of a student; |
| 14 | | (B) any information generated by or about students |
| 15 | | in connection with their use of the vendor's product or |
| 16 | | service; |
| 17 | | (C) any records created by the vendor as a result |
| 18 | | of students' use of the vendor's product or service; or |
| 19 | | (D) any student's intellectual property; |
| 20 | | (7) permitting access by anyone to the following, |
| 21 | | unless such access is required for the vendor to provide |
| 22 | | its product or service to the school board: |
| 23 | | (A) any information, including personally |
| 24 | | identifiable information, contained in the school |
| 25 | | student records, student permanent records, student |
| 26 | | temporary records or any other records of a student; |
|
| | HB0810 Engrossed | - 7 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (B) any information generated by or about students |
| 2 | | in connection with their use of the vendor's product or |
| 3 | | service; |
| 4 | | (C) any records created by the vendor as a result |
| 5 | | of students' use of the vendor's product or service; or |
| 6 | | (D) any student's intellectual property; |
| 7 | | (8) requiring a school board or its employees, agents, |
| 8 | | volunteers, or students to indemnify a vendor or pay the |
| 9 | | vendor's attorneys' fees or costs in connection with any |
| 10 | | dispute arising out of, or otherwise connected to, student |
| 11 | | data; |
| 12 | | (9) requiring a school board or its employees, agents, |
| 13 | | volunteers, or students to arbitrate any dispute arising |
| 14 | | out of, or otherwise connected to, student data; |
| 15 | | (10) entering into any contract or other agreement with |
| 16 | | a school board that authorizes in any manner activities |
| 17 | | prohibited by this Section; and |
| 18 | | (11) modifying or otherwise altering the terms and |
| 19 | | conditions of any contract or other agreement with a school |
| 20 | | board related to student data without the express consent |
| 21 | | of the school board. |
| 22 | | (d) Any vendor who receives any student data from a school |
| 23 | | board or the State Board in any manner shall: |
| 24 | | (1) store and process such records and information in |
| 25 | | accordance with commercial best practices, which shall |
| 26 | | include, but not be limited to, data-security practices set |
|
| | HB0810 Engrossed | - 8 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | forth by the United States Department of Education Privacy |
| 2 | | Technical Assistance Center and any rules adopted by the |
| 3 | | State Board; |
| 4 | | (2) implement and maintain appropriate administrative, |
| 5 | | physical, and technical safeguards, to secure such records |
| 6 | | and information from unauthorized access, destruction, |
| 7 | | use, modification, or disclosure, which safeguards shall |
| 8 | | be consistent with any rules adopted by the State Board and |
| 9 | | any guidance provided by the United States Department of |
| 10 | | Education Privacy and Technical Assistance Center; |
| 11 | | (3) immediately notify the school board of any security |
| 12 | | breach resulting in unauthorized access to any student |
| 13 | | data, regardless of whether it is the school board's |
| 14 | | student data; |
| 15 | | (4) delete the personally identifiable information of |
| 16 | | a specific student: |
| 17 | | (A) at the request of the student's school or |
| 18 | | school board; or |
| 19 | | (B) at the request of an eligible student or a |
| 20 | | parent, provided the school board consents to the |
| 21 | | request; |
| 22 | | (5) designate an officer or employee as a responsible |
| 23 | | person who shall be trained in a manner so as to ensure |
| 24 | | compliance with this Section and ensure the security and |
| 25 | | confidentiality of student data; |
| 26 | | (6) within 30 days of the completion or termination of |
|
| | HB0810 Engrossed | - 9 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | the terms of any contract with a school board related to |
| 2 | | student data, delete or return to the school board all |
| 3 | | student data and information and records generated |
| 4 | | therefrom and, in the event of deletion, provide a written |
| 5 | | certification that such deletion has occurred. In the event |
| 6 | | the vendor chooses to delete the data, records, and |
| 7 | | information described in this subdivision (6), it shall |
| 8 | | provide the school board with a written certification that |
| 9 | | the data, records, and information have been deleted, which |
| 10 | | certification shall be provided to the school board within |
| 11 | | 30 days of the termination of the contract; |
| 12 | | (7) permit eligible students and parents to access and |
| 13 | | correct any information contained in the school student |
| 14 | | records, student permanent records, student temporary |
| 15 | | records, or any other records provided to the vendor by the |
| 16 | | school board; |
| 17 | | (8) permit a school board to audit and inspect the |
| 18 | | vendor's practices with respect to any student data |
| 19 | | received by the vendor from the school board or any |
| 20 | | information or records generated therefrom; |
| 21 | | (9) permit the school board access to any student data |
| 22 | | provided by the school board and any information and |
| 23 | | records generated therefrom in order for the school board |
| 24 | | to respond to a request under the Freedom of Information |
| 25 | | Act or pursuant to a court order; |
| 26 | | (10) be permitted to diagnose and correct problems with |
|
| | HB0810 Engrossed | - 10 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | the vendor's product or service, provided that to diagnose |
| 2 | | or correct a problem does not require the vendor to engage |
| 3 | | in any activities prohibited by this Section; and |
| 4 | | (11) agree that any dispute arising out of, or |
| 5 | | otherwise connected to, student data shall be litigated |
| 6 | | using Illinois law and that the proper venue is the circuit |
| 7 | | court of the county in which the school board is located. |
| 8 | | (e) Any vendor who seeks to receive from a school board or |
| 9 | | the State Board in any manner any student data is required to |
| 10 | | enter into a written contract with the school board before any |
| 11 | | records can be transferred, which contract shall contain the |
| 12 | | following: |
| 13 | | (1) provisions consistent with each requirement set |
| 14 | | forth in subsections (c) and (d) of this Section; |
| 15 | | (2) a listing of the precise student data to be |
| 16 | | provided to the vendor; |
| 17 | | (3) a statement of the product or service being |
| 18 | | provided to the school board by the vendor; |
| 19 | | (4) a statement that the vendor is a school official |
| 20 | | with a legitimate educational interest, performing an |
| 21 | | institutional service or function for which the school |
| 22 | | board would otherwise use employees, under the direct |
| 23 | | control of the school board with respect to the use and |
| 24 | | maintenance of student data, and is using such student data |
| 25 | | only for an authorized purpose and will not re-disclose it |
| 26 | | to third parties or affiliates without permission from the |
|
| | HB0810 Engrossed | - 11 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | school board or pursuant to court order; |
| 2 | | (5) a statement that the student data continues to be |
| 3 | | the property of and under the control of the school board, |
| 4 | | and the vendor has a limited, nonexclusive license solely |
| 5 | | for the purpose of performing its obligations under the |
| 6 | | contract; |
| 7 | | (6) a description of the actions the vendor will take |
| 8 | | to ensure the security and confidentiality of student data; |
| 9 | | compliance with this requirement shall not, in itself, |
| 10 | | absolve the vendor of liability in the event of an |
| 11 | | unauthorized disclosure of student data; and |
| 12 | | (7) a statement that the contract is the entire |
| 13 | | agreement between the school board (including school board |
| 14 | | employees and other end users) and the vendor. |
| 15 | | (f) Each school board shall adopt a policy regarding which |
| 16 | | school employees have the power to bind the school board to the |
| 17 | | terms of any agreements, whether electronic, click-through, |
| 18 | | click-wrap, verbal, or in writing. If a vendor enters into an |
| 19 | | agreement with an employee or other end users who are not |
| 20 | | authorized through the school board's policy to enter into such |
| 21 | | an agreement, then the agreement shall be voidable by the |
| 22 | | school board. |
| 23 | | (g) Each school board entering into a contract or agreement |
| 24 | | as allowed by this Section shall maintain an original copy of |
| 25 | | its term and conditions at the school board's primary place of |
| 26 | | business, including a copy of the terms and conditions set |
|
| | HB0810 Engrossed | - 12 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | forth in any agreement described in subsection (f) of this |
| 2 | | Section. |
| 3 | | (h) The State Board shall create, publish, and make |
| 4 | | publicly available all data elements collected by the State |
| 5 | | Board that contain personally identifiable information. |
| 6 | | (i) In the event of a security breach resulting, in whole |
| 7 | | or in part, from the vendor's conduct, in addition to any other |
| 8 | | remedies available to the school board under law or equity, the |
| 9 | | vendor shall reimburse the school board in full for all costs |
| 10 | | and expenses incurred by the school board in investigating and |
| 11 | | remediating the breach, including, but not limited to: |
| 12 | | (1) providing notification to those students and their |
| 13 | | parents, in the event the student is under the age of 18, |
| 14 | | whose personally identifiable information was compromised |
| 15 | | and to regulatory agencies or other entities as required by |
| 16 | | law or contract; |
| 17 | | (2) providing one year's credit monitoring to those |
| 18 | | students and eligible students whose student data was |
| 19 | | exposed in such a manner during the breach that a |
| 20 | | reasonable person would have cause to believe that it could |
| 21 | | impact his or her credit or financial security; and |
| 22 | | (3) payment of legal fees, audit costs, fines, and |
| 23 | | other fees or damages imposed against the school board as a |
| 24 | | result of the security breach. |
| 25 | | (j) The State Board shall develop, publish, and make |
| 26 | | publicly available model student data privacy policies and |
|
| | HB0810 Engrossed | - 13 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | procedures that comply with relevant state and federal law. |
| 2 | | (k) Within 180 days after the effective date of this |
| 3 | | amendatory Act of the 99th General Assembly, the State Board |
| 4 | | shall create a model notice that school boards may use to |
| 5 | | provide notice to parents that states, in general terms, what |
| 6 | | types of student data are collected by the school board and |
| 7 | | shared with vendors under this Section and the purposes of |
| 8 | | collecting and using the student data. Upon the creation of the |
| 9 | | notice described in this subsection (k), a school board shall, |
| 10 | | at the beginning of each school year, provide such notice in |
| 11 | | writing or electronically to parents and eligible students. |
| 12 | | (l) In addition to any other penalties, any contract |
| 13 | | governed by this Section that fails to comply with the |
| 14 | | requirements of this Section shall be rendered void if, upon |
| 15 | | notice and a reasonable opportunity to cure, the noncompliant |
| 16 | | party fails to cure any defect. Written notice of noncompliance |
| 17 | | may be provided by either party to the contract. Any vendor |
| 18 | | subject to a contract voided under this subdivision is |
| 19 | | required, within 60 days, to return all student data and any |
| 20 | | information or records generated therefrom in its possession to |
| 21 | | the school board. Any vendor that fails to cure any defect in |
| 22 | | the contract shall not be entitled to any payment required |
| 23 | | under the contract and shall return to the school board all |
| 24 | | payments previously made by the school board.
|
| 25 | | (105 ILCS 5/22-81 new) |
|
| | HB0810 Engrossed | - 14 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | Sec. 22-81. Educator data privacy. |
| 2 | | (a) It is the intent of the General Assembly to help ensure |
| 3 | | that information generated by and about educators in the course |
| 4 | | of, and in connection with, the performance of their duties is |
| 5 | | safeguarded and that educator privacy is honored, respected and |
| 6 | | protected. The General Assembly finds the following: |
| 7 | | (1) Information generated by and about educators in the |
| 8 | | course of, and in connection with, the performance of their |
| 9 | | duties is a vital resource for school boards, the State |
| 10 | | Board and research organizations in planning education |
| 11 | | programs and services, completing reports for educational |
| 12 | | agencies, and improving the performance of schools. |
| 13 | | (2) Information generated by and about educators in the |
| 14 | | course of, and in connection with, the performance of their |
| 15 | | duties is critical to the performance and improvement of |
| 16 | | schools. |
| 17 | | (3) While information generated by and about educators |
| 18 | | in the course of, and in connection with, the performance |
| 19 | | of their duties is important for educational purposes, it |
| 20 | | is also critically important to ensure that the information |
| 21 | | is protected, safeguarded and kept private and used only by |
| 22 | | appropriate educational authorities or their permitted |
| 23 | | designees. |
| 24 | | To that end, this Section will help ensure that information |
| 25 | | generated by and about educators in the course of, and in |
| 26 | | connection with, the performance of their duties is protected |
|
| | HB0810 Engrossed | - 15 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | and expectations of privacy are honored. |
| 2 | | (b) In this Section: |
| 3 | | "Biometric record" shall have the meaning set forth in the |
| 4 | | Illinois School Student Records Act. |
| 5 | | "Educator" means any person employed by or otherwise |
| 6 | | working for a school board to provide educational services |
| 7 | | within a school. |
| 8 | | "Educator data" means educator records or any other records |
| 9 | | containing personally identifiable information of an educator. |
| 10 | | "Educator record" means any writing or other recorded |
| 11 | | information concerning an educator by which an educator may be |
| 12 | | individually or personally identified maintained by a school or |
| 13 | | at its direction or by an employee of a school, regardless of |
| 14 | | how or where the information is stored. |
| 15 | | "Personally identifiable information" means: |
| 16 | | (1) the educator's name; |
| 17 | | (2) the names of the educator's immediate family |
| 18 | | members; |
| 19 | | (3) the address of the educator or educator's immediate |
| 20 | | family members; |
| 21 | | (4) a personal identifier, such as the educator's |
| 22 | | social security number, student number, or biometric |
| 23 | | record; |
| 24 | | (5) other indirect identifiers, such as the educator's |
| 25 | | date of birth, place of birth, and mother's maiden name; |
| 26 | | (6) other information that, alone or in combination, is |
|
| | HB0810 Engrossed | - 16 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | linked or linkable to a specific educator that would allow |
| 2 | | a reasonable person in the school community, who does not |
| 3 | | have personal knowledge of the relevant circumstances, to |
| 4 | | identify the educator with reasonable certainty; or |
| 5 | | (7) information requested by a person who the |
| 6 | | educational agency or institution reasonably believes |
| 7 | | knows the identity of the educator to whom the record |
| 8 | | relates. |
| 9 | | "Record" means any information recorded or generated in any |
| 10 | | way, including, but not limited to, electronically-generated |
| 11 | | data, handwriting, print, computer media, video or audio tape, |
| 12 | | film, microfilm, and microfiche. |
| 13 | | "School" shall have the meaning set forth in the Illinois |
| 14 | | School Student Records Act. |
| 15 | | "School board" shall have the meaning set forth in the |
| 16 | | Illinois School Student Records Act. |
| 17 | | "State Board" shall have the meaning set forth in the |
| 18 | | Illinois School Student Records Act. |
| 19 | | "Targeted advertising" means any form of advertising aimed |
| 20 | | directly at a specific individual or group of individuals based |
| 21 | | on a known or assumed trait, or traits, including, but not |
| 22 | | limited to, age, gender, race, address, observed behavior, or |
| 23 | | classroom performance. |
| 24 | | "Vendor" means any entity and its officers, employees, |
| 25 | | agents, independent contractors, and subcontractors that |
| 26 | | provides or offers to provide a product or service to a school |
|
| | HB0810 Engrossed | - 17 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | board, which product or service is marketed or designed for |
| 2 | | school purposes or which the entity knows or reasonably should |
| 3 | | know will be used for school purposes. |
| 4 | | (c) Any vendor who receives any educator data from a school |
| 5 | | board or the State Board in any manner is prohibited from: |
| 6 | | (1) advertising or marketing, including targeted |
| 7 | | advertising, based on: |
| 8 | | (A) any information, including personally |
| 9 | | identifiable information, contained in the educator |
| 10 | | records; |
| 11 | | (B) any information generated by or about |
| 12 | | educators in connection with their use of the vendor's |
| 13 | | product or service; or |
| 14 | | (C) any records created by the vendor as a result |
| 15 | | of educators' use of the vendor's product or service; |
| 16 | | (2) creating, generating, or otherwise amassing a |
| 17 | | profile about any educator for any purpose other than to |
| 18 | | provide the school board with information about educator |
| 19 | | performance or achievement; |
| 20 | | (3) selling or otherwise disclosing the following to |
| 21 | | anyone other than the school board, unless such sale or |
| 22 | | disclosure is required by court order or is expressly |
| 23 | | authorized by this Section: |
| 24 | | (A) any information, including personally |
| 25 | | identifiable information, contained in the educator |
| 26 | | records; |
|
| | HB0810 Engrossed | - 18 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (B) any information generated by or about |
| 2 | | educators in connection with their use of the vendor's |
| 3 | | product or service; or |
| 4 | | (C) any records created by the vendor as a result |
| 5 | | of educators' use of the vendor's product or service; |
| 6 | | (4) exercising or claiming any rights, implied or |
| 7 | | otherwise, to: |
| 8 | | (A) any information, including personally |
| 9 | | identifiable information, contained in the educator |
| 10 | | records; |
| 11 | | (B) any information generated by or about |
| 12 | | educators in connection with their use of the vendor's |
| 13 | | product or service; or |
| 14 | | (C) any records created by the vendor as a result |
| 15 | | of educators' use of the vendor's product or service; |
| 16 | | (5) storing or processing outside the United States: |
| 17 | | (A) any information, including personally |
| 18 | | identifiable information, contained in the educator |
| 19 | | records; |
| 20 | | (B) any information generated by or about |
| 21 | | educators in connection with their use of the vendor's |
| 22 | | product or service; or |
| 23 | | (C) any records created by the vendor as a result |
| 24 | | of educators' use of the vendor's product or service; |
| 25 | | (6) transferring the following to any third-party |
| 26 | | (including subcontractors), affiliate, or government |
|
| | HB0810 Engrossed | - 19 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | agency other than the State Board, unless required by court |
| 2 | | order or expressly authorized by the school board in |
| 3 | | compliance with this Section: |
| 4 | | (A) any information, including personally |
| 5 | | identifiable information, contained in the educator |
| 6 | | records; |
| 7 | | (B) any information generated by or about |
| 8 | | educators in connection with their use of the vendor's |
| 9 | | product or service; or |
| 10 | | (C) any records created by the vendor as a result |
| 11 | | of educators' use of the vendor's product or service; |
| 12 | | (7) permitting access by anyone to the following, |
| 13 | | unless such access is required for the vendor to provide |
| 14 | | its product or service to the school board: |
| 15 | | (A) any information, including personally |
| 16 | | identifiable information, contained in the educator |
| 17 | | records; |
| 18 | | (B) any information generated by or about |
| 19 | | educators in connection with their use of the vendor's |
| 20 | | product or service; or |
| 21 | | (C) any records created by the vendor as a result |
| 22 | | of educators' use of the vendor's product or service; |
| 23 | | (8) requiring a school board or its employees, agents, |
| 24 | | volunteers, or educators to indemnify a vendor or pay the |
| 25 | | vendor's attorneys' fees or costs in connection with any |
| 26 | | dispute arising out of, or otherwise connected to, educator |
|
| | HB0810 Engrossed | - 20 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | data; |
| 2 | | (9) requiring a school board or its employees, agents, |
| 3 | | volunteers, or educators to arbitrate any dispute arising |
| 4 | | out of, or otherwise connected to, educator data; |
| 5 | | (10) entering into any contract or other agreement with |
| 6 | | a school board that authorizes in any manner activities |
| 7 | | prohibited by this Section; and |
| 8 | | (11) modifying or otherwise altering the terms and |
| 9 | | conditions of any contract or other agreement with a school |
| 10 | | board related to educator data without the express consent |
| 11 | | of the school board. |
| 12 | | (d) Any vendor who receives any educator data from a school |
| 13 | | board or the State Board in any manner shall: |
| 14 | | (1) store and process such records and information in |
| 15 | | accordance with commercial best practices, which shall |
| 16 | | include, but not be limited to, data-security practices set |
| 17 | | forth by the United States Department of Education Privacy |
| 18 | | Technical Assistance Center and any rules adopted by the |
| 19 | | State Board; |
| 20 | | (2) implement and maintain appropriate administrative, |
| 21 | | physical, and technical safeguards, to secure such records |
| 22 | | and information from unauthorized access, destruction, |
| 23 | | use, modification, or disclosure, which safeguards shall |
| 24 | | be consistent with any rules adopted by the State Board and |
| 25 | | any guidance provided by the United States Department of |
| 26 | | Education Privacy and Technical Assistance Center; |
|
| | HB0810 Engrossed | - 21 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (3) immediately notify the school board of any security |
| 2 | | breach resulting in unauthorized access to any educator |
| 3 | | data, regardless of whether it is the school board's |
| 4 | | educator data; |
| 5 | | (4) delete the personally identifiable information of |
| 6 | | a specific educator: |
| 7 | | (A) at the request of the educator's school or |
| 8 | | school board; or |
| 9 | | (B) at the request of an educator, provided the |
| 10 | | school board consents to the request; |
| 11 | | (5) designate an officer or employee as a responsible |
| 12 | | person who shall be trained in a manner so as to ensure |
| 13 | | compliance with this Section and ensure the security and |
| 14 | | confidentiality of student data; |
| 15 | | (6) within 30 days of the completion or termination of |
| 16 | | the terms of any contract with a school board related to |
| 17 | | educator data, delete or return to the school board all |
| 18 | | educator data and information and records generated |
| 19 | | therefrom and, in the event of deletion, provide a written |
| 20 | | certification that such deletion has occurred. In the event |
| 21 | | the vendor chooses to delete the data, records, and |
| 22 | | information described in this subdivision (6), it shall |
| 23 | | provide the school board with a written certification that |
| 24 | | the data, records, and information have been deleted, which |
| 25 | | certification shall be provided to the school board within |
| 26 | | 30 days of the termination of the contract; |
|
| | HB0810 Engrossed | - 22 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (7) permit educators to access and correct any |
| 2 | | information contained in the educator records provided to |
| 3 | | the vendor by the school board; |
| 4 | | (8) permit a school board to audit and inspect the |
| 5 | | vendor's practices with respect to any educator data |
| 6 | | received by the vendor from the school board or any |
| 7 | | information or records generated therefrom; |
| 8 | | (9) permit the school board access to any educator data |
| 9 | | provided by the school board and any information and |
| 10 | | records generated therefrom in order for the school board |
| 11 | | to respond to a request under the Freedom of Information |
| 12 | | Act or pursuant to a court order; |
| 13 | | (10) be permitted to diagnose and correct problems with |
| 14 | | the vendor's product or service, provided that to diagnose |
| 15 | | or correct a problem does not require the vendor to engage |
| 16 | | in any activities prohibited by this Section; and |
| 17 | | (11) agree that any dispute arising out of, or |
| 18 | | otherwise connected to, student data shall be litigated |
| 19 | | using Illinois law and that the proper venue is the circuit |
| 20 | | court of the county in which the school board is located. |
| 21 | | (e) Any vendor who seeks to receive from a school board or |
| 22 | | the State Board in any manner any educator data is required to |
| 23 | | enter into a written contract with the school board before any |
| 24 | | records can be transferred, which contract shall contain the |
| 25 | | following: |
| 26 | | (1) provisions consistent with each requirement set |
|
| | HB0810 Engrossed | - 23 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | forth in subsections (c) and (d) of this Section; |
| 2 | | (2) a listing of the precise educator data to be |
| 3 | | provided to the vendor; |
| 4 | | (3) a statement of the product or service being |
| 5 | | provided to the school board by the vendor; |
| 6 | | (4) a statement that the vendor is a school official |
| 7 | | with a legitimate educational interest, performing an |
| 8 | | institutional service or function for which the school |
| 9 | | board would otherwise use employees, under the direct |
| 10 | | control of the school board with respect to the use and |
| 11 | | maintenance of educator data, and is using such educator |
| 12 | | data only for an authorized purpose and will not |
| 13 | | re-disclose it to third parties or affiliates without |
| 14 | | permission from the school board or pursuant to court |
| 15 | | order; |
| 16 | | (5) a statement that the educator data continues to be |
| 17 | | the property of and under the control of the school board, |
| 18 | | and the vendor has a limited, nonexclusive license solely |
| 19 | | for the purpose of performing its obligations under the |
| 20 | | contract; |
| 21 | | (6) a description of the actions the vendor will take, |
| 22 | | including the designation and training of responsible |
| 23 | | employees, to ensure the security and confidentiality of |
| 24 | | educator data; compliance with this requirement shall not, |
| 25 | | in itself, absolve the vendor of liability in the event of |
| 26 | | an unauthorized disclosure of educator data; and |
|
| | HB0810 Engrossed | - 24 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (7) a statement that the contract is the entire |
| 2 | | agreement between the school board (including school board |
| 3 | | employees and other end users) and the vendor. |
| 4 | | (f) Each school board shall adopt a policy regarding which |
| 5 | | school employees have the power to bind the school board to the |
| 6 | | terms of any agreements, whether electronic, click-through, |
| 7 | | click-wrap, verbal, or in writing. If a vendor enters into an |
| 8 | | agreement with an employee or other end users who are not |
| 9 | | authorized through the school board's policy to enter into such |
| 10 | | an agreement, then the agreement shall be voidable by the |
| 11 | | school board. |
| 12 | | (g) Each school board entering into a contract or agreement |
| 13 | | as allowed by this Section shall maintain an original copy of |
| 14 | | its term and conditions at the school board's primary place of |
| 15 | | business, including a copy of the terms and conditions set |
| 16 | | forth in any agreement described in subsection (f) of this |
| 17 | | Section. |
| 18 | | (h) In the event of a security breach resulting, in whole |
| 19 | | or in part, from the vendor's conduct, in addition to any other |
| 20 | | remedies available to the school board under law or equity, the |
| 21 | | vendor shall reimburse the school board in full for all costs |
| 22 | | and expenses incurred by the school board in investigating and |
| 23 | | remediating the breach, including, but not limited to: |
| 24 | | (1) providing notification to the educators whose |
| 25 | | personally identifiable information was compromised and to |
| 26 | | regulatory agencies or other entities as required by law or |
|
| | HB0810 Engrossed | - 25 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | contract; |
| 2 | | (2) providing one year's credit monitoring to those |
| 3 | | educators whose educator data was exposed in such a manner |
| 4 | | during the breach that a reasonable person would have cause |
| 5 | | to believe that it could impact his or her credit or |
| 6 | | financial security; and |
| 7 | | (3) payment of legal fees, audit costs, fines, and |
| 8 | | other fees or damages imposed against the school board as a |
| 9 | | result of the security breach. |
| 10 | | (i) The State Board shall develop, publish, and make |
| 11 | | publicly available model educator data privacy policies and |
| 12 | | procedures that comply with relevant state and federal law. |
| 13 | | (j) In addition to any other penalties, any contract |
| 14 | | governed by this Section that fails to comply with the |
| 15 | | requirements of this Section shall be rendered void if, upon |
| 16 | | notice and a reasonable opportunity to cure, the noncompliant |
| 17 | | party fails to cure any defect. Written notice of noncompliance |
| 18 | | may be provided by either party to the contract. Any vendor |
| 19 | | subject to a contract voided under this subdivision is |
| 20 | | required, within 60 days, to return all student data and any |
| 21 | | information or records generated therefrom in its possession to |
| 22 | | the school board. Any vendor that fails to cure any defect in |
| 23 | | the contract shall not be entitled to any payment required |
| 24 | | under the contract and shall return to the school board all |
| 25 | | payments previously made by the school board.
|
|
| | HB0810 Engrossed | - 26 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | Section 10. The Illinois School Student Records Act is |
| 2 | | amended by changing Sections 2, 6, and 9 as follows:
|
| 3 | | (105 ILCS 10/2) (from Ch. 122, par. 50-2)
|
| 4 | | Sec. 2.
In this Act: |
| 5 | | "Biometric record" means a record of one or more measurable |
| 6 | | biological or behavioral characteristics that can be used for |
| 7 | | automated recognition of an individual. Examples include |
| 8 | | fingerprints, retina and iris patterns, voiceprints, DNA |
| 9 | | sequence, facial characteristics, and handwriting. |
| 10 | | "Eligible student" means a student who has reached 18 years |
| 11 | | of age. |
| 12 | | "Parent" means a person who is the natural parent of the |
| 13 | | student or other person who has the primary responsibility for |
| 14 | | the care and upbringing of the student. All rights and |
| 15 | | privileges accorded to a parent under this Act shall become |
| 16 | | exclusively those of the student upon the student's 18th |
| 17 | | birthday, graduation from secondary school, marriage, or entry |
| 18 | | into military service, whichever occurs first. Such rights and |
| 19 | | privileges may also be exercised by the student at any time |
| 20 | | with respect to the student's permanent school record. |
| 21 | | "Personally identifiable information" means: |
| 22 | | (1) the student's name; |
| 23 | | (2) the name of the student's parent or other family |
| 24 | | members; |
| 25 | | (3) the address of the student or student's family; |
|
| | HB0810 Engrossed | - 27 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (4) a personal identifier, such as the student's social |
| 2 | | security number, student number, or biometric record; |
| 3 | | (5) other indirect identifiers, such as the student's |
| 4 | | date of birth, place of birth, and mother's maiden name; |
| 5 | | (6) other information that, alone or in combination, is |
| 6 | | linked or linkable to a specific student that would allow a |
| 7 | | reasonable person in the school community, who does not |
| 8 | | have personal knowledge of the relevant circumstances, to |
| 9 | | identify the student with reasonable certainty; or |
| 10 | | (7) information requested by a person who the |
| 11 | | educational agency or institution reasonably believes |
| 12 | | knows the identity of the student to whom the education |
| 13 | | record relates. |
| 14 | | "Record" means any information recorded or generated in any |
| 15 | | way, including, but not limited to, electronically-generated |
| 16 | | data, handwriting, print, computer media, video or audio tape, |
| 17 | | film, microfilm, and microfiche. |
| 18 | | "School" means any public preschool, day care center, |
| 19 | | kindergarten, nursery, elementary or secondary educational |
| 20 | | institution, vocational school, special education facility or |
| 21 | | any other elementary or secondary educational agency or |
| 22 | | institution and any person, agency or institution which |
| 23 | | maintains school student records from more than one school, but |
| 24 | | does not include a private or non-public school. |
| 25 | | "School board" means any school board, board of directors, |
| 26 | | or any other governing body established under the School Code. |
|
| | HB0810 Engrossed | - 28 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | "School student record" means any writing or other recorded |
| 2 | | information concerning a student by which a student may be |
| 3 | | individually or personally identified that is maintained by a |
| 4 | | school or at its direction or by an employee of a school, |
| 5 | | regardless of how or where the information is stored. The |
| 6 | | following shall not be deemed school student records under this |
| 7 | | Act: writings or other recorded information maintained by an |
| 8 | | employee of a school or other person at the direction of a |
| 9 | | school for his or her exclusive use; provided that all such |
| 10 | | writings and other recorded information are destroyed not later |
| 11 | | than the student's graduation or permanent withdrawal from the |
| 12 | | school; and provided further that no such records or recorded |
| 13 | | information may be released or disclosed to any person except a |
| 14 | | person designated by the school as a substitute unless they are |
| 15 | | first incorporated in a school student record and made subject |
| 16 | | to all of the provisions of this Act. School student records |
| 17 | | shall not include information maintained by law enforcement |
| 18 | | professionals working in the school. |
| 19 | | "State Board" means the State Board of Education. |
| 20 | | "Student" means any person enrolled or previously enrolled |
| 21 | | in a school. |
| 22 | | "Student permanent record" means the minimum personal |
| 23 | | information necessary to a school in the education of the |
| 24 | | student and contained in a school student record. Such |
| 25 | | information may include the student's name, birth date, |
| 26 | | address, grades and grade level, parents' names and addresses, |
|
| | HB0810 Engrossed | - 29 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | attendance records, and such other entries as the State Board |
| 2 | | may require or authorize. |
| 3 | | "Student temporary record" means all information contained |
| 4 | | in a school student record but not contained in the student |
| 5 | | permanent record. Such information may include family |
| 6 | | background information, intelligence test scores, aptitude |
| 7 | | test scores, psychological and personality test results, |
| 8 | | teacher evaluations, and other information of clear relevance |
| 9 | | to the education of the student, all subject to rules of the |
| 10 | | State Board. The information shall include information |
| 11 | | provided under Section 8.6 of the Abused and Neglected Child |
| 12 | | Reporting Act. In addition, the student temporary record shall |
| 13 | | include information regarding disciplinary infractions |
| 14 | | involving drugs, weapons, or bodily harm to another that |
| 15 | | resulted in expulsion, suspension, or the imposition of |
| 16 | | punishment or sanction. |
| 17 | | As used in this Act,
|
| 18 | | (a) "Student" means any person enrolled or previously |
| 19 | | enrolled in a school.
|
| 20 | | (b) "School" means any public preschool, day care center,
|
| 21 | | kindergarten, nursery, elementary or secondary educational |
| 22 | | institution,
vocational school, special educational facility |
| 23 | | or any other elementary or
secondary educational agency or |
| 24 | | institution and any person, agency or
institution which |
| 25 | | maintains school student records from more than one school,
but |
| 26 | | does not include a private or non-public school.
|
|
| | HB0810 Engrossed | - 30 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (c) "State Board" means the State Board of Education.
|
| 2 | | (d) "School Student Record" means any writing or
other |
| 3 | | recorded information concerning a student
and by which a |
| 4 | | student may be individually identified,
maintained by a school |
| 5 | | or at its direction or by an employee of a
school, regardless |
| 6 | | of how or where the information is stored.
The following shall |
| 7 | | not be deemed school student records under
this Act: writings |
| 8 | | or other recorded information maintained by an
employee of a |
| 9 | | school or other person at the direction of a school for his or
|
| 10 | | her exclusive use; provided that all such writings and other |
| 11 | | recorded
information are destroyed not later than the student's |
| 12 | | graduation or permanent
withdrawal from the school; and |
| 13 | | provided further that no such records or
recorded information |
| 14 | | may be released or disclosed to any person except a person
|
| 15 | | designated by the school as
a substitute unless they are first |
| 16 | | incorporated
in a school student record and made subject to all |
| 17 | | of the
provisions of this Act.
School student records shall not |
| 18 | | include information maintained by
law enforcement |
| 19 | | professionals working in the school.
|
| 20 | | (e) "Student Permanent Record" means the minimum personal
|
| 21 | | information necessary to a school in the education of the |
| 22 | | student
and contained in a school student record. Such |
| 23 | | information
may include the student's name, birth date, |
| 24 | | address, grades
and grade level, parents' names and addresses, |
| 25 | | attendance
records, and such other entries as the State Board |
| 26 | | may
require or authorize.
|
|
| | HB0810 Engrossed | - 31 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (f) "Student Temporary Record" means all information |
| 2 | | contained in
a school student record but not contained in
the |
| 3 | | student permanent record. Such information may include
family |
| 4 | | background information, intelligence test scores, aptitude
|
| 5 | | test scores, psychological and personality test results, |
| 6 | | teacher
evaluations, and other information of clear relevance |
| 7 | | to the
education of the student, all subject to regulations of |
| 8 | | the State Board.
The information shall include information |
| 9 | | provided under Section 8.6 of the
Abused and Neglected Child |
| 10 | | Reporting Act.
In addition, the student temporary record shall |
| 11 | | include information regarding
serious disciplinary infractions |
| 12 | | that resulted in expulsion, suspension, or the
imposition of |
| 13 | | punishment or sanction. For purposes of this provision, serious
|
| 14 | | disciplinary infractions means: infractions involving drugs, |
| 15 | | weapons, or bodily
harm to another.
|
| 16 | | (g) "Parent" means a person who is the natural parent of |
| 17 | | the
student or other person who has the primary responsibility |
| 18 | | for the
care and upbringing of the student. All rights and |
| 19 | | privileges accorded
to a parent under this Act shall become |
| 20 | | exclusively those of the student
upon his 18th birthday, |
| 21 | | graduation from secondary school, marriage
or entry into |
| 22 | | military service, whichever occurs first. Such
rights and |
| 23 | | privileges may also be exercised by the student
at any time |
| 24 | | with respect to the student's permanent school record.
|
| 25 | | (Source: P.A. 92-295, eff. 1-1-02.)
|
|
| | HB0810 Engrossed | - 32 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (105 ILCS 10/6) (from Ch. 122, par. 50-6)
|
| 2 | | Sec. 6. (a) No school student records or information
|
| 3 | | contained therein may be released, transferred, disclosed or |
| 4 | | otherwise
disseminated, except as follows:
|
| 5 | | (1) to To a parent or student or person specifically
|
| 6 | | designated as a representative by a parent, as provided in |
| 7 | | paragraph (a)
of Section 5;
|
| 8 | | (2) to To an employee or official of the school or
|
| 9 | | school district or State Board with current demonstrable |
| 10 | | educational
or administrative interest in the student, in |
| 11 | | furtherance of such interest;
|
| 12 | | (3) to To the official records custodian of another |
| 13 | | school within
Illinois or an official with similar |
| 14 | | responsibilities of a school
outside Illinois, in which the |
| 15 | | student has enrolled, or intends to enroll,
upon the |
| 16 | | request of such official or student;
|
| 17 | | (4) to To any person for the purpose of research,
|
| 18 | | statistical reporting, or planning, provided that such |
| 19 | | research, statistical reporting, or planning is |
| 20 | | permissible under and undertaken in accordance with the |
| 21 | | federal Family Educational Rights and Privacy Act (20 |
| 22 | | U.S.C. 1232g);
|
| 23 | | (5) pursuant Pursuant to a court order, provided that |
| 24 | | the
parent shall be given prompt written notice upon |
| 25 | | receipt
of such order of the terms of the order, the nature |
| 26 | | and
substance of the information proposed to be released
in |
|
| | HB0810 Engrossed | - 33 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | compliance with such order and an opportunity to
inspect |
| 2 | | and copy the school student records and to
challenge their |
| 3 | | contents pursuant to Section 7;
|
| 4 | | (6) to To any person as specifically required by State
|
| 5 | | or federal law;
|
| 6 | | (6.5) to To juvenile authorities
when necessary for the |
| 7 | | discharge of their official duties
who request information |
| 8 | | prior to
adjudication of the student and who certify in |
| 9 | | writing that the information
will not be disclosed to any |
| 10 | | other party except as provided under law or order
of court. |
| 11 | | For purposes of this Section "juvenile authorities" means:
|
| 12 | | (i) a judge of
the circuit court and members of the staff |
| 13 | | of the court designated by the
judge; (ii) parties to the |
| 14 | | proceedings under the Juvenile Court Act of 1987 and
their |
| 15 | | attorneys; (iii) probation
officers and court appointed |
| 16 | | advocates for the juvenile authorized by the judge
hearing |
| 17 | | the case; (iv) any individual, public or private agency |
| 18 | | having custody
of the child pursuant to court order; (v) |
| 19 | | any individual, public or private
agency providing |
| 20 | | education, medical or mental health service to the child |
| 21 | | when
the requested information is needed to determine the |
| 22 | | appropriate service or
treatment for the minor; (vi) any |
| 23 | | potential placement provider when such
release
is |
| 24 | | authorized by the court for the limited purpose of |
| 25 | | determining the
appropriateness of the potential |
| 26 | | placement; (vii) law enforcement officers and
prosecutors;
|
|
| | HB0810 Engrossed | - 34 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (viii) adult and juvenile prisoner review boards; (ix) |
| 2 | | authorized military
personnel; (x)
individuals authorized |
| 3 | | by court;
|
| 4 | | (7) subject Subject to regulations of the State Board,
|
| 5 | | in connection with an emergency, to appropriate persons
if |
| 6 | | the knowledge of such information is necessary to protect
|
| 7 | | the health or safety of the student or other
persons;
|
| 8 | | (8) to To any person, with the prior specific dated
|
| 9 | | written consent of the parent designating the person
to |
| 10 | | whom the records may be released, provided that at
the time |
| 11 | | any such consent is requested or obtained,
the parent shall |
| 12 | | be advised in writing that he has the right
to inspect and |
| 13 | | copy such records in accordance with Section 5, to
|
| 14 | | challenge their contents in accordance with Section 7 and |
| 15 | | to limit any such
consent to
designated records or |
| 16 | | designated portions of the information contained
therein;
|
| 17 | | (9) to To a governmental agency, or social service |
| 18 | | agency contracted by a
governmental agency, in furtherance |
| 19 | | of an investigation of a student's school
attendance |
| 20 | | pursuant to the compulsory student attendance laws of this |
| 21 | | State,
provided that the records are released to the |
| 22 | | employee or agent designated by
the agency;
|
| 23 | | (10) to To those SHOCAP committee members who fall |
| 24 | | within the meaning of
"state and local officials and |
| 25 | | authorities", as those terms are used within the
meaning of |
| 26 | | the federal Family Educational Rights and Privacy Act, for
|
|
| | HB0810 Engrossed | - 35 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | the
purposes of identifying serious habitual juvenile |
| 2 | | offenders and matching those
offenders with community |
| 3 | | resources pursuant to Section 5-145 of the Juvenile
Court |
| 4 | | Act of 1987, but only to the extent that the release, |
| 5 | | transfer,
disclosure, or dissemination is consistent with |
| 6 | | the Family Educational Rights
and Privacy Act;
|
| 7 | | (11) to To the Department of Healthcare and Family |
| 8 | | Services in furtherance of the
requirements of Section |
| 9 | | 2-3.131, 3-14.29, 10-28, or 34-18.26 of
the School Code or |
| 10 | | Section 10 of the School Breakfast and Lunch
Program Act; |
| 11 | | or
|
| 12 | | (12) to To the State Board or another State government |
| 13 | | agency or between or among State government agencies in |
| 14 | | order to evaluate or audit federal and State programs or |
| 15 | | perform research and planning, but only to the extent that |
| 16 | | the release, transfer, disclosure, or dissemination is |
| 17 | | consistent with the federal Family Educational Rights and |
| 18 | | Privacy Act (20 U.S.C. 1232g). |
| 19 | | (a-5) Pursuant to subparagraph (4) of paragraph (a) of this |
| 20 | | Section, a school board or the State Board may provide records |
| 21 | | of a student to researchers at an accredited post-secondary |
| 22 | | educational institution or an organization conducting research |
| 23 | | if any such research is conducted in accordance with the |
| 24 | | federal Family Educational Rights and Privacy Act and does not |
| 25 | | take place until the following requirements are complied with: |
| 26 | | (1) Prior to the beginning of each school year, the |
|
| | HB0810 Engrossed | - 36 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | school board shall provide notice to parents, guardians or |
| 2 | | eligible students regarding planned studies. For those |
| 3 | | school boards that maintain an Internet website, the school |
| 4 | | board shall post on its Internet website a current list of |
| 5 | | all research studies using records obtained from the school |
| 6 | | board without obtaining consent from parents, guardians or |
| 7 | | eligible students currently being conducted or scheduled |
| 8 | | to be conducted. In April and December of each year, the |
| 9 | | school board shall update the Internet website to include |
| 10 | | new research studies that are approved or conducted. For |
| 11 | | those school boards that do not maintain an Internet |
| 12 | | website, each school board shall provide parents, |
| 13 | | guardians and eligible students with a current list of all |
| 14 | | research studies being conducted or scheduled to be |
| 15 | | conducted in the same notice described above and shall |
| 16 | | provide supplemental notices every April and December |
| 17 | | provided new research studies have been approved or are |
| 18 | | being conducted. |
| 19 | | (A) The school board shall send the notice |
| 20 | | described in this subparagraph (1) by the same means |
| 21 | | generally used to send notices to parents, guardians or |
| 22 | | eligible students. |
| 23 | | (B) The notice described in this subparagraph (1) |
| 24 | | shall describe generally the purposes of conducting |
| 25 | | educational research, contain a short description of |
| 26 | | all current and scheduled research studies and set |
|
| | HB0810 Engrossed | - 37 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | forth the address of the Internet website containing a |
| 2 | | current list of all research studies being conducted |
| 3 | | and scheduled to be conducted, which web address shall |
| 4 | | also be set forth in the school board's student |
| 5 | | handbook. The notice shall also advise parents, |
| 6 | | guardians and eligible students that the State Board |
| 7 | | conducts research studies and shall provide the |
| 8 | | Internet website address for that part of the State |
| 9 | | Board's website that contains a list of the current and |
| 10 | | scheduled studies to be conducted. |
| 11 | | (C) For those school boards that maintain an |
| 12 | | Internet website, the webpage that contains the list of |
| 13 | | all current and scheduled research studies shall also |
| 14 | | set forth, in general terms, the nature of each listed |
| 15 | | research study, the categories of students whose |
| 16 | | records will be used in each listed research study and |
| 17 | | the names of all organizations involved in each listed |
| 18 | | research study. For those school boards that do not |
| 19 | | maintain an Internet website, the school boards shall |
| 20 | | provide the information described in this subdivision |
| 21 | | (C) in the notice described in this subparagraph (1). |
| 22 | | (2) A written data use agreement that complies with the |
| 23 | | Family Educational Rights and Privacy Act and its |
| 24 | | accompanying regulations and, at a minimum, contains the |
| 25 | | provisions set forth below is entered into by and between |
| 26 | | the party gaining access to the records of the school board |
|
| | HB0810 Engrossed | - 38 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | or State Board and the entity with the legal authority to |
| 2 | | permit the use of the data: |
| 3 | | (A) The accredited post-secondary educational |
| 4 | | institution or the organization conducting research |
| 5 | | shall abide by all requirements of this subparagraph |
| 6 | | (2). |
| 7 | | (B) A statement of the purpose, scope and duration |
| 8 | | of the research study or studies, as well as a |
| 9 | | description of the records to be used as part of the |
| 10 | | study and the person or persons to whom the records |
| 11 | | will be disclosed, provided that the list of persons to |
| 12 | | whom the records may be disclosed may be amended from |
| 13 | | time to time with the agreement of all parties to the |
| 14 | | data use agreement. |
| 15 | | (C) The accredited post-secondary educational |
| 16 | | institution or the organization conducting research |
| 17 | | shall use school student records only to meet the |
| 18 | | purpose or purposes of the study as set forth in |
| 19 | | subdivision (B) of this subparagraph (2). |
| 20 | | (D) The accredited post-secondary educational |
| 21 | | institution or the organization conducting research |
| 22 | | may only use records containing personally |
| 23 | | identifiable information of a student or by which a |
| 24 | | student may otherwise be individually or personally |
| 25 | | identified for two reasons: (i) to link data files; or |
| 26 | | (ii) to identify eligible students for research |
|
| | HB0810 Engrossed | - 39 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | studies for which written parental, guardian or |
| 2 | | eligible student consent will be obtained for |
| 3 | | participation and the person or persons to whom such |
| 4 | | information will be disclosed is set forth in the data |
| 5 | | use agreement. |
| 6 | | (E) The accredited post-secondary educational |
| 7 | | institution or the organization conducting research |
| 8 | | shall destroy all records containing personally |
| 9 | | identifiable information of a student or that |
| 10 | | otherwise individually or personally identifies a |
| 11 | | student when the information is no longer needed, but |
| 12 | | in no event later than 36 months after the research |
| 13 | | study has been completed. |
| 14 | | (F) The accredited post-secondary educational |
| 15 | | institution or the organization conducting research |
| 16 | | shall certify in writing that it has the capacity to |
| 17 | | and shall restrict access to school student records to |
| 18 | | the person or persons set forth in subdivision (B) of |
| 19 | | this subparagraph (2). |
| 20 | | (G) The accredited post-secondary educational |
| 21 | | institution or the organization conducting research |
| 22 | | shall certify in writing that it shall maintain the |
| 23 | | security of all records received pursuant to this |
| 24 | | paragraph (a-5) in compliance with rules that shall be |
| 25 | | adopted by the State Board, which rules shall be |
| 26 | | consistent, and regularly updated to comply, with |
|
| | HB0810 Engrossed | - 40 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | commonly accepted data-security practices, including, |
| 2 | | but not limited to, those set forth by the United |
| 3 | | States Department of Education Privacy Technical |
| 4 | | Assistance Center. |
| 5 | | (H) In compliance with the rules adopted pursuant |
| 6 | | to subdivision (G) of this subparagraph (2) and any |
| 7 | | other rules that may be necessary and adopted by the |
| 8 | | State Board, the accredited post-secondary educational |
| 9 | | institution or the organization conducting research |
| 10 | | shall develop, implement, maintain, and use |
| 11 | | appropriate administrative, technical and physical |
| 12 | | security measures to preserve the confidentiality and |
| 13 | | integrity of all school student records. |
| 14 | | (3) Accredited post-secondary educational institutions |
| 15 | | and organizations conducting research may only use records |
| 16 | | containing personally identifiable information or a |
| 17 | | student or by which a student may otherwise be personally |
| 18 | | or individually identified for two reasons: (i) to link |
| 19 | | data files or (ii) to identify eligible students for |
| 20 | | research studies for which written parental, guardian or |
| 21 | | eligible student consent will be obtained for |
| 22 | | participation and the person or persons to whom such |
| 23 | | information will be disclosed is set forth in the data use |
| 24 | | agreement. |
| 25 | | (4) The accredited post-secondary institution or the |
| 26 | | organization conducting research agrees that it shall use |
|
| | HB0810 Engrossed | - 41 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | personally identifiable information from school student |
| 2 | | records only to meet the purpose or purposes of the |
| 3 | | research study or studies as stated in the data use |
| 4 | | agreement described in subparagraph (2) of this paragraph |
| 5 | | (a-5). |
| 6 | | (5) Any information by which a student may be |
| 7 | | individually or personally identified shall be released, |
| 8 | | transferred, disclosed or otherwise disseminated only as |
| 9 | | contemplated by the written data use agreement of paragraph |
| 10 | | (a-5). |
| 11 | | (6) All school student records shall have personally |
| 12 | | identifiable information removed prior to analysis by the |
| 13 | | accredited post-secondary educational institution or the |
| 14 | | organization conducting research. |
| 15 | | (7) The accredited post-secondary institution or |
| 16 | | organization conducting research shall implement and |
| 17 | | adhere to policies and procedures that restrict access to |
| 18 | | records which have personally identifiable information. |
| 19 | | (A) The accredited post-secondary institution or |
| 20 | | organization conducting research shall designate an |
| 21 | | individual to act as the custodian of the records with |
| 22 | | personally identifiable information who is responsible |
| 23 | | for restricting access to those records and provide the |
| 24 | | name of that individual to the entity with the legal |
| 25 | | authority to permit the use of the records. |
| 26 | | (B) Any personally identifiable information used |
|
| | HB0810 Engrossed | - 42 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | to link data sets shall be securely stored in a |
| 2 | | location separate and apart from the location of the |
| 3 | | de-identified school student records, in a secure data |
| 4 | | file. |
| 5 | | Nothing in this subparagraph (a-5) shall prohibit the State |
| 6 | | Board or any school board from providing personally |
| 7 | | identifiable information about individual students to an |
| 8 | | accredited post-secondary educational institution or an |
| 9 | | organization conducting research pursuant to a specific, |
| 10 | | written agreement with a school board or State Board and in |
| 11 | | accordance with the federal Family Educational Rights and |
| 12 | | Privacy Act, where necessary for the school board or State |
| 13 | | Board to comply with state or federal statutory mandates. |
| 14 | | (b) No information may be released pursuant to subparagraph |
| 15 | | subparagraphs (3) or
(6) of paragraph (a) of this Section 6 |
| 16 | | unless the parent receives
prior written notice of the nature |
| 17 | | and substance of the information
proposed to be released, and |
| 18 | | an opportunity to inspect
and copy such records in accordance |
| 19 | | with Section 5 and to
challenge their contents in accordance |
| 20 | | with Section 7. Provided, however,
that such notice shall be |
| 21 | | sufficient if published in a local newspaper of
general |
| 22 | | circulation or other publication directed generally to the |
| 23 | | parents
involved where the proposed release of information is |
| 24 | | pursuant to
subparagraph (6) 6 of paragraph (a) of in this |
| 25 | | Section 6 and relates to more
than 25 students.
|
| 26 | | (c) A record of any release of information pursuant
to this |
|
| | HB0810 Engrossed | - 43 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | Section must be made and kept as a part of the
school student |
| 2 | | record and subject to the access granted by Section 5.
Such |
| 3 | | record of release shall be maintained for the life of the
|
| 4 | | school student records and shall be available only to the |
| 5 | | parent
and the official records custodian.
Each record of |
| 6 | | release shall also include:
|
| 7 | | (1) the The nature and substance of the information |
| 8 | | released;
|
| 9 | | (2) the The name and signature of the official records
|
| 10 | | custodian releasing such information;
|
| 11 | | (3) the The name of the person requesting such |
| 12 | | information,
the capacity in which such a request has been |
| 13 | | made, and the purpose of such
request;
|
| 14 | | (4) the The date of the release; and
|
| 15 | | (5) a A copy of any consent to such release.
|
| 16 | | (d) Except for the student and his parents, no person
to |
| 17 | | whom information is released pursuant to this Section
and no |
| 18 | | person specifically designated as a representative by a parent
|
| 19 | | may permit any other person to have access to such information |
| 20 | | without a prior
consent of the parent obtained in accordance |
| 21 | | with the requirements
of subparagraph (8) of paragraph (a) of |
| 22 | | this Section.
|
| 23 | | (e) Nothing contained in this Act shall prohibit the
|
| 24 | | publication of student directories which list student names, |
| 25 | | addresses
and other identifying information and similar |
| 26 | | publications which
comply with regulations issued by the State |
|
| | HB0810 Engrossed | - 44 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | Board.
|
| 2 | | (Source: P.A. 95-331, eff. 8-21-07; 95-793, eff. 1-1-09; |
| 3 | | 96-107, eff. 7-30-09; 96-1000, eff. 7-2-10; revised 11-26-14.)
|
| 4 | | (105 ILCS 10/9) (from Ch. 122, par. 50-9)
|
| 5 | | Sec. 9.
(a) Any person aggrieved by any violation of
this |
| 6 | | Act may institute an action for injunctive relief in the |
| 7 | | Circuit
Court of the County in which the violation has occurred |
| 8 | | or the Circuit
Court of the County in which the school is |
| 9 | | located.
|
| 10 | | (b) Any person injured by a wilful or negligent violation |
| 11 | | of
this Act may institute an action for damages in the Circuit |
| 12 | | Court of the
County in which the violation has occurred or the |
| 13 | | Circuit Court of the
County in which the school is located.
|
| 14 | | (c) In the case of any successful action under paragraph |
| 15 | | (a) or
(b) of this Section, any person or school found to have |
| 16 | | wilfully
or negligently violated any provision of this Act is |
| 17 | | liable to the
plaintiff for the plaintiff's damages, the costs |
| 18 | | of the action and
reasonable attorneys' fees, as determined by |
| 19 | | the Court.
|
| 20 | | (d) Actions for injunctive relief to secure compliance
with |
| 21 | | this Act may be brought by the State Board, by the State's
|
| 22 | | Attorney of the County in which the alleged violation has |
| 23 | | occurred or the
State's Attorney of the County in which the |
| 24 | | school is located, in each
case in the Circuit Court of such |
| 25 | | County.
|
|
| | HB0810 Engrossed | - 45 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | (e) Wilful failure to comply with any Section of this Act
|
| 2 | | is a petty offense; except that any person who wilfully and |
| 3 | | maliciously
falsifies any school student record, student |
| 4 | | permanent record or student
temporary record shall be guilty of |
| 5 | | a Class A misdemeanor.
|
| 6 | | (f) Absent proof of malice, no cause of action or claim for |
| 7 | | relief,
civil or criminal, may be maintained against any |
| 8 | | school, or employee or
official of a school or person acting at |
| 9 | | the direction of a school for
any statement made or judgment |
| 10 | | expressed in any entry to a school student
record of a type |
| 11 | | which does not violate this Act or the regulations
issued by |
| 12 | | the State Board pursuant to this Act; provided that this
|
| 13 | | paragraph (f) does not limit or deny any defense available
|
| 14 | | under existing law.
|
| 15 | | (g) In addition to any other penalties and remedies |
| 16 | | provided by this Section 9 of this Act, any accredited |
| 17 | | post-secondary educational institution or organization |
| 18 | | conducting research that violates the requirements of |
| 19 | | subparagraph (a-5) of Section 6 of this Act shall immediately |
| 20 | | cease conducting any research that utilizes school student |
| 21 | | records and shall be prohibited from conducting additional |
| 22 | | research studies based on such records and information for a |
| 23 | | period of 6 months from the date of the discovery of the |
| 24 | | violation. |
| 25 | | (h) In addition to any other penalties and remedies |
| 26 | | provided by this Section 9 of this Act, any school board that |
|
| | HB0810 Engrossed | - 46 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | violates the requirements of subparagraph (a-5) of Section 6 of |
| 2 | | this Act shall be prohibited from entering into a data use |
| 3 | | agreement with any accredited post-secondary educational |
| 4 | | institution or organization conducting research for a period of |
| 5 | | 12 months from the date of the discovery of the violation, and |
| 6 | | all existing data use agreements shall be voided. |
| 7 | | (Source: P.A. 84-712.)
|
| 8 | | Section 15. The Children's Privacy Protection and Parental |
| 9 | | Empowerment Act is amended by changing Section 5 as follows:
|
| 10 | | (325 ILCS 17/5)
|
| 11 | | Sec. 5. Definitions. As used in this Act:
|
| 12 | | "Child" means a person under the age of 18 16. "Child" does |
| 13 | | not include a minor
emancipated by operation of law.
|
| 14 | | "Parent" means a parent, step-parent, or legal guardian.
|
| 15 | | "Personal information" means any of the following:
|
| 16 | | (1) A person's name.
|
| 17 | | (2) A person's address.
|
| 18 | | (3) A person's telephone number.
|
| 19 | | (4) A person's driver's license number or State of |
| 20 | | Illinois identification
card as
assigned by the Illinois |
| 21 | | Secretary of State or by a similar agency of another
state.
|
| 22 | | (5) A person's social security number.
|
| 23 | | (6) Any other information that can be used to locate or |
| 24 | | contact a specific
individual.
|
|
| | HB0810 Engrossed | - 47 - | LRB099 04620 NHT 24649 b |
|
|
|
| 1 | | "Personal information" does not include any of the
|
| 2 | | following:
|
| 3 | | (1) Public records as defined by Section 2 of the |
| 4 | | Freedom of Information
Act.
|
| 5 | | (2) Court records.
|
| 6 | | (3) Information found in publicly available sources, |
| 7 | | including newspapers,
magazines, and telephone |
| 8 | | directories.
|
| 9 | | (4) Any other information that is not known to concern |
| 10 | | a child.
|
| 11 | | (Source: P.A. 93-462, eff. 1-1-04.)
|