Full Text of SB3092 98th General Assembly
SB3092eng 98TH GENERAL ASSEMBLY |
| | SB3092 Engrossed | | LRB098 15075 NHT 50039 b |
|
| 1 | | AN ACT concerning education.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 5. The P-20 Longitudinal Education Data System Act | 5 | | is amended by adding Section 32 as follows: | 6 | | (105 ILCS 13/32 new) | 7 | | Sec. 32. Personally identifiable information limitations. | 8 | | (a) In this Section: | 9 | | "Education records" has the meaning ascribed to that term | 10 | | in 34 CFR 99.3. | 11 | | "Organization" means not-for-profit organizations, think | 12 | | tanks, or other organizations conducting research studies. | 13 | | "Personally identifiable information" means (i) any | 14 | | personally identifiable information under the federal Family | 15 | | Educational Rights Act of 1974 (FERPA), other than "directory | 16 | | information" as that term is defined in Section 99.3 of the | 17 | | federal regulations implementing FERPA (34 CFR 99.3), and (ii) | 18 | | the personally identifiable information of teachers, other | 19 | | educators, and school administrators, other than publicly | 20 | | available, school-related information such as the name, school | 21 | | location, and grade levels or subjects taught. | 22 | | (b) If an audit or evaluation or a compliance or | 23 | | enforcement activity in connection with legal requirements |
| | | SB3092 Engrossed | - 2 - | LRB098 15075 NHT 50039 b |
|
| 1 | | that relate to State-supported or school district-supported | 2 | | educational programs requires or is used as the basis for | 3 | | granting access to personally identifiable information, the | 4 | | State Board or a school shall designate parties only under | 5 | | their direct control to act as authorized representatives to | 6 | | conduct the audit, evaluation, or activity. | 7 | | (c) The State Board or schools may not disclose any | 8 | | personally identifiable information, including personally | 9 | | identifiable information from education records of students, | 10 | | to a contractor, consultant, or other party to whom the State | 11 | | Board or school has outsourced services or functions without | 12 | | providing notice to parents, guardians, and eligible students | 13 | | by posting the intent to disclose the information on the | 14 | | Internet website of the school or State Board at least 30 days | 15 | | in advance or as soon as practicable, unless that outside | 16 | | party: | 17 | | (1) performs an institutional service or function for | 18 | | which the State Board or the school would otherwise use | 19 | | employees; | 20 | | (2) is under the direct control of the State Board or | 21 | | the school with respect to the use and maintenance of | 22 | | education records; | 23 | | (3) limits internal access to education records to | 24 | | those individuals who are determined to have legitimate | 25 | | educational interests; | 26 | | (4) does not use the education records for any purposes |
| | | SB3092 Engrossed | - 3 - | LRB098 15075 NHT 50039 b |
|
| 1 | | other than those authorized in its contract; | 2 | | (5) does not disclose any personally identifiable | 3 | | information to any other party (i) without the prior | 4 | | notification to the eligible student, parent, or guardian | 5 | | or (ii) unless required by law and the party provides a | 6 | | notice of the disclosure to the State Board or school board | 7 | | that provided the information no later than the time the | 8 | | information is disclosed, to the extent allowed by law or | 9 | | by the terms of a court order; | 10 | | (6) maintains reasonable administrative, technical, | 11 | | and physical safeguards to protect the security, | 12 | | confidentiality, and integrity of personally identifiable | 13 | | information in its custody and conducts regular security | 14 | | audits to confirm the efficacy of those safeguards; | 15 | | (7) uses appropriate encryption technologies to | 16 | | protect data while in motion or in its custody from | 17 | | unauthorized disclosure; | 18 | | (8) has sufficient administrative and technical | 19 | | procedures to monitor continuously the security of | 20 | | personally identifiable information in its custody; | 21 | | (9) maintains a breach remediation plan prior to | 22 | | initial receipts of the personally identifiable | 23 | | information and reports breaches as specified by the | 24 | | Personal Information Protection Act; | 25 | | (10) reports all actual security breaches to the State | 26 | | Board or the school that provided personally identifiable |
| | | SB3092 Engrossed | - 4 - | LRB098 15075 NHT 50039 b |
|
| 1 | | information and education records as soon as possible, but | 2 | | no later than 72 hours after an actual breach was known or | 3 | | in the most expedient amount of time possible under the | 4 | | circumstances; | 5 | | (11) agrees, in the event of a security breach or an | 6 | | unauthorized disclosure of personally identifiable | 7 | | information, to pay all costs and liabilities incurred by | 8 | | the State Board or school related to the security breach or | 9 | | unauthorized disclosure, including without limitation the | 10 | | costs of responding to inquiries about the security breach | 11 | | or unauthorized disclosure, of notifying the subjects of | 12 | | personally identifiable information about the breach, of | 13 | | mitigating the effects of the breach for the subjects of | 14 | | personally identifiable information, and of investigating | 15 | | the cause or consequences of the security breach or | 16 | | unauthorized disclosure; and | 17 | | (12) destroys or returns to the State Board or school | 18 | | all personally identifiable information in its custody | 19 | | upon request and at the termination of the contract. | 20 | | (d) The State Board or schools may disclose personally | 21 | | identifiable information from an education record of a student | 22 | | without the consent of the eligible student, parent, or | 23 | | guardian to a party conducting studies for or on behalf of the | 24 | | State Board or school to (i) develop, validate, or administer | 25 | | predictive tests, (ii) administer student aid programs, or | 26 | | (iii) improve instruction, provided that the outside party |
| | | SB3092 Engrossed | - 5 - | LRB098 15075 NHT 50039 b |
|
| 1 | | conducting the study meets all of the requirements for | 2 | | contractors set forth in subsection (c) of this Section. | 3 | | (d-5) The State Board or schools may disclose personally | 4 | | identifiable information from an education record of a student | 5 | | to researchers at an organization or accredited post-secondary | 6 | | educational institution conducting research pursuant to a | 7 | | specific, written agreement with the school or State Board and | 8 | | in accordance with the federal Family Educational Rights and | 9 | | Privacy Act of 1974, provided that: | 10 | | (1) the nature of the research is first publicly | 11 | | disclosed to parents, guardians, and eligible students on | 12 | | the Internet website of the school or State Board at least | 13 | | 30 days in advance of the research being conducted or as | 14 | | soon as practicable; | 15 | | (2) the organization or institution and the school or | 16 | | State Board enter into a data use agreement that complies | 17 | | with the federal Family Educational Rights and Privacy Act | 18 | | of 1974 and its accompanying rules; and | 19 | | (3) the organization or institution uses personally | 20 | | identifiable information from school student records only | 21 | | to meet the purpose or purposes of the study as stated in | 22 | | the written agreement. | 23 | | For purposes of this subsection (d-5), any information by | 24 | | which a student may be individually or personally identified | 25 | | may only be released, transferred, disclosed, or otherwise | 26 | | disseminated as contemplated by the agreement between the |
| | | SB3092 Engrossed | - 6 - | LRB098 15075 NHT 50039 b |
|
| 1 | | parties. The school student records must be redacted prior to | 2 | | analysis by the organization or institution. Any personally | 3 | | identifiable information used to link data sets must be stored | 4 | | in a secure data file or location outside of the secure data | 5 | | storage where redacted information from the school regarding | 6 | | student records is stored. The organization or institution | 7 | | shall implement and adhere to policies and procedures that | 8 | | restrict access to information by which a student may be | 9 | | individually or personally identified. The organization or | 10 | | institution shall designate an individual to act as the | 11 | | custodian of the personally identifiable information who is | 12 | | responsible for restricting access to that information. | 13 | | Nothing in this subsection (d-5) prohibits or limits the | 14 | | ability of the State Board or any school to provide personally | 15 | | identifiable information about individual students to a school | 16 | | official, organization, or institution for the purposes of | 17 | | developing, administering, scoring, or interpreting results of | 18 | | student assessments or predictive tests if those assessments or | 19 | | tests require individualized development or administration | 20 | | based on the needs of individual students. | 21 | | (e) The State Board or schools may not disclose any | 22 | | personally identifiable information, including personally | 23 | | identifiable information from education records of students, | 24 | | without the written consent of eligible students, parents, or | 25 | | guardians to any party for a commercial use, including without | 26 | | limitation marketing products or services, compiling lists for |
| | | SB3092 Engrossed | - 7 - | LRB098 15075 NHT 50039 b |
|
| 1 | | sale or rental, developing products or services, or creating | 2 | | individual, household, or group profiles, nor may such | 3 | | disclosure be made for the provision of services other than | 4 | | contracting, studies, and audits or evaluations as authorized | 5 | | and limited by subsections (c), (d), and (d-5) of this Section. | 6 | | (f) The State Board or schools may not, directly or through | 7 | | contracts with outside parties, maintain personally | 8 | | identifiable information, including personally identifiable | 9 | | information from education records of students, without the | 10 | | proper notification to eligible students, parents, or | 11 | | guardians, unless the maintenance of the information is: | 12 | | (1) explicitly mandated in federal or State statute; | 13 | | (2) administratively required for the proper | 14 | | performance of their duties under the law and is relevant | 15 | | to and necessary for the delivery of services; or | 16 | | (3) designed to support a study of students or former | 17 | | students. | 18 | | (g) The State Board and schools shall publicly and | 19 | | conspicuously disclose on their Internet websites and through | 20 | | annual electronic notification to the chairperson of the House | 21 | | of Representatives Elementary & Secondary Education Committee | 22 | | and the chairperson of the Senate Education Committee the | 23 | | existence and character of any personally identifiable | 24 | | information that they, directly or through contracts with | 25 | | outside parties, maintain. The disclosure and notification | 26 | | shall include: |
| | | SB3092 Engrossed | - 8 - | LRB098 15075 NHT 50039 b |
|
| 1 | | (1) the name and location of the data repository where | 2 | | the information is maintained; | 3 | | (2) the legal authority that authorizes the | 4 | | establishment and existence of the data repository; | 5 | | (3) the principal purpose or purposes for which the | 6 | | information is intended to be used; | 7 | | (4) the categories of individuals on whom records are | 8 | | maintained in the data repository; | 9 | | (5) the categories of records maintained in the data | 10 | | repository; | 11 | | (6) each expected disclosure of the records contained | 12 | | in the data repository, including the categories of | 13 | | recipients and the purpose of each disclosure; | 14 | | (7) the policies and practices of the State Board or | 15 | | school regarding storage, retrievability, access controls, | 16 | | retention, and disposal of the records; | 17 | | (8) the title and business address of the State Board | 18 | | or school official who is responsible for the data | 19 | | repository and the name and business address of any | 20 | | contractor or other outside party maintaining the data | 21 | | repository for or on behalf of the State Board or school; | 22 | | (9) the procedures whereby eligible students, parents, | 23 | | or guardians can be notified at their request if the data | 24 | | repository contains a record pertaining to the student, | 25 | | parent, or guardian; | 26 | | (10) the procedures whereby eligible students, |
| | | SB3092 Engrossed | - 9 - | LRB098 15075 NHT 50039 b |
|
| 1 | | parents, or guardians can be notified at their request on | 2 | | how to gain access to any record pertaining to the student, | 3 | | parent, or guardian contained in the data repository and | 4 | | how they can contest its content; and | 5 | | (11) the categories of sources of records in the data | 6 | | repository. | 7 | | (h) The State Board and schools may not append education | 8 | | records with personally identifiable information obtained from | 9 | | other federal or State agencies through data matches without | 10 | | the proper notification to eligible students, parents, or | 11 | | guardians unless the data matches are: | 12 | | (1) explicitly mandated in federal or State statute; | 13 | | (2) administratively required for the proper | 14 | | performance of their duties under the law and are relevant | 15 | | to and necessary for the delivery of services; or | 16 | | (3) designed to support a study of students or former | 17 | | students. | 18 | | (i) Any person aggrieved by any violation of this Section | 19 | | may institute an action for injunctive relief in the circuit | 20 | | court of the county in which the violation has occurred or the | 21 | | circuit court of the county in which the school is located. Any | 22 | | person injured by a willful or negligent violation of this | 23 | | Section may institute an action for damages in the circuit | 24 | | court of the county in which the violation has occurred or the | 25 | | circuit court of the county in which the school is located. In | 26 | | the case of any successful action under this paragraph, any |
| | | SB3092 Engrossed | - 10 - | LRB098 15075 NHT 50039 b |
|
| 1 | | person or school found to have willfully or negligently | 2 | | violated any provision of this Section is liable to the | 3 | | plaintiff for the plaintiff's damages, the costs of the action, | 4 | | and reasonable attorney's fees, as determined by the court. | 5 | | Actions for injunctive relief to secure compliance with | 6 | | this Section may be brought by the State Board, by the State's | 7 | | Attorney of the county in which the alleged violation has | 8 | | occurred or the State's Attorney of the county in which the | 9 | | school is located, in each case in the circuit court of such | 10 | | county. | 11 | | Willful failure to comply with this Section is a petty | 12 | | offense, except that any person who willfully and maliciously | 13 | | falsifies any school student record, student permanent record, | 14 | | or student temporary record is guilty of a Class A misdemeanor. | 15 | | Absent proof of malice, no cause of action or claim for | 16 | | relief, civil or criminal, may be maintained against any | 17 | | school, employee or official of a school, or person acting at | 18 | | the direction of a school for any statement made or judgment | 19 | | expressed in any entry to a school student record of a type | 20 | | that does not violate this Section or rules adopted by the | 21 | | State Board, provided that this paragraph does not limit or | 22 | | deny any defense available under existing law. | 23 | | (j) Nothing contained in this Section shall be construed as | 24 | | creating a private right of action against the State Board or a | 25 | | school. | 26 | | (k) Nothing in this Section shall limit the administrative |
| | | SB3092 Engrossed | - 11 - | LRB098 15075 NHT 50039 b |
|
| 1 | | use of personally identifiable information by a person acting | 2 | | exclusively in the person's capacity as an employee of a | 3 | | school, this State, a court, or the federal government that is | 4 | | otherwise required by law.
| 5 | | Section 99. Effective date. This Act takes effect upon | 6 | | becoming law.
|
|