Full Text of HB0810 99th General Assembly
HB0810ham001 99TH GENERAL ASSEMBLY | Rep. Scott Drury Filed: 4/7/2015
| | 09900HB0810ham001 | | LRB099 04620 SXM 33703 a |
|
| 1 | | AMENDMENT TO HOUSE BILL 810
| 2 | | AMENDMENT NO. ______. Amend House Bill 810 by replacing | 3 | | everything after the enacting clause with the following:
| 4 | | "Section 5. The School Code is amended by adding Sections | 5 | | 22-80 and 22-81 as follows: | 6 | | (105 ILCS 5/22-80 new) | 7 | | Sec. 22-80. Student data privacy. | 8 | | (a) It is the intent of the General Assembly to help ensure | 9 | | that information generated by and about students in the course | 10 | | of, and in connection with, their education is safeguarded and | 11 | | that student privacy is honored, respected and protected. The | 12 | | General Assembly finds the following: | 13 | | (1) Information generated by and about students in the | 14 | | course of, and in connection with, their education is a | 15 | | vital resource for teachers and school staff in planning | 16 | | education programs and services, scheduling students into |
| | | 09900HB0810ham001 | - 2 - | LRB099 04620 SXM 33703 a |
|
| 1 | | appropriate classes and completing reports for educational | 2 | | agencies. | 3 | | (2) Information generated by and about students in the | 4 | | course of, and in connection with, their education is | 5 | | critical to educators in helping students successfully | 6 | | graduate from high school and being ready to enter the | 7 | | workforce or postsecondary education. | 8 | | (3) While information generated by and about students | 9 | | in the course of, and in connection with, their education | 10 | | is important for educational purposes, it is also | 11 | | critically important to ensure that the information is | 12 | | protected, safeguarded and kept private and used only by | 13 | | appropriate educational authorities or their permitted | 14 | | designees and then, only to serve the best interests of the | 15 | | student. | 16 | | To that end, this Section will help ensure that information | 17 | | generated by and about students in the course of, and in | 18 | | connection with, their education is protected and expectations | 19 | | of privacy are honored. | 20 | | (b) In this Section: | 21 | | "Biometric record" shall have the meaning set forth in the | 22 | | Illinois School Student Records Act. | 23 | | "Eligible student" shall have the meaning set forth in the | 24 | | Illinois School Student Records Act. | 25 | | "Parent" shall have the meaning set forth in the Illinois | 26 | | School Student Records Act. |
| | | 09900HB0810ham001 | - 3 - | LRB099 04620 SXM 33703 a |
|
| 1 | | "Personally identifiable information" shall have the | 2 | | meaning set forth in the Illinois School Student Records Act. | 3 | | "Record" shall have the meaning set forth in the Illinois | 4 | | School Student Records Act. | 5 | | "School" shall have the meaning set forth in the Illinois | 6 | | School Student Records Act. | 7 | | "School board" shall have the meaning set forth in the | 8 | | Illinois School Student Records Act. | 9 | | "School student record" shall have the meaning set forth in | 10 | | the Illinois School Student Records Act. | 11 | | "State Board" shall have the meaning set forth in the | 12 | | Illinois School Student Records Act. | 13 | | "Student" shall have the meaning set forth in the Illinois | 14 | | School Student Records Act. | 15 | | "Student data" means school student records, student | 16 | | permanent records, student temporary records, or any other | 17 | | records, personally identifiable information, or intellectual | 18 | | property of a student. | 19 | | "Student permanent record" shall have the meaning set forth | 20 | | in the Illinois School Student Records Act. | 21 | | "Student temporary record" shall have the meaning set forth | 22 | | in the Illinois School Students Records Act. | 23 | | "Targeted advertising" means any form of advertising aimed | 24 | | directly at a specific individual or group of individuals based | 25 | | on a known or assumed trait or traits, including, but not | 26 | | limited to, age, gender, race, grade level, address, observed |
| | | 09900HB0810ham001 | - 4 - | LRB099 04620 SXM 33703 a |
|
| 1 | | behavior, or academic achievement. | 2 | | "Vendor" means any entity and its officers, employees, | 3 | | agents, independent contractors, and subcontractors that | 4 | | provides or offers to provide a product or service to a school | 5 | | board, which product or service is marketed or designed for | 6 | | school purposes or which the entity knows or reasonably should | 7 | | know will be used for school purposes. | 8 | | (c) Any vendor who receives any student data from a school | 9 | | board or the State Board in any manner is prohibited from: | 10 | | (1) advertising or marketing, including targeted | 11 | | advertising, based on: | 12 | | (A) any information, including personally | 13 | | identifiable information, contained in the school | 14 | | student records, student permanent records, student | 15 | | temporary records, or any other records of a student; | 16 | | (B) any information generated by or about students | 17 | | in connection with their use of the vendor's product or | 18 | | service; or | 19 | | (C) any records created by the vendor as a result | 20 | | of students' use of the vendor's product or service; | 21 | | (2) creating, generating, or otherwise amassing a | 22 | | profile about any student for any purpose other than to | 23 | | provide the school board with information about student | 24 | | academic growth or achievement; | 25 | | (3) selling or otherwise disclosing the following to | 26 | | anyone other than the school board, unless such sale or |
| | | 09900HB0810ham001 | - 5 - | LRB099 04620 SXM 33703 a |
|
| 1 | | disclosure is required by court order or to comply with the | 2 | | Illinois School Student Records Act or the federal Family | 3 | | Educational Rights and Privacy Act (20 U.S.C. 1232g) or is | 4 | | expressly authorized by this Section: | 5 | | (A) any information, including personally | 6 | | identifiable information, contained in the school | 7 | | student records, student permanent records, student | 8 | | temporary records, or any other records of a student; | 9 | | (B) any information generated by or about students | 10 | | in connection with their use of the vendor's product or | 11 | | service; | 12 | | (C) any records created by the vendor as a result | 13 | | of students' use of the vendor's product or service; or | 14 | | (D) any student's intellectual property; | 15 | | (4) exercising or claiming any rights, implied or | 16 | | otherwise, to: | 17 | | (A) any information, including personally | 18 | | identifiable information, contained in the school | 19 | | student records, student permanent records, student | 20 | | temporary records, or any other records of a student; | 21 | | (B) any information generated by or about students | 22 | | in connection with their use of the vendor's product or | 23 | | service; | 24 | | (C) any records created by the vendor as a result | 25 | | of students' use of the vendor's product or service; or | 26 | | (D) any student's intellectual property; |
| | | 09900HB0810ham001 | - 6 - | LRB099 04620 SXM 33703 a |
|
| 1 | | (5) storing or processing outside the United States: | 2 | | (A) any information, including personally | 3 | | identifiable information, contained in the school | 4 | | student records, student permanent records, student | 5 | | temporary records or any other records of a student; | 6 | | (B) any information generated by or about students | 7 | | in connection with their use of the vendor's product or | 8 | | service; | 9 | | (C) any records created by the vendor as a result | 10 | | of students' use of the vendor's product or service; or | 11 | | (D) any student's intellectual property; | 12 | | (6) transferring the following to any third party | 13 | | (including subcontractors), affiliate, or government | 14 | | agency other than the State Board, unless required by court | 15 | | order or expressly authorized by the school board in | 16 | | compliance with this Section: | 17 | | (A) any information, including personally | 18 | | identifiable information, contained in the school | 19 | | student records, student permanent records, student | 20 | | temporary records, or any other records of a student; | 21 | | (B) any information generated by or about students | 22 | | in connection with their use of the vendor's product or | 23 | | service; | 24 | | (C) any records created by the vendor as a result | 25 | | of students' use of the vendor's product or service; or | 26 | | (D) any student's intellectual property; |
| | | 09900HB0810ham001 | - 7 - | LRB099 04620 SXM 33703 a |
|
| 1 | | (7) permitting access by anyone to the following, | 2 | | unless such access is required for the vendor to provide | 3 | | its product or service to the school board: | 4 | | (A) any information, including personally | 5 | | identifiable information, contained in the school | 6 | | student records, student permanent records, student | 7 | | temporary records or any other records of a student; | 8 | | (B) any information generated by or about students | 9 | | in connection with their use of the vendor's product or | 10 | | service; | 11 | | (C) any records created by the vendor as a result | 12 | | of students' use of the vendor's product or service; or | 13 | | (D) any student's intellectual property; | 14 | | (8) requiring a school board or its employees, agents, | 15 | | volunteers, or students to indemnify a vendor or pay the | 16 | | vendor's attorneys' fees or costs in connection with any | 17 | | dispute arising out of, or otherwise connected to, student | 18 | | data; | 19 | | (9) requiring a school board or its employees, agents, | 20 | | volunteers, or students to arbitrate any dispute arising | 21 | | out of, or otherwise connected to, student data; | 22 | | (10) entering into any contract or other agreement with | 23 | | a school board that authorizes in any manner activities | 24 | | prohibited by this Section; and | 25 | | (11) modifying or otherwise altering the terms and | 26 | | conditions of any contract or other agreement with a school |
| | | 09900HB0810ham001 | - 8 - | LRB099 04620 SXM 33703 a |
|
| 1 | | board related to student data without the express consent | 2 | | of the school board. | 3 | | (d) Any vendor who receives any educator data from a school | 4 | | board or the State Board in any manner shall: | 5 | | (1) store and process such records and information in | 6 | | accordance with commercial best practices, which shall | 7 | | include, but not be limited to, data-security practices set | 8 | | forth by the United States Department of Education Privacy | 9 | | Technical Assistance Center and any rules adopted by the | 10 | | State Board; | 11 | | (2) implement and maintain appropriate administrative, | 12 | | physical, and technical safeguards, to secure such records | 13 | | and information from unauthorized access, destruction, | 14 | | use, modification, or disclosure, which safeguards shall | 15 | | be consistent with any rules adopted by the State Board and | 16 | | any guidance provided by the United States Department of | 17 | | Education Privacy and Technical Assistance Center; | 18 | | (3) immediately notify the school board of any security | 19 | | breach resulting in unauthorized access to any student | 20 | | data, regardless of whether it is the school board's | 21 | | student data; | 22 | | (4) delete the personally identifiable information of | 23 | | a specific student: | 24 | | (A) at the request of the student's school or | 25 | | school board; or | 26 | | (B) at the request of an eligible student or a |
| | | 09900HB0810ham001 | - 9 - | LRB099 04620 SXM 33703 a |
|
| 1 | | parent, provided the school board consents to the | 2 | | request; | 3 | | (5) designate an officer or employee as a responsible | 4 | | person who shall be trained in a manner so as to ensure | 5 | | compliance with this Section and ensure the security and | 6 | | confidentiality of student data; | 7 | | (6) within 30 days of the completion or termination of | 8 | | the terms of any contract with a school board related to | 9 | | student data, delete or return to the school board all | 10 | | student data and information and records generated | 11 | | therefrom and, in the event of deletion, provide a written | 12 | | certification that such deletion has occurred. In the event | 13 | | the vendor chooses to delete the data, records, and | 14 | | information described in this subdivision (6), it shall | 15 | | provide the school board with a written certification that | 16 | | the data, records, and information have been deleted, which | 17 | | certification shall be provided to the school board within | 18 | | 30 days of the termination of the contract; | 19 | | (7) permit eligible students and parents to access and | 20 | | correct any information contained in the school student | 21 | | records, student permanent records, student temporary | 22 | | records, or any other records provided to the vendor by the | 23 | | school board; | 24 | | (8) permit a school board to audit and inspect the | 25 | | vendor's practices with respect to any student data | 26 | | received by the vendor from the school board or any |
| | | 09900HB0810ham001 | - 10 - | LRB099 04620 SXM 33703 a |
|
| 1 | | information or records generated therefrom; | 2 | | (9) permit the school board access to any student data | 3 | | provided by the school board and any information and | 4 | | records generated therefrom in order for the school board | 5 | | to respond to a request under the Freedom of Information | 6 | | Act or pursuant to a court order; | 7 | | (10) be permitted to diagnose and correct problems with | 8 | | the vendor's product or service, provided that to diagnose | 9 | | or correct a problem does not require the vendor to engage | 10 | | in any activities prohibited by this Section; and | 11 | | (11) agree that any dispute arising out of, or | 12 | | otherwise connected to, student data shall be litigated | 13 | | using Illinois law and that the proper venue is the circuit | 14 | | court of the county in which the school board is located. | 15 | | (e) Any vendor who seeks to receive from a school board or | 16 | | the State Board in any manner any student data is required to | 17 | | enter into a written contract with the school board before any | 18 | | records can be transferred, which contract shall contain the | 19 | | following: | 20 | | (1) provisions consistent with each requirement set | 21 | | forth in subsections (c) and (d) of this Section; | 22 | | (2) a listing of the precise student data to be | 23 | | provided to the vendor; | 24 | | (3) a statement of the product or service being | 25 | | provided to the school board by the vendor; | 26 | | (4) a statement that the vendor is a school official |
| | | 09900HB0810ham001 | - 11 - | LRB099 04620 SXM 33703 a |
|
| 1 | | with a legitimate educational interest, performing an | 2 | | institutional service or function for which the school | 3 | | board would otherwise use employees, under the direct | 4 | | control of the school board with respect to the use and | 5 | | maintenance of student data, and is using such student data | 6 | | only for an authorized purpose and will not re-disclose it | 7 | | to third parties or affiliates without permission from the | 8 | | school board or pursuant to court order; | 9 | | (5) a statement that the student data continues to be | 10 | | the property of and under the control of the school board, | 11 | | and the vendor has a limited, nonexclusive license solely | 12 | | for the purpose of performing its obligations under the | 13 | | contract; | 14 | | (6) a description of the actions the vendor will take | 15 | | to ensure the security and confidentiality of student data; | 16 | | compliance with this requirement shall not, in itself, | 17 | | absolve the vendor of liability in the event of an | 18 | | unauthorized disclosure of student data; and | 19 | | (7) a statement that the contract is the entire | 20 | | agreement between the school board (including school board | 21 | | employees and other end users) and the vendor. | 22 | | (f) Each school board shall adopt a policy regarding which | 23 | | school employees have the power to bind the school board to the | 24 | | terms of any agreements, whether electronic, click-through, | 25 | | click-wrap, verbal, or in writing. If a vendor enters into an | 26 | | agreement with an employee or other end users who are not |
| | | 09900HB0810ham001 | - 12 - | LRB099 04620 SXM 33703 a |
|
| 1 | | authorized through the school board's policy to enter into such | 2 | | an agreement, then the agreement shall be voidable by the | 3 | | school board. | 4 | | (g) Each school board entering into a contract or agreement | 5 | | as allowed by this Section shall maintain an original copy of | 6 | | its term and conditions at the school board's primary place of | 7 | | business, including a copy of the terms and conditions set | 8 | | forth in any agreement described in subsection (f) of this | 9 | | Section. | 10 | | (h) The State Board shall create, publish, and make | 11 | | publicly available all data elements collected by the State | 12 | | Board that contain personally identifiable information. | 13 | | (i) In the event of a security breach resulting, in whole | 14 | | or in part, from the vendor's conduct, in addition to any other | 15 | | remedies available to the school board under law or equity, the | 16 | | vendor shall reimburse the school board in full for all costs | 17 | | and expenses incurred by the school board in investigating and | 18 | | remediating the breach, including, but not limited to: | 19 | | (1) providing notification to those students and their | 20 | | parents, in the event the student is under the age of 18, | 21 | | whose personally identifiable information was compromised | 22 | | and to regulatory agencies or other entities as required by | 23 | | law or contract; | 24 | | (2) providing one year's credit monitoring to those | 25 | | students and eligible students whose student data was | 26 | | exposed in such a manner during the breach that a |
| | | 09900HB0810ham001 | - 13 - | LRB099 04620 SXM 33703 a |
|
| 1 | | reasonable person would have cause to believe that it could | 2 | | impact his or her credit or financial security; and | 3 | | (3) payment of legal fees, audit costs, fines, and | 4 | | other fees or damages imposed against the school board as a | 5 | | result of the security breach. | 6 | | (j) The State Board shall develop, publish, and make | 7 | | publicly available model student data privacy policies and | 8 | | procedures that comply with relevant state and federal law. | 9 | | (k) Within 180 days after the effective date of this | 10 | | amendatory Act of the 99th General Assembly, the State Board | 11 | | shall create a model notice that school boards may use to | 12 | | provide notice to parents that states, in general terms, what | 13 | | types of student data are collected by the school board and | 14 | | shared with vendors under this Section and the purposes of | 15 | | collecting and using the student data. Upon the creation of the | 16 | | notice described in this subsection (k), a school board shall, | 17 | | at the beginning of each school year, provide such notice in | 18 | | writing or electronically to parents and eligible students. | 19 | | (l) In addition to any other penalties, any contract | 20 | | governed by this Section that fails to comply with the | 21 | | requirements of this Section shall be rendered void if, upon | 22 | | notice and a reasonable opportunity to cure, the noncompliant | 23 | | party fails to cure any defect. Written notice of noncompliance | 24 | | may be provided by either party to the contract. Any vendor | 25 | | subject to a contract voided under this subdivision is | 26 | | required, within 60 days, to return all student data and any |
| | | 09900HB0810ham001 | - 14 - | LRB099 04620 SXM 33703 a |
|
| 1 | | information or records generated therefrom in its possession to | 2 | | the school board. Any vendor that fails to cure any defect in | 3 | | the contract shall not be entitled to any payment required | 4 | | under the contract and shall return to the school board all | 5 | | payments previously made by the school board. | 6 | | (105 ILCS 5/22-81 new) | 7 | | Sec. 22-81. Educator data privacy. | 8 | | (a) It is the intent of the General Assembly to help ensure | 9 | | that information generated by and about educators in the course | 10 | | of, and in connection with, the performance of their duties is | 11 | | safeguarded and that educator privacy is honored, respected and | 12 | | protected. The General Assembly finds the following: | 13 | | (1) Information generated by and about educators in the | 14 | | course of, and in connection with, the performance of their | 15 | | duties is a vital resource for school boards, the State | 16 | | Board and research organizations in planning education | 17 | | programs and services, completing reports for educational | 18 | | agencies, and improving the performance of schools. | 19 | | (2) Information generated by and about educators in the | 20 | | course of, and in connection with, the performance of their | 21 | | duties is critical to the performance and improvement of | 22 | | schools. | 23 | | (3) While information generated by and about educators | 24 | | in the course of, and in connection with the, performance | 25 | | of their duties is important for educational purposes, it |
| | | 09900HB0810ham001 | - 15 - | LRB099 04620 SXM 33703 a |
|
| 1 | | is also critically important to ensure that the information | 2 | | is protected, safeguarded and kept private and used only by | 3 | | appropriate educational authorities or their permitted | 4 | | designees. | 5 | | To that end, this Section will help ensure that information | 6 | | generated by and about educators in the course of, and in | 7 | | connection with, the performance of their duties is protected | 8 | | and expectations of privacy are honored. | 9 | | (b) In this Section: | 10 | | "Biometric record" shall have the meaning set forth in the | 11 | | Illinois School Student Records Act. | 12 | | "Educator" means any person employed by or otherwise | 13 | | working for a school board to provide educational services | 14 | | within a school. | 15 | | "Educator data" means educator records or any other records | 16 | | containing personally identifiable information of an educator. | 17 | | "Educator record" means any writing or other recorded | 18 | | information concerning an educator by which an educator may be | 19 | | individually or personally identified maintained by a school or | 20 | | at its direction or by an employee of a school, regardless of | 21 | | how or where the information is stored. | 22 | | "Personally identifiable information" means: | 23 | | (1) the educator's name; | 24 | | (2) the names of the educator's immediate family | 25 | | members; | 26 | | (3) the address of the educator or educator's immediate |
| | | 09900HB0810ham001 | - 16 - | LRB099 04620 SXM 33703 a |
|
| 1 | | family members; | 2 | | (4) a personal identifier, such as the educator's | 3 | | social security number, student number, or biometric | 4 | | record; | 5 | | (5) other indirect identifiers, such as the educator's | 6 | | date of birth, place of birth, and mother's maiden name; | 7 | | (6) other information that, alone or in combination, is | 8 | | linked or linkable to a specific educator that would allow | 9 | | a reasonable person in the school community, who does not | 10 | | have personal knowledge of the relevant circumstances, to | 11 | | identify the educator with reasonable certainty; or | 12 | | (7) information requested by a person who the | 13 | | educational agency or institution reasonably believes | 14 | | knows the identity of the educator to whom the record | 15 | | relates. | 16 | | "Record" means any information recorded or generated in any | 17 | | way, including, but not limited to, electronically-generated | 18 | | data, handwriting, print, computer media, video or audio tape, | 19 | | film, microfilm, and microfiche. | 20 | | "School" shall have the meaning set forth in the Illinois | 21 | | School Student Records Act. | 22 | | "School board" shall have the meaning set forth in the | 23 | | Illinois School Student Records Act. | 24 | | "State Board" shall have the meaning set forth in the | 25 | | Illinois School Student Records Act. | 26 | | "Targeted advertising" means any form of advertising aimed |
| | | 09900HB0810ham001 | - 17 - | LRB099 04620 SXM 33703 a |
|
| 1 | | directly at a specific individual or group of individuals based | 2 | | on a known or assumed trait, or traits, including, but not | 3 | | limited to, age, gender, race, address, observed behavior, or | 4 | | classroom performance. | 5 | | "Vendor" means any entity and its officers, employees, | 6 | | agents, independent contractors, and subcontractors that | 7 | | provides or offers to provide a product or service to a school | 8 | | board, which product or service is marketed or designed for | 9 | | school purposes or which the entity knows or reasonably should | 10 | | know will be used for school purposes. | 11 | | (c) Any vendor who receives any educator data from a school | 12 | | board or the State Board in any manner is prohibited from: | 13 | | (1) advertising or marketing, including targeted | 14 | | advertising, based on: | 15 | | (A) any information, including personally | 16 | | identifiable information, contained in the educator | 17 | | records; | 18 | | (B) any information generated by or about | 19 | | educators in connection with their use of the vendor's | 20 | | product or service; or | 21 | | (C) any records created by the vendor as a result | 22 | | of educators' use of the vendor's product or service; | 23 | | (2) creating, generating, or otherwise amassing a | 24 | | profile about any educator for any purpose other than to | 25 | | provide the school board with information about educator | 26 | | performance or achievement; |
| | | 09900HB0810ham001 | - 18 - | LRB099 04620 SXM 33703 a |
|
| 1 | | (3) selling or otherwise disclosing the following to | 2 | | anyone other than the school board, unless such sale or | 3 | | disclosure is required by court order or is expressly | 4 | | authorized by this Section: | 5 | | (A) any information, including personally | 6 | | identifiable information, contained in the educator | 7 | | records; | 8 | | (B) any information generated by or about | 9 | | educators in connection with their use of the vendor's | 10 | | product or service; or | 11 | | (C) any records created by the vendor as a result | 12 | | of educators' use of the vendor's product or service; | 13 | | | 14 | | (4) exercising or claiming any rights, implied or | 15 | | otherwise, to: | 16 | | (A) any information, including personally | 17 | | identifiable information, contained in the educator | 18 | | records; | 19 | | (B) any information generated by or about | 20 | | educators in connection with their use of the vendor's | 21 | | product or service; or | 22 | | (C) any records created by the vendor as a result | 23 | | of educators' use of the vendor's product or service; | 24 | | (5) storing or processing outside the United States: | 25 | | (A) any information, including personally | 26 | | identifiable information, contained in the educator |
| | | 09900HB0810ham001 | - 19 - | LRB099 04620 SXM 33703 a |
|
| 1 | | records; | 2 | | (B) any information generated by or about | 3 | | educators in connection with their use of the vendor's | 4 | | product or service; or | 5 | | (C) any records created by the vendor as a result | 6 | | of educators' use of the vendor's product or service; | 7 | | (6) transferring the following to any third-party | 8 | | (including subcontractors), affiliate, or government | 9 | | agency other than the State Board, unless required by court | 10 | | order or expressly authorized by the school board in | 11 | | compliance with this Section: | 12 | | (A) any information, including personally | 13 | | identifiable information, contained in the educator | 14 | | records; | 15 | | (B) any information generated by or about | 16 | | educators in connection with their use of the vendor's | 17 | | product or service; or | 18 | | (C) any records created by the vendor as a result | 19 | | of educators' use of the vendor's product or service; | 20 | | (7) permitting access by anyone to the following, | 21 | | unless such access is required for the vendor to provide | 22 | | its product or service to the school board: | 23 | | (A) any information, including personally | 24 | | identifiable information, contained in the educator | 25 | | records; | 26 | | (B) any information generated by or about |
| | | 09900HB0810ham001 | - 20 - | LRB099 04620 SXM 33703 a |
|
| 1 | | educators in connection with their use of the vendor's | 2 | | product or service; or | 3 | | (C) any records created by the vendor as a result | 4 | | of educators' use of the vendor's product or service; | 5 | | (8) requiring a school board or its employees, agents, | 6 | | volunteers, or educators to indemnify a vendor or pay the | 7 | | vendor's attorneys' fees or costs in connection with any | 8 | | dispute arising out of, or otherwise connected to, educator | 9 | | data; | 10 | | (9) requiring a school board or its employees, agents, | 11 | | volunteers, or educators to arbitrate any dispute arising | 12 | | out of, or otherwise connected to, educator data; | 13 | | (10) entering into any contract or other agreement with | 14 | | a school board that authorizes in any manner activities | 15 | | prohibited by this Section; and | 16 | | (11) modifying or otherwise altering the terms and | 17 | | conditions of any contract or other agreement with a school | 18 | | board related to educator data without the express consent | 19 | | of the school board. | 20 | | (d) Any vendor who receives any educator data from a school | 21 | | board or the State Board in any manner shall: | 22 | | (1) store and process such records and information in | 23 | | accordance with commercial best practices, which shall | 24 | | include, but not be limited to, data-security practices set | 25 | | forth by the United States Department of Education Privacy | 26 | | Technical Assistance Center and any rules adopted by the |
| | | 09900HB0810ham001 | - 21 - | LRB099 04620 SXM 33703 a |
|
| 1 | | State Board; | 2 | | (2) implement and maintain appropriate administrative, | 3 | | physical, and technical safeguards, to secure such records | 4 | | and information from unauthorized access, destruction, | 5 | | use, modification, or disclosure, which safeguards shall | 6 | | be consistent with any rules adopted by the State Board and | 7 | | any guidance provided by the United States Department of | 8 | | Education Privacy and Technical Assistance Center; | 9 | | (3) immediately notify the school board of any security | 10 | | breach resulting in unauthorized access to any educator | 11 | | data, regardless of whether it is the school board's | 12 | | educator data; | 13 | | (4) delete the personally identifiable information of | 14 | | a specific educator: | 15 | | (A) at the request of the educator's school or | 16 | | school board; or | 17 | | (B) at the request of an educator, provided the | 18 | | school board consents to the request; | 19 | | (5) designate an officer or employee as a responsible | 20 | | person who shall be trained in a manner so as to ensure | 21 | | compliance with this Section and ensure the security and | 22 | | confidentiality of student data; | 23 | | (6) within 30 days of the completion or termination of | 24 | | the terms of any contract with a school board related to | 25 | | educator data, delete or return to the school board all | 26 | | educator data and information and records generated |
| | | 09900HB0810ham001 | - 22 - | LRB099 04620 SXM 33703 a |
|
| 1 | | therefrom and, in the event of deletion, provide a written | 2 | | certification that such deletion has occurred. In the event | 3 | | the vendor chooses to delete the data, records, and | 4 | | information described in this subdivision (6), it shall | 5 | | provide the school board with a written certification that | 6 | | the data, records, and information have been deleted, which | 7 | | certification shall be provided to the school board within | 8 | | 30 days of the termination of the contract; | 9 | | (7) permit educators to access and correct any | 10 | | information contained in the educator records provided to | 11 | | the vendor by the school board; | 12 | | (8) permit a school board to audit and inspect the | 13 | | vendor's practices with respect to any educator data | 14 | | received by the vendor from the school board or any | 15 | | information or records generated therefrom; | 16 | | (9) permit the school board access to any educator data | 17 | | provided by the school board and any information and | 18 | | records generated therefrom in order for the school board | 19 | | to respond to a request under the Freedom of Information | 20 | | Act or pursuant to a court order; | 21 | | (10) be permitted to diagnose and correct problems with | 22 | | the vendor's product or service, provided that to diagnose | 23 | | or correct a problem does not require the vendor to engage | 24 | | in any activities prohibited by this Section; and | 25 | | (11) agree that any dispute arising out of, or | 26 | | otherwise connected to, student data shall be litigated |
| | | 09900HB0810ham001 | - 23 - | LRB099 04620 SXM 33703 a |
|
| 1 | | using Illinois law and that the proper venue is the circuit | 2 | | court of the county in which the school board is located. | 3 | | (e) Any vendor who seeks to receive from a school board or | 4 | | the State Board in any manner any educator data is required to | 5 | | enter into a written contract with the school board before any | 6 | | records can be transferred, which contract shall contain the | 7 | | following: | 8 | | (1) provisions consistent with each requirement set | 9 | | forth in subsections (c) and (d) of this Section; | 10 | | (2) a listing of the precise educator data to be | 11 | | provided to the vendor; | 12 | | (3) a statement of the product or service being | 13 | | provided to the school board by the vendor; | 14 | | (4) a statement that the vendor is a school official | 15 | | with a legitimate educational interest, performing an | 16 | | institutional service or function for which the school | 17 | | board would otherwise use employees, under the direct | 18 | | control of the school board with respect to the use and | 19 | | maintenance of educator data, and is using such educator | 20 | | data only for an authorized purpose and will not | 21 | | re-disclose it to third parties or affiliates without | 22 | | permission from the school board or pursuant to court | 23 | | order; | 24 | | (5) a statement that the educator data continues to be | 25 | | the property of and under the control of the school board, | 26 | | and the vendor has a limited, nonexclusive license solely |
| | | 09900HB0810ham001 | - 24 - | LRB099 04620 SXM 33703 a |
|
| 1 | | for the purpose of performing its obligations under the | 2 | | contract; | 3 | | (6) a description of the actions the vendor will take, | 4 | | including the designation and training of responsible | 5 | | employees, to ensure the security and confidentiality of | 6 | | educator data; compliance with this requirement shall not, | 7 | | in itself, absolve the vendor of liability in the event of | 8 | | an unauthorized disclosure of educator data; and | 9 | | (7) a statement that the contract is the entire | 10 | | agreement between the school board (including school board | 11 | | employees and other end users) and the vendor. | 12 | | (f) Each school board shall adopt a policy regarding which | 13 | | school employees have the power to bind the school board to the | 14 | | terms of any agreements, whether electronic, click-through, | 15 | | click-wrap, verbal, or in writing. If a vendor enters into an | 16 | | agreement with an employee or other end users who are not | 17 | | authorized through the school board's policy to enter into such | 18 | | an agreement, then the agreement shall be voidable by the | 19 | | school board. | 20 | | (g) Each school board entering into a contract or agreement | 21 | | as allowed by this Section shall maintain an original copy of | 22 | | its term and conditions at the school board's primary place of | 23 | | business, including a copy of the terms and conditions set | 24 | | forth in any agreement described in subsection (f) of this | 25 | | Section. | 26 | | (h) In the event of a security breach resulting, in whole |
| | | 09900HB0810ham001 | - 25 - | LRB099 04620 SXM 33703 a |
|
| 1 | | or in part, from the vendor's conduct, in addition to any other | 2 | | remedies available to the school board under law or equity, the | 3 | | vendor shall reimburse the school board in full for all costs | 4 | | and expenses incurred by the school board in investigating and | 5 | | remediating the breach, including, but not limited to: | 6 | | (1) providing notification to the educators whose | 7 | | personally identifiable information was compromised and to | 8 | | regulatory agencies or other entities as required by law or | 9 | | contract; | 10 | | (2) providing one year's credit monitoring to those | 11 | | educators whose educator data was exposed in such a manner | 12 | | during the breach that a reasonable person would have cause | 13 | | to believe that it could impact his or her credit or | 14 | | financial security; and | 15 | | (3) payment of legal fees, audit costs, fines, and | 16 | | other fees or damages imposed against the school board as a | 17 | | result of the security breach. | 18 | | (i) The State Board shall develop, publish, and make | 19 | | publicly available model educator data privacy policies and | 20 | | procedures that comply with relevant state and federal law. | 21 | | (j) In addition to any other penalties, any contract | 22 | | governed by this Section that fails to comply with the | 23 | | requirements of this Section shall be rendered void if, upon | 24 | | notice and a reasonable opportunity to cure, the noncompliant | 25 | | party fails to cure any defect. Written notice of noncompliance | 26 | | may be provided by either party to the contract. Any vendor |
| | | 09900HB0810ham001 | - 26 - | LRB099 04620 SXM 33703 a |
|
| 1 | | subject to a contract voided under this subdivision is | 2 | | required, within 60 days, to return all student data and any | 3 | | information or records generated therefrom in its possession to | 4 | | the school board. Any vendor that fails to cure any defect in | 5 | | the contract shall not be entitled to any payment required | 6 | | under the contract and shall return to the school board all | 7 | | payments previously made by the school board. | 8 | | Section 10. The Illinois School Student Records Act is | 9 | | amended by changing Sections 2, 6, and 9 as follows:
| 10 | | (105 ILCS 10/2) (from Ch. 122, par. 50-2)
| 11 | | Sec. 2.
In this Act: | 12 | | "Biometric record" means a record of one or more measurable | 13 | | biological or behavioral characteristics that can be used for | 14 | | automated recognition of an individual. Examples include | 15 | | fingerprints, retina and iris patterns voiceprints, DNA | 16 | | sequence, facial characteristics, and handwriting. | 17 | | "Eligible student" means a student who has reached 18 years | 18 | | of age. | 19 | | "Parent" means a person who is the natural parent of the | 20 | | student or other person who has the primary responsibility for | 21 | | the care and upbringing of the student. All rights and | 22 | | privileges accorded to a parent under this Act shall become | 23 | | exclusively those of the student upon the student's 18th | 24 | | birthday, graduation from secondary school, marriage, or entry |
| | | 09900HB0810ham001 | - 27 - | LRB099 04620 SXM 33703 a |
|
| 1 | | into military service, whichever occurs first. Such rights and | 2 | | privileges may also be exercised by the student at any time | 3 | | with respect to the student's permanent school record. | 4 | | "Personally identifiable information" means: | 5 | | (1) the student's name; | 6 | | (2) the name of the student's parent or other family | 7 | | members; | 8 | | (3) the address of the student or student's family; | 9 | | (4) a personal identifier, such as the student's social | 10 | | security number, student number, or biometric record; | 11 | | (5) other indirect identifiers, such as the student's | 12 | | date of birth, place of birth, and mother's maiden name; | 13 | | (6) other information that, alone or in combination, is | 14 | | linked or linkable to a specific student that would allow a | 15 | | reasonable person in the school community, who does not | 16 | | have personal knowledge of the relevant circumstances, to | 17 | | identify the student with reasonable certainty; or | 18 | | (7) information requested by a person who the | 19 | | educational agency or institution reasonably believes | 20 | | knows the identity of the student to whom the education | 21 | | record relates. | 22 | | "Record" means any information recorded or generated in any | 23 | | way, including, but not limited to, electronically-generated | 24 | | data, handwriting, print, computer media, video or audio tape, | 25 | | film, microfilm, and microfiche. | 26 | | "School" means any public preschool, day care center, |
| | | 09900HB0810ham001 | - 28 - | LRB099 04620 SXM 33703 a |
|
| 1 | | kindergarten, nursery, elementary or secondary educational | 2 | | institution, vocational school, special education facility or | 3 | | any other elementary or secondary educational agency or | 4 | | institution and any person, agency or institution which | 5 | | maintains school student records from more than one school, but | 6 | | does not include a private or non-public school. | 7 | | "School board" means any school board, board of directors, | 8 | | or any other governing body established under the School Code. | 9 | | "School student record" means any writing or other recorded | 10 | | information concerning a student by which a student may be | 11 | | individually or personally identified that is maintained by a | 12 | | school or at its direction or by an employee of a school, | 13 | | regardless of how or where the information is stored. The | 14 | | following shall not be deemed school student records under this | 15 | | Act: writings or other recorded information maintained by an | 16 | | employee of a school or other person at the direction of a | 17 | | school for his or her exclusive use; provided that all such | 18 | | writings and other recorded information are destroyed not later | 19 | | than the student's graduation or permanent withdrawal from the | 20 | | school; and provided further that no such records or recorded | 21 | | information may be released or disclosed to any person except a | 22 | | person designated by the school as a substitute unless they are | 23 | | first incorporated in a school student record and made subject | 24 | | to all of the provisions of this Act. School student records | 25 | | shall not include information maintained by law enforcement | 26 | | professionals working in the school. |
| | | 09900HB0810ham001 | - 29 - | LRB099 04620 SXM 33703 a |
|
| 1 | | "State Board" means the State Board of Education. | 2 | | "Student" means any person enrolled or previously enrolled | 3 | | in a school. | 4 | | "Student permanent record" means the minimum personal | 5 | | information necessary to a school in the education of the | 6 | | student and contained in a school student record. Such | 7 | | information may include the student's name, birth date, | 8 | | address, grades and grade level, parents' names and addresses, | 9 | | attendance records, and such other entries as the State Board | 10 | | may require or authorize. | 11 | | "Student temporary record" means all information contained | 12 | | in a school student record but not contained in the student | 13 | | permanent record. Such information may include family | 14 | | background information, intelligence test scores, aptitude | 15 | | test scores, psychological and personality test results, | 16 | | teacher evaluations, and other information of clear relevance | 17 | | to the education of the student, all subject to rules of the | 18 | | State Board. The information shall include information | 19 | | provided under Section 8.6 of the Abused and Neglected Child | 20 | | Reporting Act. In addition, the student temporary record shall | 21 | | include information regarding disciplinary infractions | 22 | | involving drugs, weapons, or bodily harm to another that | 23 | | resulted in expulsion, suspension, or the imposition of | 24 | | punishment or sanction. | 25 | | As used in this Act,
| 26 | | (a) "Student" means any person enrolled or previously |
| | | 09900HB0810ham001 | - 30 - | LRB099 04620 SXM 33703 a |
|
| 1 | | enrolled in a school.
| 2 | | (b) "School" means any public preschool, day care center,
| 3 | | kindergarten, nursery, elementary or secondary educational | 4 | | institution,
vocational school, special educational facility | 5 | | or any other elementary or
secondary educational agency or | 6 | | institution and any person, agency or
institution which | 7 | | maintains school student records from more than one school,
but | 8 | | does not include a private or non-public school.
| 9 | | (c) "State Board" means the State Board of Education.
| 10 | | (d) "School Student Record" means any writing or
other | 11 | | recorded information concerning a student
and by which a | 12 | | student may be individually identified,
maintained by a school | 13 | | or at its direction or by an employee of a
school, regardless | 14 | | of how or where the information is stored.
The following shall | 15 | | not be deemed school student records under
this Act: writings | 16 | | or other recorded information maintained by an
employee of a | 17 | | school or other person at the direction of a school for his or
| 18 | | her exclusive use; provided that all such writings and other | 19 | | recorded
information are destroyed not later than the student's | 20 | | graduation or permanent
withdrawal from the school; and | 21 | | provided further that no such records or
recorded information | 22 | | may be released or disclosed to any person except a person
| 23 | | designated by the school as
a substitute unless they are first | 24 | | incorporated
in a school student record and made subject to all | 25 | | of the
provisions of this Act.
School student records shall not | 26 | | include information maintained by
law enforcement |
| | | 09900HB0810ham001 | - 31 - | LRB099 04620 SXM 33703 a |
|
| 1 | | professionals working in the school.
| 2 | | (e) "Student Permanent Record" means the minimum personal
| 3 | | information necessary to a school in the education of the | 4 | | student
and contained in a school student record. Such | 5 | | information
may include the student's name, birth date, | 6 | | address, grades
and grade level, parents' names and addresses, | 7 | | attendance
records, and such other entries as the State Board | 8 | | may
require or authorize.
| 9 | | (f) "Student Temporary Record" means all information | 10 | | contained in
a school student record but not contained in
the | 11 | | student permanent record. Such information may include
family | 12 | | background information, intelligence test scores, aptitude
| 13 | | test scores, psychological and personality test results, | 14 | | teacher
evaluations, and other information of clear relevance | 15 | | to the
education of the student, all subject to regulations of | 16 | | the State Board.
The information shall include information | 17 | | provided under Section 8.6 of the
Abused and Neglected Child | 18 | | Reporting Act.
In addition, the student temporary record shall | 19 | | include information regarding
serious disciplinary infractions | 20 | | that resulted in expulsion, suspension, or the
imposition of | 21 | | punishment or sanction. For purposes of this provision, serious
| 22 | | disciplinary infractions means: infractions involving drugs, | 23 | | weapons, or bodily
harm to another.
| 24 | | (g) "Parent" means a person who is the natural parent of | 25 | | the
student or other person who has the primary responsibility | 26 | | for the
care and upbringing of the student. All rights and |
| | | 09900HB0810ham001 | - 32 - | LRB099 04620 SXM 33703 a |
|
| 1 | | privileges accorded
to a parent under this Act shall become | 2 | | exclusively those of the student
upon his 18th birthday, | 3 | | graduation from secondary school, marriage
or entry into | 4 | | military service, whichever occurs first. Such
rights and | 5 | | privileges may also be exercised by the student
at any time | 6 | | with respect to the student's permanent school record.
| 7 | | (Source: P.A. 92-295, eff. 1-1-02.)
| 8 | | (105 ILCS 10/6) (from Ch. 122, par. 50-6)
| 9 | | Sec. 6. (a) No school student records or information
| 10 | | contained therein may be released, transferred, disclosed or | 11 | | otherwise
disseminated, except as follows:
| 12 | | (1) to To a parent or student or person specifically
| 13 | | designated as a representative by a parent, as provided in | 14 | | paragraph (a)
of Section 5;
| 15 | | (2) to To an employee or official of the school or
| 16 | | school district or State Board with current demonstrable | 17 | | educational
or administrative interest in the student, in | 18 | | furtherance of such interest;
| 19 | | (3) to To the official records custodian of another | 20 | | school within
Illinois or an official with similar | 21 | | responsibilities of a school
outside Illinois, in which the | 22 | | student has enrolled, or intends to enroll,
upon the | 23 | | request of such official or student;
| 24 | | (4) to To any person for the purpose of research,
| 25 | | statistical reporting, or planning, provided that such |
| | | 09900HB0810ham001 | - 33 - | LRB099 04620 SXM 33703 a |
|
| 1 | | research, statistical reporting, or planning is | 2 | | permissible under and undertaken in accordance with the | 3 | | federal Family Educational Rights and Privacy Act (20 | 4 | | U.S.C. 1232g);
| 5 | | (5) pursuant Pursuant to a court order, provided that | 6 | | the
parent shall be given prompt written notice upon | 7 | | receipt
of such order of the terms of the order, the nature | 8 | | and
substance of the information proposed to be released
in | 9 | | compliance with such order and an opportunity to
inspect | 10 | | and copy the school student records and to
challenge their | 11 | | contents pursuant to Section 7;
| 12 | | (6) to To any person as specifically required by State
| 13 | | or federal law;
| 14 | | (6.5) to To juvenile authorities
when necessary for the | 15 | | discharge of their official duties
who request information | 16 | | prior to
adjudication of the student and who certify in | 17 | | writing that the information
will not be disclosed to any | 18 | | other party except as provided under law or order
of court. | 19 | | For purposes of this Section "juvenile authorities" means:
| 20 | | (i) a judge of
the circuit court and members of the staff | 21 | | of the court designated by the
judge; (ii) parties to the | 22 | | proceedings under the Juvenile Court Act of 1987 and
their | 23 | | attorneys; (iii) probation
officers and court appointed | 24 | | advocates for the juvenile authorized by the judge
hearing | 25 | | the case; (iv) any individual, public or private agency | 26 | | having custody
of the child pursuant to court order; (v) |
| | | 09900HB0810ham001 | - 34 - | LRB099 04620 SXM 33703 a |
|
| 1 | | any individual, public or private
agency providing | 2 | | education, medical or mental health service to the child | 3 | | when
the requested information is needed to determine the | 4 | | appropriate service or
treatment for the minor; (vi) any | 5 | | potential placement provider when such
release
is | 6 | | authorized by the court for the limited purpose of | 7 | | determining the
appropriateness of the potential | 8 | | placement; (vii) law enforcement officers and
prosecutors;
| 9 | | (viii) adult and juvenile prisoner review boards; (ix) | 10 | | authorized military
personnel; (x)
individuals authorized | 11 | | by court;
| 12 | | (7) subject Subject to regulations of the State Board,
| 13 | | in connection with an emergency, to appropriate persons
if | 14 | | the knowledge of such information is necessary to protect
| 15 | | the health or safety of the student or other
persons;
| 16 | | (8) to To any person, with the prior specific dated
| 17 | | written consent of the parent designating the person
to | 18 | | whom the records may be released, provided that at
the time | 19 | | any such consent is requested or obtained,
the parent shall | 20 | | be advised in writing that he has the right
to inspect and | 21 | | copy such records in accordance with Section 5, to
| 22 | | challenge their contents in accordance with Section 7 and | 23 | | to limit any such
consent to
designated records or | 24 | | designated portions of the information contained
therein;
| 25 | | (9) to To a governmental agency, or social service | 26 | | agency contracted by a
governmental agency, in furtherance |
| | | 09900HB0810ham001 | - 35 - | LRB099 04620 SXM 33703 a |
|
| 1 | | of an investigation of a student's school
attendance | 2 | | pursuant to the compulsory student attendance laws of this | 3 | | State,
provided that the records are released to the | 4 | | employee or agent designated by
the agency;
| 5 | | (10) to To those SHOCAP committee members who fall | 6 | | within the meaning of
"state and local officials and | 7 | | authorities", as those terms are used within the
meaning of | 8 | | the federal Family Educational Rights and Privacy Act, for
| 9 | | the
purposes of identifying serious habitual juvenile | 10 | | offenders and matching those
offenders with community | 11 | | resources pursuant to Section 5-145 of the Juvenile
Court | 12 | | Act of 1987, but only to the extent that the release, | 13 | | transfer,
disclosure, or dissemination is consistent with | 14 | | the Family Educational Rights
and Privacy Act;
| 15 | | (11) to To the Department of Healthcare and Family | 16 | | Services in furtherance of the
requirements of Section | 17 | | 2-3.131, 3-14.29, 10-28, or 34-18.26 of
the School Code or | 18 | | Section 10 of the School Breakfast and Lunch
Program Act; | 19 | | or
| 20 | | (12) to To the State Board or another State government | 21 | | agency or between or among State government agencies in | 22 | | order to evaluate or audit federal and State programs or | 23 | | perform research and planning, but only to the extent that | 24 | | the release, transfer, disclosure, or dissemination is | 25 | | consistent with the federal Family Educational Rights and | 26 | | Privacy Act (20 U.S.C. 1232g). |
| | | 09900HB0810ham001 | - 36 - | LRB099 04620 SXM 33703 a |
|
| 1 | | (a-5) Pursuant to subparagraph (4) of paragraph (a) of this | 2 | | Section, a school board or the State Board may provide records | 3 | | of a student to researchers at an accredited post-secondary | 4 | | educational institution or an organization conducting research | 5 | | if any such research is conducted in accordance with the | 6 | | federal Family Educational Rights and Privacy Act and does not | 7 | | take place until the following requirements are complied with: | 8 | | (1) Prior to the beginning of each school year, the | 9 | | school board shall provide notice to parents, guardians or | 10 | | eligible students regarding planned studies. For those | 11 | | school boards that maintain an Internet website, the school | 12 | | board shall post on its Internet website a current list of | 13 | | all research studies using records obtained from the school | 14 | | board without obtaining consent from parents, guardians or | 15 | | eligible students currently being conducted or scheduled | 16 | | to be conducted. In April and December of each year, the | 17 | | school board shall update the Internet website to include | 18 | | new research studies that are approved or conducted. For | 19 | | those school boards that do not maintain an Internet | 20 | | website, each school board shall provide parents, | 21 | | guardians and eligible students with a current list of all | 22 | | research studies being conducted or scheduled to be | 23 | | conducted in the same notice described above and shall | 24 | | provide supplemental notices every April and December | 25 | | provided new research studies have been approved or are | 26 | | being conducted. |
| | | 09900HB0810ham001 | - 37 - | LRB099 04620 SXM 33703 a |
|
| 1 | | (A) The school board shall send the notice | 2 | | described in this subparagraph (1) by the same means | 3 | | generally used to send notices to parents, guardians or | 4 | | eligible students. | 5 | | (B) The notice described in this subparagraph (1) | 6 | | shall describe generally the purposes of conducting | 7 | | educational research, contain a short description of | 8 | | all current and scheduled research studies and set | 9 | | forth the address of the Internet website containing a | 10 | | current list of all research studies being conducted | 11 | | and scheduled to be conducted, which web address shall | 12 | | also be set forth in the school board's student | 13 | | handbook. The notice shall also advise parents, | 14 | | guardians and eligible students that the State Board | 15 | | conducts research studies and shall provide the | 16 | | Internet website address for that part of the State | 17 | | Board's website that contains a list of the current and | 18 | | scheduled studies to be conducted. | 19 | | (C) For those school boards that maintain an | 20 | | Internet website, the webpage that contains the list of | 21 | | all current and scheduled research studies shall also | 22 | | set forth, in general terms, the nature of each listed | 23 | | research study, the categories of students whose | 24 | | records will be used in each listed research study and | 25 | | the names of all organizations involved in each listed | 26 | | research study. For those school boards that do not |
| | | 09900HB0810ham001 | - 38 - | LRB099 04620 SXM 33703 a |
|
| 1 | | maintain an Internet website, the school boards shall | 2 | | provide the information described in this subdivision | 3 | | (C) in the notice described in this subparagraph (1). | 4 | | (2) A written data use agreement that complies with the | 5 | | Family Educational Rights and Privacy Act and its | 6 | | accompanying regulations and, at a minimum, contains the | 7 | | provisions set forth below is entered into by and between | 8 | | the party gaining access to the records of the school board | 9 | | or State Board and the entity with the legal authority to | 10 | | permit the use of the data: | 11 | | (A) The accredited post-secondary educational | 12 | | institution or the organization conducting research | 13 | | shall abide by all requirements of this subparagraph | 14 | | (2). | 15 | | (B) A statement of the purpose, scope and duration | 16 | | of the research study or studies, as well as a | 17 | | description of the records to be used as part of the | 18 | | study and the person or persons to whom the records | 19 | | will be disclosed, provided that the list of persons to | 20 | | whom the records may be disclosed may be amended from | 21 | | time to time with the agreement of all parties to the | 22 | | data use agreement. | 23 | | (C) The accredited post-secondary educational | 24 | | institution or the organization conducting research | 25 | | shall use school student records only to meet the | 26 | | purpose or purposes of the study as set forth in |
| | | 09900HB0810ham001 | - 39 - | LRB099 04620 SXM 33703 a |
|
| 1 | | subdivision (B) of this subparagraph (2). | 2 | | (D) The accredited post-secondary educational | 3 | | institution or the organization conducting research | 4 | | may only use records containing personally | 5 | | identifiable information of a student or by which a | 6 | | student may otherwise be individually or personally | 7 | | identified for two reasons: (i) to link data files; or | 8 | | (ii) to identify eligible students for research | 9 | | studies for which written parental, guardian or | 10 | | eligible student consent will be obtained for | 11 | | participation and the person or persons to whom such | 12 | | information will be disclosed is set forth in the data | 13 | | use agreement. | 14 | | (E) The accredited post-secondary educational | 15 | | institution or the organization conducting research | 16 | | shall destroy all records containing personally | 17 | | identifiable information of a student or that | 18 | | otherwise individually or personally identifies a | 19 | | student when the information is no longer needed, but | 20 | | in no event later than 36 months after the research | 21 | | study has been completed. | 22 | | (F) The accredited post-secondary educational | 23 | | institution or the organization conducting research | 24 | | shall certify in writing that it has the capacity to | 25 | | and shall restrict access to school student records to | 26 | | the person or persons set forth in subdivision (B) of |
| | | 09900HB0810ham001 | - 40 - | LRB099 04620 SXM 33703 a |
|
| 1 | | this subparagraph (2). | 2 | | (G) The accredited post-secondary educational | 3 | | institution or the organization conducting research | 4 | | shall certify in writing that it shall maintain the | 5 | | security of all records received pursuant to this | 6 | | paragraph (a-5) in compliance with rules that shall be | 7 | | adopted by the State Board, which rules shall be | 8 | | consistent, and regularly updated to comply, with | 9 | | commonly accepted data-security practices, including, | 10 | | but not limited to, those set forth by the United | 11 | | States Department of Education Privacy Technical | 12 | | Assistance Center. | 13 | | (H) In compliance with the rules adopted pursuant | 14 | | to subdivision (G) of this subparagraph (2) and any | 15 | | other rules that may be necessary and adopted by the | 16 | | State Board, the accredited post-secondary educational | 17 | | institution or the organization conducting research | 18 | | shall develop, implement, maintain, and use | 19 | | appropriate administrative, technical and physical | 20 | | security measures to preserve the confidentiality and | 21 | | integrity of all school student records. | 22 | | (3) Accredited post-secondary educational institutions | 23 | | and organizations conducting research may only use records | 24 | | containing personally identifiable information or a | 25 | | student or by which a student may otherwise be personally | 26 | | or individually identified for two reasons: (i) to link |
| | | 09900HB0810ham001 | - 41 - | LRB099 04620 SXM 33703 a |
|
| 1 | | data files or (ii) to identify eligible students for | 2 | | research studies for which written parental, guardian or | 3 | | eligible student consent will be obtained for | 4 | | participation and the person or persons to whom such | 5 | | information will be disclosed is set forth in the data use | 6 | | agreement. | 7 | | (4) The accredited post-secondary institution or the | 8 | | organization conducting research agrees that it shall use | 9 | | personally identifiable information from school student | 10 | | records only to meet the purpose or purposes of the | 11 | | research study or studies as stated in the data use | 12 | | agreement described in subparagraph (2) of this paragraph | 13 | | (a-5). | 14 | | (5) Any information by which a student may be | 15 | | individually or personally identified shall be released, | 16 | | transferred, disclosed or otherwise disseminated only as | 17 | | contemplated by the written data use a paragraph (a-5). | 18 | | (6) All school student records shall have personally | 19 | | identifiable information removed prior to analysis by the | 20 | | accredited post-secondary educational institution or the | 21 | | organization conducting research. | 22 | | (7) The accredited post-secondary institution or | 23 | | organization conducting research shall implement and | 24 | | adhere to policies and procedures that restrict access to | 25 | | records which have personally identifiable information. | 26 | | (A) The accredited post-secondary institution or |
| | | 09900HB0810ham001 | - 42 - | LRB099 04620 SXM 33703 a |
|
| 1 | | organization conducting research shall designate an | 2 | | individual to act as the custodian of the records with | 3 | | personally identifiable information who is responsible | 4 | | for restricting access to those records and provide the | 5 | | name of that individual to the entity with the legal | 6 | | authority to permit the use of the records. | 7 | | (B) Any personally identifiable information used | 8 | | to link data sets shall be securely stored in a | 9 | | location separate and apart from the location of the | 10 | | de-identified school student records, in a secure data | 11 | | file. | 12 | | Nothing in this subparagraph (a-5) shall prohibit the State | 13 | | Board or any school board from providing personally | 14 | | identifiable information about individual students to an | 15 | | accredited post-secondary educational institution or an | 16 | | organization conducting research pursuant to a specific, | 17 | | written agreement with a school board or State Board and in | 18 | | accordance with the federal Family Educational Rights and | 19 | | Privacy Act, where necessary for the school board or State | 20 | | Board to comply with state or federal statutory mandates. | 21 | | (b) No information may be released pursuant to subparagraph | 22 | | subparagraphs (3) or
(6) of paragraph (a) of this Section 6 | 23 | | unless the parent receives
prior written notice of the nature | 24 | | and substance of the information
proposed to be released, and | 25 | | an opportunity to inspect
and copy such records in accordance | 26 | | with Section 5 and to
challenge their contents in accordance |
| | | 09900HB0810ham001 | - 43 - | LRB099 04620 SXM 33703 a |
|
| 1 | | with Section 7. Provided, however,
that such notice shall be | 2 | | sufficient if published in a local newspaper of
general | 3 | | circulation or other publication directed generally to the | 4 | | parents
involved where the proposed release of information is | 5 | | pursuant to
subparagraph (6) 6 of paragraph (a) of in this | 6 | | Section 6 and relates to more
than 25 students.
| 7 | | (c) A record of any release of information pursuant
to this | 8 | | Section must be made and kept as a part of the
school student | 9 | | record and subject to the access granted by Section 5.
Such | 10 | | record of release shall be maintained for the life of the
| 11 | | school student records and shall be available only to the | 12 | | parent
and the official records custodian.
Each record of | 13 | | release shall also include:
| 14 | | (1) the The nature and substance of the information | 15 | | released;
| 16 | | (2) the The name and signature of the official records
| 17 | | custodian releasing such information;
| 18 | | (3) the The name of the person requesting such | 19 | | information,
the capacity in which such a request has been | 20 | | made, and the purpose of such
request;
| 21 | | (4) the The date of the release; and
| 22 | | (5) a A copy of any consent to such release.
| 23 | | (d) Except for the student and his parents, no person
to | 24 | | whom information is released pursuant to this Section
and no | 25 | | person specifically designated as a representative by a parent
| 26 | | may permit any other person to have access to such information |
| | | 09900HB0810ham001 | - 44 - | LRB099 04620 SXM 33703 a |
|
| 1 | | without a prior
consent of the parent obtained in accordance | 2 | | with the requirements
of subparagraph (8) of paragraph (a) of | 3 | | this Section.
| 4 | | (e) Nothing contained in this Act shall prohibit the
| 5 | | publication of student directories which list student names, | 6 | | addresses
and other identifying information and similar | 7 | | publications which
comply with regulations issued by the State | 8 | | Board.
| 9 | | (Source: P.A. 95-331, eff. 8-21-07; 95-793, eff. 1-1-09; | 10 | | 96-107, eff. 7-30-09; 96-1000, eff. 7-2-10; revised 11-26-14.)
| 11 | | (105 ILCS 10/9) (from Ch. 122, par. 50-9)
| 12 | | Sec. 9.
(a) Any person aggrieved by any violation of
this | 13 | | Act may institute an action for injunctive relief in the | 14 | | Circuit
Court of the County in which the violation has occurred | 15 | | or the Circuit
Court of the County in which the school is | 16 | | located.
| 17 | | (b) Any person injured by a wilful or negligent violation | 18 | | of
this Act may institute an action for damages in the Circuit | 19 | | Court of the
County in which the violation has occurred or the | 20 | | Circuit Court of the
County in which the school is located.
| 21 | | (c) In the case of any successful action under paragraph | 22 | | (a) or
(b) of this Section, any person or school found to have | 23 | | wilfully
or negligently violated any provision of this Act is | 24 | | liable to the
plaintiff for the plaintiff's damages, the costs | 25 | | of the action and
reasonable attorneys' fees, as determined by |
| | | 09900HB0810ham001 | - 45 - | LRB099 04620 SXM 33703 a |
|
| 1 | | the Court.
| 2 | | (d) Actions for injunctive relief to secure compliance
with | 3 | | this Act may be brought by the State Board, by the State's
| 4 | | Attorney of the County in which the alleged violation has | 5 | | occurred or the
State's Attorney of the County in which the | 6 | | school is located, in each
case in the Circuit Court of such | 7 | | County.
| 8 | | (e) Wilful failure to comply with any Section of this Act
| 9 | | is a petty offense; except that any person who wilfully and | 10 | | maliciously
falsifies any school student record, student | 11 | | permanent record or student
temporary record shall be guilty of | 12 | | a Class A misdemeanor.
| 13 | | (f) Absent proof of malice, no cause of action or claim for | 14 | | relief,
civil or criminal, may be maintained against any | 15 | | school, or employee or
official of a school or person acting at | 16 | | the direction of a school for
any statement made or judgment | 17 | | expressed in any entry to a school student
record of a type | 18 | | which does not violate this Act or the regulations
issued by | 19 | | the State Board pursuant to this Act; provided that this
| 20 | | paragraph (f) does not limit or deny any defense available
| 21 | | under existing law.
| 22 | | (g) In addition to any other penalties and remedies | 23 | | provided by this Section 9 of this Act, any accredited | 24 | | post-secondary educational institution or organization | 25 | | conducting research that violates the requirements of | 26 | | subparagraph (a-5) of Section 6 of this Act shall immediately |
| | | 09900HB0810ham001 | - 46 - | LRB099 04620 SXM 33703 a |
|
| 1 | | cease conducting any research that utilizes school student | 2 | | records and shall be prohibited from conducting additional | 3 | | research studies based on such records and information for a | 4 | | period of 6 months from the date of the discovery of the | 5 | | violation. | 6 | | (h) In addition to any other penalties and remedies | 7 | | provided by this Section 9 of this Act, any school board that | 8 | | violates the requirements of subparagraph (a-5) of Section 6 of | 9 | | this Act shall be prohibited from entering into a data use | 10 | | agreement with any accredited post-secondary educational | 11 | | institution or organization conducting research for a period of | 12 | | 12 months from the date of the discovery of the violation, and | 13 | | all existing data use agreements shall be voided. | 14 | | (Source: P.A. 84-712.)
| 15 | | Section 15. The Children's Privacy Protection and Parental | 16 | | Empowerment Act is amended by changing Section 5 as follows:
| 17 | | (325 ILCS 17/5)
| 18 | | Sec. 5. Definitions. As used in this Act:
| 19 | | "Child" means a person under the age of 18 16 . "Child" does | 20 | | not include a minor
emancipated by operation of law.
| 21 | | "Parent" means a parent, step-parent, or legal guardian.
| 22 | | "Personal information" means any of the following:
| 23 | | (1) A person's name.
| 24 | | (2) A person's address.
|
| | | 09900HB0810ham001 | - 47 - | LRB099 04620 SXM 33703 a |
|
| 1 | | (3) A person's telephone number.
| 2 | | (4) A person's driver's license number or State of | 3 | | Illinois identification
card as
assigned by the Illinois | 4 | | Secretary of State or by a similar agency of another
state.
| 5 | | (5) A person's social security number.
| 6 | | (6) Any other information that can be used to locate or | 7 | | contact a specific
individual.
| 8 | | "Personal information" does not include any of the
| 9 | | following:
| 10 | | (1) Public records as defined by Section 2 of the | 11 | | Freedom of Information
Act.
| 12 | | (2) Court records.
| 13 | | (3) Information found in publicly available sources, | 14 | | including newspapers,
magazines, and telephone | 15 | | directories.
| 16 | | (4) Any other information that is not known to concern | 17 | | a child.
| 18 | | (Source: P.A. 93-462, eff. 1-1-04.)".
|
|