Full Text of SB1393 99th General Assembly
SB1393ham001 99TH GENERAL ASSEMBLY | Rep. Scott Drury Filed: 11/28/2016
| | 09900SB1393ham001 | | LRB099 08398 MLM 51831 a |
|
| 1 | | AMENDMENT TO SENATE BILL 1393
| 2 | | AMENDMENT NO. ______. Amend Senate Bill 1393 by replacing | 3 | | everything after the enacting clause with the following:
| 4 | | "Section 1. Short title. This Act may be cited as the | 5 | | Student Data Privacy Act. | 6 | | Section 5. Legislative intent. It is the intent of the | 7 | | General Assembly to ensure that information generated by and | 8 | | about students in the course of and in connection with their | 9 | | education is safeguarded and that student privacy is honored, | 10 | | respected, and protected. The General Assembly finds the | 11 | | following: | 12 | | (1) Information generated by and about students in the | 13 | | course of and in connection with their education is a vital | 14 | | resource for teachers and school staff in planning | 15 | | education programs and services, scheduling students into | 16 | | appropriate classes, and completing reports for school |
| | | 09900SB1393ham001 | - 2 - | LRB099 08398 MLM 51831 a |
|
| 1 | | districts. | 2 | | (2) Information generated by and about students in the | 3 | | course of and in connection with their education is | 4 | | critical to educators in helping students successfully | 5 | | graduate from high school and being ready to enter the | 6 | | workforce or postsecondary education. | 7 | | (3) While information generated by and about students | 8 | | in the course of and in connection with their education is | 9 | | important for educational purposes, it is also critically | 10 | | important to ensure that the information is protected, | 11 | | safeguarded, and kept private and used only by appropriate | 12 | | educational authorities or their permitted designees, and | 13 | | then only to serve the best interests of the student. | 14 | | To that end, this Act helps ensure that information | 15 | | generated by and about students in the course of and in | 16 | | connection with their education is protected and expectations | 17 | | of privacy are honored. | 18 | | Section 10. Definitions. As used in this Act: | 19 | | "Biometric information" has the meaning ascribed to that | 20 | | term in Section 10-20.40 of the School Code. | 21 | | "Directory information" means any personally identifiable | 22 | | information that the State Board of Education has designated as | 23 | | directory information under Section 375.80 of Title 23 of the | 24 | | Illinois Administrative Code. | 25 | | "Educational online product" means an Internet website, |
| | | 09900SB1393ham001 | - 3 - | LRB099 08398 MLM 51831 a |
|
| 1 | | online service, online application, cloud computing service, | 2 | | or mobile application that is designed and marketed or may | 3 | | reasonably be used for educational purposes. | 4 | | "Educational purposes" means any activity that is directed | 5 | | by an employee or agent of a school district with authority to | 6 | | give the direction and is intended to assist with the school | 7 | | district's educational curriculum. | 8 | | "Interactive computer service" means any service, system, | 9 | | or software provider that provides or enables multiple users | 10 | | access to a computer server, including a service or system that | 11 | | provides access to the Internet and systems or services offered | 12 | | by libraries or educational institutions. | 13 | | "Operator" means the owner or operator, or any agent | 14 | | thereof, of an educational online product or interactive | 15 | | computer service that may reasonably be used for educational | 16 | | purposes or was designed and marketed for educational purposes. | 17 | | For the purposes of this Act, the term "operator" shall not be | 18 | | construed to include any school district, or school district | 19 | | employee or agent acting on behalf of a school district | 20 | | employer, that operates or owns an educational online product | 21 | | that is solely used within the school district for educational | 22 | | purposes. | 23 | | "Personally identifiable information" means information | 24 | | that, alone or in combination, identifies an individual student | 25 | | with reasonable certainty or that is linked to information that | 26 | | identifies an individual student, including, but not limited |
| | | 09900SB1393ham001 | - 4 - | LRB099 08398 MLM 51831 a |
|
| 1 | | to: (1) information in the student's school student record, | 2 | | student permanent record, or student temporary record, as those | 3 | | terms are defined in the Illinois School Student Records Act, | 4 | | or other educational record or electronic mail; (2) the | 5 | | student's first and last name or the name of the student's | 6 | | parent or guardian or other family members; (3) the home | 7 | | address of the student or student's family; (4) the telephone | 8 | | number of the student or student's family; (5) the electronic | 9 | | mail address of the student or student's family; (6) any other | 10 | | information that allows physical or online contact with the | 11 | | student; (7) discipline records; (8) test results; (9) data | 12 | | that is a part of or related to any individualized education | 13 | | program for such student; (10) juvenile dependency records; | 14 | | (11) grades; (12) evaluations; (13) criminal records; (14) | 15 | | medical records; (15) health records; (16) social security | 16 | | number or other personal identifiers; (17) biometric | 17 | | information; (18) disabilities; (19) socioeconomic | 18 | | information; (20) food purchases; (21) political affiliations; | 19 | | (22) religious information; (23) text messages; (24) | 20 | | documents; (25) student identifiers, such as date of birth, | 21 | | place of birth, and mother's maiden name; (26) search activity; | 22 | | (27) photos; (28) voice recordings; (29) geolocation | 23 | | information; (30) directory information; (31) online accounts; | 24 | | (32) other information that, alone or in combination, is linked | 25 | | or linkable to a specific student that would allow a reasonable | 26 | | person in the school community who does not have knowledge of |
| | | 09900SB1393ham001 | - 5 - | LRB099 08398 MLM 51831 a |
|
| 1 | | the relevant circumstances to identify the student with | 2 | | reasonable certainty; or (33) information requested by a person | 3 | | whom the school district or an employee or agent of the school | 4 | | district reasonably believes knows the identity of the student | 5 | | to whom the information relates. | 6 | | "Service provider" means a person, subcontractor, agent, | 7 | | independent contractor, or other entity that provides a service | 8 | | to an operator or provides a service that enables users to | 9 | | access content, information, electronic mail, or other | 10 | | services offered over the Internet or a computer network. | 11 | | "Student data" means any information or record, including | 12 | | personally identifiable information, not otherwise available | 13 | | to the public that was collected or created by or otherwise | 14 | | provided to an operator, in any media or format, for or in | 15 | | connection with an educational purpose. "Student data" | 16 | | includes any aggregated information or records capable of being | 17 | | de-aggregated or reconstructed to the point that any student | 18 | | may be individually identified therefrom. | 19 | | "Targeted advertising" means presenting an advertisement | 20 | | to a student or group of students in which the advertisement is | 21 | | selected based on a known or assumed trait of the student or | 22 | | group of students or information obtained or inferred over time | 23 | | from that student's or group of students' online behavior; | 24 | | usage of online applications, educational online products, | 25 | | online services, cloud computing services, or mobile | 26 | | applications; or student data. Targeted advertising does not |
| | | 09900SB1393ham001 | - 6 - | LRB099 08398 MLM 51831 a |
|
| 1 | | include information provided to a student for an educational | 2 | | purpose. | 3 | | Section 15. Operator and service provider duties. | 4 | | (a) An operator or service provider shall not knowingly: | 5 | | (1) engage in targeted advertising based in whole or in | 6 | | part on any student data; | 7 | | (2) use data created or collected through the operation | 8 | | of educational online products or interactive services to | 9 | | amass a profile about a student, except in furtherance of | 10 | | specifically defined educational purposes that are set | 11 | | forth in writing as required by subsection (e) of this | 12 | | Section; | 13 | | (3) sell, rent, or provide student data to a third | 14 | | party, unless the data is part of assets being transferred | 15 | | during the purchase, merger, or other acquisition of an | 16 | | operator by another entity, provided that the successor | 17 | | entity agrees in writing to be subject to and bound by the | 18 | | provisions of this Act as though it were an operator with | 19 | | respect to the acquired student data and information; | 20 | | (4) exercise or claim any rights, implied or otherwise, | 21 | | to any student data, unless otherwise authorized by this | 22 | | Act; | 23 | | (5) disclose student data, unless the disclosure is | 24 | | made for the following purposes: | 25 | | (A) for legitimate research purposes, subject to |
| | | 09900SB1393ham001 | - 7 - | LRB099 08398 MLM 51831 a |
|
| 1 | | and as allowed by federal law and in compliance with | 2 | | subsection (a) of Section 6 of the Illinois School | 3 | | Student Records Act, and under the direction of a | 4 | | school district, provided that the student data is not | 5 | | used for advertising or to amass a profile on the | 6 | | student or for any other purposes other than | 7 | | specifically defined educational purposes that are set | 8 | | forth in writing as required by subsection (e) of this | 9 | | Section; | 10 | | (B) in response to requests by a school district or | 11 | | State agency for personal information for educational | 12 | | purposes; | 13 | | (C) in response to legally permissible and | 14 | | authorized requests or orders by law enforcement | 15 | | agencies or courts of competent jurisdiction, as long | 16 | | as the operator complies with the requirements of | 17 | | federal and State law in protecting and disclosing that | 18 | | information; or | 19 | | (D) to a service provider, provided that the | 20 | | operator contractually: (i) prohibits the service | 21 | | provider from using any student data for any purpose | 22 | | prohibited by this Act; (ii) prohibits the service | 23 | | provider from disclosing any student data provided by | 24 | | the operator with subsequent third parties; and (iii) | 25 | | requires the service provider to implement and | 26 | | maintain reasonable security procedures and practices |
| | | 09900SB1393ham001 | - 8 - | LRB099 08398 MLM 51831 a |
|
| 1 | | to ensure the confidentiality of the student data; or | 2 | | (6) subject to the provisions of subsection (e) of this | 3 | | Section, modify or otherwise alter the terms and conditions | 4 | | of any agreement with a school district related to student | 5 | | data without the express written consent of the school | 6 | | district. | 7 | | (b) An operator or service provider shall: | 8 | | (1) implement and maintain reasonable security | 9 | | procedures and practices appropriate to the nature of | 10 | | the student data that are designed to protect the | 11 | | information from unauthorized access, destruction, | 12 | | use, modification, or disclosure; and | 13 | | (2) delete student data within a reasonable period | 14 | | of time, not to exceed 60 days, upon written request by | 15 | | the school district, provided that the school district | 16 | | provides the student or the student's parent or legal | 17 | | guardian with written notice of the request and | 18 | | provides an opportunity to object. | 19 | | (c) Nothing in this Section shall be construed to prohibit | 20 | | an operator or service provider from: | 21 | | (1) using or sharing aggregated, de-identified student | 22 | | data that is not capable of being deaggregated or otherwise | 23 | | manipulated to allow for the identification of any | 24 | | individual student to maintain, develop, support, improve, | 25 | | or diagnose educational online products or interactive | 26 | | computer services; |
| | | 09900SB1393ham001 | - 9 - | LRB099 08398 MLM 51831 a |
|
| 1 | | (2) using aggregated, de-identified student data that | 2 | | is not capable of being deaggregated or otherwise | 3 | | manipulated to allow for the identification of any | 4 | | individual student to demonstrate the effectiveness of | 5 | | educational online products or interactive computer | 6 | | services, including marketing; or | 7 | | (3) providing a response for a non-advertising, | 8 | | educational purpose to a student's request for information | 9 | | or feedback, provided that (i) the response is not | 10 | | determined in whole or in part by payment or other | 11 | | consideration from a third party, (ii) the operator does | 12 | | not receive any payment or other consideration upon a | 13 | | student selecting any information or responding to the | 14 | | request, and (iii) the operator does not keep a record or | 15 | | otherwise collect or retain data regarding a student's | 16 | | online activities over time or that links or otherwise ties | 17 | | the student to the request. | 18 | | (d) Nothing in this Section shall be construed to: | 19 | | (1) limit the authority of a law enforcement agency to | 20 | | obtain any content or information from an operator as | 21 | | authorized by law or pursuant to a court order; | 22 | | (2) limit the ability of a school district to authorize | 23 | | an operator to use student data for adaptive learning or | 24 | | customized student-learning purposes, provided it is done | 25 | | in a manner consistent with this Act; | 26 | | (3) limit service providers from providing Internet |
| | | 09900SB1393ham001 | - 10 - | LRB099 08398 MLM 51831 a |
|
| 1 | | connectivity to schools or to students and the students' | 2 | | parents or legal guardians; | 3 | | (4) prohibit an operator from marketing educational | 4 | | products to general audiences, provided that the marketing | 5 | | is not based on any student data and does not constitute | 6 | | targeted advertising; | 7 | | (5) impose a duty upon a provider of an electronic | 8 | | store, gateway, marketplace, or other means of purchasing | 9 | | or downloading software or applications to review or | 10 | | enforce compliance with this Section on such software or | 11 | | applications, unless the provider is also an operator or | 12 | | affiliated with an operator, in which case the provider is | 13 | | required to comply with this Section with respect to | 14 | | software or applications offered by or otherwise provided | 15 | | by the operator or affiliate; | 16 | | (6) impose a duty upon a provider of an interactive | 17 | | computer service to review or enforce compliance with this | 18 | | Section by third-party content providers, unless the | 19 | | third-party content providers are affiliated with the | 20 | | interactive computer service, in which case the | 21 | | interactive computer service is required to comply with | 22 | | this Section with respect to software or applications | 23 | | offered or otherwise provided by those content providers; | 24 | | or | 25 | | (7) prohibit students from downloading, exporting, | 26 | | transferring, saving, or maintaining the student's own |
| | | 09900SB1393ham001 | - 11 - | LRB099 08398 MLM 51831 a |
|
| 1 | | student data or documents, provided that an operator does | 2 | | not offer or receive any consideration from a student | 3 | | engaging in such an activity. | 4 | | (e) Any operator who seeks to receive any student data may | 5 | | do so only by entering into a written agreement with the | 6 | | applicable school district before any records may be released | 7 | | or transferred. | 8 | | (1) The agreement shall include, but not be limited to, | 9 | | all of the following: | 10 | | (A) Provisions consistent with the prohibitions or | 11 | | requirements of this Section. | 12 | | (B) A statement of the educational products or | 13 | | interactive computer services being provided. | 14 | | (C) A statement that the operator is acting as a | 15 | | school official with a legitimate educational | 16 | | interest, is performing an institutional service or | 17 | | function for which the school district would otherwise | 18 | | use employees, is under the direct control of the | 19 | | school district with respect to the use and maintenance | 20 | | of student data, and is using such student data only | 21 | | for an authorized purpose and will not redisclose it to | 22 | | third parties or affiliates unless otherwise permitted | 23 | | under this Act. | 24 | | (D) A description of the actions the operator will | 25 | | take, including a description of the training the | 26 | | operator will provide to anyone who will receive or |
| | | 09900SB1393ham001 | - 12 - | LRB099 08398 MLM 51831 a |
|
| 1 | | have access to student data, to ensure the security and | 2 | | confidentiality of student data. Compliance with this | 3 | | subdivision (D) does not, in itself, absolve the | 4 | | operator of liability in the event of an unauthorized | 5 | | disclosure of student data. | 6 | | (E) A provision stating that (i) any dispute | 7 | | arising out of or otherwise connected to student data | 8 | | must be litigated using Illinois law, (ii) the proper | 9 | | venue is in the county in which the school district is | 10 | | located, and (iii) the court in the proper venue shall | 11 | | have jurisdiction over the operator. | 12 | | (F) A statement that the agreement is the entire | 13 | | agreement between the school district, including | 14 | | school district employees or agents and other users, | 15 | | and the operator. | 16 | | (2) The agreement shall not include any provisions that | 17 | | require a school district or its employees or agents to: | 18 | | (A) pay the operator's attorney's fees or costs in | 19 | | connection with any dispute arising out of or otherwise | 20 | | connected to student data, except in the case of | 21 | | willful or wanton conduct by a school district or its | 22 | | employees or agents, in which case indemnification by | 23 | | the school district may be permitted; or | 24 | | (B) arbitrate any dispute arising out of or | 25 | | otherwise connected to student data. |
| | | 09900SB1393ham001 | - 13 - | LRB099 08398 MLM 51831 a |
|
| 1 | | Section 20. Disclosure of student data by school district. | 2 | | A school district or its employees or agents shall only | 3 | | disclose student data in accordance with the provisions of this | 4 | | Section. | 5 | | Without prior written authorization from the school | 6 | | district in which an individual employee or agent works, no | 7 | | individual employee or agent of that school district may enter | 8 | | into any agreements with operators or service providers that | 9 | | concern the use of educational online products that utilize | 10 | | student data. If an operator enters into an agreement with any | 11 | | unauthorized individual employee or agent or other user, then | 12 | | the school district must have the authority to unilaterally | 13 | | cancel the agreement and require the operator or service | 14 | | provider to provide all collected student data to the school | 15 | | district or to delete it. | 16 | | The school district may disclose personally identifiable | 17 | | information or directory information if the student (if the | 18 | | student is an adult) or the student's parent or legal guardian | 19 | | (if the student is a minor) consents to the disclosure in | 20 | | writing. An operator may not solicit any student or parent or | 21 | | legal guardian to disclose student data. | 22 | | Section 25. Collection of biometric information. No school | 23 | | district may collect biometric information from a student or | 24 | | use any device or mechanism to assess a student's physiological | 25 | | or emotional state, unless the student (if the student is an |
| | | 09900SB1393ham001 | - 14 - | LRB099 08398 MLM 51831 a |
|
| 1 | | adult) or the student's parent or legal guardian (if student is | 2 | | a minor) consents in writing. | 3 | | Section 30. Security breach. | 4 | | (a) Each school district must establish a policy for | 5 | | notifying students and parents of any security breach or | 6 | | unauthorized disclosure of student data by the school district | 7 | | or by an operator, service provider, or other entity or third | 8 | | party given access to student data or personally identifiable | 9 | | information of a student. | 10 | | (b) In the event of any security breach or unauthorized | 11 | | disclosure of any student data by an operator, service | 12 | | provider, or other entity or third party given access to | 13 | | student data or personally identifiable information of any | 14 | | student, the operator, service provider, or other entity or | 15 | | third party shall immediately notify any Illinois school | 16 | | district that has provided student data to the operator, | 17 | | service provider, or other entity or third party of the breach | 18 | | or unauthorized disclosure, investigate the causes and | 19 | | consequences of the breach or unauthorized disclosure, and | 20 | | reimburse the school district in full for all reasonable costs | 21 | | and expenses incurred by the school district as a result of the | 22 | | breach, including (i) providing notification to students, | 23 | | parents, and guardians; (ii) providing at least one year's | 24 | | credit monitoring to impacted students; and (iii) paying all | 25 | | legal fees, costs, fines, and damages imposed against the |
| | | 09900SB1393ham001 | - 15 - | LRB099 08398 MLM 51831 a |
|
| 1 | | school district as a result of the breach. | 2 | | (c) In the event of a security breach or unauthorized | 3 | | disclosure of student data by a school district, State agency, | 4 | | or other third party not covered by subsection (b) of this | 5 | | Section and given access to student data or personally | 6 | | identifiable information of any student, the school district, | 7 | | State agency, or other third party shall immediately notify | 8 | | each affected student (if the student is an adult) or the | 9 | | student's parent or legal guardian (if the student is a minor) | 10 | | of the breach or unauthorized disclosure and investigate the | 11 | | causes and consequences of the breach or unauthorized | 12 | | disclosure. | 13 | | Section 35. Rulemaking; notice. | 14 | | (a) The State Board of Education shall adopt rules in | 15 | | accordance with this Act and applicable federal and State laws | 16 | | and rules to protect the right of privacy of any student and | 17 | | his or her family regarding personally identifiable records, | 18 | | files, and data directly related to the student by January 1, | 19 | | 2018. The rules shall provide for: | 20 | | (1) means by which any student (if the student is an | 21 | | adult) or the student's parent or guardian (if the student | 22 | | is a minor) may inspect and review any records or files | 23 | | directly related to the student; | 24 | | (2) restricting the accessibility and availability of | 25 | | any personally identifiable information in records or |
| | | 09900SB1393ham001 | - 16 - | LRB099 08398 MLM 51831 a |
|
| 1 | | files of any student and preventing disclosure thereof | 2 | | unless made upon written consent of such student (if the | 3 | | student is an adult) or the student's parent or guardian | 4 | | (if the student is a minor); and | 5 | | (3) which employees or agents may bind the school | 6 | | district to the terms of any written agreements, not | 7 | | including electronic, click-through, or click-wrap | 8 | | agreements, which agreements may not be entered into with a | 9 | | school district. | 10 | | (b) The State Board of Education must create a model notice | 11 | | that school districts shall annually provide to parents, legal | 12 | | guardians, and students that student data may be disclosed in | 13 | | accordance with this Act. The notice shall be signed by the | 14 | | student (if the student is an adult) or by the student's parent | 15 | | or legal guardian (if the student is a minor) and maintained on | 16 | | file with the school district. The notice must provide what | 17 | | types of student data are collected and shared with operators | 18 | | or service providers and the purpose for collection or use. | 19 | | Section 40. Enforcement. | 20 | | (a) Any person aggrieved by any violation of this Act may | 21 | | institute an action for injunctive relief in the circuit court | 22 | | of the county in which the violation has occurred or the | 23 | | circuit court of any of the counties in which the school | 24 | | district is located. | 25 | | (b) Any person injured by a willful or negligent violation |
| | | 09900SB1393ham001 | - 17 - | LRB099 08398 MLM 51831 a |
|
| 1 | | of this Act may institute an action for damages in the circuit | 2 | | court of the county in which the violation has occurred or the | 3 | | circuit court of any of the counties in which the school | 4 | | district is located. | 5 | | (c) In the case of any successful action under subsection | 6 | | (a) or (b) of this Section, any person or entity found to have | 7 | | willfully or negligently violated any provision of this Act is | 8 | | liable to the plaintiff for the plaintiff's damages, the costs | 9 | | of the action, and reasonable attorney's fees, as determined by | 10 | | the court. | 11 | | (d) Actions for injunctive relief to secure compliance with | 12 | | this Act may be brought by the State Board of Education, by the | 13 | | State's Attorney of the county in which the alleged violation | 14 | | has occurred, or by the State's Attorney of any of the counties | 15 | | in which the school district is located, in each case in the | 16 | | circuit court of such county. | 17 | | (e) Willful failure to comply with any Section of this Act | 18 | | is a petty offense.
| 19 | | Section 95. The Children's Privacy Protection and Parental | 20 | | Empowerment Act is amended by changing Section 5 as follows:
| 21 | | (325 ILCS 17/5)
| 22 | | Sec. 5. Definitions. As used in this Act:
| 23 | | "Child" means a person under the age of 18 16 . "Child" does | 24 | | not include a minor
emancipated by operation of law.
|
| | | 09900SB1393ham001 | - 18 - | LRB099 08398 MLM 51831 a |
|
| 1 | | "Parent" means a parent, step-parent, or legal guardian.
| 2 | | "Personal information" means any of the following:
| 3 | | (1) A person's name.
| 4 | | (2) A person's address.
| 5 | | (3) A person's telephone number.
| 6 | | (4) A person's driver's license number or State of | 7 | | Illinois identification
card as
assigned by the Illinois | 8 | | Secretary of State or by a similar agency of another
state.
| 9 | | (5) A person's social security number.
| 10 | | (6) Any other information that can be used to locate or | 11 | | contact a specific
individual.
| 12 | | "Personal information" does not include any of the
| 13 | | following:
| 14 | | (1) Public records as defined by Section 2 of the | 15 | | Freedom of Information
Act.
| 16 | | (2) Court records.
| 17 | | (3) Information found in publicly available sources, | 18 | | including newspapers,
magazines, and telephone | 19 | | directories.
| 20 | | (4) Any other information that is not known to concern | 21 | | a child.
| 22 | | (Source: P.A. 93-462, eff. 1-1-04.)".
|
|