|
(2) Print an individual's social security number on any |
card required for the individual to access products or |
services provided by the person or entity.
|
(3) Require an individual to transmit his or her social |
security number over the Internet, unless the connection is |
secure or the social security number is encrypted.
|
(4) Print an individual's social security number on any |
materials that are mailed to the individual, through the |
U.S. Postal Service, any private mail service, electronic |
mail, or any similar method of delivery, unless State or |
federal law requires the social security number to be on |
the document to be mailed. Notwithstanding any provision in |
this Section to the contrary, social security numbers may |
be included in applications and forms sent by mail, |
including, but not limited to, any material mailed in |
connection with the administration of the Unemployment |
Insurance Act, any material mailed in connection with any |
tax administered by the Department of Revenue, and |
documents sent as part of an application or enrollment |
process or to establish, amend, or terminate an account, |
contract, or policy or to confirm the accuracy of the |
social security number. A social security number that may |
permissibly be mailed under this Section may not be |
printed, in whole or in part, on a postcard or other mailer |
that does not require an envelope or be visible on an |
envelope without the envelope having been opened.
|
|
(b) Except as otherwise provided in this Act, beginning |
July 1, 2010, no person or State or local government agency may |
do any of the following:
|
(1) Collect, use, or disclose a social security number |
from an individual, unless (i) required to do so under |
State or federal law, rules, or regulations, or the |
collection, use, or disclosure of the social security |
number is otherwise necessary for the performance of that |
agency's duties and responsibilities; (ii) the need and |
purpose for the social security number is documented before |
collection of the social security number; and (iii) the |
social security number collected is relevant to the |
documented need and purpose.
|
(2) Require an individual to use his or her social |
security number to access an Internet website.
|
(3) Use the social security number for any purpose |
other than the purpose for which it was collected.
|
(c) The prohibitions in subsection (b) do not apply in the |
following circumstances:
|
(1) The disclosure of social security numbers to |
agents, employees, contractors, or subcontractors of a |
governmental entity or disclosure by a governmental entity |
to another governmental entity or its agents, employees, |
contractors, or subcontractors if disclosure is necessary |
in order for the entity to perform its duties and |
responsibilities; and, if disclosing to a contractor or |
|
subcontractor, prior to such disclosure, the governmental |
entity must first receive from the contractor or |
subcontractor a copy of the contractor's or |
subcontractor's policy that sets forth how the |
requirements imposed under this Act on a governmental |
entity to protect an individual's social security number |
will be achieved.
|
(2) The disclosure of social security numbers pursuant |
to a court order, warrant, or subpoena.
|
(3) The collection, use, or disclosure of social |
security numbers in order to ensure the safety of: State |
and local government employees; persons committed to |
correctional facilities, local jails, and other |
law-enforcement facilities or retention centers; wards of |
the State; and all persons working in or visiting a State |
or local government agency facility.
|
(4) The collection, use, or disclosure of social |
security numbers for internal verification or |
administrative purposes.
|
(5) The disclosure of social security numbers by a |
State agency to any entity for the collection of delinquent |
child support or of any State debt or to a governmental |
agency to assist with an investigation or the prevention of |
fraud.
|
(6) The collection or use of social security numbers to |
investigate or prevent fraud, to conduct background |
|
checks, to collect a debt, to obtain a credit report from a |
consumer reporting agency under the federal Fair Credit |
Reporting Act, to undertake any permissible purpose that is |
enumerated under the federal Gramm Leach Bliley Act, or to |
locate a missing person, a lost relative, or a person who |
is due a benefit, such as a pension benefit or an unclaimed |
property benefit.
|
(d) If any State or local government agency has adopted |
standards for the collection, use, or disclosure of social |
security numbers that are stricter than the standards under |
this Act with respect to the protection of those social |
security numbers, then, in the event of any conflict with the |
provisions of this Act, the stricter standards adopted by the |
State or local government agency shall control.
|
Section 15. Public inspection and copying of documents. |
Notwithstanding any other provision of this Act to the |
contrary, a person or State or local government agency must |
comply with the provisions of any other State law with respect |
to allowing the public inspection and copying of information or |
documents containing all or any portion of an individual's |
social security number. A person or State or local government |
agency must redact social security numbers from the information |
or documents before allowing the public inspection or copying |
of the information or documents.
|
|
Section 20. Applicability. |
(a) This Act does not apply to the collection, use, or |
disclosure of a social security number as required by State or |
federal law, rule, or regulation.
|
(b) This Act does not apply to documents that are recorded |
with a county recorder or required to be open to the public |
under any State or federal law, rule, or regulation, applicable |
case law, Supreme Court Rule, or the Constitution of the State |
of Illinois. Notwithstanding this Section, county recorders |
must comply with Section 35 of this Act.
|
Section 25. Compliance with federal law. If a federal law |
takes effect requiring any federal agency to establish a |
national unique patient health identifier program, any State or |
local government agency that complies with the federal law |
shall be deemed to be in compliance with this Act.
|
Section 30. Embedded social security numbers. Beginning |
December 31, 2009, no person or State or local government |
agency may encode or embed a social security number in or on a |
card or document, including, but not limited to, using a bar |
code, chip, magnetic strip, RFID technology, or other |
technology, in place of removing the social security number as |
required by this Act.
|
Section 35. Identity-protection policy; local government. |
|
(a) Each local government agency must draft and approve an |
identity-protection policy within 12 months after the |
effective date of this Act. The policy must do all of the |
following:
|
(1) Identify this Act.
|
(2) Require all employees of the local government |
agency identified as having access to social security |
numbers in the course of performing their duties to be |
trained to protect the confidentiality of social security |
numbers. Training should include instructions on the |
proper handling of information that contains social |
security numbers from the time of collection through the |
destruction of the information.
|
(3) Direct that only employees who are required to use |
or handle information or documents that contain social |
security numbers have access to such information or |
documents. |
(4) Require that social security numbers requested |
from an individual be provided in a manner that makes the |
social security number easily redacted if required to be |
released as part of a public records request.
|
(5) Require that, when collecting a social security |
number or upon request by the individual, a statement of |
the purpose or purposes for which the agency is collecting |
and using the social security number be provided.
|
(b) Each local government agency must file a written copy |
|
of its privacy policy with the governing board of the unit of |
local government within 30 days after approval of the policy. |
Each local government agency must advise its employees of the |
existence of the policy and make a copy of the policy available |
to each of its employees, and must also make its privacy policy |
available to any member of the public, upon request. If a local |
government agency amends its privacy policy, then that agency |
must file a written copy of the amended policy with the |
appropriate entity and must also advise its employees of the |
existence of the amended policy and make a copy of the amended |
policy available to each of its employees.
|
(c) Each local government agency must implement the |
components of its identity-protection policy that are |
necessary to meet the requirements of this Act within 12 months |
after the date the identity-protection policy is approved. This |
subsection (c) shall not affect the requirements of Section 10 |
of this Act.
|
Section 37. Identity-protection policy; State. |
(a) Each State agency must draft and approve an |
identity-protection policy within 12 months after the |
effective date of this Act. The policy must do all of the |
following:
|
(1) Identify this Act.
|
(2) Require all employees of the State agency |
identified as having access to social security numbers in |
|
the course of performing their duties to be trained to |
protect the confidentiality of social security numbers. |
Training should include instructions on proper handling of |
information that contains social security numbers from the |
time of collection through the destruction of the |
information.
|
(3) Direct that only employees who are required to use |
or handle information or documents that contain social |
security numbers have access to such information or |
documents.
|
(4) Require that social security numbers requested |
from an individual be placed in a manner that makes the |
social security number easily redacted if required to be |
released as part of a public records request.
|
(5) Require that, when collecting a social security |
number or upon request by the individual, a statement of |
the purpose or purposes for which the agency is collecting |
and using the social security number be provided.
|
(b) Each State agency must provide a copy of its |
identity-protection policy to the Social Security Number |
Protection Task Force within 30 days after the approval of the |
policy.
|
(c) Each State agency must implement the components of its |
identity-protection policy that are necessary to meet the |
requirements of this Act within 12 months after the date the |
identity-protection policy is approved. This subsection (c) |
|
shall not affect the requirements of Section 10 of this Act.
|
Section 40. Judicial branch and clerks of courts. The |
judicial branch and clerks of the circuit court are not subject |
to the provisions of this Act, except that the Supreme Court |
shall, under its rulemaking authority or by administrative |
order, adopt requirements applicable to the judicial branch, |
including clerks of the circuit court, regulating the |
disclosure of social security numbers consistent with the |
intent of this Act and the unique circumstances relevant in the |
judicial process.
|
Section 45. Violation. Any person who intentionally |
violates the prohibitions in Section 10 of this Act is guilty |
of a Class B misdemeanor.
|
Section 50. Home rule. A home rule unit of local |
government, any non-home rule municipality, or any non-home |
rule county may regulate the use of social security numbers, |
but that regulation must be no less restrictive than this Act. |
This Act is a limitation under subsection (i) of Section 6 of |
Article VII of the Illinois Constitution on the concurrent |
exercise by home rule units of powers and functions exercised |
by the State.
|
Section 55. This Act does not supersede any more |
|
restrictive law, rule, or regulation regarding the collection, |
use, or disclosure of social security numbers.
|
Section 90. The State Mandates Act is amended by adding |
Section 8.33 as follows:
|
(30 ILCS 805/8.33 new) |
Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 |
of this Act, no reimbursement by the State is required for the |
implementation of any mandate created by the Identity |
Protection Act.
|