|
Rep. Robert Martwick
Filed: 4/1/2019
| | 10100HB3606ham001 | | LRB101 09053 AXK 58960 a |
|
|
| 1 | | AMENDMENT TO HOUSE BILL 3606
|
| 2 | | AMENDMENT NO. ______. Amend House Bill 3606 by replacing |
| 3 | | everything after the enacting clause with the following:
|
| 4 | | "Section 5. The Student Online Personal Protection Act is |
| 5 | | amended by changing Sections 5, 10, and 15 and by adding |
| 6 | | Sections 26, 27, 28, 33, and 37 as follows:
|
| 7 | | (105 ILCS 85/5)
|
| 8 | | Sec. 5. Definitions. In this Act: |
| 9 | | "Breach" means the unauthorized disclosure of data or |
| 10 | | unauthorized provision of physical or electronic means of |
| 11 | | gaining access to data that compromises the security, |
| 12 | | confidentiality, or integrity of covered information. |
| 13 | | "Covered information" means personally identifiable |
| 14 | | information or material or information that is linked to |
| 15 | | personally identifiable information or material in any media or |
| 16 | | format that is not publicly available and is any of the |
|
| | 10100HB3606ham001 | - 2 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | following: |
| 2 | | (1) Created by or provided to an operator by a student |
| 3 | | or the student's parent or legal guardian in the course of |
| 4 | | the student's, parent's, or legal guardian's use of the |
| 5 | | operator's site, service, or application for K through 12 |
| 6 | | school purposes. |
| 7 | | (2) Created by or provided to an operator by an |
| 8 | | employee or agent of a school or school district for K |
| 9 | | through 12 school purposes. |
| 10 | | (3) Gathered by an operator through the operation of |
| 11 | | its site, service, or application for K through 12 school |
| 12 | | purposes and personally identifies a student, including, |
| 13 | | but not limited to, information in the student's |
| 14 | | educational record or electronic mail, first and last name, |
| 15 | | home address, telephone number, electronic mail address, |
| 16 | | or other information that allows physical or online |
| 17 | | contact, discipline records, test results, special |
| 18 | | education data, juvenile dependency records, grades, |
| 19 | | evaluations, criminal records, medical records, health |
| 20 | | records, a social security number, biometric information, |
| 21 | | disabilities, socioeconomic information, food purchases, |
| 22 | | political affiliations, religious information, text |
| 23 | | messages, documents, student identifiers, search activity, |
| 24 | | photos, voice recordings, or geolocation information. |
| 25 | | "Destroy" means the removal of covered information so that |
| 26 | | it is permanently irretrievable in the normal course of |
|
| | 10100HB3606ham001 | - 3 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | business. |
| 2 | | "Interactive computer service" has the meaning ascribed to |
| 3 | | that term in Section 230 of the federal Communications Decency |
| 4 | | Act of 1996 (47 U.S.C. 230). |
| 5 | | "K through 12 school purposes" means purposes that are |
| 6 | | directed by or that customarily take place at the direction of |
| 7 | | a school, teacher, or school district; aid in the |
| 8 | | administration of school activities, including, but not |
| 9 | | limited to, instruction in the classroom or at home, |
| 10 | | administrative activities, and collaboration between students, |
| 11 | | school personnel, or parents; or are otherwise for the use and |
| 12 | | benefit of the school. Advertising that is not otherwise |
| 13 | | specifically authorized in this Act is not a K through 12 |
| 14 | | school purpose. |
| 15 | | "Longitudinal data system" has the meaning given to that |
| 16 | | term under the P-20 Longitudinal Education Data System Act. |
| 17 | | "Operator" means, to the extent that an entity is operating |
| 18 | | in this capacity, the operator of an Internet website, online |
| 19 | | service, online application, or mobile application with actual |
| 20 | | knowledge that the site, service, or application is used |
| 21 | | primarily for K through 12 school purposes and was designed and |
| 22 | | marketed for K through 12 school purposes. |
| 23 | | "Parent" has the meaning given to that term under the |
| 24 | | Illinois School Student Records Act. |
| 25 | | "School" means (1) any preschool, public kindergarten, |
| 26 | | elementary or secondary educational institution, vocational |
|
| | 10100HB3606ham001 | - 4 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | school, special educational facility, or any other elementary |
| 2 | | or secondary educational agency or institution or (2) any |
| 3 | | person, agency, or institution that maintains school student |
| 4 | | records from more than one school. "School" includes a private |
| 5 | | or nonpublic school. |
| 6 | | "State Board" means the State Board of Education. |
| 7 | | "Student" has the meaning given to that term under the |
| 8 | | Illinois School Student Records Act. |
| 9 | | "Targeted advertising" means presenting advertisements to |
| 10 | | a student where the advertisement is selected based on |
| 11 | | information obtained or inferred over time from that student's |
| 12 | | online behavior, usage of applications, or covered |
| 13 | | information. The term does not include advertising to a student |
| 14 | | at an online location based upon that student's current visit |
| 15 | | to that location or in response to that student's request for |
| 16 | | information or feedback, without the retention of that |
| 17 | | student's online activities or requests over time for the |
| 18 | | purpose of targeting subsequent ads.
|
| 19 | | (Source: P.A. 100-315, eff. 8-24-17.)
|
| 20 | | (105 ILCS 85/10)
|
| 21 | | Sec. 10. Operator prohibitions. An operator shall not |
| 22 | | knowingly do any of the following: |
| 23 | | (1) Engage in targeted advertising on the operator's |
| 24 | | site, service, or application or target advertising on any |
| 25 | | other site, service, or application if the targeting of the |
|
| | 10100HB3606ham001 | - 5 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | advertising is based on any information, including covered |
| 2 | | information and persistent unique identifiers, that the |
| 3 | | operator has acquired because of the use of that operator's |
| 4 | | site, service, or application for K through 12 school |
| 5 | | purposes. |
| 6 | | (2) Use information, including persistent unique |
| 7 | | identifiers, created or gathered by the operator's site, |
| 8 | | service, or application to amass a profile about a student, |
| 9 | | except in furtherance of K through 12 school purposes. |
| 10 | | "Amass a profile" does not include the collection and |
| 11 | | retention of account information that remains under the |
| 12 | | control of the student, the student's parent or legal |
| 13 | | guardian, or the school. |
| 14 | | (3) Sell or rent a student's information, including |
| 15 | | covered information. This subdivision (3) does not apply to |
| 16 | | the purchase, merger, or other type of acquisition of an |
| 17 | | operator by another entity if the operator and the or |
| 18 | | successor entity comply complies with this Act regarding |
| 19 | | previously acquired student information. |
| 20 | | (4) Except as otherwise provided in Section 20 of this |
| 21 | | Act, disclose covered information, unless the disclosure |
| 22 | | is made for the following purposes: |
| 23 | | (A) In furtherance of the K through 12 school |
| 24 | | purposes of the site, service, or application if the |
| 25 | | recipient of the covered information disclosed under |
| 26 | | this clause (A) does not further disclose the |
|
| | 10100HB3606ham001 | - 6 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | information, unless done to allow or improve |
| 2 | | operability and functionality of the operator's site, |
| 3 | | service, or application. |
| 4 | | (B) To ensure legal and regulatory compliance or |
| 5 | | take precautions
against liability. |
| 6 | | (C) To respond to the judicial process. |
| 7 | | (D) To protect the safety or integrity of users of |
| 8 | | the site or others or the security of the site, |
| 9 | | service, or application. |
| 10 | | (E) For a school, educational, or employment |
| 11 | | purpose requested by the student or the student's |
| 12 | | parent or legal guardian, provided that the |
| 13 | | information is not used or further disclosed for any |
| 14 | | other purpose. |
| 15 | | (F) To a third party if the operator contractually |
| 16 | | prohibits the third party from using any covered |
| 17 | | information for any purpose other than providing the |
| 18 | | contracted service to or on behalf of the operator, |
| 19 | | prohibits the third party from disclosing any covered |
| 20 | | information provided by the operator with subsequent |
| 21 | | third parties, and requires the third party to |
| 22 | | implement and maintain reasonable security procedures |
| 23 | | and practices as required under Section 15. |
| 24 | | Nothing in this Section prohibits the operator's use of |
| 25 | | information for maintaining, developing, supporting, |
| 26 | | improving, or diagnosing the operator's site, service, or |
|
| | 10100HB3606ham001 | - 7 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | application.
|
| 2 | | (Source: P.A. 100-315, eff. 8-24-17.)
|
| 3 | | (105 ILCS 85/15)
|
| 4 | | Sec. 15. Operator duties. An operator shall do the |
| 5 | | following: |
| 6 | | (1) Implement and maintain reasonable security |
| 7 | | procedures and practices appropriate to the nature of the |
| 8 | | covered information and designed to protect that covered |
| 9 | | information from unauthorized access, destruction, use, |
| 10 | | modification, or disclosure that, based on the sensitivity |
| 11 | | of the data and the risk from unauthorized access, (i) uses |
| 12 | | technologies and methodologies that are consistent with |
| 13 | | the U.S. Department of Commerce's National Institute of |
| 14 | | Standards and Technology's Framework for Improving |
| 15 | | Critical Infrastructure Cybersecurity Version 1.1 and any |
| 16 | | updates to it, (ii) maintains technical safeguards as it |
| 17 | | relates to the possession of covered information in a |
| 18 | | manner consistent with the provisions of 45 CFR 164.312, |
| 19 | | and (iii) otherwise meets or exceeds industry standards. |
| 20 | | (2) Destroy Delete, within a reasonable time period, a |
| 21 | | student's covered information if the school or school |
| 22 | | district requests destruction deletion of covered |
| 23 | | information under the control of the school or school |
| 24 | | district, unless a student or his or her parent or legal |
| 25 | | guardian consents to the maintenance of the covered |
|
| | 10100HB3606ham001 | - 8 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | information. |
| 2 | | (3) Publicly disclose material information about its |
| 3 | | collection, use, and disclosure of covered information, |
| 4 | | including, but not limited to, publishing a terms of |
| 5 | | service agreement, privacy policy, or similar document. |
| 6 | | (4) For any operator who seeks to receive from a |
| 7 | | school, school district, or the State Board in any manner |
| 8 | | any covered information, enter into a written agreement |
| 9 | | with the school, school district, or State Board before any |
| 10 | | covered information may be transferred. The written |
| 11 | | agreement may be created in electronic form and signed with |
| 12 | | an electronic or digital signature or may be a click wrap |
| 13 | | agreement that is used with software licenses, downloaded |
| 14 | | or online applications and transactions for educational |
| 15 | | technologies, or other technologies in which a user must |
| 16 | | agree to terms and conditions prior to using the product or |
| 17 | | service. The written agreement must contain all of the |
| 18 | | following: |
| 19 | | (A) Provisions consistent with each duty, |
| 20 | | prohibition, or requirement set forth in this Act. |
| 21 | | (B) A listing of the categories or types of covered |
| 22 | | information to be provided to the operator. |
| 23 | | (C) A statement of the product or service being |
| 24 | | provided to the school by the operator. |
| 25 | | (D) A statement that the operator is acting as a |
| 26 | | school official with a legitimate educational |
|
| | 10100HB3606ham001 | - 9 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | interest, is performing an institutional service or |
| 2 | | function for which the school would otherwise use |
| 3 | | employees, under the direct control of the school, with |
| 4 | | respect to the use and maintenance of covered |
| 5 | | information, and is using the covered information only |
| 6 | | for an authorized purpose and may not re-disclose it to |
| 7 | | third parties or affiliates, unless otherwise |
| 8 | | permitted under this Act, without permission from the |
| 9 | | school or pursuant to court order. |
| 10 | | (E) A description of the actions the operator must |
| 11 | | take, including a description of the training the |
| 12 | | operator will provide to anyone who receives or has |
| 13 | | access to covered information, to ensure the security |
| 14 | | and confidentiality of covered information. Compliance |
| 15 | | with this subparagraph (E) shall not, in itself, |
| 16 | | absolve the operator of liability if an unauthorized |
| 17 | | disclosure of covered information occurs. |
| 18 | | (F) A description of how, if a breach is attributed |
| 19 | | to the operator, any costs and expenses incurred by the |
| 20 | | school in investigating and remediating the breach |
| 21 | | must be shared between the operator and the school. The |
| 22 | | costs and expenses may include, but are not limited to: |
| 23 | | (i) providing notification to the parents of |
| 24 | | those students whose covered information was |
| 25 | | compromised and to regulatory agencies or other |
| 26 | | entities as required by law or contract; |
|
| | 10100HB3606ham001 | - 10 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | (ii) providing credit monitoring to those |
| 2 | | students whose covered information was exposed in |
| 3 | | a manner during the breach that a reasonable person |
| 4 | | would believe that it could impact his or her |
| 5 | | credit or financial security; |
| 6 | | (iii) legal fees, audit costs, fines, and any |
| 7 | | other fees or damages imposed against the school as |
| 8 | | a result of the security breach; and |
| 9 | | (iv) providing any other notifications or |
| 10 | | fulfilling any other requirements adopted by the |
| 11 | | State Board or of any other State or federal laws. |
| 12 | | (G) A statement that the operator must destroy or |
| 13 | | transfer to the school all covered information if the |
| 14 | | information is no longer needed for the purposes of the |
| 15 | | written agreement and to specify the time period in |
| 16 | | which the information must be destroyed or returned. |
| 17 | | (H) A statement that the school must publish the |
| 18 | | written agreement on the school's website. |
| 19 | | (I) A statement that the agreement is the entire |
| 20 | | agreement with the school, including school employees |
| 21 | | and other end users, and the operator. |
| 22 | | (5) In case of any breach, within the most expedient |
| 23 | | time possible and without unreasonable delay, but no later |
| 24 | | than 5 calendar days after the determination that a breach |
| 25 | | has occurred, notify the school of any breach of the |
| 26 | | students' covered information.
|
|
| | 10100HB3606ham001 | - 11 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | (Source: P.A. 100-315, eff. 8-24-17.)
|
| 2 | | (105 ILCS 85/26 new) |
| 3 | | Sec. 26. School prohibitions. A school may not do any of |
| 4 | | the following: |
| 5 | | (1) Sell, rent, lease, or trade covered information. |
| 6 | | (2) Share, transfer, disclose, or provide access to a |
| 7 | | student's covered information to an entity or individual, |
| 8 | | other than the student's parent or the State Board, without |
| 9 | | a written agreement, unless the disclosure or transfer is: |
| 10 | | (A) to the extent permitted by federal law, to law |
| 11 | | enforcement officials to protect the safety of users or |
| 12 | | others or the security or integrity of the operator's |
| 13 | | service; |
| 14 | | (B) required by court order or State or federal |
| 15 | | law; or |
| 16 | | (C) to ensure legal or regulatory compliance.
|
| 17 | | (105 ILCS 85/27 new) |
| 18 | | Sec. 27. School duties. |
| 19 | | (a) Each school shall post and maintain on its website all |
| 20 | | of the following information: |
| 21 | | (1) An explanation, that is clear and understandable by |
| 22 | | a layperson, of the data elements of covered information |
| 23 | | that the school collects, maintains, or discloses to any |
| 24 | | person, entity, third party, or governmental agency. The |
|
| | 10100HB3606ham001 | - 12 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | information must explain how the school uses, to whom or |
| 2 | | what entities it discloses, and for what purpose it |
| 3 | | discloses the covered information. |
| 4 | | (2) A list of operators that the school has written |
| 5 | | agreements with, a copy of each written agreement, and a |
| 6 | | business address and telephone number for each operator. |
| 7 | | (3) For each operator, a list of any subcontractors to |
| 8 | | whom covered information may be disclosed under Section 15. |
| 9 | | (4) A written description of the procedures that a |
| 10 | | parent may use to carry out the rights enumerated under |
| 11 | | Section 45. |
| 12 | | The school must, at a minimum, update the items under |
| 13 | | paragraphs (1), (3), and (4) of this subsection no later than |
| 14 | | 30 calendar days following the start of a school year and no |
| 15 | | later than 30 days following the beginning of a calendar year. |
| 16 | | (b) Each school must adopt a policy designating which |
| 17 | | school employees are authorized to enter into written |
| 18 | | agreements with operators. This subsection may not be construed |
| 19 | | to limit individual school employees outside of the scope of |
| 20 | | their employment from entering into agreements with operators |
| 21 | | on their own behalf and for non-K through 12 school purposes, |
| 22 | | provided that no covered information is provided to the |
| 23 | | operators. Any agreement or contract entered into in violation |
| 24 | | of this Act is void and unenforceable as against public policy. |
| 25 | | (c) A school must post on its website each written |
| 26 | | agreement entered into under this Act, along with any |
|
| | 10100HB3606ham001 | - 13 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | information required under subsection (a), no later than 5 |
| 2 | | business days after entering into the agreement. |
| 3 | | (d) After receipt of notice of a breach under Section 15 or |
| 4 | | determination of a breach of covered information maintained by |
| 5 | | the school, a school shall electronically notify, no later than |
| 6 | | 5 calendar days after receipt of the notice or determination |
| 7 | | that a breach has occurred, the parent of any student whose |
| 8 | | covered information is involved in the breach. The school must |
| 9 | | also post the notice on the school's website. The notification |
| 10 | | must include, but is not limited to, all of the following: |
| 11 | | (1) The date, estimated date, or estimated date range |
| 12 | | of the breach. |
| 13 | | (2) A description of the covered information that was |
| 14 | | compromised or reasonably believed to have been |
| 15 | | compromised in the breach. |
| 16 | | (3) Information that the parent may use to contact the |
| 17 | | operator and school to inquire about the breach. |
| 18 | | (4) The toll-free numbers, addresses, and websites for |
| 19 | | consumer reporting agencies. |
| 20 | | (5) The toll-free number, address, and website for the |
| 21 | | Federal Trade Commission. |
| 22 | | (6) A statement that the parent may obtain information |
| 23 | | from the Federal Trade Commission and consumer reporting |
| 24 | | agencies about fraud alerts and security freezes. |
| 25 | | (e) Each school must implement and maintain security |
| 26 | | procedures and practices designed to protect covered |
|
| | 10100HB3606ham001 | - 14 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | information from unauthorized access, destruction, use, |
| 2 | | modification, or disclosure that, based on the sensitivity of |
| 3 | | the covered information and the risk from unauthorized access, |
| 4 | | (i) uses technologies and methodologies that are consistent |
| 5 | | with the U.S. Department of Commerce's National Institute of |
| 6 | | Standards and Technology's Framework for Improving Critical |
| 7 | | Infrastructure Cybersecurity Version 1.1 and any updates to it, |
| 8 | | (ii) maintain technical safeguards as they relate to the |
| 9 | | possession of student records in a manner consistent with the |
| 10 | | provisions of 45 CFR 164.312, and (iii) otherwise meet or |
| 11 | | exceed industry standards. |
| 12 | | (f) Each school shall designate an appropriate staff person |
| 13 | | as a privacy officer, who may also be an official records |
| 14 | | custodian as designated under the Illinois School Student |
| 15 | | Records Act, to carry out the duties and responsibilities |
| 16 | | assigned to schools and to ensure compliance with the |
| 17 | | requirements of this Section and Section 26. |
| 18 | | (g) A school shall make a request, pursuant to paragraph |
| 19 | | (2) of Section 15, to an operator to destroy covered |
| 20 | | information on behalf of a student's parent if the parent |
| 21 | | requests from the school that the student's covered information |
| 22 | | held by the operator be destroyed, so long as the destruction |
| 23 | | of the covered information is not in violation of the Illinois |
| 24 | | School Student Records Act.
|
| 25 | | (105 ILCS 85/28 new) |
|
| | 10100HB3606ham001 | - 15 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | Sec. 28. State Board duties. |
| 2 | | (a) The State Board may not sell, rent, lease, or trade |
| 3 | | covered information. |
| 4 | | (b) The State Board may not share, transfer, disclose, or |
| 5 | | provide covered information to an entity or individual without |
| 6 | | a contract or written agreement, except for disclosures |
| 7 | | required by federal law to federal agencies. |
| 8 | | (c) The State Board must publish and maintain on its |
| 9 | | website a list of all of the entities or individuals, |
| 10 | | including, but not limited to, operators, individual |
| 11 | | researchers, research organizations, institutions of higher |
| 12 | | education, or government agencies, that the State Board |
| 13 | | contracts with or has agreements with and that hold covered |
| 14 | | information and a copy of each contract or agreement. The list |
| 15 | | must include all of the following information: |
| 16 | | (1) The name of the entity or individual. In naming an |
| 17 | | individual, the list must include the entity that sponsors |
| 18 | | the individual or with which the individual is affiliated, |
| 19 | | if any. If the individual is conducting research at an |
| 20 | | institution of higher education, the list may include the |
| 21 | | name of that institution and a contact person in the |
| 22 | | department that is associated with the research in lieu of |
| 23 | | the name of the researcher. If the entity is an operator, |
| 24 | | the list must include a business address and telephone |
| 25 | | number for the operator. |
| 26 | | (2) The purpose and scope of the contract or agreement. |
|
| | 10100HB3606ham001 | - 16 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | (3) The duration of the contract or agreement. |
| 2 | | (4) The types of covered information that the entity or |
| 3 | | individual holds under the contract or agreement. |
| 4 | | (5) The use of the covered information under the |
| 5 | | contract or agreement. |
| 6 | | (6) The length of time for which the entity or |
| 7 | | individual may hold the covered information. |
| 8 | | (7) A list of any subcontractors to whom covered |
| 9 | | information may be disclosed under Section 15. |
| 10 | | (d) The State Board shall create, publish, and make |
| 11 | | publicly available an inventory, along with a dictionary or |
| 12 | | index of data elements and their definitions, of covered |
| 13 | | information collected or maintained by the State Board, |
| 14 | | including, but not limited to, both of the following: |
| 15 | | (1) Covered information that schools are required to |
| 16 | | report to the State Board by State or federal law. |
| 17 | | (2) Covered information in the State longitudinal data |
| 18 | | system or any data warehouse used by the State Board to |
| 19 | | populate the longitudinal data system. |
| 20 | | The inventory shall make clear for what purposes the State |
| 21 | | Board uses the covered information. |
| 22 | | (e) The State Board shall develop, publish, and make |
| 23 | | publicly available, for the benefit of schools, model student |
| 24 | | data privacy policies and procedures that comply with relevant |
| 25 | | State and federal law, including, but not limited to, a model |
| 26 | | notice that schools must use to provide notice to parents and |
|
| | 10100HB3606ham001 | - 17 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | students about operators. The notice must state, in general |
| 2 | | terms, the types of student data that are collected by the |
| 3 | | schools and shared with operators under this Act and the |
| 4 | | purposes of collecting and using the student data. After |
| 5 | | creation of the notice under this subsection, a schools shall, |
| 6 | | at the beginning of each school year, provide the notice to |
| 7 | | parents by the same means generally used to send notices to |
| 8 | | them.
|
| 9 | | (105 ILCS 85/33 new) |
| 10 | | Sec. 33. Parent and student rights. |
| 11 | | (a) A student's covered information is the sole property of |
| 12 | | the student's parent. |
| 13 | | (b) A student's covered information shall be collected only |
| 14 | | for specified, explicit, and legitimate school purposes and not |
| 15 | | further processed in a manner that is incompatible with those |
| 16 | | purposes. |
| 17 | | (c) A student's covered information shall only be adequate, |
| 18 | | relevant, and limited to what is necessary in relation to the |
| 19 | | school purpose for which it is processed. |
| 20 | | (d) The parent of a student enrolled in a school has the |
| 21 | | right to all of the following: |
| 22 | | (1) Inspect and review the student's student data, |
| 23 | | regardless of whether it is maintained by the school, the |
| 24 | | State Board, or an operator. |
| 25 | | (2) Request from a school a paper or electronic copy of |
|
| | 10100HB3606ham001 | - 18 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | the student's covered information, including covered |
| 2 | | information maintained by an operator or the State Board. |
| 3 | | If a parent requests an electronic copy of the student's |
| 4 | | covered information under this paragraph, the school must |
| 5 | | provide an electronic copy of that information, unless the |
| 6 | | school does not maintain the information in an electronic |
| 7 | | format and reproducing the information in an electronic |
| 8 | | format would be unduly burdensome to the school. If a |
| 9 | | parent requests a paper copy of the student's covered |
| 10 | | information, the school may charge the parent the |
| 11 | | reasonable cost for copying the information in an amount |
| 12 | | not to exceed the amount fixed in a schedule adopted by the |
| 13 | | State Board, except that no parent may be denied a copy of |
| 14 | | the information due to the parent's inability to bear the |
| 15 | | cost of the copying. |
| 16 | | (3) Request corrections of factual inaccuracies |
| 17 | | contained in the student's covered information. After |
| 18 | | receiving a request for corrections that documents a |
| 19 | | factual inaccuracy, a school must do either of the |
| 20 | | following: |
| 21 | | (A) Confirm the correction with the parent within |
| 22 | | 90 days after receiving the parent's request if the |
| 23 | | school or State Board maintains the covered |
| 24 | | information that contains the factual inaccuracy. |
| 25 | | (B) Notify the operator who must confirm the |
| 26 | | correction with the parent within 90 days after |
|
| | 10100HB3606ham001 | - 19 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | receiving the parent's request if the covered |
| 2 | | information that contains the factual inaccuracy is |
| 3 | | maintained by an operator. |
| 4 | | (e) Nothing in this Section shall be construed to limit the |
| 5 | | rights granted to parents and students under the Illinois |
| 6 | | School Student Records Act.
|
| 7 | | (105 ILCS 85/37 new) |
| 8 | | Sec. 37. Oversight. |
| 9 | | (a) There is created a Student Data Protection Oversight |
| 10 | | Committee that consists of all of the following members, |
| 11 | | appointed by the State Board of Education: |
| 12 | | (1) A high school student enrolled in a public school |
| 13 | | in this State. |
| 14 | | (2) A parent of a student in a school district |
| 15 | | organized under Article 34 of the School Code. |
| 16 | | (3) A parent of a student in a school district located |
| 17 | | in whole or in part in Lake, Kane, Will, DuPage, McHenry, |
| 18 | | or Cook County, but not in a school district organized |
| 19 | | under Article 34 of the School Code. |
| 20 | | (4) A parent of a student enrolled in a small, rural |
| 21 | | school district. |
| 22 | | (5) An expert in school information technology |
| 23 | | systems. |
| 24 | | (6) An expert in digital privacy law. |
| 25 | | (7) A representative of a computer and information |
|
| | 10100HB3606ham001 | - 20 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | technology trade group. |
| 2 | | (8) A representative of a civil rights advocacy |
| 3 | | organization. |
| 4 | | (9) A representative of a different civil rights or a |
| 5 | | privacy rights advocacy organization. |
| 6 | | (10) A representative of an association representing |
| 7 | | principals in a city having a population exceeding 500,000. |
| 8 | | (11) A representative of a statewide association |
| 9 | | representing school administrators. |
| 10 | | (12) A representative of a statewide professional |
| 11 | | teachers' organization. |
| 12 | | (13) A representative of a different statewide |
| 13 | | professional teachers' organization. |
| 14 | | (14) A representative of a professional teachers'
|
| 15 | | organization in a city having a population exceeding |
| 16 | | 500,000. |
| 17 | | (15) A representative of a statewide association |
| 18 | | representing school boards. |
| 19 | | (16) A representative of a school district organized |
| 20 | | under Article 34 of the School Code. |
| 21 | | The Committee shall also consist of the Attorney General or |
| 22 | | his or her designee and the State Superintendent of Education |
| 23 | | or his or her designee. |
| 24 | | The State Board, in consultation with the Committee, may |
| 25 | | appoint no more than 2 additional individuals to the Committee |
| 26 | | who shall serve in an advisory role and may not have voting or |
|
| | 10100HB3606ham001 | - 21 - | LRB101 09053 AXK 58960 a |
|
|
| 1 | | other decision-making rights. |
| 2 | | (b) The Committee shall initially meet at the call of the |
| 3 | | Governor, at which meeting it shall designate a chairperson. |
| 4 | | The Committee shall meet thereafter at the call of the |
| 5 | | chairperson, but no less than 4 times within one year after the |
| 6 | | effective date of this amendatory Act of the 101st General |
| 7 | | Assembly and at least once per year thereafter to study, |
| 8 | | review, and make recommendations to the General Assembly about |
| 9 | | laws and rules in light of technological and legal developments |
| 10 | | related to the privacy and security of school student data. The |
| 11 | | members of the Committee shall serve without compensation but |
| 12 | | may be reimbursed for reasonable and necessary expenses |
| 13 | | incurred in performing their duties from funds appropriated to |
| 14 | | the State Board for that purpose. The State Board must provide |
| 15 | | administrative and other support to the Committee. |
| 16 | | (c) The Committee shall submit an annual report to the |
| 17 | | General Assembly and the State Board no later than December 15, |
| 18 | | 2020, and on or before each December 15 thereafter, with |
| 19 | | recommendations, if any, for policy revisions and legislative |
| 20 | | amendments that would carry out the intent of this Act. |
| 21 | | (d) The Committee is subject to the Open Meetings Act and |
| 22 | | the Freedom of Information Act.
|
| 23 | | Section 99. Effective date. This Act takes effect July 1, |
| 24 | | 2020.".
|