Full Text of SB3092 98th General Assembly
SB3092sam001 98TH GENERAL ASSEMBLY | Sen. William Delgado Filed: 4/10/2014
09800SB3092sam001 | LRB098 15075 NHT 58512 a
AMENDMENT TO SENATE BILL 3092
AMENDMENT NO. ______. Amend Senate Bill 3092 by replacing everything after the enacting clause with the following:
"Section 5. The P-20 Longitudinal Education Data System Act is amended by adding Section 32 as follows:
(105 ILCS 13/32 new)
Sec. 32. Personally identifiable information limitations.
(a) In this Section:
"Education records" has the meaning ascribed to that term in 34 CFR 99.3.
"Organization" means not-for-profit organizations, think tanks, or other organizations conducting research studies.
"Personally identifiable information" means (i) any personally identifiable information under the federal Family Educational Rights Act of 1974 (FERPA), other than "directory information" as that term is defined in Section 99.3 of the federal regulations implementing FERPA (34 CFR 99.3), and (ii) the personally identifiable information of teachers, other educators, and school administrators, other than publicly available, school-related information such as the name, school location, and grade levels or subjects taught.
(b) If an audit or evaluation or a compliance or enforcement activity in connection with legal requirements that relate to State-supported or school district-supported educational programs requires or is used as the basis for granting access to personally identifiable information, the State Board or a school shall designate parties only under their direct control to act as authorized representatives to conduct the audit, evaluation, or activity.
(c) The State Board or schools may not disclose any personally identifiable information, including personally identifiable information from education records of students, to a contractor, consultant, or other party to whom the State Board or school has outsourced services or functions without providing notice to parents, guardians, and eligible students by posting the intent to disclose the information on the Internet website of the school or State Board at least 30 days in advance or as soon as practicable, unless that outside party:
(1) performs an institutional service or function for which the State Board or the school would otherwise use employees;
(2) is under the direct control of the State Board or the school with respect to the use and maintenance of education records;
(3) limits internal access to education records to those individuals who are determined to have legitimate educational interests;
(4) does not use the education records for any purposes other than those authorized in its contract;
(5) does not disclose any personally identifiable information to any other party (i) without the prior notification to the eligible student, parent, or guardian or (ii) unless required by law and the party provides a notice of the disclosure to the State Board or school board that provided the information no later than the time the information is disclosed, to the extent allowed by law or by the terms of a court order;
(6) maintains reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personally identifiable information in its custody and conducts regular security audits to confirm the efficacy of those safeguards;
(7) uses appropriate encryption technologies to protect data while in motion or in its custody from unauthorized disclosure;
(8) has sufficient administrative and technical procedures to monitor continuously the security of personally identifiable information in its custody;
(9) maintains a breach remediation plan prior to initial receipts of the personally identifiable information and reports breaches as specified by the Personal Information Protection Act;
(10) reports all actual security breaches to the State Board or the school that provided personally identifiable information and education records as soon as possible, but no later than 72 hours after an actual breach was known or in the most expedient amount of time possible under the circumstances;
(11) agrees, in the event of a security breach or an unauthorized disclosure of personally identifiable information, to pay all costs and liabilities incurred by the State Board or school related to the security breach or unauthorized disclosure, including without limitation the costs of responding to inquiries about the security breach or unauthorized disclosure, of notifying the subjects of personally identifiable information about the breach, of mitigating the effects of the breach for the subjects of personally identifiable information, and of investigating the cause or consequences of the security breach or unauthorized disclosure; and
(12) destroys or returns to the State Board or school all personally identifiable information in its custody upon request and at the termination of the contract.
(d) The State Board or schools may disclose personally identifiable information from an education record of a student without the consent of the eligible student, parent, or guardian to a party conducting studies for or on behalf of the State Board or school to (i) develop, validate, or administer predictive tests, (ii) administer student aid programs, or (iii) improve instruction, provided that the outside party conducting the study meets all of the requirements for contractors set forth in subsection (c) of this Section.
(d-5) The State Board or schools may disclose personally identifiable information from an education record of a student to researchers at an organization or accredited post-secondary educational institution conducting research pursuant to a specific, written agreement with the school or State Board and in accordance with the federal Family Educational Rights and Privacy Act of 1974, provided that:
(1) the nature of the research is first publicly disclosed to parents, guardians, and eligible students on the Internet website of the school or State Board at least 30 days in advance of the research being conducted or as soon as practicable;
(2) the organization or institution and the school or State Board enter into a data use agreement that complies with the federal Family Educational Rights and Privacy Act of 1974 and its accompanying rules and includes, at a minimum, the following:
(A) the purpose, scope, and duration of the study or studies and the information to be disclosed;
(B) provisions requiring the organization or institution to use personally identifiable information from school student records only to meet the purpose or purposes of the study as stated in the written agreement;
(C) provisions requiring the organization or institution to conduct the study in a manner that does not permit personal identification of parents or guardians and students by anyone other than representatives of the organization with legitimate interests;
(D) provisions requiring the organization or institution to destroy all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and specifying the time period in which the information must be destroyed;
(E) provisions requiring the organization or institution to certify that it has the capacity to and will restrict access to the school student records and maintain the security of electronic information; and
(F) provisions requiring the organization or institution to develop, implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentiality, integrity, and availability of all school student records; and
(3) the organization or institution uses personally identifiable information from school student records only to meet the purpose or purposes of the study as stated in the written agreement.
For purposes of this subsection (d-5), any information by which a student may be individually or personally identified may only be released, transferred, disclosed, or otherwise disseminated as contemplated by the agreement between the parties. The school student records must be redacted prior to analysis by the organization or institution. Any personally identifiable information used to link data sets must be stored in a secure data file or location outside of the secure data storage where redacted information from the school regarding student records is stored. The organization or institution shall implement and adhere to policies and procedures that restrict access to information by which a student may be individually or personally identified. The organization or institution shall designate an individual to act as the custodian of the personally identifiable information who is responsible for restricting access to that information.
Nothing in this subsection (d-5) prohibits or limits the ability of the State Board or any school to provide personally identifiable information about individual students to a school official, organization, or institution for the purposes of developing, administering, scoring, or interpreting results of student assessments or predictive tests if those assessments or tests require individualized development or administration based on the needs of individual students.
(e) The State Board or schools may not disclose any personally identifiable information, including personally identifiable information from education records of students, without the written consent of eligible students, parents, or guardians to any party for a commercial use, including without limitation marketing products or services, compiling lists for sale or rental, developing products or services, or creating individual, household, or group profiles, nor may such disclosure be made for the provision of services other than contracting, studies, and audits or evaluations as authorized and limited by subsections (c), (d), and (d-5) of this Section.
(f) The State Board or schools may not, directly or through contracts with outside parties, maintain personally identifiable information, including personally identifiable information from education records of students, without the proper notification to eligible students, parents, or guardians, unless the maintenance of the information is:
(1) explicitly mandated in federal or State statute;
(2) administratively required for the proper performance of their duties under the law and is relevant to and necessary for the delivery of services; or
(3) designed to support a study of students or former students.
(g) The State Board and schools shall publicly and conspicuously disclose on their Internet websites and through annual electronic notification to the chairperson of the House of Representatives Elementary & Secondary Education Committee and the chairperson of the Senate Education Committee the existence and character of any personally identifiable information that they, directly or through contracts with outside parties, maintain. The disclosure and notification shall include:
(1) the name and location of the data repository where the information is maintained;
(2) the legal authority that authorizes the establishment and existence of the data repository;
(3) the principal purpose or purposes for which the information is intended to be used;
(4) the categories of individuals on whom records are maintained in the data repository;
(5) the categories of records maintained in the data repository;
(6) each expected disclosure of the records contained in the data repository, including the categories of recipients and the purpose of each disclosure;
(7) the policies and practices of the State Board or school regarding storage, retrievability, access controls, retention, and disposal of the records;
(8) the title and business address of the State Board or school official who is responsible for the data repository and the name and business address of any contractor or other outside party maintaining the data repository for or on behalf of the State Board or school;
(9) the procedures whereby eligible students, parents, or guardians can be notified at their request if the data repository contains a record pertaining to the student, parent, or guardian;
(10) the procedures whereby eligible students, parents, or guardians can be notified at their request on how to gain access to any record pertaining to the student, parent, or guardian contained in the data repository and how they can contest its content; and
(11) the categories of sources of records in the data repository.
(h) The State Board and schools may not append education records with personally identifiable information obtained from other federal or State agencies through data matches without the proper notification to eligible students, parents, or guardians unless the data matches are:
(1) explicitly mandated in federal or State statute; or
(2) administratively required for the proper performance of their duties under the law and are relevant to and necessary for the delivery of services.
(i) Each violation of this Section by an organization or entity that is not the State Board or a school is subject to a civil penalty of up to $1,000 for a first violation, up to $5,000 for a second violation, and up to $10,000 for a third or subsequent violation. Each violation involving a different individual's personally identifiable information shall be considered a separate violation for purposes of civil penalties.
(j) The Attorney General shall have the authority to enforce compliance with this Section by investigation and subsequent commencement of a civil action to seek civil penalties for violations of this Section and to seek appropriate injunctive relief, including without limitation a prohibition on obtaining personally identifiable information for an appropriate time period. In carrying out an investigation and in maintaining a civil action, the Attorney General or any deputy or assistant Attorney General is authorized to subpoena witnesses, compel their attendance, examine them under oath, and require that any books, records, documents, papers, or electronic records relevant or material to the inquiry be turned over for inspection, examination, or audit, pursuant to the Civil Practice Law and rules. Subpoenas issued pursuant to this subsection (j) may be enforced pursuant to the Civil Practice Law and rules.
(k) Nothing contained in this Section shall be construed as creating a private right of action against the State Board or a school.
(l) Nothing in this Section shall limit the administrative use of personally identifiable information by a person acting exclusively in the person's capacity as an employee of a school, this State, a court, or the federal government that is otherwise required by law.
Section 99. Effective date. This Act takes effect upon becoming law.".