HB 3606 - Authorizes Parental Privacy Rights for Student Data Collection - Illinois Key Vote

Stage Details

Title: Authorizes Parental Privacy Rights for Student Data Collection


Vote Smart's Synopsis:

Vote to concur with senate amendments and pass a bill that authorizes parental privacy rights for student data collection.

Highlights:

  • Defines “breach” as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or school (Sec. 5).

  • Defines “operator” as, to the extent that an entity is operating in this capacity, the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes (Sec. 5).

  • Defines “covered information” as personally identifiable information or material that is not publicly available (Sec. 5).

  • Specifies that “State Board” refers to the State Board of Education (Sec. 5).

  • Amends operator duties to include (Sec. 15):

    • Implementing and maintaining reasonable security procedures and practices that otherwise meet or exceed industry standards made to protect covered information from unauthorized access, destruction, use, modification, or disclosure;

    • Entering into a written agreement with the relevant public school, school district, or the State Board before covered information is transferred if that operator is looking to receive from a school, school district, or the State Board in any manner any covered information;

    • Notifying the school of any breach of any student’s covered information within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after the breach has been determined to have occurred; and

    • Giving the school a list of any third parties or affiliates to whom the operator is disclosing or has disclosed covered information.

  • Prohibits schools and school boards from (Sec. 26 & 28):

    • Selling, renting, leasing, or trading covered information; or

    • Sharing, transferring, disclosing, or providing access to the covered information of a student to any entity or individual, except the student’s parent, school personnel, appointed or elected school board members or local school council members, or the State Board, without a written agreement, unless the disclosure or transfer is:

      • To law enforcement officials for the protection of users or others or the security or integrity of the operator’s service;

      • Required by court order or State or federal law; or

      • To ensure legal or regulatory compliance.

  • Requires each school to post and maintain on its website, or make available for inspection by the general public at its administrative office, specific information regarding student data, including, but not limited to, an explanation of the data elements of covered information collected by the school, a list of operators working with the school, subcontractors working for these operators, security procedures and practices, a description of the procedures parents can use to carry out their rights listed under section 33, and a list of covered information breaches (Sec. 27).

  • Authorizes schools to designate an appropriate staff individual as a privacy officer for carrying out the duties and responsibilities schools have to ensure cooperation with data security requirements (Sec. 27).

  • Authorizes the parents of students to request the deletion of covered information involving their child as long as no state or federal records laws are violated (Sec. 27).

  • Requires, on an annual basis, the online publication by the State Board of all of the entities or individuals that the State Board contracts with or has written agreements with that have covered information, and a copy of each contract or written agreement (Sec. 28).

  • Requires the State Board to create, publish, and make publicly available an inventory of covered information collected or maintained by the State Board, in addition to model student data privacy policies and procedures in compliance with relevant state and federal law (Sec. 28).

  • Establishes that covered information of students will only be collected for K through 12 school purposes and not further processed for incompatible purposes (Sec. 33).

  • Establishes the right of parents whose children are enrolled in a public school to do all of the following (Sec. 33):

    • Inspect and review the student’s covered information;

    • Request a paper or electronic copy of their child’s covered information from a school; and

    • Request corrections of factual inaccuracies in their child’s covered information.

  • Specifies that this Act takes effect July 1, 2021 (Sec. 99).


Vote Smart's Synopsis:

Vote to amend and pass a bill that authorizes parental privacy rights for student data collection.

