Bill Text: IL SB2018 | 2017-2018 | 100th General Assembly | Introduced
Bill Title: Creates the Student Data Privacy Act. On and after October 1, 2017, requires the school board of a school district to enter into a written contract with a contractor any time the school board shares or provides access to student information, student records, or student-generated content with that contractor. Among other provisions, sets forth provisions concerning contract requirements, contractor and operator requirements and prohibitions, security breach procedures, and the establishment of a task force to study issues relating to student data privacy. Effective immediately.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Failed) 2019-01-09 - Session Sine Die [SB2018 Detail]
Download: Illinois-2017-SB2018-Introduced.html
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| 1 | AN ACT concerning education.
| ||||||||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||||||||||||||||||||
| 3 | represented in the General Assembly:
| ||||||||||||||||||||||||
| 4 | Section 1. Short title. This Act may be cited as the | ||||||||||||||||||||||||
| 5 | Student Data Privacy Act.
| ||||||||||||||||||||||||
| 6 | Section 5. Definitions. In this Act: | ||||||||||||||||||||||||
| 7 | "Contractor" means an operator or consultant that is in | ||||||||||||||||||||||||
| 8 | possession of or has access to student information, student | ||||||||||||||||||||||||
| 9 | records, or student-generated content as a result of a contract | ||||||||||||||||||||||||
| 10 | with a school board.
| ||||||||||||||||||||||||
| 11 | "Consultant" means a professional who provides | ||||||||||||||||||||||||
| 12 | noninstructional services, including, but not limited to, | ||||||||||||||||||||||||
| 13 | administrative, planning, analysis, statistical or research | ||||||||||||||||||||||||
| 14 | services, to a school board pursuant to a contract with the | ||||||||||||||||||||||||
| 15 | school board. | ||||||||||||||||||||||||
| 16 | "De-identified student information" means any student | ||||||||||||||||||||||||
| 17 | information that has been altered to prevent the identification | ||||||||||||||||||||||||
| 18 | of an individual student.
| ||||||||||||||||||||||||
| 19 | "Directory information" has the same meaning as provided in | ||||||||||||||||||||||||
| 20 | 34 CFR 99.3.
| ||||||||||||||||||||||||
| 21 | "Operator" means any person who (i) operates an Internet | ||||||||||||||||||||||||
| 22 | web site, online service, or mobile application with actual | ||||||||||||||||||||||||
| 23 | knowledge that the Internet web site, online service, or mobile | ||||||||||||||||||||||||
| |||||||
| |||||||
| 1 | application is used for school purposes and was designed and | ||||||
| 2 | marketed for school purposes, to the extent it is engaged in | ||||||
| 3 | the operation of that Internet web site, online service, or | ||||||
| 4 | mobile application, and (ii) collects, maintains, or uses | ||||||
| 5 | student information.
| ||||||
| 6 | "Persistent unique identifier" means a unique piece of | ||||||
| 7 | information that can be used to recognize a user over time and | ||||||
| 8 | across different Internet web sites, online services, or mobile | ||||||
| 9 | applications and is acquired as a result of a student's use of | ||||||
| 10 | an operator's Internet web site, online service, or mobile | ||||||
| 11 | application.
| ||||||
| 12 | "School purposes" means purposes that customarily take | ||||||
| 13 | place at the direction of a teacher or a school board or aid in | ||||||
| 14 | the administration of school activities, including, but not | ||||||
| 15 | limited to, instruction in the classroom, administrative | ||||||
| 16 | activities, and collaboration among students, school | ||||||
| 17 | personnel, or parents or legal guardians of students.
| ||||||
| 18 | "Student" means a person who is a resident of this State | ||||||
| 19 | and who is (i) enrolled in a school district's preschool | ||||||
| 20 | program, (ii) enrolled in any of grades kindergarten through 12 | ||||||
| 21 | in a public school, (iii) receiving special education and | ||||||
| 22 | related services under an individualized education program, or | ||||||
| 23 | (iv) otherwise the responsibility of a school district.
| ||||||
| 24 | "Student-generated content" means any student materials | ||||||
| 25 | created by a student, including, but not limited to, essays, | ||||||
| 26 | research papers, portfolios, creative writing, music or other | ||||||
| |||||||
| |||||||
| 1 | audio files, or photographs, except "student-generated | ||||||
| 2 | content" does not include student responses to a standardized | ||||||
| 3 | assessment.
| ||||||
| 4 | "Student information" means personally identifiable | ||||||
| 5 | information or material of a student in any media or format | ||||||
| 6 | that is not publicly available and is any of the following: (i) | ||||||
| 7 | created or provided by a student or the parent or legal | ||||||
| 8 | guardian of a student to the operator in the course of the | ||||||
| 9 | student, parent, or legal guardian using the operator's | ||||||
| 10 | Internet web site, online service, or mobile application for | ||||||
| 11 | school purposes, (ii) created or provided by an employee or | ||||||
| 12 | agent of a school board to an operator for school purposes, or | ||||||
| 13 | (iii) gathered by an operator through the operation of the | ||||||
| 14 | operator's Internet web site, online service, or mobile | ||||||
| 15 | application and identifies a student, including, but not | ||||||
| 16 | limited to, information in the student's records or electronic | ||||||
| 17 | mail account, first or last name, home address, telephone | ||||||
| 18 | number, date of birth, electronic mail address, discipline | ||||||
| 19 | records, test results, grades, evaluations, criminal records, | ||||||
| 20 | medical records, health records, Social Security number, | ||||||
| 21 | biometric information, disabilities, socioeconomic | ||||||
| 22 | information, food purchases, political affiliations, religious | ||||||
| 23 | affiliations, text messages, documents, student identifiers, | ||||||
| 24 | search activity, photographs, voice recordings, survey | ||||||
| 25 | responses, or behavioral assessments.
| ||||||
| 26 | "Student record" means any information directly related to | ||||||
| |||||||
| |||||||
| 1 | a student that is maintained by a school board or the State | ||||||
| 2 | Board of Education or any information acquired from a student | ||||||
| 3 | through the use of educational software assigned to the student | ||||||
| 4 | by a teacher or employee of a school board, except "student | ||||||
| 5 | record" does not include de-identified student information | ||||||
| 6 | allowed under a contract to be used by the contractor to (i) | ||||||
| 7 | improve educational products for adaptive learning purposes | ||||||
| 8 | and customize student learning, (ii) demonstrate the | ||||||
| 9 | effectiveness of the contractor's products in the marketing of | ||||||
| 10 | those products, and (iii) develop and improve the contractor's | ||||||
| 11 | products and services.
| ||||||
| 12 | "Targeted advertising" means presenting an advertisement | ||||||
| 13 | to a student where the selection of the advertisement is based | ||||||
| 14 | on student information, student records, or student-generated | ||||||
| 15 | content or inferred over time from the usage of the operator's | ||||||
| 16 | Internet web site, online service, or mobile application by a | ||||||
| 17 | student or the retention of a student's online activities or | ||||||
| 18 | requests over time for the purpose of targeting subsequent | ||||||
| 19 | advertisements. "Targeted advertising" does not include any | ||||||
| 20 | advertising to a student on an Internet web site that the | ||||||
| 21 | student is accessing at the time or in response to a student's | ||||||
| 22 | response or request for information or feedback.
| ||||||
| 23 | Section 10. Contract required. | ||||||
| 24 | (a) This Section applies beginning on October 1, 2017 and | ||||||
| 25 | is applicable to contracts entered into, amended, or renewed on | ||||||
| |||||||
| |||||||
| 1 | or after October 1, 2017. On and after October 1, 2017, the | ||||||
| 2 | school board of a school district shall enter into a written | ||||||
| 3 | contract with a contractor any time the school board shares or | ||||||
| 4 | provides access to student information, student records, or | ||||||
| 5 | student-generated content with the contractor. Each contract | ||||||
| 6 | shall include, but need not be limited to, the following:
| ||||||
| 7 | (1) a statement that student information, student | ||||||
| 8 | records, and student-generated content are not the | ||||||
| 9 | property of or under the control of a contractor;
| ||||||
| 10 | (2) a description of the means by which the school | ||||||
| 11 | board may request the deletion of student information, | ||||||
| 12 | student records, or student-generated content in the | ||||||
| 13 | possession of the contractor;
| ||||||
| 14 | (3) a statement that the contractor shall not use | ||||||
| 15 | student information, student records, and | ||||||
| 16 | student-generated content for any purposes other than | ||||||
| 17 | those authorized pursuant to the contract;
| ||||||
| 18 | (4) a description of the procedures by which a student | ||||||
| 19 | or parent or legal guardian of a student may review | ||||||
| 20 | personally identifiable information contained in student | ||||||
| 21 | information, student records, or student-generated content | ||||||
| 22 | and correct erroneous information, if any, in the student | ||||||
| 23 | record;
| ||||||
| 24 | (5) a statement that the contractor shall take actions | ||||||
| 25 | designed to ensure the security and confidentiality of | ||||||
| 26 | student information, student records, and | ||||||
| |||||||
| |||||||
| 1 | student-generated content;
| ||||||
| 2 | (6) a description of the procedures that a contractor | ||||||
| 3 | will follow to notify the school board, in accordance with | ||||||
| 4 | the provisions of Section 20 of this Act, when there has | ||||||
| 5 | been an unauthorized release, disclosure, or acquisition | ||||||
| 6 | of student information, student records, or | ||||||
| 7 | student-generated content;
| ||||||
| 8 | (7) a statement that student information, student | ||||||
| 9 | records, or student-generated content shall not be | ||||||
| 10 | retained or available to the contractor upon completion of | ||||||
| 11 | the contracted services unless a student or parent or legal | ||||||
| 12 | guardian of a student chooses to establish or maintain an | ||||||
| 13 | electronic account with the contractor for the purpose of | ||||||
| 14 | storing student-generated content;
| ||||||
| 15 | (8) a statement that the contractor and the school | ||||||
| 16 | board shall ensure compliance with the federal Family | ||||||
| 17 | Educational Rights and Privacy Act of 1974;
| ||||||
| 18 | (9) a statement that the laws of this State shall | ||||||
| 19 | govern the rights and duties of the contractor and the | ||||||
| 20 | school board; and | ||||||
| 21 | (10) a statement that if any provision of the contract | ||||||
| 22 | or the application of the contract is held invalid by a | ||||||
| 23 | court of competent jurisdiction, the invalidity does not | ||||||
| 24 | affect other provisions or applications of the contract | ||||||
| 25 | that can be given effect without the invalid provision or | ||||||
| 26 | application.
| ||||||
| |||||||
| |||||||
| 1 | (b) All student-generated content shall be the property of | ||||||
| 2 | the student or the parent or legal guardian of the student.
| ||||||
| 3 | (c) A contractor shall implement and maintain security | ||||||
| 4 | procedures and practices designed to protect student | ||||||
| 5 | information, student records, and student-generated content | ||||||
| 6 | from unauthorized access, destruction, use, modification, or | ||||||
| 7 | disclosure that, based on the sensitivity of the data and the | ||||||
| 8 | risk from unauthorized access:
| ||||||
| 9 | (1) use technologies and methodologies that are | ||||||
| 10 | consistent with the guidance issued pursuant to Section | ||||||
| 11 | 13402(h)(2) of Public Law 111-5, as amended from time to | ||||||
| 12 | time;
| ||||||
| 13 | (2) maintain technical safeguards as it relates to the | ||||||
| 14 | possession of student records in a manner consistent with | ||||||
| 15 | the provisions of 45 CFR 164.312; and
| ||||||
| 16 | (3) otherwise meet or exceed industry standards.
| ||||||
| 17 | (d) A contractor shall not use (i) student information, | ||||||
| 18 | student records, or student-generated content for any purposes | ||||||
| 19 | other than those authorized pursuant to the contract or (ii) | ||||||
| 20 | personally identifiable information contained in student | ||||||
| 21 | information, student records, or student-generated content to | ||||||
| 22 | engage in targeted advertising.
| ||||||
| 23 | (e) Any provision of a contract entered into between a | ||||||
| 24 | contractor and a school board on or after October 1, 2017 that | ||||||
| 25 | conflicts with any provision of this Section shall be void.
| ||||||
| 26 | (f) Any contract entered into on or after October 1, 2017 | ||||||
| |||||||
| |||||||
| 1 | that does not include a provision required by subsection (a) of | ||||||
| 2 | this Section shall be void, provided that the school board has | ||||||
| 3 | given reasonable notice to the contractor and the contractor | ||||||
| 4 | has failed within a reasonable time to amend the contract to | ||||||
| 5 | include the provision required by subsection (a) of this | ||||||
| 6 | Section.
| ||||||
| 7 | (g) Not later than 5 business days after executing a | ||||||
| 8 | contract pursuant to this Section, a school board shall provide | ||||||
| 9 | electronic notice to any student and the parent or legal | ||||||
| 10 | guardian of a student affected by the contract. The notice | ||||||
| 11 | shall (i) state that the contract has been executed and the | ||||||
| 12 | date that the contract was executed, (ii) provide a brief | ||||||
| 13 | description of the contract and the purpose of the contract, | ||||||
| 14 | and (iii) state what student information, student records, or | ||||||
| 15 | student-generated content may be collected as a result of the | ||||||
| 16 | contract. The school board shall post the notice and the | ||||||
| 17 | contract on the school district's Internet web site.
| ||||||
| 18 | Section 15. Operators. | ||||||
| 19 | (a) This Section applies beginning October 1, 2017. An | ||||||
| 20 | operator shall:
| ||||||
| 21 | (1) implement and maintain security procedures and | ||||||
| 22 | practices that meet or exceed industry standards and that | ||||||
| 23 | are designed to protect student information, student | ||||||
| 24 | records, and student-generated content from unauthorized | ||||||
| 25 | access, destruction, use, modification, or disclosure; and
| ||||||
| |||||||
| |||||||
| 1 | (2) delete any student information, student records, | ||||||
| 2 | or student-generated content within a reasonable amount of | ||||||
| 3 | time if a student, parent or legal guardian of a student, | ||||||
| 4 | or school board that has the right to control the student | ||||||
| 5 | information requests the deletion of the student | ||||||
| 6 | information, student records, or student-generated | ||||||
| 7 | content.
| ||||||
| 8 | (b) An operator shall not knowingly:
| ||||||
| 9 | (1) engage in (i) targeted advertising on the | ||||||
| 10 | operator's Internet web site, online service, or mobile | ||||||
| 11 | application or (ii) targeted advertising on any other | ||||||
| 12 | Internet web site, online service, or mobile application if | ||||||
| 13 | the advertising is based on any student information, | ||||||
| 14 | student records, student-generated content, or persistent | ||||||
| 15 | unique identifiers that the operator has acquired because | ||||||
| 16 | of the use of the operator's Internet web site, online | ||||||
| 17 | service, or mobile application for school purposes;
| ||||||
| 18 | (2) collect, store, and use student information, | ||||||
| 19 | student records, student-generated content, or persistent | ||||||
| 20 | unique identifiers for purposes other than the furtherance | ||||||
| 21 | of school purposes;
| ||||||
| 22 | (3) sell, rent, or trade student information, student | ||||||
| 23 | records, or student-generated content unless the sale is | ||||||
| 24 | part of the purchase, merger, or acquisition of an operator | ||||||
| 25 | by a successor operator and the operator and successor | ||||||
| 26 | operator continue to be subject to the provisions of this | ||||||
| |||||||
| |||||||
| 1 | Section regarding student information; or
| ||||||
| 2 | (4) disclose student information, student records, or | ||||||
| 3 | student-generated content unless the disclosure is made:
| ||||||
| 4 | (A) in furtherance of school purposes of the | ||||||
| 5 | Internet web site, online service, or mobile | ||||||
| 6 | application, provided that the recipient of the | ||||||
| 7 | student information uses the student information to | ||||||
| 8 | improve the operability and functionality of the | ||||||
| 9 | Internet web site, online service, or mobile | ||||||
| 10 | application and complies with subsection (a) of this | ||||||
| 11 | Section;
| ||||||
| 12 | (B) to ensure compliance with federal or State law | ||||||
| 13 | or rules or pursuant to a court order;
| ||||||
| 14 | (C) in response to a judicial order;
| ||||||
| 15 | (D) to protect the safety or integrity of users or | ||||||
| 16 | others or the security of the Internet web site, online | ||||||
| 17 | service, or mobile application;
| ||||||
| 18 | (E) to an entity hired by the operator to provide | ||||||
| 19 | services for the operator's Internet web site, online | ||||||
| 20 | service, or mobile application, provided that the | ||||||
| 21 | operator contractually (i) prohibits the entity from | ||||||
| 22 | using student information, student records, or | ||||||
| 23 | student-generated content for any purpose other than | ||||||
| 24 | providing the contracted service to or on behalf of the | ||||||
| 25 | operator, (ii) prohibits the entity from disclosing | ||||||
| 26 | student information, student records, or | ||||||
| |||||||
| |||||||
| 1 | student-generated content provided by the operator to | ||||||
| 2 | subsequent third parties, and (iii) requires the | ||||||
| 3 | entity to comply with subsection (a) of this Section; | ||||||
| 4 | or
| ||||||
| 5 | (F) for a school purpose or other educational or | ||||||
| 6 | employment purpose requested by a student or the parent | ||||||
| 7 | or legal guardian of a student, provided that the | ||||||
| 8 | student information is not used or disclosed for any | ||||||
| 9 | other purpose.
| ||||||
| 10 | (c) An operator may use student information:
| ||||||
| 11 | (1) to maintain, support, improve, evaluate, or | ||||||
| 12 | diagnose the operator's Internet web site, online service, | ||||||
| 13 | or mobile application;
| ||||||
| 14 | (2) for adaptive learning purposes or customized | ||||||
| 15 | student learning; | ||||||
| 16 | (3) to provide recommendation engines to recommend | ||||||
| 17 | content or services relating to school purposes or other | ||||||
| 18 | educational or employment purposes, provided that the | ||||||
| 19 | recommendation is not determined in whole or in part by | ||||||
| 20 | payment or other consideration from a third party; or
| ||||||
| 21 | (4) to respond to a request for information or feedback | ||||||
| 22 | from a student, provided that the response is not | ||||||
| 23 | determined in whole or in part by payment or other | ||||||
| 24 | consideration from a third party.
| ||||||
| 25 | (d) An operator may use de-identified student information | ||||||
| 26 | or aggregated student information:
| ||||||
| |||||||
| |||||||
| 1 | (1) to develop or improve the operator's Internet web | ||||||
| 2 | site, online service, or mobile application or other | ||||||
| 3 | Internet web sites, online services, or mobile | ||||||
| 4 | applications owned by the operator; or
| ||||||
| 5 | (2) to demonstrate or market the effectiveness of the | ||||||
| 6 | operator's Internet web site, online service, or mobile | ||||||
| 7 | application.
| ||||||
| 8 | (e) An operator may share aggregated student information or | ||||||
| 9 | de-identified student information for the improvement and | ||||||
| 10 | development of Internet web sites, online services, or mobile | ||||||
| 11 | applications designed for school purposes.
| ||||||
| 12 | (f) Nothing in this Section shall be construed to:
| ||||||
| 13 | (1) limit the ability of a law enforcement agency to | ||||||
| 14 | obtain student information, student records, or | ||||||
| 15 | student-generated content from an operator as authorized | ||||||
| 16 | by law or pursuant to a court order;
| ||||||
| 17 | (2) limit the ability of a student or the parent or | ||||||
| 18 | legal guardian of a student to download, export, transfer, | ||||||
| 19 | or otherwise save or maintain student information, student | ||||||
| 20 | records, or student-generated content;
| ||||||
| 21 | (3) impose a duty upon a provider of an interactive | ||||||
| 22 | computer service, as defined in 47 U.S.C. 230, to ensure | ||||||
| 23 | compliance with this Section by third-party information | ||||||
| 24 | content providers, as defined in 47 U.S.C. 230;
| ||||||
| 25 | (4) impose a duty upon a seller or provider of an | ||||||
| 26 | electronic store, gateway, marketplace, or other means of | ||||||
| |||||||
| |||||||
| 1 | purchasing or downloading software applications to review | ||||||
| 2 | or enforce compliance with this Section on the software | ||||||
| 3 | applications;
| ||||||
| 4 | (5) limit an Internet service provider from providing a | ||||||
| 5 | student, parent or legal guardian of a student, or school | ||||||
| 6 | board with the ability to connect to the Internet;
| ||||||
| 7 | (6) prohibit an operator from advertising other | ||||||
| 8 | Internet web sites, online services, or mobile | ||||||
| 9 | applications that are used for school purposes to parents | ||||||
| 10 | or legal guardians of students, provided that the | ||||||
| 11 | advertising does not result from the operator's use of | ||||||
| 12 | student information, student records, or student-generated | ||||||
| 13 | content; or
| ||||||
| 14 | (7) apply to Internet web sites, online services, or | ||||||
| 15 | mobile applications that are designed and marketed for use | ||||||
| 16 | by individuals generally, even if the account credentials | ||||||
| 17 | created for an operator's Internet web site, online | ||||||
| 18 | service, or mobile application may be used to access | ||||||
| 19 | Internet web sites, online services, or mobile | ||||||
| 20 | applications that are designed and marketed for school | ||||||
| 21 | purposes.
| ||||||
| 22 | Section 20. Security breach. | ||||||
| 23 | (a) This Section applies beginning October 1, 2017.
| ||||||
| 24 | (1) Upon the discovery of a breach of security that | ||||||
| 25 | results in the unauthorized release, disclosure, or | ||||||
| |||||||
| |||||||
| 1 | acquisition of student information, excluding any | ||||||
| 2 | directory information contained in the student | ||||||
| 3 | information, a contractor shall notify, without | ||||||
| 4 | unreasonable delay, but not more than 30 days after the | ||||||
| 5 | discovery, the school board of the breach of security. | ||||||
| 6 | During the 30-day period, the contractor may: | ||||||
| 7 | (A) conduct an investigation to determine the | ||||||
| 8 | nature and scope of the unauthorized release, | ||||||
| 9 | disclosure, or acquisition and the identity of the | ||||||
| 10 | students whose student information is involved in the | ||||||
| 11 | unauthorized release, disclosure, or acquisition; or
| ||||||
| 12 | (B) restore the reasonable integrity of the | ||||||
| 13 | contractor's data system.
| ||||||
| 14 | (2) Upon the discovery of a breach of security that | ||||||
| 15 | results in the unauthorized release, disclosure, or | ||||||
| 16 | acquisition of directory information, student records, or | ||||||
| 17 | student-generated content, a contractor shall notify, | ||||||
| 18 | without unreasonable delay, but not more than 60 days after | ||||||
| 19 | the discovery, the school board of the breach of security. | ||||||
| 20 | During the 60-day period, the contractor may:
| ||||||
| 21 | (A) conduct an investigation to determine the | ||||||
| 22 | nature and scope of the unauthorized release, | ||||||
| 23 | disclosure, or acquisition and the identity of the | ||||||
| 24 | students whose directory information, student records, | ||||||
| 25 | or student-generated content is involved in the | ||||||
| 26 | unauthorized release, disclosure, or acquisition; or
| ||||||
| |||||||
| |||||||
| 1 | (B) restore the reasonable integrity of the | ||||||
| 2 | contractor's data system.
| ||||||
| 3 | (3) Upon receipt of notice of a breach of security | ||||||
| 4 | under subdivisions (1) or (2) of this subsection (a), a | ||||||
| 5 | school board shall electronically notify, not later than 48 | ||||||
| 6 | hours after receipt of the notice, the student and the | ||||||
| 7 | parents or legal guardians of the student whose student | ||||||
| 8 | information, student records, or student-generated content | ||||||
| 9 | is involved in the breach of security. The school board | ||||||
| 10 | shall post the notice on the school district's Internet web | ||||||
| 11 | site.
| ||||||
| 12 | (b) Upon the discovery of a breach of security that results | ||||||
| 13 | in the unauthorized release, disclosure, or acquisition of | ||||||
| 14 | student information, student records, or student-generated | ||||||
| 15 | content, an operator that is in possession of or maintains | ||||||
| 16 | student information, student records, or student-generated | ||||||
| 17 | content as a result of a student's use of the operator's | ||||||
| 18 | Internet web site, online service, or mobile application shall:
| ||||||
| 19 | (1) notify, without unreasonable delay, but not more | ||||||
| 20 | than 30 days after the discovery, the student or the | ||||||
| 21 | parents or legal guardians of the student of any breach of | ||||||
| 22 | security that results in the unauthorized release, | ||||||
| 23 | disclosure, or acquisition of student information, | ||||||
| 24 | excluding any directory information contained in the | ||||||
| 25 | student information; and
| ||||||
| 26 | (2) notify, without unreasonable delay, but not more | ||||||
| |||||||
| |||||||
| 1 | than 60 days after the discovery, the student or the | ||||||
| 2 | parents or legal guardians of the student of any breach of | ||||||
| 3 | security that results in the unauthorized release, | ||||||
| 4 | disclosure, or acquisition of directory information, | ||||||
| 5 | student records, or student-generated content of the | ||||||
| 6 | student.
| ||||||
| 7 | During the 30-day or 60-day period, the operator may (i) | ||||||
| 8 | conduct an investigation to determine the nature and scope of | ||||||
| 9 | the unauthorized release, disclosure, or acquisition and the | ||||||
| 10 | identity of the students whose student information, student | ||||||
| 11 | records, or student-generated content are involved in the | ||||||
| 12 | unauthorized release, disclosure, or acquisition or (ii) | ||||||
| 13 | restore the reasonable integrity of the operator's data system.
| ||||||
| 14 | Section 25. Task force. | ||||||
| 15 | (a) There is established a task force to study issues | ||||||
| 16 | relating to student data privacy. The study shall include, but | ||||||
| 17 | not be limited to, an examination of:
| ||||||
| 18 | (1) when a parent or legal guardian of a student may | ||||||
| 19 | reasonably or appropriately request the deletion of | ||||||
| 20 | student information, student records, or student-generated | ||||||
| 21 | content that is in the possession of a contractor or | ||||||
| 22 | operator;
| ||||||
| 23 | (2) means of providing notice to parents and legal | ||||||
| 24 | guardians of students when a student uses an Internet web | ||||||
| 25 | site, online service, or mobile application of an operator | ||||||
| |||||||
| |||||||
| 1 | for instructional purposes in a classroom or as part of an | ||||||
| 2 | assignment by a teacher;
| ||||||
| 3 | (3) reasonable penalties for violations of this Act, | ||||||
| 4 | such as restricting a contractor or operator from accessing | ||||||
| 5 | or collecting student information, student records, or | ||||||
| 6 | student-generated content;
| ||||||
| 7 | (4) strategies in effect in other states that ensure | ||||||
| 8 | that school employees, contractors, and operators are | ||||||
| 9 | trained in data security handling, compliance, and best | ||||||
| 10 | practices;
| ||||||
| 11 | (5) the feasibility of developing a school | ||||||
| 12 | district-wide list of approved Internet web sites, online | ||||||
| 13 | services, and mobile applications;
| ||||||
| 14 | (6) the use of an administrative hearing process | ||||||
| 15 | designed to provide legal recourse to students and parents | ||||||
| 16 | and legal guardians of students aggrieved by any violation | ||||||
| 17 | of this Act;
| ||||||
| 18 | (7) the feasibility of creating an inventory of student | ||||||
| 19 | information, student records, and student-generated | ||||||
| 20 | content currently collected pursuant to State and federal | ||||||
| 21 | law;
| ||||||
| 22 | (8) the feasibility of developing a tool kit for use by | ||||||
| 23 | school boards to:
| ||||||
| 24 | (A) improve student data contracting practices and | ||||||
| 25 | compliance, including a statewide template for use by | ||||||
| 26 | districts;
| ||||||
| |||||||
| |||||||
| 1 | (B) increase school employee awareness of student | ||||||
| 2 | data security best practices, including model training | ||||||
| 3 | components;
| ||||||
| 4 | (C) develop district-wide lists of approved | ||||||
| 5 | software applications and Internet web sites; and
| ||||||
| 6 | (D) increase the availability and accessibility of | ||||||
| 7 | information on student data privacy for parents and | ||||||
| 8 | legal guardians of students and educators; and | ||||||
| 9 | (9) any other issue involving student data security | ||||||
| 10 | that the task force deems relevant.
| ||||||
| 11 | (b) The task force shall consist of all of the following | ||||||
| 12 | members, who shall serve without compensation but may be | ||||||
| 13 | reimbursed for their reasonable and necessary expenses from | ||||||
| 14 | funds appropriated for that purpose:
| ||||||
| 15 | (1) Members appointed by the State Superintendent of | ||||||
| 16 | Education as follows:
| ||||||
| 17 | (A) One operator, one representative of a | ||||||
| 18 | contractor, and 2 experts in information technology | ||||||
| 19 | systems.
| ||||||
| 20 | (B) One representative or member of a statewide | ||||||
| 21 | professional teachers' organization and one | ||||||
| 22 | representative or member of a different statewide | ||||||
| 23 | professional teachers' organization.
| ||||||
| 24 | (C) One representative or member of a statewide | ||||||
| 25 | parent teacher association and one high school student | ||||||
| 26 | in this State.
| ||||||
| |||||||
| |||||||
| 1 | (D) One student privacy advocate.
| ||||||
| 2 | (E) One representative or member of a statewide | ||||||
| 3 | association of school boards.
| ||||||
| 4 | (F) One representative of a statewide association | ||||||
| 5 | of school administrators and one representative or | ||||||
| 6 | member of a statewide association of school district | ||||||
| 7 | superintendents.
| ||||||
| 8 | (2) The Attorney General or the Attorney General's | ||||||
| 9 | designee.
| ||||||
| 10 | (3) The State Superintendent of Education, who shall | ||||||
| 11 | serve as chairperson.
| ||||||
| 12 | (c) All appointments to the task force shall be made not | ||||||
| 13 | later than 30 days after the effective date of this Act. Any | ||||||
| 14 | vacancy shall be filled by the appointing authority.
| ||||||
| 15 | (d) The chairperson shall schedule the first meeting of the | ||||||
| 16 | task force, which shall be held not later than 60 days after | ||||||
| 17 | the effective date of this Act.
| ||||||
| 18 | (e) The State Board of Education shall provide | ||||||
| 19 | administrative and other support to the task force.
| ||||||
| 20 | (f) Not later than January 1, 2018, the task force shall | ||||||
| 21 | submit a report on its findings and recommendations to the | ||||||
| 22 | General Assembly. The task force shall terminate on the date | ||||||
| 23 | that it submits its report or January 1, 2018, whichever is | ||||||
| 24 | later.
| ||||||
| 25 | (g) This Section is repealed on January 1, 2019.
| ||||||
| 26 | Section 99. Effective date. This Act takes effect upon | ||||||
| |||||||
| |||||||
| 1 | becoming law.
| ||||||
