|
|
||||
| Public Act 096-0874 |
||||
| ||||
| ||||
AN ACT concerning State government.
| ||||
Be it enacted by the People of the State of Illinois,
| ||||
represented in the General Assembly:
| ||||
Section 1. Short title. This Act may be cited as the | ||||
Identity Protection Act. | ||||
Section 5. Definitions. In this Act: | ||||
"Identity-protection policy" means any policy created to | ||||
protect social security numbers from unauthorized disclosure.
| ||||
"Local government agency" means that term as it is defined | ||||
in Section 1-8 of the Illinois State Auditing Act.
| ||||
"Person" means any individual in the employ of a State | ||||
agency or local government agency.
| ||||
"Publicly post" or "publicly display" means to | ||||
intentionally communicate or otherwise intentionally make | ||||
available to the general public.
| ||||
"State agency" means that term as it is defined in Section | ||||
1-7 of the Illinois State Auditing Act.
| ||||
Section 10. Prohibited Activities. | ||||
(a) Beginning July 1, 2010, no person or State or local | ||||
government agency may do any of the following:
| ||||
(1) Publicly post or publicly display in any manner an | ||||
individual's social security number.
| ||||
(2) Print an individual's social security number on any | ||
card required for the individual to access products or | ||
services provided by the person or entity.
| ||
(3) Require an individual to transmit his or her social | ||
security number over the Internet, unless the connection is | ||
secure or the social security number is encrypted.
| ||
(4) Print an individual's social security number on any | ||
materials that are mailed to the individual, through the | ||
U.S. Postal Service, any private mail service, electronic | ||
mail, or any similar method of delivery, unless State or | ||
federal law requires the social security number to be on | ||
the document to be mailed. Notwithstanding any provision in | ||
this Section to the contrary, social security numbers may | ||
be included in applications and forms sent by mail, | ||
including, but not limited to, any material mailed in | ||
connection with the administration of the Unemployment | ||
Insurance Act, any material mailed in connection with any | ||
tax administered by the Department of Revenue, and | ||
documents sent as part of an application or enrollment | ||
process or to establish, amend, or terminate an account, | ||
contract, or policy or to confirm the accuracy of the | ||
social security number. A social security number that may | ||
permissibly be mailed under this Section may not be | ||
printed, in whole or in part, on a postcard or other mailer | ||
that does not require an envelope or be visible on an | ||
envelope without the envelope having been opened.
| ||
(b) Except as otherwise provided in this Act, beginning | ||
July 1, 2010, no person or State or local government agency may | ||
do any of the following:
| ||
(1) Collect, use, or disclose a social security number | ||
from an individual, unless (i) required to do so under | ||
State or federal law, rules, or regulations, or the | ||
collection, use, or disclosure of the social security | ||
number is otherwise necessary for the performance of that | ||
agency's duties and responsibilities; (ii) the need and | ||
purpose for the social security number is documented before | ||
collection of the social security number; and (iii) the | ||
social security number collected is relevant to the | ||
documented need and purpose.
| ||
(2) Require an individual to use his or her social | ||
security number to access an Internet website.
| ||
(3) Use the social security number for any purpose | ||
other than the purpose for which it was collected.
| ||
(c) The prohibitions in subsection (b) do not apply in the | ||
following circumstances:
| ||
(1) The disclosure of social security numbers to | ||
agents, employees, contractors, or subcontractors of a | ||
governmental entity or disclosure by a governmental entity | ||
to another governmental entity or its agents, employees, | ||
contractors, or subcontractors if disclosure is necessary | ||
in order for the entity to perform its duties and | ||
responsibilities; and, if disclosing to a contractor or | ||
subcontractor, prior to such disclosure, the governmental | ||
entity must first receive from the contractor or | ||
subcontractor a copy of the contractor's or | ||
subcontractor's policy that sets forth how the | ||
requirements imposed under this Act on a governmental | ||
entity to protect an individual's social security number | ||
will be achieved.
| ||
(2) The disclosure of social security numbers pursuant | ||
to a court order, warrant, or subpoena.
| ||
(3) The collection, use, or disclosure of social | ||
security numbers in order to ensure the safety of: State | ||
and local government employees; persons committed to | ||
correctional facilities, local jails, and other | ||
law-enforcement facilities or retention centers; wards of | ||
the State; and all persons working in or visiting a State | ||
or local government agency facility.
| ||
(4) The collection, use, or disclosure of social | ||
security numbers for internal verification or | ||
administrative purposes.
| ||
(5) The disclosure of social security numbers by a | ||
State agency to any entity for the collection of delinquent | ||
child support or of any State debt or to a governmental | ||
agency to assist with an investigation or the prevention of | ||
fraud.
| ||
(6) The collection or use of social security numbers to | ||
investigate or prevent fraud, to conduct background | ||
checks, to collect a debt, to obtain a credit report from a | ||
consumer reporting agency under the federal Fair Credit | ||
Reporting Act, to undertake any permissible purpose that is | ||
enumerated under the federal Gramm Leach Bliley Act, or to | ||
locate a missing person, a lost relative, or a person who | ||
is due a benefit, such as a pension benefit or an unclaimed | ||
property benefit.
| ||
(d) If any State or local government agency has adopted | ||
standards for the collection, use, or disclosure of social | ||
security numbers that are stricter than the standards under | ||
this Act with respect to the protection of those social | ||
security numbers, then, in the event of any conflict with the | ||
provisions of this Act, the stricter standards adopted by the | ||
State or local government agency shall control.
| ||
Section 15. Public inspection and copying of documents. | ||
Notwithstanding any other provision of this Act to the | ||
contrary, a person or State or local government agency must | ||
comply with the provisions of any other State law with respect | ||
to allowing the public inspection and copying of information or | ||
documents containing all or any portion of an individual's | ||
social security number. A person or State or local government | ||
agency must redact social security numbers from the information | ||
or documents before allowing the public inspection or copying | ||
of the information or documents. | ||
Section 20. Applicability. | ||
(a) This Act does not apply to the collection, use, or | ||
disclosure of a social security number as required by State or | ||
federal law, rule, or regulation.
| ||
(b) This Act does not apply to documents that are recorded | ||
with a county recorder or required to be open to the public | ||
under any State or federal law, rule, or regulation, applicable | ||
case law, Supreme Court Rule, or the Constitution of the State | ||
of Illinois. Notwithstanding this Section, county recorders | ||
must comply with Section 35 of this Act.
| ||
Section 25. Compliance with federal law. If a federal law | ||
takes effect requiring any federal agency to establish a | ||
national unique patient health identifier program, any State or | ||
local government agency that complies with the federal law | ||
shall be deemed to be in compliance with this Act. | ||
Section 30. Embedded social security numbers. Beginning | ||
December 31, 2009, no person or State or local government | ||
agency may encode or embed a social security number in or on a | ||
card or document, including, but not limited to, using a bar | ||
code, chip, magnetic strip, RFID technology, or other | ||
technology, in place of removing the social security number as | ||
required by this Act. | ||
Section 35. Identity-protection policy; local government. | ||
(a) Each local government agency must draft and approve an | ||
identity-protection policy within 12 months after the | ||
effective date of this Act. The policy must do all of the | ||
following:
| ||
(1) Identify this Act.
| ||
(2) Require all employees of the local government | ||
agency identified as having access to social security | ||
numbers in the course of performing their duties to be | ||
trained to protect the confidentiality of social security | ||
numbers. Training should include instructions on the | ||
proper handling of information that contains social | ||
security numbers from the time of collection through the | ||
destruction of the information.
| ||
(3) Direct that only employees who are required to use | ||
or handle information or documents that contain social | ||
security numbers have access to such information or | ||
documents. | ||
(4) Require that social security numbers requested | ||
from an individual be provided in a manner that makes the | ||
social security number easily redacted if required to be | ||
released as part of a public records request.
| ||
(5) Require that, when collecting a social security | ||
number or upon request by the individual, a statement of | ||
the purpose or purposes for which the agency is collecting | ||
and using the social security number be provided.
| ||
(b) Each local government agency must file a written copy | ||
of its privacy policy with the governing board of the unit of | ||
local government within 30 days after approval of the policy. | ||
Each local government agency must advise its employees of the | ||
existence of the policy and make a copy of the policy available | ||
to each of its employees, and must also make its privacy policy | ||
available to any member of the public, upon request. If a local | ||
government agency amends its privacy policy, then that agency | ||
must file a written copy of the amended policy with the | ||
appropriate entity and must also advise its employees of the | ||
existence of the amended policy and make a copy of the amended | ||
policy available to each of its employees.
| ||
(c) Each local government agency must implement the | ||
components of its identity-protection policy that are | ||
necessary to meet the requirements of this Act within 12 months | ||
after the date the identity-protection policy is approved. This | ||
subsection (c) shall not affect the requirements of Section 10 | ||
of this Act.
| ||
Section 37. Identity-protection policy; State. | ||
(a) Each State agency must draft and approve an | ||
identity-protection policy within 12 months after the | ||
effective date of this Act. The policy must do all of the | ||
following:
| ||
(1) Identify this Act.
| ||
(2) Require all employees of the State agency | ||
identified as having access to social security numbers in | ||
the course of performing their duties to be trained to | ||
protect the confidentiality of social security numbers. | ||
Training should include instructions on proper handling of | ||
information that contains social security numbers from the | ||
time of collection through the destruction of the | ||
information.
| ||
(3) Direct that only employees who are required to use | ||
or handle information or documents that contain social | ||
security numbers have access to such information or | ||
documents.
| ||
(4) Require that social security numbers requested | ||
from an individual be placed in a manner that makes the | ||
social security number easily redacted if required to be | ||
released as part of a public records request.
| ||
(5) Require that, when collecting a social security | ||
number or upon request by the individual, a statement of | ||
the purpose or purposes for which the agency is collecting | ||
and using the social security number be provided.
| ||
(b) Each State agency must provide a copy of its | ||
identity-protection policy to the Social Security Number | ||
Protection Task Force within 30 days after the approval of the | ||
policy.
| ||
(c) Each State agency must implement the components of its | ||
identity-protection policy that are necessary to meet the | ||
requirements of this Act within 12 months after the date the | ||
identity-protection policy is approved. This subsection (c) | ||
shall not affect the requirements of Section 10 of this Act.
| ||
Section 40. Judicial branch and clerks of courts. The | ||
judicial branch and clerks of the circuit court are not subject | ||
to the provisions of this Act, except that the Supreme Court | ||
shall, under its rulemaking authority or by administrative | ||
order, adopt requirements applicable to the judicial branch, | ||
including clerks of the circuit court, regulating the | ||
disclosure of social security numbers consistent with the | ||
intent of this Act and the unique circumstances relevant in the | ||
judicial process. | ||
Section 45. Violation. Any person who intentionally | ||
violates the prohibitions in Section 10 of this Act is guilty | ||
of a Class B misdemeanor. | ||
Section 50. Home rule. A home rule unit of local | ||
government, any non-home rule municipality, or any non-home | ||
rule county may regulate the use of social security numbers, | ||
but that regulation must be no less restrictive than this Act. | ||
This Act is a limitation under subsection (i) of Section 6 of | ||
Article VII of the Illinois Constitution on the concurrent | ||
exercise by home rule units of powers and functions exercised | ||
by the State. | ||
Section 55. This Act does not supersede any more | ||
restrictive law, rule, or regulation regarding the collection, | ||
use, or disclosure of social security numbers. | ||
Section 90. The State Mandates Act is amended by adding | ||
Section 8.33 as follows: | ||
(30 ILCS 805/8.33 new) | ||
Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 | ||
of this Act, no reimbursement by the State is required for the | ||
implementation of any mandate created by the Identity | ||
Protection Act.
| ||