4:015 Identity Protection
The collection, storage, use, and disclosure of social security numbers by the School District shall be consistent with State and federal laws. The goals for managing the District’s collection, storage, use, and disclosure of social security numbers are to:
- Limit all activities involving social security numbers to those circumstances that are authorized by State or federal law.
- Protect each social security number collected or maintained by the District from unauthorized disclosure.
The Superintendent is responsible for ensuring that the District complies with the Identity Protection Act, 5 ILCS 179/. Compliance measures shall include each of the following:
- All employees having access to social security numbers in the course of performing their duties shall be trained to protect the confidentiality of social security numbers. Training should include instructions on the proper handling of information containing social security numbers from the time of collection through the destruction of the information.
- Only employees who are required to use or handle information or documents that contain social security numbers shall have access to such information or documents.
- Social security numbers requested from an individual shall be provided in a manner that makes the social security number easily redacted if the record is required to be released as part of a public records request.
- When collecting a social security number or upon request by an individual, a statement of the purpose(s) for which the District is collecting and using the social security number shall be provided. The stated reason for collection of the social security number must be relevant to the documented purpose.
- All employees must be advised of this policy’s existence, and a copy of the policy must be made available to each employee. The policy must also be made available to any member of the public upon request.
- If this policy is amended, employees will be advised of the existence of the amended policy and a copy of the amended policy will be made available to each employee.
Disposal of materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable; personal information has the meaning stated in #5, above.
The Superintendent is also responsible for ensuring the District complies with the Personal Information Protection Act, 815 ILCS 530/. Compliance measures shall include each of the following:
- Written or electronic notification to an individual as required by 815 ILCS 530/12 whenever his or her personal information was acquired by an unauthorized person, personal information means either:
- An individual’s first name or first initial and last name in combination with any one or more of his or her (i) social security number, (ii) driver’s license number or State identification card number, (iii) financial account information (with any required security codes or passwords), (iv) medical information, (v) health insurance information and/or (vi) unique biometric data or other unique physical or digital representation of biometric data, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired through the breach of security; or
- An individual’s username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the username or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
- Disposal of material containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable; personal information has the meaning stated in #1 above.
- Notification, no later than 45 days of the discovery of a security breach, to the Illinois Attorney General
- If the District suffers a breach of more than 250 Illinois residents; or
- When the District provides notice as required in #1, above.
- No District employee shall collect, store, use or disclose an individual’s social security number unless specifically authorized by the Superintendent. This policy shall not be interpreted as a guarantee of the confidentiality of social security numbers and/or other personal information. The District will use the best efforts to comply with this policy, but this policy should not be construed to convey any rights to protection of information not otherwise afforded by law.
5 ILCS 179/, Identity Protection Act.
815 ILCS 530/, Personal Information Protection Act
Date Adopted: June 28, 2011
Date Amended: January 23, 2018