(1) As used in this section:
(a) "Designated government entity" means a government entity that is not a state agency.
(b) "Independent entity" means the same as that term is defined in Section 63E-1-102.
(c)
(i) "Government entity" means the state, a county, a municipality, a higher education institution, a local district, a special service district, a school district, an independent entity, or any other political subdivision of the state or an administrative subunit of any political subdivision, including a law enforcement entity.
(ii) "Government entity" includes an agent of an entity described in Subsection (1)(c)(i).
(d)
(i) "Personal data" means any information relating to an identified or identifiable individual.
(ii) "Personal data" includes personally identifying information.
(e)
(i) "Privacy practice" means the acquisition, use, storage, or disposal of personal data.
(ii) "Privacy practice" includes:
(A) a technology use related to personal data; and
(B) policies related to the protection, storage, sharing, and retention of personal data.
(f)
(i) "State agency" means the following entities that are under the direct supervision and control of the governor or the lieutenant governor:
(A) a department;
(B) a commission;
(C) a board;
(D) a council;
(E) an institution;
(F) an officer;
(G) a corporation;
(H) a fund;
(I) a division;
(J) an office;
(K) a committee;
(L) an authority;
(M) a laboratory;
(N) a library;
(O) a bureau;
(P) a panel;
(Q) another administrative unit of the state; or
(R) an agent of an entity described in Subsections (A) through (Q).
(ii) "State agency" does not include:
(A) the legislative branch;
(B) the judicial branch;
(C) an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or
(D) an independent entity.
(2) The state privacy officer shall:
(a) when completing the duties of this Subsection (2), focus on the privacy practices of designated government entities;
(b) compile information about government privacy practices of designated government entities;
(c) make public and maintain information about government privacy practices on the state auditor's website;
(d) provide designated government entities with educational and training materials developed by the Personal Privacy Oversight Commission established in Section 63C-24-201 that include the information described in Subsection 63C-24-202(1)(b);
(e) implement a process to analyze and respond to requests from individuals for the state privacy officer to review a designated government entity's privacy practice;
(f) identify annually which designated government entities' privacy practices pose the greatest risk to individual privacy and prioritize those privacy practices for review;
(g) review each year, in as timely a manner as possible, the privacy practices that the privacy officer identifies under Subsection (2)(e) or (2)(f) as posing the greatest risk to individuals' privacy;
(h) when reviewing a designated government entity's privacy practice under Subsection (2)(g), analyze:
(i) details about the technology or the policy and the technology's or the policy's application;
(ii) information about the type of data being used;
(iii) information about how the data is obtained, stored, shared, secured, and disposed;
(iv) information about with which persons the designated government entity shares the information;
(v) information about whether an individual can or should be able to opt out of the retention and sharing of the individual's data;
(vi) information about how the designated government entity de-identifies or anonymizes data;
(vii) a determination about the existence of alternative technology or improved practices to protect privacy; and
(viii) a finding of whether the designated government entity's current privacy practice adequately protects individual privacy; and
(i) after completing a review described in Subsections (2)(g) and (h), determine:
(i) each designated government entity's use of personal data, including the designated government entity's practices regarding data:
(A) acquisition;
(B) storage;
(C) disposal;
(D) protection; and
(E) sharing;
(ii) the adequacy of the designated government entity's practices in each of the areas described in Subsection (2)(i)(i); and
(iii) for each of the areas described in Subsection (2)(i)(i) that the state privacy officer determines to require reform, provide recommendations for reform to the designated government entity and the legislative body charged with regulating the designated government entity.
(3)
(a) The legislative body charged with regulating a designated government entity that receives a recommendation described in Subsection (2)(i)(iii) shall hold a public hearing on the proposed reforms:
(i) with a quorum of the legislative body present; and
(ii) within 90 days after the day on which the legislative body receives the recommendation.
(b)
(i) The legislative body shall provide notice of the hearing described in Subsection (3)(a).
(ii) Notice of the public hearing and the recommendations to be discussed shall be posted on:
(A) the Utah Public Notice Website created in Section 63A-16-601 for 30 days before the day on which the legislative body will hold the public hearing; and
(B) the website of the designated government entity that received a recommendation, if the designated government entity has a website, for 30 days before the day on which the legislative body will hold the public hearing.
(iii) Each notice required under Subsection (3)(b)(i) shall:
(A) identify the recommendations to be discussed; and
(B) state the date, time, and location of the public hearing.
(c) During the hearing described in Subsection (3)(a), the legislative body shall:
(i) provide the public the opportunity to ask questions and obtain further information about the recommendations; and
(ii) provide any interested person an opportunity to address the legislative body with concerns about the recommendations.
(d) At the conclusion of the hearing, the legislative body shall determine whether the legislative body shall adopt reforms to address the recommendations and any concerns raised during the public hearing.
(4)
(a) Except as provided in Subsection (4)(b), if the government operations privacy officer described in Section 67-1-17 is not conducting reviews of the privacy practices of state agencies, the state privacy officer may review the privacy practices of a state agency in accordance with the processes described in this section.
(b) Subsection (3) does not apply to a state agency.
(5) The state privacy officer shall:
(a) quarterly report, to the Personal Privacy Oversight Commission:
(i) recommendations for privacy practices for the commission to review; and
(ii) the information provided in Subsection (2)(i); and
(b) annually, on or before October 1, report to the Judiciary Interim Committee:
(i) the results of any reviews described in Subsection (2)(g), if any reviews have been completed;
(ii) reforms, to the extent that the state privacy officer is aware of any reforms, that the designated government entity made in response to any reviews described in Subsection (2)(g);
(iii) the information described in Subsection (2)(i); and
(iv) recommendations for legislation based on any results of a review described in Subsection (2)(g).
Technically renumbered to avoid duplication of section number renumbered and amended in HB27, Chapter 84.