1     PRIVACY PROTECTION AMENDMENTS
2     2021 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Francis D. Gibson
5     Senate Sponsor: Kirk A. Cullimore
6     Cosponsors:
7     Suzanne Harrison, Brian S. King, Val L. Peterson, Ryan D. Wilcox
8     
9     LONG TITLE
10     General Description:
11          This bill creates positions to oversee privacy practices in state government.
12     Highlighted Provisions:
13          This bill:
14          ▸     creates the government operations privacy officer, who will be appointed by the
15     governor;
16          ▸     authorizes the government operations privacy officer to review the data practices of
17     state agencies;
18          ▸     creates the Personal Privacy Oversight Commission, whose membership is
19     appointed by the governor, the state auditor, and the attorney general;
20          ▸     directs the Personal Privacy Oversight Commission to establish guidelines and best
21     practices with respect to certain government technology uses related to personal
22     privacy and policies related to data security;
23          ▸     authorizes the Personal Privacy Oversight Commission to review government
24     technology uses related to personal privacy and policies related to data security;
25          ▸     directs the state auditor to appoint and oversee the state privacy officer;
26          ▸     authorizes the state privacy officer to review the data practices of certain
27     government entities; and
28          ▸     creates a reporting requirement for the operations privacy officer, the Personal
29     Privacy Oversight Committee, and the data privacy officer.
30     Money Appropriated in this Bill:
31          None
32     Other Special Clauses:
33          None
34     Utah Code Sections Affected:
35     AMENDS:
36          67-3-1, as last amended by Laws of Utah 2018, Chapters 200 and 256
37     ENACTS:
38          63C-23-101, Utah Code Annotated 1953
39          63C-23-102, Utah Code Annotated 1953
40          63C-23-201, Utah Code Annotated 1953
41          63C-23-202, Utah Code Annotated 1953
42          67-1-17, Utah Code Annotated 1953
43          67-3-12, Utah Code Annotated 1953
44     

45     Be it enacted by the Legislature of the state of Utah:
46          Section 1. Section 63C-23-101 is enacted to read:
47     CHAPTER 23. PERSONAL PRIVACY OVERSIGHT COMMISSION

48     Part 1. General Provisions

49          63C-23-101. Title.
50          This chapter is known as the "Personal Privacy Oversight Commission."
51          Section 2. Section 63C-23-102 is enacted to read:
52          63C-23-102. Definitions.
53          As used in this chapter:
54          (1) "Commission" means the Personal Privacy Oversight Commission created in
55     Section 63C-23-201.
56          (2) (a) "Government entity" means the state, a county, a municipality, a higher
57     education institution, a local district, a special service district, a school district, an independent
58     entity, or any other political subdivision of the state or an administrative subunit of any
59     political subdivision, including a law enforcement entity.
60          (b) "Government entity" includes an agent of an entity described in Subsection (2)(a).
61          (3) "Independent entity" means the same as that term is defined in Section 63E-1-102.
62          (4) (a) "Personal data" means any information relating to an identified or identifiable
63     individual.
64          (b) "Personal data" includes personally identifying information.
65          (5) (a) "Privacy practice" means the acquisition, use, storage, or disposal of personal
66     data.
67          (b) "Privacy practice" includes:
68          (i) a technology use related to personal data; and
69          (ii) policies related to the protection, storage, sharing, and retention of personal data.
70          Section 3. Section 63C-23-201 is enacted to read:
71     Part 2. Personal Privacy Oversight Commission

72          63C-23-201. Personal Privacy Oversight Commission created.
73          (1) There is created the Personal Privacy Oversight Commission.
74          (2) (a) The commission shall be composed of 12 members.
75          (b) The governor shall appoint:
76          (i) one member who, at the time of appointment, provides internet technology services
77     for a county or a municipality;
78          (ii) one member with experience in cybersecurity;
79          (iii) one member representing private industry in technology;
80          (iv) one member representing law enforcement; and
81          (v) one member with experience in data privacy law.
82          (c) The state auditor shall appoint:
83          (i) one member with experience in internet technology services;
84          (ii) one member with experience in cybersecurity;
85          (iii) one member representing private industry in technology;
86          (iv) one member with experience in data privacy law; and
87          (v) one member with experience in civil liberties law or policy and with specific
88     experience in identifying the disparate impacts of the use of a technology or a policy on
89     different populations.
90          (d) The attorney general shall appoint:
91          (i) one member with experience as a prosecutor or appellate attorney and with
92     experience in civil liberties law; and
93          (ii) one member representing law enforcement.
94          (3) (a) Except as provided in Subsection (3)(b), a member is appointed for a term of
95     four years.
96          (b) The initial appointments of members described in Subsections (2)(b)(i) through
97     (b)(iii), (2)(c)(iv) through (c)(v), and (2)(d)(ii) shall be for two-year terms.
98          (c) When the term of a current member expires, a member shall be reappointed or a
99     new member shall be appointed in accordance with Subsection (2).
100          (4) (a) When a vacancy occurs in the membership for any reason, a replacement shall
101     be appointed in accordance with Subsection (2) for the unexpired term.
102          (b) A member whose term has expired may continue to serve until a replacement is
103     appointed.
104          (5) The commission shall select officers from the commission's members as the
105     commission finds necessary.
106          (6) (a) A majority of the members of the commission is a quorum.
107          (b) The action of a majority of a quorum constitutes an action of the commission.
108          (7) A member may not receive compensation or benefits for the member's service but
109     may receive per diem and travel expenses incurred as a member of the commission at the rates
110     established by the Division of Finance under:
111          (a) Sections 63A-3-106 and 63A-3-107; and
112          (b) rules made by the Division of Finance in accordance with Sections 63A-3-106 and
113     63A-3-107.
114          (8) A member shall refrain from participating in a review of:
115          (a) an entity of which the member is an employee; or
116          (b) a technology in which the member has a financial interest.
117          (9) The state auditor shall provide staff and support to the commission.
118          (10) The commission shall meet up to seven times a year to accomplish the duties
119     described in Section 63C-23-202.
120          Section 4. Section 63C-23-202 is enacted to read:
121          63C-23-202. Commission duties.
122          (1) The commission shall:
123          (a) develop guiding standards and best practices with respect to government privacy
124     practices;
125          (b) develop educational and training materials that include information about:
126          (i) the privacy implications and civil liberties concerns of the privacy practices of
127     government entities;
128          (ii) best practices for government collection and retention policies regarding personal
129     data; and
130          (iii) best practices for government personal data security standards; and
131          (c) review the privacy implications and civil liberties concerns of government privacy
132     practices.
133          (2) The commission may:
134          (a) review specific government privacy practices as referred to the commission by the
135     government operations privacy officer described in Section 67-1-17 or the state privacy officer
136     described in Section 67-3-12; and
137          (b) develop recommendations for legislation regarding the guiding standards and best
138     practices the commission has developed in accordance with Subsection (1)(a).
139          (3) Annually, on or before October 1, the commission shall report to the Judiciary
140     Interim Committee:
141          (a) the results of any reviews the commission has conducted;
142          (b) the guiding standards and best practices described in Subsection (1)(a); and
143          (c) any recommendations for legislation the commission has developed in accordance
144     with Subsection (2)(b).
145          Section 5. Section 67-1-17 is enacted to read:
146          67-1-17. Government operations privacy officer.
147          (1) As used in this section:
148          (a) "Independent entity" means the same as that term is defined in Section 63E-1-102.
149          (b) (i) "Personal data" means any information relating to an identified or identifiable
150     individual.
151          (ii) "Personal data" includes personally identifying information.
152          (c) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
153     data.
154          (ii) "Privacy practice" includes:
155          (A) a technology use related to personal data; and
156          (B) policies related to the protection, storage, sharing, and retention of personal data.
157          (d) (i) "State agency" means the following entities that are under the direct supervision
158     and control of the governor or the lieutenant governor:
159          (A) a department;
160          (B) a commission;
161          (C) a board;
162          (D) a council;
163          (E) an institution;
164          (F) an officer;
165          (G) a corporation;
166          (H) a fund;
167          (I) a division;
168          (J) an office;
169          (K) a committee;
170          (L) an authority;
171          (M) a laboratory;
172          (N) a library;
173          (O) a bureau;
174          (P) a panel;
175          (Q) another administrative unit of the state; or
176          (R) an agent of an entity described in Subsections (A) through (Q).
177          (ii) "State agency" does not include:
178          (A) the legislative branch;
179          (B) the judicial branch;
180          (C) an executive branch agency within the Office of the Attorney General, the state
181     auditor, the state treasurer, or the State Board of Education; or
182          (D) an independent entity.
183          (2) The governor may, with the advice and consent of the Senate, appoint a
184     government operations privacy officer.
185          (3) The government operations privacy officer shall:
186          (a) compile information about the privacy practices of state agencies;
187          (b) make public and maintain information about the privacy practices of state agencies
188     on the governor's website;
189          (c) provide state agencies with educational and training materials developed by the
190     Personal Privacy Oversight Commission established in Section 63C-23-201 that include the
191     information described in Subsection 63C-23-202(1)(b);
192          (d) implement a process to analyze and respond to requests from individuals for the
193     government operations privacy officer to review a state agency's privacy practice;
194          (e) identify annually which state agencies' privacy practices pose the greatest risk to
195     individual privacy and prioritize those privacy practices for review;
196          (f) review each year, in as timely a manner as possible, the privacy practices that the
197     government operations privacy officer identifies under Subsection (3)(d) or (e) as posing the
198     greatest risk to individuals' privacy;
199          (g) when reviewing a state agency's privacy practice under Subsection (3)(f), analyze:
200          (i) details about the privacy practice;
201          (ii) information about the type of data being used;
202          (iii) information about how the data is obtained, shared, secured, stored, and disposed;
203          (iv) information about with which persons the state agency shares the information;
204          (v) information about whether an individual can or should be able to opt out of the
205     retention and sharing of the individual's data;
206          (vi) information about how the state agency de-identifies or anonymizes data;
207          (vii) a determination about the existence of alternative technology or improved
208     practices to protect privacy; and
209          (viii) a finding of whether the state agency's current privacy practice adequately
210     protects individual privacy; and
211          (h) after completing a review described in Subsections (3)(f) and (g), determine:
212          (i) each state agency's use of personal data, including the state agency's practices
213     regarding data:
214          (A) acquisition;
215          (B) storage;
216          (C) disposal;
217          (D) protection; and
218          (E) sharing;
219          (ii) the adequacy of the state agency's practices in each of the areas described in
220     Subsection (3)(h)(i); and
221          (iii) for each of the areas described in Subsection (3)(h)(i) that the government
222     operations privacy officer determines require reform, provide recommendations to the state
223     agency for reform.
224          (4) The government operations privacy officer shall:
225          (a) quarterly report, to the Personal Privacy Oversight Commission:
226          (i) recommendations for privacy practices for the commission to review; and
227          (ii) the information described in Subsection (3)(h); and
228          (b) annually, on or before October 1, report to the Judiciary Interim Committee:
229          (i) the results of any reviews described in Subsection (3)(g), if any reviews have been
230     completed;
231          (ii) reforms, to the extent that the government operations privacy officer is aware of
232     any reforms, that the state agency made in response to any reviews described in Subsection
233     (3)(g);
234          (iii) the information described in Subsection (3)(h); and
235          (iv) recommendations for legislation based on the results of any reviews described in
236     Subsection (3)(g).
237          Section 6. Section 67-3-1 is amended to read:
238          67-3-1. Functions and duties.
239          (1) (a) The state auditor is the auditor of public accounts and is independent of any
240     executive or administrative officers of the state.
241          (b) The state auditor is not limited in the selection of personnel or in the determination
242     of the reasonable and necessary expenses of the state auditor's office.
243          (2) The state auditor shall examine and certify annually in respect to each fiscal year,
244     financial statements showing:
245          (a) the condition of the state's finances;
246          (b) the revenues received or accrued;
247          (c) expenditures paid or accrued;
248          (d) the amount of unexpended or unencumbered balances of the appropriations to the
249     agencies, departments, divisions, commissions, and institutions; and
250          (e) the cash balances of the funds in the custody of the state treasurer.
251          (3) (a) The state auditor shall:
252          (i) audit each permanent fund, each special fund, the General Fund, and the accounts of
253     any department of state government or any independent agency or public corporation as the law
254     requires, as the auditor determines is necessary, or upon request of the governor or the
255     Legislature;
256          (ii) perform the audits in accordance with generally accepted auditing standards and
257     other auditing procedures as promulgated by recognized authoritative bodies;
258          (iii) as the auditor determines is necessary, conduct the audits to determine:
259          (A) honesty and integrity in fiscal affairs;
260          (B) accuracy and reliability of financial statements;
261          (C) effectiveness and adequacy of financial controls; and
262          (D) compliance with the law.
263          (b) If any state entity receives federal funding, the state auditor shall ensure that the
264     audit is performed in accordance with federal audit requirements.
265          (c) (i) The costs of the federal compliance portion of the audit may be paid from an
266     appropriation to the state auditor from the General Fund.
267          (ii) If an appropriation is not provided, or if the federal government does not
268     specifically provide for payment of audit costs, the costs of the federal compliance portions of
269     the audit shall be allocated on the basis of the percentage that each state entity's federal funding
270     bears to the total federal funds received by the state.
271          (iii) The allocation shall be adjusted to reflect any reduced audit time required to audit
272     funds passed through the state to local governments and to reflect any reduction in audit time
273     obtained through the use of internal auditors working under the direction of the state auditor.
274          (4) (a) Except as provided in Subsection (4)(b), the state auditor shall, in addition to
275     financial audits, and as the auditor determines is necessary, conduct performance and special
276     purpose audits, examinations, and reviews of any entity that receives public funds, including a
277     determination of any or all of the following:
278          (i) the honesty and integrity of all [its] the entity's fiscal affairs;
279          (ii) whether or not [its] the entity's administrators have faithfully complied with
280     legislative intent;
281          (iii) whether or not [its] the entity's operations have been conducted in an efficient,
282     effective, and cost-efficient manner;
283          (iv) whether or not [its] the entity's programs have been effective in accomplishing the
284     intended objectives; and
285          (v) whether or not [its] the entity's management, control, and information systems are
286     adequate, effective, and secure.
287          (b) The auditor may not conduct performance and special purpose audits,
288     examinations, and reviews of any entity that receives public funds if the entity:
289          (i) has an elected auditor; and
290          (ii) has, within the entity's last budget year, had [its] the entity's financial statements or
291     performance formally reviewed by another outside auditor.
292          (5) The state auditor:
293          (a) shall administer any oath or affirmation necessary to the performance of the duties
294     of the auditor's office[,]; and
295          (b) may:
296          (i) subpoena witnesses and documents, whether electronic or otherwise[,]; and
297          (ii) examine into any matter that the auditor considers necessary.
298          (6) The state auditor may require all persons who have had the disposition or
299     management of any property of this state or its political subdivisions to submit statements
300     regarding [it] the property at the time and in the form that the auditor requires.
301          (7) The state auditor shall:
302          (a) except where otherwise provided by law, institute suits in Salt Lake County in
303     relation to the assessment, collection, and payment of [its] revenues against:
304          (i) persons who by any means have become entrusted with public money or property
305     and have failed to pay over or deliver the money or property; and
306          (ii) all debtors of the state;
307          (b) collect and pay into the state treasury all fees received by the state auditor;
308          (c) perform the duties of a member of all boards of which the state auditor is a member
309     by the constitution or laws of the state, and any other duties that are prescribed by the
310     constitution and by law;
311          (d) stop the payment of the salary of any state official or state employee who:
312          (i) refuses to settle accounts or provide required statements about the custody and
313     disposition of public funds or other state property;
314          (ii) refuses, neglects, or ignores the instruction of the state auditor or any controlling
315     board or department head with respect to the manner of keeping prescribed accounts or funds;
316     or
317          (iii) fails to correct any delinquencies, improper procedures, and errors brought to the
318     official's or employee's attention;
319          (e) establish accounting systems, methods, and forms for public accounts in all taxing
320     or fee-assessing units of the state in the interest of uniformity, efficiency, and economy;
321          (f) superintend the contractual auditing of all state accounts;
322          (g) subject to Subsection (8)(a), withhold state allocated funds or the disbursement of
323     property taxes from a state or local taxing or fee-assessing unit, if necessary, to ensure that
324     officials and employees in those taxing units comply with state laws and procedures in the
325     budgeting, expenditures, and financial reporting of public funds;
326          (h) subject to Subsection (9), withhold the disbursement of tax money from any county,
327     if necessary, to ensure that officials and employees in the county comply with Section
328     59-2-303.1; and
329          (i) withhold state allocated funds or the disbursement of property taxes from a local
330     government entity or a limited purpose entity, as those terms are defined in Section 67-1a-15 if
331     the state auditor finds the withholding necessary to ensure that the entity registers and
332     maintains the entity's registration with the lieutenant governor, in accordance with Section
333     67-1a-15.
334          (8) (a) Except as otherwise provided by law, the state auditor may not withhold funds
335     under Subsection (7)(g) until a state or local taxing or fee-assessing unit has received formal
336     written notice of noncompliance from the auditor and has been given 60 days to make the
337     specified corrections.
338          (b) If, after receiving notice under Subsection (8)(a), a state or independent local
339     fee-assessing unit that exclusively assesses fees has not made corrections to comply with state
340     laws and procedures in the budgeting, expenditures, and financial reporting of public funds, the
341     state auditor:
342          (i) shall provide a recommended timeline for corrective actions; [and]
343          (ii) may prohibit the state or local fee-assessing unit from accessing money held by the
344     state; and
345          (iii) may prohibit a state or local fee-assessing unit from accessing money held in an
346     account of a financial institution by filing an action in district court requesting an order of the
347     court to prohibit a financial institution from providing the fee-assessing unit access to an
348     account.
349          (c) The state auditor shall remove a limitation on accessing funds under Subsection
350     (8)(b) upon compliance with state laws and procedures in the budgeting, expenditures, and
351     financial reporting of public funds.
352          (d) If a local taxing or fee-assessing unit has not adopted a budget in compliance with
353     state law, the state auditor:
354          (i) shall provide notice to the taxing or fee-assessing unit of the unit's failure to
355     comply;
356          (ii) may prohibit the taxing or fee-assessing unit from accessing money held by the
357     state; and
358          (iii) may prohibit a taxing or fee-assessing unit from accessing money held in an
359     account of a financial institution by:
360          (A) contacting the taxing or fee-assessing unit's financial institution and requesting that
361     the institution prohibit access to the account; or
362          (B) filing an action in district court requesting an order of the court to prohibit a
363     financial institution from providing the taxing or fee-assessing unit access to an account.
364          (e) If the local taxing or fee-assessing unit adopts a budget in compliance with state
365     law, the state auditor shall eliminate a limitation on accessing funds described in Subsection
366     (8)(d).
367          (9) The state auditor may not withhold funds under Subsection (7)(h) until a county has
368     received formal written notice of noncompliance from the auditor and has been given 60 days
369     to make the specified corrections.
370          (10) (a) The state auditor may not withhold funds under Subsection (7)(i) until the state
371     auditor receives a notice of non-registration, as that term is defined in Section 67-1a-15.
372          (b) If the state auditor receives a notice of non-registration, the state auditor may
373     prohibit the local government entity or limited purpose entity, as those terms are defined in
374     Section 67-1a-15, from accessing:
375          (i) money held by the state; and
376          (ii) money held in an account of a financial institution by:
377          (A) contacting the entity's financial institution and requesting that the institution
378     prohibit access to the account; or
379          (B) filing an action in district court requesting an order of the court to prohibit a
380     financial institution from providing the entity access to an account.
381          (c) The state auditor shall remove the prohibition on accessing funds described in
382     Subsection (10)(b) if the state auditor received a notice of registration, as that term is defined in
383     Section 67-1a-15, from the lieutenant governor.
384          (11) Notwithstanding Subsection (7)(g), (7)(h), (7)(i), (8)(b), (8)(d), or (10)(b), the
385     state auditor:
386          (a) shall authorize a disbursement by a local government entity or limited purpose
387     entity, as those terms are defined in Section 67-1a-15, or a state or local taxing or fee-assessing
388     unit if the disbursement is necessary to:
389          (i) avoid a major disruption in the operations of the local government entity, limited
390     purpose entity, or state or local taxing or fee-assessing unit; or
391          (ii) meet debt service obligations; and
392          (b) may authorize a disbursement by a local government entity, limited purpose entity,
393     or state or local taxing or fee-assessing unit as the state auditor determines is appropriate.
394          (12) (a) The state auditor may seek relief under the Utah Rules of Civil Procedure to
395     take temporary custody of public funds if an action is necessary to protect public funds from
396     being improperly diverted from their intended public purpose.
397          (b) If the state auditor seeks relief under Subsection (12)(a):
398          (i) the state auditor is not required to exhaust the procedures in Subsection (7) or (8);
399     and
400          (ii) the state treasurer may hold the public funds in accordance with Section 67-4-1 if a
401     court orders the public funds to be protected from improper diversion from their public
402     purpose.
403          (13) The state auditor shall:
404          (a) establish audit guidelines and procedures for audits of local mental health and
405     substance abuse authorities and their contract providers, conducted pursuant to Title 17,
406     Chapter 43, Part 2, Local Substance Abuse Authorities, Title 17, Chapter 43, Part 3, Local
407     Mental Health Authorities, Title 51, Chapter 2a, Accounting Reports from Political
408     Subdivisions, Interlocal Organizations, and Other Local Entities Act, and Title 62A, Chapter
409     15, Substance Abuse and Mental Health Act; and
410          (b) ensure that those guidelines and procedures provide assurances to the state that:
411          (i) state and federal funds appropriated to local mental health authorities are used for
412     mental health purposes;
413          (ii) a private provider under an annual or otherwise ongoing contract to provide
414     comprehensive mental health programs or services for a local mental health authority is in
415     compliance with state and local contract requirements, and state and federal law;
416          (iii) state and federal funds appropriated to local substance abuse authorities are used
417     for substance abuse programs and services; and
418          (iv) a private provider under an annual or otherwise ongoing contract to provide
419     comprehensive substance abuse programs or services for a local substance abuse authority is in
420     compliance with state and local contract requirements, and state and federal law.
421          (14) The state auditor may, in accordance with the auditor's responsibilities for political
422     subdivisions of the state as provided in Title 51, Chapter 2a, Accounting Reports from Political
423     Subdivisions, Interlocal Organizations, and Other Local Entities Act, initiate audits or
424     investigations of any political subdivision that are necessary to determine honesty and integrity
425     in fiscal affairs, accuracy and reliability of financial statements, effectiveness, and adequacy of
426     financial controls and compliance with the law.
427          (15) (a) The state auditor may not audit work that the state auditor performed before
428     becoming state auditor.
429          (b) If the state auditor has previously been a responsible official in state government
430     whose work has not yet been audited, the Legislature shall:
431          (i) designate how that work shall be audited; and
432          (ii) provide additional funding for those audits, if necessary.
433          (16) The state auditor shall:
434          (a) with the assistance, advice, and recommendations of an advisory committee
435     appointed by the state auditor from among local district boards of trustees, officers, and
436     employees and special service district boards, officers, and employees:
437          (i) prepare a Uniform Accounting Manual for Local Districts that:
438          (A) prescribes a uniform system of accounting and uniform budgeting and reporting
439     procedures for local districts under Title 17B, Limited Purpose Local Government Entities -
440     Local Districts, and special service districts under Title 17D, Chapter 1, Special Service
441     District Act;
442          (B) conforms with generally accepted accounting principles; and
443          (C) prescribes reasonable exceptions and modifications for smaller districts to the
444     uniform system of accounting, budgeting, and reporting;
445          (ii) maintain the manual under this Subsection (16)(a) so that [it] the manual continues
446     to reflect generally accepted accounting principles;
447          (iii) conduct a continuing review and modification of procedures in order to improve
448     them;
449          (iv) prepare and supply each district with suitable budget and reporting forms; and
450          (v) (A) prepare instructional materials, conduct training programs, and render other
451     services considered necessary to assist local districts and special service districts in
452     implementing the uniform accounting, budgeting, and reporting procedures; and
453          (B) ensure that any training described in Subsection (16)(a)(v)(A) complies with Title
454     63G, Chapter 22, State Training and Certification Requirements; and
455          (b) continually analyze and evaluate the accounting, budgeting, and reporting practices
456     and experiences of specific local districts and special service districts selected by the state
457     auditor and make the information available to all districts.
458          (17) (a) The following records in the custody or control of the state auditor are
459     protected records under Title 63G, Chapter 2, Government Records Access and Management
460     Act:
461          (i) records that would disclose information relating to allegations of personal
462     misconduct, gross mismanagement, or illegal activity of a past or present governmental
463     employee if the information or allegation cannot be corroborated by the state auditor through
464     other documents or evidence, and the records relating to the allegation are not relied upon by
465     the state auditor in preparing a final audit report;
466          (ii) records and audit workpapers to the extent [they] the workpapers would disclose
467     the identity of [a person] an individual who during the course of an audit, communicated the
468     existence of any waste of public funds, property, or manpower, or a violation or suspected
469     violation of a law, rule, or regulation adopted under the laws of this state, a political
470     subdivision of the state, or any recognized entity of the United States, if the information was
471     disclosed on the condition that the identity of the [person] individual be protected;
472          (iii) before an audit is completed and the final audit report is released, records or drafts
473     circulated to [a person] an individual who is not an employee or head of a governmental entity
474     for [their] the individual's response or information;
475          (iv) records that would disclose an outline or part of any audit survey plans or audit
476     program; and
477          (v) requests for audits, if disclosure would risk circumvention of an audit.
478          (b) The provisions of Subsections (17)(a)(i), (ii), and (iii) do not prohibit the disclosure
479     of records or information that relate to a violation of the law by a governmental entity or
480     employee to a government prosecutor or peace officer.
481          (c) The provisions of this Subsection (17) do not limit the authority otherwise given to
482     the state auditor to classify a document as public, private, controlled, or protected under Title
483     63G, Chapter 2, Government Records Access and Management Act.
484          (d) (i) As used in this Subsection (17)(d), "record dispute" means a dispute between the
485     state auditor and the subject of an audit performed by the state auditor as to whether the state
486     auditor may release a record, as defined in Section 63G-2-103, to the public that the state
487     auditor gained access to in the course of the state auditor's audit but which the subject of the
488     audit claims is not subject to disclosure under Title 63G, Chapter 2, Government Records
489     Access and Management Act.
490          (ii) The state auditor may submit a record dispute to the State Records Committee,
491     created in Section 63G-2-501, for a determination of whether the state auditor may, in
492     conjunction with the state auditor's release of an audit report, release to the public the record
493     that is the subject of the record dispute.
494          (iii) The state auditor or the subject of the audit may seek judicial review of a State
495     Records Committee determination under Subsection (17)(d)(ii), as provided in Section
496     63G-2-404.
497          (18) If the state auditor conducts an audit of an entity that the state auditor has
498     previously audited and finds that the entity has not implemented a recommendation made by
499     the state auditor in a previous audit, the state auditor shall notify the Legislative Management
500     Committee through [its] the Legislative Management Committee's audit subcommittee that the
501     entity has not implemented that recommendation.
502          (19) The state auditor shall, with the advice and consent of the Senate, appoint the state
503     privacy officer described in Section 67-3-12.
504          Section 7. Section 67-3-12 is enacted to read:
505          67-3-12. State privacy officer.
506          (1) As used in this section:
507          (a) "Designated government entity" means a government entity that is not a state
508     agency.
509          (b) "Independent entity" means the same as that term is defined in Section 63E-1-102.
510          (c) (i) "Government entity" means the state, a county, a municipality, a higher
511     education institution, a local district, a special service district, a school district, an independent
512     entity, or any other political subdivision of the state or an administrative subunit of any
513     political subdivision, including a law enforcement entity.
514          (ii) "Government entity" includes an agent of an entity described in Subsection
515     (1)(c)(i).
516          (d) (i) "Personal data" means any information relating to an identified or identifiable
517     individual.
518          (ii) "Personal data" includes personally identifying information.
519          (e) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
520     data.
521          (ii) "Privacy practice" includes:
522          (A) a technology use related to personal data; and
523          (B) policies related to the protection, storage, sharing, and retention of personal data.
524          (f) (i) "State agency" means the following entities that are under the direct supervision
525     and control of the governor or the lieutenant governor:
526          (A) a department;
527          (B) a commission;
528          (C) a board;
529          (D) a council;
530          (E) an institution;
531          (F) an officer;
532          (G) a corporation;
533          (H) a fund;
534          (I) a division;
535          (J) an office;
536          (K) a committee;
537          (L) an authority;
538          (M) a laboratory;
539          (N) a library;
540          (O) a bureau;
541          (P) a panel;
542          (Q) another administrative unit of the state; or
543          (R) an agent of an entity described in Subsections (A) through (Q).
544          (ii) "State agency" does not include:
545          (A) the legislative branch;
546          (B) the judicial branch;
547          (C) an executive branch agency within the Office of the Attorney General, the state
548     auditor, the state treasurer, or the State Board of Education; or
549          (D) an independent entity.
550          (2) The state privacy officer shall:
551          (a) when completing the duties of this Subsection (2), focus on the privacy practices of
552     designated government entities;
553          (b) compile information about government privacy practices of designated government
554     entities;
555          (c) make public and maintain information about government privacy practices on the
556     state auditor's website;
557          (d) provide designated government entities with educational and training materials
558     developed by the Personal Privacy Oversight Commission established in Section 63C-23-201
559     that include the information described in Subsection 63C-23-202(1)(b);
560          (e) implement a process to analyze and respond to requests from individuals for the
561     state privacy officer to review a designated government entity's privacy practice;
562          (f) identify annually which designated government entities' privacy practices pose the
563     greatest risk to individual privacy and prioritize those privacy practices for review;
564          (g) review each year, in as timely a manner as possible, the privacy practices that the
565     privacy officer identifies under Subsection (2)(e) or (2)(f) as posing the greatest risk to
566     individuals' privacy;
567          (h) when reviewing a designated government entity's privacy practice under Subsection
568     (2)(g), analyze:
569          (i) details about the technology or the policy and the technology's or the policy's
570     application;
571          (ii) information about the type of data being used;
572          (iii) information about how the data is obtained, stored, shared, secured, and disposed;
573          (iv) information about with which persons the designated government entity shares the
574     information;
575          (v) information about whether an individual can or should be able to opt out of the
576     retention and sharing of the individual's data;
577          (vi) information about how the designated government entity de-identifies or
578     anonymizes data;
579          (vii) a determination about the existence of alternative technology or improved
580     practices to protect privacy; and
581          (viii) a finding of whether the designated government entity's current privacy practice
582     adequately protects individual privacy; and
583          (i) after completing a review described in Subsections (2)(g) and (h), determine:
584          (i) each designated government entity's use of personal data, including the designated
585     government entity's practices regarding data:
586          (A) acquisition;
587          (B) storage;
588          (C) disposal;
589          (D) protection; and
590          (E) sharing;
591          (ii) the adequacy of the designated government entity's practices in each of the areas
592     described in Subsection (2)(i)(i); and
593          (iii) for each of the areas described in Subsection (2)(i)(i) that the state privacy officer
594     determines to require reform, provide recommendations for reform to the designated
595     government entity and the legislative body charged with regulating the designated government
596     entity.
597          (3) (a) The legislative body charged with regulating a designated government entity
598     that receives a recommendation described in Subsection (2)(i)(iii) shall hold a public hearing
599     on the proposed reforms:
600          (i) with a quorum of the legislative body present; and
601          (ii) within 90 days after the day on which the legislative body receives the
602     recommendation.
603          (b) (i) The legislative body shall provide notice of the hearing described in Subsection
604     (3)(a).
605          (ii) Notice of the public hearing and the recommendations to be discussed shall be
606     posted on:
607          (A) the Utah Public Notice Website created in Section 63F-1-701 for 30 days before
608     the day on which the legislative body will hold the public hearing; and
609          (B) the website of the designated government entity that received a recommendation, if
610     the designated government entity has a website, for 30 days before the day on which the
611     legislative body will hold the public hearing.
612          (iii) Each notice required under Subsection (3)(b)(i) shall:
613          (A) identify the recommendations to be discussed; and
614          (B) state the date, time, and location of the public hearing.
615          (c) During the hearing described in Subsection (3)(a), the legislative body shall:
616          (i) provide the public the opportunity to ask questions and obtain further information
617     about the recommendations; and
618          (ii) provide any interested person an opportunity to address the legislative body with
619     concerns about the recommendations.
620          (d) At the conclusion of the hearing, the legislative body shall determine whether the
621     legislative body shall adopt reforms to address the recommendations and any concerns raised
622     during the public hearing.
623          (4) (a) Except as provided in Subsection (4)(b), if the government operations privacy
624     officer described in Section 67-1-17 is not conducting reviews of the privacy practices of state
625     agencies, the state privacy officer may review the privacy practices of a state agency in
626     accordance with the processes described in this section.
627          (b) Subsection (3) does not apply to a state agency.
628          (5) The state privacy officer shall:
629          (a) quarterly report, to the Personal Privacy Oversight Commission:
630          (i) recommendations for privacy practices for the commission to review; and
631          (ii) the information provided in Subsection (2)(i); and
632          (b) annually, on or before October 1, report to the Judiciary Interim Committee:
633          (i) the results of any reviews described in Subsection (2)(g), if any reviews have been
634     completed;
635          (ii) reforms, to the extent that the state privacy officer is aware of any reforms, that the
636     designated government entity made in response to any reviews described in Subsection (2)(g);
637          (iii) the information described in Subsection (2)(i); and
638          (iv) recommendations for legislation based on any results of a review described in
639     Subsection (2)(g).