Cosponsors:
Suzanne Harrison
Brian S. King
Val L. Peterson
Ryan D. Wilcox

LONG TITLE
General Description:
This bill creates positions to oversee privacy practices in state government.
Highlighted Provisions:
This bill:
▸ creates the government operations privacy officer, who will be appointed by the governor;
▸ authorizes the government operations privacy officer to review the data practices of state agencies;
▸ creates the Personal Privacy Oversight Commission, whose membership is appointed by the governor, the state auditor, and the attorney general;
▸ directs the Personal Privacy Oversight Commission to establish guidelines and best practices with respect to certain government technology uses related to personal privacy and policies related to data security;
▸ authorizes the Personal Privacy Oversight Commission to review government technology uses related to personal privacy and policies related to data security;
▸ directs the state auditor to appoint and oversee the state privacy officer;
▸ authorizes the state privacy officer to review the data practices of certain government entities; and
▸ creates a reporting requirement for the government operations privacy officer, the Personal Privacy Oversight Commission, and the state privacy officer.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
AMENDS:
67-3-1, as last amended by Laws of Utah 2018, Chapters 200 and 256
ENACTS:
63C-23-101, Utah Code Annotated 1953
63C-23-102, Utah Code Annotated 1953
63C-23-201, Utah Code Annotated 1953
63C-23-202, Utah Code Annotated 1953
67-1-17, Utah Code Annotated 1953
67-3-12, Utah Code Annotated 1953

Be it enacted by the Legislature of the state of Utah:
Section 1. Section 63C-23-101 is enacted to read:
63C-23-101. Title.
This chapter is known as the "Personal Privacy Oversight Commission."
Section 2. Section 63C-23-102 is enacted to read:
63C-23-102. Definitions.
As used in this chapter:
(1) "Commission" means the Personal Privacy Oversight Commission created in Section 63C-23-201.
(2) (a) "Government entity" means the state, a county, a municipality, a higher education institution, a local district, a special service district, a school district, an independent entity, or any other political subdivision of the state or an administrative subunit of any political subdivision, including a law enforcement entity.
(b) "Government entity" includes an agent of an entity described in Subsection (2)(a).
(3) "Independent entity" means the same as that term is defined in Section 63E-1-102.
(4) (a) "Personal data" means any information relating to an identified or identifiable individual.
(b) "Personal data" includes personally identifying information.
(5) (a) "Privacy practice" means the acquisition, use, storage, or disposal of personal data.
(b) "Privacy practice" includes:
(i) a technology use related to personal data; and
(ii) policies related to the protection, storage, sharing, and retention of personal data.
Section 3. Section 63C-23-201 is enacted to read:
63C-23-201. Personal Privacy Oversight Commission created.
(1) There is created the Personal Privacy Oversight Commission.
(2) (a) The commission shall be composed of 12 members.
(b) The governor shall appoint:
(i) one member who, at the time of appointment, provides internet technology services for a county or a municipality;
(ii) one member with experience in cybersecurity;
(iii) one member representing private industry in technology;
(iv) one member representing law enforcement; and
(v) one member with experience in data privacy law.
(c) The state auditor shall appoint:
(i) one member with experience in internet technology services;
(ii) one member with experience in cybersecurity;
(iii) one member representing private industry in technology;
(iv) one member with experience in data privacy law; and
(v) one member with experience in civil liberties law or policy and with specific experience in identifying the disparate impacts of the use of a technology or a policy on different populations.
(d) The attorney general shall appoint:
(i) one member with experience as a prosecutor or appellate attorney and with experience in civil liberties law; and
(ii) one member representing law enforcement.
(3) (a) Except as provided in Subsection (3)(b), a member is appointed for a term of four years.
(b) The initial appointments of members described in Subsections (2)(b)(i) through (b)(iii), (2)(c)(iv) through (c)(v), and (2)(d)(ii) shall be for two-year terms.
(c) When the term of a current member expires, a member shall be reappointed or a new member shall be appointed in accordance with Subsection (2).
(4) (a) When a vacancy occurs in the membership for any reason, a replacement shall be appointed in accordance with Subsection (2) for the unexpired term.
(b) A member whose term has expired may continue to serve until a replacement is appointed.
(5) The commission shall select officers from the commission's members as the commission finds necessary.
(6) (a) A majority of the members of the commission is a quorum.
(b) The action of a majority of a quorum constitutes an action of the commission.
(7) A member may not receive compensation or benefits for the member's service but may receive per diem and travel expenses incurred as a member of the commission at the rates established by the Division of Finance under:
(a) Sections 63A-3-106 and 63A-3-107; and
(b) rules made by the Division of Finance in accordance with Sections 63A-3-106 and 63A-3-107.
(8) A member shall refrain from participating in a review of:
(a) an entity of which the member is an employee; or
(b) a technology in which the member has a financial interest.
(9) The state auditor shall provide staff and support to the commission.
(10) The commission shall meet up to seven times a year to accomplish the duties described in Section 63C-23-202.
Section 4. Section 63C-23-202 is enacted to read:
63C-23-202. Commission duties.
(1) The commission shall:
(a) develop guiding standards and best practices with respect to government privacy practices;
(b) develop educational and training materials that include information about:
(i) the privacy implications and civil liberties concerns of the privacy practices of government entities;
(ii) best practices for government collection and retention policies regarding personal data; and
(iii) best practices for government personal data security standards; and
(c) review the privacy implications and civil liberties concerns of government privacy practices.
(2) The commission may:
(a) review specific government privacy practices as referred to the commission by the government operations privacy officer described in Section 67-1-17 or the state privacy officer described in Section 67-3-12; and
(b) develop recommendations for legislation regarding the guiding standards and best practices the commission has developed in accordance with Subsection (1)(a).
(3) Annually, on or before October 1, the commission shall report to the Judiciary Interim Committee:
(a) the results of any reviews the commission has conducted;
(b) the guiding standards and best practices described in Subsection (1)(a); and
(c) any recommendations for legislation the commission has developed in accordance with Subsection (2)(b).
Section 5. Section 67-1-17 is enacted to read:
67-1-17. Government operations privacy officer.
(1) As used in this section:
(a) "Independent entity" means the same as that term is defined in Section 63E-1-102.
(b) (i) "Personal data" means any information relating to an identified or identifiable individual.
(ii) "Personal data" includes personally identifying information.
(c) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal data.
(ii) "Privacy practice" includes:
(A) a technology use related to personal data; and
(B) policies related to the protection, storage, sharing, and retention of personal data.
(d) (i) "State agency" means the following entities that are under the direct supervision and control of the governor or the lieutenant governor:
(A) a department;
(B) a commission;
(C) a board;
(D) a council;
(E) an institution;
(F) an officer;
(G) a corporation;
(H) a fund;
(I) a division;
(J) an office;
(K) a committee;
(L) an authority;
(M) a laboratory;
(N) a library;
(O) a bureau;
(P) a panel;
(Q) another administrative unit of the state; or
(R) an agent of an entity described in Subsections (A) through (Q).
(ii) "State agency" does not include:
(A) the legislative branch;
(B) the judicial branch;
(C) an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or
(D) an independent entity.
(2) The governor may, with the advice and consent of the Senate, appoint a government operations privacy officer.
(3) The government operations privacy officer shall:
(a) compile information about the privacy practices of state agencies;
(b) make public and maintain information about the privacy practices of state agencies on the governor's website;
(c) provide state agencies with educational and training materials developed by the Personal Privacy Oversight Commission established in Section 63C-23-201 that include the information described in Subsection 63C-23-202(1)(b);
(d) implement a process to analyze and respond to requests from individuals for the government operations privacy officer to review a state agency's privacy practice;
(e) identify annually which state agencies' privacy practices pose the greatest risk to individual privacy and prioritize those privacy practices for review;
(f) review each year, in as timely a manner as possible, the privacy practices that the government operations privacy officer identifies under Subsection (3)(d) or (e) as posing the greatest risk to individuals' privacy;
(g) when reviewing a state agency's privacy practice under Subsection (3)(f), analyze:
(i) details about the privacy practice;
(ii) information about the type of data being used;
(iii) information about how the data is obtained, shared, secured, stored, and disposed;
(iv) information about with which persons the state agency shares the information;
(v) information about whether an individual can or should be able to opt out of the retention and sharing of the individual's data;
(vi) information about how the state agency de-identifies or anonymizes data;
(vii) a determination about the existence of alternative technology or improved practices to protect privacy; and
(viii) a finding of whether the state agency's current privacy practice adequately protects individual privacy; and
(h) after completing a review described in Subsections (3)(f) and (g), determine:
(i) each state agency's use of personal data, including the state agency's practices regarding data:
(A) acquisition;
(B) storage;
(C) disposal;
(D) protection; and
(E) sharing;
(ii) the adequacy of the state agency's practices in each of the areas described in Subsection (3)(h)(i); and
(iii) for each of the areas described in Subsection (3)(h)(i) that the government operations privacy officer determines require reform, provide recommendations to the state agency for reform.
(4) The government operations privacy officer shall:
(a) quarterly report, to the Personal Privacy Oversight Commission:
(i) recommendations for privacy practices for the commission to review; and
(ii) the information described in Subsection (3)(h); and
(b) annually, on or before October 1, report to the Judiciary Interim Committee:
(i) the results of any reviews described in Subsection (3)(g), if any reviews have been completed;
(ii) reforms, to the extent that the government operations privacy officer is aware of any reforms, that the state agency made in response to any reviews described in Subsection (3)(g);
(iii) the information described in Subsection (3)(h); and
(iv) recommendations for legislation based on the results of any reviews described in Subsection (3)(g).
Section 6. Section 67-3-1 is amended to read:
67-3-1. Functions and duties.
(1) (a) The state auditor is the auditor of public accounts and is independent of any executive or administrative officers of the state.
(b) The state auditor is not limited in the selection of personnel or in the determination of the reasonable and necessary expenses of the state auditor's office.
(2) The state auditor shall examine and certify annually in respect to each fiscal year, financial statements showing:
(a) the condition of the state's finances;
(b) the revenues received or accrued;
(c) expenditures paid or accrued;
(d) the amount of unexpended or unencumbered balances of the appropriations to the agencies, departments, divisions, commissions, and institutions; and
(e) the cash balances of the funds in the custody of the state treasurer.
(3) (a) The state auditor shall:
(i) audit each permanent fund, each special fund, the General Fund, and the accounts of any department of state government or any independent agency or public corporation as the law requires, as the auditor determines is necessary, or upon request of the governor or the Legislature;
(ii) perform the audits in accordance with generally accepted auditing standards and other auditing procedures as promulgated by recognized authoritative bodies;
(iii) as the auditor determines is necessary, conduct the audits to determine:
(A) honesty and integrity in fiscal affairs;
(B) accuracy and reliability of financial statements;
(C) effectiveness and adequacy of financial controls; and
(D) compliance with the law.
(b) If any state entity receives federal funding, the state auditor shall ensure that the audit is performed in accordance with federal audit requirements.
(c) (i) The costs of the federal compliance portion of the audit may be paid from an appropriation to the state auditor from the General Fund.
(ii) If an appropriation is not provided, or if the federal government does not specifically provide for payment of audit costs, the costs of the federal compliance portions of the audit shall be allocated on the basis of the percentage that each state entity's federal funding bears to the total federal funds received by the state.
(iii) The allocation shall be adjusted to reflect any reduced audit time required to audit funds passed through the state to local governments and to reflect any reduction in audit time obtained through the use of internal auditors working under the direction of the state auditor.
(4) (a) Except as provided in Subsection (4)(b), the state auditor shall, in addition to financial audits, and as the auditor determines is necessary, conduct performance and special purpose audits, examinations, and reviews of any entity that receives public funds, including a determination of any or all of the following:
(i) the honesty and integrity of all [
(ii) whether or not [ legislative intent;
(iii) whether or not [ effective, and cost-efficient manner;
(iv) whether or not [ intended objectives; and
(v) whether or not [ adequate, effective, and secure.
(b) The auditor may not conduct performance and special purpose audits, examinations, and reviews of any entity that receives public funds if the entity:
(i) has an elected auditor; and
(ii) has, within the entity's last budget year, had [ performance formally reviewed by another outside auditor.
(5) The state auditor:
(a) shall administer any oath or affirmation necessary to the performance of the duties of the auditor's office[
(b) may:
(i) subpoena witnesses and documents, whether electronic or otherwise[
(ii) examine into any matter that the auditor considers necessary.
(6) The state auditor may require all persons who have had the disposition or management of any property of this state or its political subdivisions to submit statements regarding [
(7) The state auditor shall:
(a) except where otherwise provided by law, institute suits in Salt Lake County in relation to the assessment, collection, and payment of [
(i) persons who by any means have become entrusted with public money or property and have failed to pay over or deliver the money or property; and
(ii) all debtors of the state;
(b) collect and pay into the state treasury all fees received by the state auditor;
(c) perform the duties of a member of all boards of which the state auditor is a member by the constitution or laws of the state, and any other duties that are prescribed by the constitution and by law;
(d) stop the payment of the salary of any state official or state employee who:
(i) refuses to settle accounts or provide required statements about the custody and disposition of public funds or other state property;
(ii) refuses, neglects, or ignores the instruction of the state auditor or any controlling board or department head with respect to the manner of keeping prescribed accounts or funds; or
(iii) fails to correct any delinquencies, improper procedures, and errors brought to the official's or employee's attention;
(e) establish accounting systems, methods, and forms for public accounts in all taxing or fee-assessing units of the state in the interest of uniformity, efficiency, and economy;
(f) superintend the contractual auditing of all state accounts;
(g) subject to Subsection (8)(a), withhold state allocated funds or the disbursement of property taxes from a state or local taxing or fee-assessing unit, if necessary, to ensure that officials and employees in those taxing units comply with state laws and procedures in the budgeting, expenditures, and financial reporting of public funds;
(h) subject to Subsection (9), withhold the disbursement of tax money from any county, if necessary, to ensure that officials and employees in the county comply with Section 59-2-303.1; and
(i) withhold state allocated funds or the disbursement of property taxes from a local government entity or a limited purpose entity, as those terms are defined in Section 67-1a-15 if the state auditor finds the withholding necessary to ensure that the entity registers and maintains the entity's registration with the lieutenant governor, in accordance with Section 67-1a-15.
(8) (a) Except as otherwise provided by law, the state auditor may not withhold funds under Subsection (7)(g) until a state or local taxing or fee-assessing unit has received formal written notice of noncompliance from the auditor and has been given 60 days to make the specified corrections.
(b) If, after receiving notice under Subsection (8)(a), a state or independent local fee-assessing unit that exclusively assesses fees has not made corrections to comply with state laws and procedures in the budgeting, expenditures, and financial reporting of public funds, the state auditor:
(i) shall provide a recommended timeline for corrective actions; [
(ii) may prohibit the state or local fee-assessing unit from accessing money held by the state; and
(iii) may prohibit a state or local fee-assessing unit from accessing money held in an account of a financial institution by filing an action in district court requesting an order of the court to prohibit a financial institution from providing the fee-assessing unit access to an account.
(c) The state auditor shall remove a limitation on accessing funds under Subsection (8)(b) upon compliance with state laws and procedures in the budgeting, expenditures, and financial reporting of public funds.
(d) If a local taxing or fee-assessing unit has not adopted a budget in compliance with state law, the state auditor:
(i) shall provide notice to the taxing or fee-assessing unit of the unit's failure to comply;
(ii) may prohibit the taxing or fee-assessing unit from accessing money held by the state; and
(iii) may prohibit a taxing or fee-assessing unit from accessing money held in an account of a financial institution by:
(A) contacting the taxing or fee-assessing unit's financial institution and requesting that the institution prohibit access to the account; or
(B) filing an action in district court requesting an order of the court to prohibit a financial institution from providing the taxing or fee-assessing unit access to an account.
(e) If the local taxing or fee-assessing unit adopts a budget in compliance with state law, the state auditor shall eliminate a limitation on accessing funds described in Subsection (8)(d).
(9) The state auditor may not withhold funds under Subsection (7)(h) until a county has received formal written notice of noncompliance from the auditor and has been given 60 days to make the specified corrections.
(10) (a) The state auditor may not withhold funds under Subsection (7)(i) until the state auditor receives a notice of non-registration, as that term is defined in Section 67-1a-15.
(b) If the state auditor receives a notice of non-registration, the state auditor may prohibit the local government entity or limited purpose entity, as those terms are defined in Section 67-1a-15, from accessing:
(i) money held by the state; and
(ii) money held in an account of a financial institution by:
(A) contacting the entity's financial institution and requesting that the institution prohibit access to the account; or
(B) filing an action in district court requesting an order of the court to prohibit a financial institution from providing the entity access to an account.
(c) The state auditor shall remove the prohibition on accessing funds described in Subsection (10)(b) if the state auditor received a notice of registration, as that term is defined in Section 67-1a-15, from the lieutenant governor.
(11) Notwithstanding Subsection (7)(g), (7)(h), (7)(i), (8)(b), (8)(d), or (10)(b), the state auditor:
(a) shall authorize a disbursement by a local government entity or limited purpose entity, as those terms are defined in Section 67-1a-15, or a state or local taxing or fee-assessing unit if the disbursement is necessary to:
(i) avoid a major disruption in the operations of the local government entity, limited purpose entity, or state or local taxing or fee-assessing unit; or
(ii) meet debt service obligations; and
(b) may authorize a disbursement by a local government entity, limited purpose entity, or state or local taxing or fee-assessing unit as the state auditor determines is appropriate.
(12) (a) The state auditor may seek relief under the Utah Rules of Civil Procedure to take temporary custody of public funds if an action is necessary to protect public funds from being improperly diverted from their intended public purpose.
(b) If the state auditor seeks relief under Subsection (12)(a):
(i) the state auditor is not required to exhaust the procedures in Subsection (7) or (8); and
(ii) the state treasurer may hold the public funds in accordance with Section 67-4-1 if a court orders the public funds to be protected from improper diversion from their public purpose.
(13) The state auditor shall:
(a) establish audit guidelines and procedures for audits of local mental health and substance abuse authorities and their contract providers, conducted pursuant to Title 17, Chapter 43, Part 2, Local Substance Abuse Authorities, Title 17, Chapter 43, Part 3, Local Mental Health Authorities, Title 51, Chapter 2a, Accounting Reports from Political Subdivisions, Interlocal Organizations, and Other Local Entities Act, and Title 62A, Chapter 15, Substance Abuse and Mental Health Act; and
(b) ensure that those guidelines and procedures provide assurances to the state that:
(i) state and federal funds appropriated to local mental health authorities are used for mental health purposes;
(ii) a private provider under an annual or otherwise ongoing contract to provide comprehensive mental health programs or services for a local mental health authority is in compliance with state and local contract requirements, and state and federal law;
(iii) state and federal funds appropriated to local substance abuse authorities are used for substance abuse programs and services; and
(iv) a private provider under an annual or otherwise ongoing contract to provide comprehensive substance abuse programs or services for a local substance abuse authority is in compliance with state and local contract requirements, and state and federal law.
(14) The state auditor may, in accordance with the auditor's responsibilities for political subdivisions of the state as provided in Title 51, Chapter 2a, Accounting Reports from Political Subdivisions, Interlocal Organizations, and Other Local Entities Act, initiate audits or investigations of any political subdivision that are necessary to determine honesty and integrity in fiscal affairs, accuracy and reliability of financial statements, effectiveness, and adequacy of financial controls and compliance with the law.
(15) (a) The state auditor may not audit work that the state auditor performed before becoming state auditor.
(b) If the state auditor has previously been a responsible official in state government whose work has not yet been audited, the Legislature shall:
(i) designate how that work shall be audited; and
(ii) provide additional funding for those audits, if necessary.
(16) The state auditor shall:
(a) with the assistance, advice, and recommendations of an advisory committee appointed by the state auditor from among local district boards of trustees, officers, and employees and special service district boards, officers, and employees:
(i) prepare a Uniform Accounting Manual for Local Districts that:
(A) prescribes a uniform system of accounting and uniform budgeting and reporting procedures for local districts under Title 17B, Limited Purpose Local Government Entities - Local Districts, and special service districts under Title 17D, Chapter 1, Special Service District Act;
(B) conforms with generally accepted accounting principles; and
(C) prescribes reasonable exceptions and modifications for smaller districts to the uniform system of accounting, budgeting, and reporting;
(ii) maintain the manual under this Subsection (16)(a) so that [ to reflect generally accepted accounting principles;
(iii) conduct a continuing review and modification of procedures in order to improve them;
(iv) prepare and supply each district with suitable budget and reporting forms; and
(v) (A) prepare instructional materials, conduct training programs, and render other services considered necessary to assist local districts and special service districts in implementing the uniform accounting, budgeting, and reporting procedures; and
(B) ensure that any training described in Subsection (16)(a)(v)(A) complies with Title 63G, Chapter 22, State Training and Certification Requirements; and
(b) continually analyze and evaluate the accounting, budgeting, and reporting practices and experiences of specific local districts and special service districts selected by the state auditor and make the information available to all districts.
(17) (a) The following records in the custody or control of the state auditor are protected records under Title 63G, Chapter 2, Government Records Access and Management Act:
(i) records that would disclose information relating to allegations of personal misconduct, gross mismanagement, or illegal activity of a past or present governmental employee if the information or allegation cannot be corroborated by the state auditor through other documents or evidence, and the records relating to the allegation are not relied upon by the state auditor in preparing a final audit report;
(ii) records and audit workpapers to the extent [ the identity of [ existence of any waste of public funds, property, or manpower, or a violation or suspected violation of a law, rule, or regulation adopted under the laws of this state, a political subdivision of the state, or any recognized entity of the United States, if the information was disclosed on the condition that the identity of the [
(iii) before an audit is completed and the final audit report is released, records or drafts circulated to [ for [
(iv) records that would disclose an outline or part of any audit survey plans or audit program; and
(v) requests for audits, if disclosure would risk circumvention of an audit.
(b) The provisions of Subsections (17)(a)(i), (ii), and (iii) do not prohibit the disclosure of records or information that relate to a violation of the law by a governmental entity or employee to a government prosecutor or peace officer.
(c) The provisions of this Subsection (17) do not limit the authority otherwise given to the state auditor to classify a document as public, private, controlled, or protected under Title 63G, Chapter 2, Government Records Access and Management Act.
(d) (i) As used in this Subsection (17)(d), "record dispute" means a dispute between the state auditor and the subject of an audit performed by the state auditor as to whether the state auditor may release a record, as defined in Section 63G-2-103, to the public that the state auditor gained access to in the course of the state auditor's audit but which the subject of the audit claims is not subject to disclosure under Title 63G, Chapter 2, Government Records Access and Management Act.
(ii) The state auditor may submit a record dispute to the State Records Committee, created in Section 63G-2-501, for a determination of whether the state auditor may, in conjunction with the state auditor's release of an audit report, release to the public the record that is the subject of the record dispute.
(iii) The state auditor or the subject of the audit may seek judicial review of a State Records Committee determination under Subsection (17)(d)(ii), as provided in Section 63G-2-404.
(18) If the state auditor conducts an audit of an entity that the state auditor has previously audited and finds that the entity has not implemented a recommendation made by the state auditor in a previous audit, the state auditor shall notify the Legislative Management Committee through [ entity has not implemented that recommendation.
(19) The state auditor shall, with the advice and consent of the Senate, appoint the state privacy officer described in Section 67-3-12.
Section 7. Section 67-3-12 is enacted to read:
505 67-3-12. State privacy officer.
506 (1) As used in this section:
507 (a) "Designated government entity" means a government entity that is not a state
508 agency.
509 (b) "Independent entity" means the same as that term is defined in Section 63E-1-102.
510 (c) (i) "Government entity" means the state, a county, a municipality, a higher
511 education institution, a local district, a special service district, a school district, an independent
512 entity, or any other political subdivision of the state or an administrative subunit of any
513 political subdivision, including a law enforcement entity.
514 (ii) "Government entity" includes an agent of an entity described in Subsection
515 (1)(c)(i).
516 (d) (i) "Personal data" means any information relating to an identified or identifiable
517 individual.
518 (ii) "Personal data" includes personally identifying information.
519 (e) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
520 data.
521 (ii) "Privacy practice" includes:
522 (A) a technology use related to personal data; and
523 (B) policies related to the protection, storage, sharing, and retention of personal data.
524 (f) (i) "State agency" means the following entities that are under the direct supervision
525 and control of the governor or the lieutenant governor:
526 (A) a department;
527 (B) a commission;
528 (C) a board;
529 (D) a council;
530 (E) an institution;
531 (F) an officer;
532 (G) a corporation;
533 (H) a fund;
534 (I) a division;
535 (J) an office;
536 (K) a committee;
537 (L) an authority;
538 (M) a laboratory;
539 (N) a library;
540 (O) a bureau;
541 (P) a panel;
542 (Q) another administrative unit of the state; or
543 (R) an agent of an entity described in Subsections (A) through (Q).
544 (ii) "State agency" does not include:
545 (A) the legislative branch;
546 (B) the judicial branch;
547 (C) an executive branch agency within the Office of the Attorney General, the state
548 auditor, the state treasurer, or the State Board of Education; or
549 (D) an independent entity.
550 (2) The state privacy officer shall:
551 (a) when completing the duties of this Subsection (2), focus on the privacy practices of
552 designated government entities;
553 (b) compile information about government privacy practices of designated government
554 entities;
555 (c) make public and maintain information about government privacy practices on the
556 state auditor's website;
557 (d) provide designated government entities with educational and training materials
558 developed by the Personal Privacy Oversight Commission established in Section 63C-23-201
559 that include the information described in Subsection 63C-23-202(1)(b);
560 (e) implement a process to analyze and respond to requests from individuals for the
561 state privacy officer to review a designated government entity's privacy practice;
562 (f) identify annually which designated government entities' privacy practices pose the
563 greatest risk to individual privacy and prioritize those privacy practices for review;
564 (g) review each year, in as timely a manner as possible, the privacy practices that the
565 privacy officer identifies under Subsection (2)(e) or (2)(f) as posing the greatest risk to
566 individuals' privacy;
567 (h) when reviewing a designated government entity's privacy practice under Subsection
568 (2)(g), analyze:
569 (i) details about the technology or the policy and the technology's or the policy's
570 application;
571 (ii) information about the type of data being used;
572 (iii) information about how the data is obtained, stored, shared, secured, and disposed;
573 (iv) information about with which persons the designated government entity shares the
574 information;
575 (v) information about whether an individual can or should be able to opt out of the
576 retention and sharing of the individual's data;
577 (vi) information about how the designated government entity de-identifies or
578 anonymizes data;
579 (vii) a determination about the existence of alternative technology or improved
580 practices to protect privacy; and
581 (viii) a finding of whether the designated government entity's current privacy practice
582 adequately protects individual privacy; and
583 (i) after completing a review described in Subsections (2)(g) and (h), determine:
584 (i) each designated government entity's use of personal data, including the designated
585 government entity's practices regarding data:
586 (A) acquisition;
587 (B) storage;
588 (C) disposal;
589 (D) protection; and
590 (E) sharing;
591 (ii) the adequacy of the designated government entity's practices in each of the areas
592 described in Subsection (2)(i)(i); and
593 (iii) for each of the areas described in Subsection (2)(i)(i) that the state privacy officer
594 determines to require reform, provide recommendations for reform to the designated
595 government entity and the legislative body charged with regulating the designated government
596 entity.
597 (3) (a) The legislative body charged with regulating a designated government entity
598 that receives a recommendation described in Subsection (2)(i)(iii) shall hold a public hearing
599 on the proposed reforms:
600 (i) with a quorum of the legislative body present; and
601 (ii) within 90 days after the day on which the legislative body receives the
602 recommendation.
603 (b) (i) The legislative body shall provide notice of the hearing described in Subsection
604 (3)(a).
605 (ii) Notice of the public hearing and the recommendations to be discussed shall be
606 posted on:
607 (A) the Utah Public Notice Website created in Section 63F-1-701 for 30 days before
608 the day on which the legislative body will hold the public hearing; and
609 (B) the website of the designated government entity that received a recommendation, if
610 the designated government entity has a website, for 30 days before the day on which the
611 legislative body will hold the public hearing.
612 (iii) Each notice required under Subsection (3)(b)(i) shall:
613 (A) identify the recommendations to be discussed; and
614 (B) state the date, time, and location of the public hearing.
615 (c) During the hearing described in Subsection (3)(a), the legislative body shall:
616 (i) provide the public the opportunity to ask questions and obtain further information
617 about the recommendations; and
618 (ii) provide any interested person an opportunity to address the legislative body with
619 concerns about the recommendations.
620 (d) At the conclusion of the hearing, the legislative body shall determine whether the
621 legislative body shall adopt reforms to address the recommendations and any concerns raised
622 during the public hearing.
623 (4) (a) Except as provided in Subsection (4)(b), if the government operations privacy
624 officer described in Section 67-1-17 is not conducting reviews of the privacy practices of state
625 agencies, the state privacy officer may review the privacy practices of a state agency in
626 accordance with the processes described in this section.
627 (b) Subsection (3) does not apply to a state agency.
628 (5) The state privacy officer shall:
629 (a) quarterly report, to the Personal Privacy Oversight Commission:
630 (i) recommendations for privacy practices for the commission to review; and
631 (ii) the information provided in Subsection (2)(i); and
632 (b) annually, on or before October 1, report to the Judiciary Interim Committee:
633 (i) the results of any reviews described in Subsection (2)(g), if any reviews have been
634 completed;
635 (ii) reforms, to the extent that the state privacy officer is aware of any reforms, that the
636 designated government entity made in response to any reviews described in Subsection (2)(g);
637 (iii) the information described in Subsection (2)(i); and
638 (iv) recommendations for legislation based on any results of a review described in
639 Subsection (2)(g).