7 LONG TITLE
8 General Description:
9 This bill creates positions to oversee privacy practices in state government.
10 Highlighted Provisions:
11 This bill:
12 ▸ creates the government operations privacy officer, who will be appointed by the
13 governor;
14 ▸ authorizes the government operations privacy officer to review the data practices of
15 state agencies;
16 ▸ creates the Personal Privacy Oversight Commission, whose membership is
17 appointed by the Speaker of the House and the President of the Senate;
18 ▸ directs the Personal Privacy Oversight Commission to establish guidelines and best
19 practices with respect to certain government technology uses related to personal
20 privacy and policies related to data security;
21 ▸ authorizes the Personal Privacy Oversight Commission to review government
22 technology uses related to personal privacy and policies related to data security;
23 ▸ directs the state auditor to appoint and oversee the state privacy officer;
24 ▸ authorizes the state privacy officer to review the data practices of government
25 entities; and
26 ▸ creates a reporting requirement for the operations privacy officer, the Personal
27 Privacy Oversight Committee, and the data privacy officer.
28 Money Appropriated in this Bill:
29 None
30 Other Special Clauses:
31 None
32 Utah Code Sections Affected:
33 AMENDS:
34 67-3-1, as last amended by Laws of Utah 2018, Chapters 200 and 256
35 ENACTS:
36 63C-23-101, Utah Code Annotated 1953
37 63C-23-102, Utah Code Annotated 1953
38 63C-23-201, Utah Code Annotated 1953
39 63C-23-202, Utah Code Annotated 1953
40 67-1-17, Utah Code Annotated 1953
41 67-3-12, Utah Code Annotated 1953
42
43 Be it enacted by the Legislature of the state of Utah:
44 Section 1. Section 63C-23-101 is enacted to read:
45
46
47 63C-23-101. Title.
48 This chapter is known as the "Personal Privacy Oversight Commission."
49 Section 2. Section 63C-23-102 is enacted to read:
50 63C-23-102. Definitions.
51 As used in this chapter:
52 (1) "Commission" means the Personal Privacy Oversight Commission created in
53 Section 63C-23-201.
54 (2) (a) "Personal data" means any information relating to an identified or identifiable
55 individual.
56 (b) "Personal data" includes personally identifying information.
57 (3) (a) "Privacy practice" means the acquisition, use, storage, or disposal of personal
58 data.
59 (b) "Privacy practice" includes:
60 (i) a technology use related to personal data; and
61 (ii) policies related to the protection, storage, sharing, and retention of personal data.
62 Section 3. Section 63C-23-201 is enacted to read:
63
64 63C-23-201. Personal Privacy Oversight Commission created.
65 (1) There is created the Personal Privacy Oversight Commission.
66 (2) (a) The commission shall be composed of 12 members.
67 (b) The president of the Senate shall appoint:
68 (i) one member with experience in internet technology services;
69 (ii) one member with experience in cybersecurity;
70 (iii) one member representing private industry in technology;
71 (iv) one member representing law enforcement;
72 (v) one member with experience in data privacy law; and
73 (vi) one member with experience as a prosecutor in cases involving civil liberties.
74 (c) The speaker of the House of Representatives shall appoint:
75 (i) one member who shall provide internet technology services for a county or a
76 municipality;
77 (ii) one member with experience in cybersecurity;
78 (iii) one member representing private industry in technology;
79 (iv) one member representing law enforcement;
80 (v) one member with experience in data privacy law; and
81 (vi) one member with experience in civil liberties law or policy and with specific
82 experience in identifying the disparate impacts of the use of a technology or a policy on
83 different populations.
84 (3) (a) Except as provided in Subsection (3)(b), the members are appointed for a term
85 of four years.
86 (b) (i) The members described in Subsections (2)(b)(i) through (b)(iii) and (2)(c)(iv)
87 through (c)(vi) shall be appointed to an initial term of two years.
88 (c) When the term of a current commission member expires, a member shall be
89 reappointed or a new member shall be appointed in accordance with this Subsection (3).
90 (4) (a) When a vacancy occurs in the membership for any reason, a replacement shall
91 be appointed in accordance with Subsection (3) for the unexpired term.
92 (b) A member whose term has expired may continue to serve until a replacement is
93 appointed.
94 (5) The commission shall select officers from the commission's members as the
95 commission finds necessary.
96 (6) (a) A majority of the members of the commission is a quorum.
97 (b) The action of a majority of a quorum constitutes an action of the commission.
98 (7) A member may not receive compensation or benefits for the member's service but
99 may receive per diem and travel expenses incurred as a member of the commission at the rates
100 established by the Division of Finance under:
101 (a) Sections 63A-3-106 and 63A-3-107; and
102 (b) rules made by the Division of Finance in accordance with Section 63A-3-106 and
103 63A-3-107.
104 (8) A member shall refrain from participating in a review of:
105 (a) an entity of which the member is an employee; or
106 (b) a technology in which the member has a financial interest.
107 (9) The Office of Legislative Research and General Counsel shall provide staff and
108 support to the commission.
109 (10) The commission shall meet up to seven times a year to accomplish the duties
110 described in Section 63C-23-202.
111 Section 4. Section 63C-23-202 is enacted to read:
112 63C-23-202. Commission duties.
113 (1) The commission shall:
114 (a) develop guiding standards for best practices with respect to government privacy
115 practices;
116 (b) develop educational and training materials that include information about:
117 (i) the privacy implications and civil liberties concerns of government privacy
118 practices;
119 (ii) best practices for government collection and retention policies regarding personal
120 information; and
121 (iii) best practices for government data security standards; and
122 (c) review the privacy implications and civil liberties concerns of government privacy
123 practices.
124 (2) The commission may:
125 (a) review specific government privacy practices as referred to the commission by the
126 state privacy officer described in Section 67-3-12 or the government operations privacy officer
127 described in Section 67-1-17; and
128 (b) develop recommendations for legislation to promote the guiding standards and best
129 practices the commission has developed in accordance with Subsection (1)(a).
130 (3) Annually, on or before October 1, the commission shall report to the Judiciary
131 Interim Committee:
132 (a) the results of any reviews the commission has conducted;
133 (b) the guiding standards and best practices described in Subsection (1)(a); and
134 (c) any recommendations for legislation the commission has developed in accordance
135 with Subsection (2)(b).
136 Section 5. Section 67-1-17 is enacted to read:
137 67-1-17. Government operations privacy officer.
138 (1) As used in this section:
139 (a) (i) "Personal data" means any information relating to an identified or identifiable
140 individual.
141 (ii) "Personal data" includes personally identifying information.
142 (b) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
143 data.
144 (ii) "Privacy practice" includes:
145 (A) a technology use related to personal data; and
146 (B) policies related to the protection, storage, sharing, and retention of personal data.
147 (c) "State agency" means the same as that term is defined in Section 67-25-102.
148 (2) The governor may, with the advice and consent of the Senate, appoint a
149 government operations privacy officer.
150 (3) The government operations privacy officer shall:
151 (a) compile information about the privacy practices of state agencies;
152 (b) make public and maintain information about the privacy practices of state agencies
153 on the governor's website;
154 (c) provide state agencies with educational and training materials developed by the
155 Personal Privacy Oversight Commission established in Section 63C-23-201 that include the
156 following information:
157 (i) the privacy implications and civil liberties concerns of the privacy practices of state
158 agencies;
159 (ii) best practices for government collection and retention policies regarding personally
160 identifiable information; and
161 (iii) best practices for government data security standards;
162 (d) implement a process to analyze and respond to requests from individuals for the
163 government operations privacy officer to review a state agency's privacy practice;
164 (e) identify annually which state agencies' privacy practices pose the greatest risk to
165 individual privacy and prioritize those privacy practices for review;
166 (f) review each year, in as timely a manner as possible, the privacy practices that the
167 government operations privacy officer identifies under Subsection (d) or (e) as posing the
168 greatest risk to individuals' privacy;
169 (g) when reviewing a state agency's privacy practice under Subsection (3)(f), analyze:
170 (i) details about the privacy practice;
171 (ii) information about the type of data being used;
172 (iii) information about how the data is obtained, stored, kept secure, and disposed;
173 (iv) information about with whom the state agency shares the information;
174 (v) information about whether an individual can or should be able to opt out of the
175 retention and sharing of the individual's data;
176 (vi) information about how the state agency de-identifies or anonymizes data;
177 (vii) a determination about the existence of alternative technology or improved
178 practices to protect privacy; and
179 (viii) a finding of whether the state agency's current privacy practice adequately
180 protects individual privacy; and
181 (h) after completing a review described in Subsections (3)(f) and (g), determine:
182 (i) each state agency's use of personal data, including the state agency's practices
183 regarding data:
184 (A) retention;
185 (B) storage;
186 (C) protection; and
187 (D) sharing;
188 (ii) the adequacy of the state agency's practices in each of the areas described in
189 Subsection (3)(h)(i); and
190 (iii) for each of the areas described in Subsection (3)(h)(i) that require reform, provide
191 recommendations to the state agency for reform.
192 (4) The state officer shall:
193 (a) quarterly report, to the Personal Privacy Oversight Commission:
194 (i) recommendations for privacy practices for the commission to review; and
195 (ii) the information described in Subsection (3)(h); and
196 (b) annually, on or before October 1, report to the Judiciary Interim Committee:
197 (i) the results of any reviews described in Subsection (3)(g), if any reviews have been
198 completed;
199 (ii) the information described in Subsection (3)(h); and
200 (iii) recommendations for legislation based on the results of any reviews described in
201 Subsection (3)(g).
202 Section 6. Section 67-3-1 is amended to read:
203 67-3-1. Functions and duties.
204 (1) (a) The state auditor is the auditor of public accounts and is independent of any
205 executive or administrative officers of the state.
206 (b) The state auditor is not limited in the selection of personnel or in the determination
207 of the reasonable and necessary expenses of the state auditor's office.
208 (2) The state auditor shall examine and certify annually in respect to each fiscal year,
209 financial statements showing:
210 (a) the condition of the state's finances;
211 (b) the revenues received or accrued;
212 (c) expenditures paid or accrued;
213 (d) the amount of unexpended or unencumbered balances of the appropriations to the
214 agencies, departments, divisions, commissions, and institutions; and
215 (e) the cash balances of the funds in the custody of the state treasurer.
216 (3) (a) The state auditor shall:
217 (i) audit each permanent fund, each special fund, the General Fund, and the accounts of
218 any department of state government or any independent agency or public corporation as the law
219 requires, as the auditor determines is necessary, or upon request of the governor or the
220 Legislature;
221 (ii) perform the audits in accordance with generally accepted auditing standards and
222 other auditing procedures as promulgated by recognized authoritative bodies;
223 (iii) as the auditor determines is necessary, conduct the audits to determine:
224 (A) honesty and integrity in fiscal affairs;
225 (B) accuracy and reliability of financial statements;
226 (C) effectiveness and adequacy of financial controls; and
227 (D) compliance with the law.
228 (b) If any state entity receives federal funding, the state auditor shall ensure that the
229 audit is performed in accordance with federal audit requirements.
230 (c) (i) The costs of the federal compliance portion of the audit may be paid from an
231 appropriation to the state auditor from the General Fund.
232 (ii) If an appropriation is not provided, or if the federal government does not
233 specifically provide for payment of audit costs, the costs of the federal compliance portions of
234 the audit shall be allocated on the basis of the percentage that each state entity's federal funding
235 bears to the total federal funds received by the state.
236 (iii) The allocation shall be adjusted to reflect any reduced audit time required to audit
237 funds passed through the state to local governments and to reflect any reduction in audit time
238 obtained through the use of internal auditors working under the direction of the state auditor.
239 (4) (a) Except as provided in Subsection (4)(b), the state auditor shall, in addition to
240 financial audits, and as the auditor determines is necessary, conduct performance and special
241 purpose audits, examinations, and reviews of any entity that receives public funds, including a
242 determination of any or all of the following:
243 (i) the honesty and integrity of all [
244 (ii) whether or not [
245 legislative intent;
246 (iii) whether or not [
247 effective, and cost-efficient manner;
248 (iv) whether or not [
249 intended objectives; and
250 (v) whether or not [
251 adequate, effective, and secure.
252 (b) The auditor may not conduct performance and special purpose audits,
253 examinations, and reviews of any entity that receives public funds if the entity:
254 (i) has an elected auditor; and
255 (ii) has, within the entity's last budget year, had [
256 performance formally reviewed by another outside auditor.
257 (5) The state auditor:
258 (a) shall administer any oath or affirmation necessary to the performance of the duties
259 of the auditor's office[
260 (b) may:
261 (i) subpoena witnesses and documents, whether electronic or otherwise[
262 (ii) examine into any matter that the auditor considers necessary.
263 (6) The state auditor may require all persons who have had the disposition or
264 management of any property of this state or its political subdivisions to submit statements
265 regarding [
266 (7) The state auditor shall:
267 (a) except where otherwise provided by law, institute suits in Salt Lake County in
268 relation to the assessment, collection, and payment of [
269 (i) persons who by any means have become entrusted with public money or property
270 and have failed to pay over or deliver the money or property; and
271 (ii) all debtors of the state;
272 (b) collect and pay into the state treasury all fees received by the state auditor;
273 (c) perform the duties of a member of all boards of which the state auditor is a member
274 by the constitution or laws of the state, and any other duties that are prescribed by the
275 constitution and by law;
276 (d) stop the payment of the salary of any state official or state employee who:
277 (i) refuses to settle accounts or provide required statements about the custody and
278 disposition of public funds or other state property;
279 (ii) refuses, neglects, or ignores the instruction of the state auditor or any controlling
280 board or department head with respect to the manner of keeping prescribed accounts or funds;
281 or
282 (iii) fails to correct any delinquencies, improper procedures, and errors brought to the
283 official's or employee's attention;
284 (e) establish accounting systems, methods, and forms for public accounts in all taxing
285 or fee-assessing units of the state in the interest of uniformity, efficiency, and economy;
286 (f) superintend the contractual auditing of all state accounts;
287 (g) subject to Subsection (8)(a), withhold state allocated funds or the disbursement of
288 property taxes from a state or local taxing or fee-assessing unit, if necessary, to ensure that
289 officials and employees in those taxing units comply with state laws and procedures in the
290 budgeting, expenditures, and financial reporting of public funds;
291 (h) subject to Subsection (9), withhold the disbursement of tax money from any county,
292 if necessary, to ensure that officials and employees in the county comply with Section
293 59-2-303.1; and
294 (i) withhold state allocated funds or the disbursement of property taxes from a local
295 government entity or a limited purpose entity, as those terms are defined in Section 67-1a-15 if
296 the state auditor finds the withholding necessary to ensure that the entity registers and
297 maintains the entity's registration with the lieutenant governor, in accordance with Section
298 67-1a-15.
299 (8) (a) Except as otherwise provided by law, the state auditor may not withhold funds
300 under Subsection (7)(g) until a state or local taxing or fee-assessing unit has received formal
301 written notice of noncompliance from the auditor and has been given 60 days to make the
302 specified corrections.
303 (b) If, after receiving notice under Subsection (8)(a), a state or independent local
304 fee-assessing unit that exclusively assesses fees has not made corrections to comply with state
305 laws and procedures in the budgeting, expenditures, and financial reporting of public funds, the
306 state auditor:
307 (i) shall provide a recommended timeline for corrective actions; [
308 (ii) may prohibit the state or local fee-assessing unit from accessing money held by the
309 state; and
310 (iii) may prohibit a state or local fee-assessing unit from accessing money held in an
311 account of a financial institution by filing an action in district court requesting an order of the
312 court to prohibit a financial institution from providing the fee-assessing unit access to an
313 account.
314 (c) The state auditor shall remove a limitation on accessing funds under Subsection
315 (8)(b) upon compliance with state laws and procedures in the budgeting, expenditures, and
316 financial reporting of public funds.
317 (d) If a local taxing or fee-assessing unit has not adopted a budget in compliance with
318 state law, the state auditor:
319 (i) shall provide notice to the taxing or fee-assessing unit of the unit's failure to
320 comply;
321 (ii) may prohibit the taxing or fee-assessing unit from accessing money held by the
322 state; and
323 (iii) may prohibit a taxing or fee-assessing unit from accessing money held in an
324 account of a financial institution by:
325 (A) contacting the taxing or fee-assessing unit's financial institution and requesting that
326 the institution prohibit access to the account; or
327 (B) filing an action in district court requesting an order of the court to prohibit a
328 financial institution from providing the taxing or fee-assessing unit access to an account.
329 (e) If the local taxing or fee-assessing unit adopts a budget in compliance with state
330 law, the state auditor shall eliminate a limitation on accessing funds described in Subsection
331 (8)(d).
332 (9) The state auditor may not withhold funds under Subsection (7)(h) until a county has
333 received formal written notice of noncompliance from the auditor and has been given 60 days
334 to make the specified corrections.
335 (10) (a) The state auditor may not withhold funds under Subsection (7)(i) until the state
336 auditor receives a notice of non-registration, as that term is defined in Section 67-1a-15.
337 (b) If the state auditor receives a notice of non-registration, the state auditor may
338 prohibit the local government entity or limited purpose entity, as those terms are defined in
339 Section 67-1a-15, from accessing:
340 (i) money held by the state; and
341 (ii) money held in an account of a financial institution by:
342 (A) contacting the entity's financial institution and requesting that the institution
343 prohibit access to the account; or
344 (B) filing an action in district court requesting an order of the court to prohibit a
345 financial institution from providing the entity access to an account.
346 (c) The state auditor shall remove the prohibition on accessing funds described in
347 Subsection (10)(b) if the state auditor received a notice of registration, as that term is defined in
348 Section 67-1a-15, from the lieutenant governor.
349 (11) Notwithstanding Subsection (7)(g), (7)(h), (7)(i), (8)(b), (8)(d), or (10)(b), the
350 state auditor:
351 (a) shall authorize a disbursement by a local government entity or limited purpose
352 entity, as those terms are defined in Section 67-1a-15, or a state or local taxing or fee-assessing
353 unit if the disbursement is necessary to:
354 (i) avoid a major disruption in the operations of the local government entity, limited
355 purpose entity, or state or local taxing or fee-assessing unit; or
356 (ii) meet debt service obligations; and
357 (b) may authorize a disbursement by a local government entity, limited purpose entity,
358 or state or local taxing or fee-assessing unit as the state auditor determines is appropriate.
359 (12) (a) The state auditor may seek relief under the Utah Rules of Civil Procedure to
360 take temporary custody of public funds if an action is necessary to protect public funds from
361 being improperly diverted from their intended public purpose.
362 (b) If the state auditor seeks relief under Subsection (12)(a):
363 (i) the state auditor is not required to exhaust the procedures in Subsection (7) or (8);
364 and
365 (ii) the state treasurer may hold the public funds in accordance with Section 67-4-1 if a
366 court orders the public funds to be protected from improper diversion from their public
367 purpose.
368 (13) The state auditor shall:
369 (a) establish audit guidelines and procedures for audits of local mental health and
370 substance abuse authorities and their contract providers, conducted pursuant to Title 17,
371 Chapter 43, Part 2, Local Substance Abuse Authorities, Title 17, Chapter 43, Part 3, Local
372 Mental Health Authorities, Title 51, Chapter 2a, Accounting Reports from Political
373 Subdivisions, Interlocal Organizations, and Other Local Entities Act, and Title 62A, Chapter
374 15, Substance Abuse and Mental Health Act; and
375 (b) ensure that those guidelines and procedures provide assurances to the state that:
376 (i) state and federal funds appropriated to local mental health authorities are used for
377 mental health purposes;
378 (ii) a private provider under an annual or otherwise ongoing contract to provide
379 comprehensive mental health programs or services for a local mental health authority is in
380 compliance with state and local contract requirements, and state and federal law;
381 (iii) state and federal funds appropriated to local substance abuse authorities are used
382 for substance abuse programs and services; and
383 (iv) a private provider under an annual or otherwise ongoing contract to provide
384 comprehensive substance abuse programs or services for a local substance abuse authority is in
385 compliance with state and local contract requirements, and state and federal law.
386 (14) The state auditor may, in accordance with the auditor's responsibilities for political
387 subdivisions of the state as provided in Title 51, Chapter 2a, Accounting Reports from Political
388 Subdivisions, Interlocal Organizations, and Other Local Entities Act, initiate audits or
389 investigations of any political subdivision that are necessary to determine honesty and integrity
390 in fiscal affairs, accuracy and reliability of financial statements, effectiveness, and adequacy of
391 financial controls and compliance with the law.
392 (15) (a) The state auditor may not audit work that the state auditor performed before
393 becoming state auditor.
394 (b) If the state auditor has previously been a responsible official in state government
395 whose work has not yet been audited, the Legislature shall:
396 (i) designate how that work shall be audited; and
397 (ii) provide additional funding for those audits, if necessary.
398 (16) The state auditor shall:
399 (a) with the assistance, advice, and recommendations of an advisory committee
400 appointed by the state auditor from among local district boards of trustees, officers, and
401 employees and special service district boards, officers, and employees:
402 (i) prepare a Uniform Accounting Manual for Local Districts that:
403 (A) prescribes a uniform system of accounting and uniform budgeting and reporting
404 procedures for local districts under Title 17B, Limited Purpose Local Government Entities -
405 Local Districts, and special service districts under Title 17D, Chapter 1, Special Service
406 District Act;
407 (B) conforms with generally accepted accounting principles; and
408 (C) prescribes reasonable exceptions and modifications for smaller districts to the
409 uniform system of accounting, budgeting, and reporting;
410 (ii) maintain the manual under this Subsection (16)(a) so that [
411 to reflect generally accepted accounting principles;
412 (iii) conduct a continuing review and modification of procedures in order to improve
413 them;
414 (iv) prepare and supply each district with suitable budget and reporting forms; and
415 (v) (A) prepare instructional materials, conduct training programs, and render other
416 services considered necessary to assist local districts and special service districts in
417 implementing the uniform accounting, budgeting, and reporting procedures; and
418 (B) ensure that any training described in Subsection (16)(a)(v)(A) complies with Title
419 63G, Chapter 22, State Training and Certification Requirements; and
420 (b) continually analyze and evaluate the accounting, budgeting, and reporting practices
421 and experiences of specific local districts and special service districts selected by the state
422 auditor and make the information available to all districts.
423 (17) (a) The following records in the custody or control of the state auditor are
424 protected records under Title 63G, Chapter 2, Government Records Access and Management
425 Act:
426 (i) records that would disclose information relating to allegations of personal
427 misconduct, gross mismanagement, or illegal activity of a past or present governmental
428 employee if the information or allegation cannot be corroborated by the state auditor through
429 other documents or evidence, and the records relating to the allegation are not relied upon by
430 the state auditor in preparing a final audit report;
431 (ii) records and audit workpapers to the extent [
432 the identity of [
433 existence of any waste of public funds, property, or manpower, or a violation or suspected
434 violation of a law, rule, or regulation adopted under the laws of this state, a political
435 subdivision of the state, or any recognized entity of the United States, if the information was
436 disclosed on the condition that the identity of the [
437 (iii) before an audit is completed and the final audit report is released, records or drafts
438 circulated to [
439 for [
440 (iv) records that would disclose an outline or part of any audit survey plans or audit
441 program; and
442 (v) requests for audits, if disclosure would risk circumvention of an audit.
443 (b) The provisions of Subsections (17)(a)(i), (ii), and (iii) do not prohibit the disclosure
444 of records or information that relate to a violation of the law by a governmental entity or
445 employee to a government prosecutor or peace officer.
446 (c) The provisions of this Subsection (17) do not limit the authority otherwise given to
447 the state auditor to classify a document as public, private, controlled, or protected under Title
448 63G, Chapter 2, Government Records Access and Management Act.
449 (d) (i) As used in this Subsection (17)(d), "record dispute" means a dispute between the
450 state auditor and the subject of an audit performed by the state auditor as to whether the state
451 auditor may release a record, as defined in Section 63G-2-103, to the public that the state
452 auditor gained access to in the course of the state auditor's audit but which the subject of the
453 audit claims is not subject to disclosure under Title 63G, Chapter 2, Government Records
454 Access and Management Act.
455 (ii) The state auditor may submit a record dispute to the State Records Committee,
456 created in Section 63G-2-501, for a determination of whether the state auditor may, in
457 conjunction with the state auditor's release of an audit report, release to the public the record
458 that is the subject of the record dispute.
459 (iii) The state auditor or the subject of the audit may seek judicial review of a State
460 Records Committee determination under Subsection (17)(d)(ii), as provided in Section
461 63G-2-404.
462 (18) If the state auditor conducts an audit of an entity that the state auditor has
463 previously audited and finds that the entity has not implemented a recommendation made by
464 the state auditor in a previous audit, the state auditor shall notify the Legislative Management
465 Committee through [
466 entity has not implemented that recommendation.
467 (19) The state auditor shall, with the advice and consent of the Senate, appoint the state
468 privacy officer described in Section 67-3-12.
469 Section 7. Section 67-3-12 is enacted to read:
470 67-3-12. State privacy officer.
471 (1) As used in this section:
472 (a) "Government entity" means the state, a county, a municipality, a higher education
473 institution, a local district, a special service district, a school district, or any other political
474 subdivision of the state or an administrative subunit of any political subdivision, including a
475 law enforcement entity.
476 (b) "Local government entity" means a government entity that is not a state agency.
477 (c) (i) "Personal data" means any information relating to an identified or identifiable
478 individual.
479 (ii) "Personal data" includes personally identifying information.
480 (d) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
481 data.
482 (ii) "Privacy practice" includes:
483 (A) a technology use related to personal data; and
484 (B) policies related to the protection, storage, sharing, and retention of personal data.
485 (e) "State agency" means the same as that term is defined in Section 67-25-102.
486 (2) The state privacy officer shall:
487 (a) when completing the duties of this Subsection (2), focus on the privacy practices of
488 local government entities;
489 (b) compile information about government privacy practices of local government
490 entities;
491 (c) make public and maintain information about government privacy practices on the
492 state auditor's website;
493 (d) provide local government entities with educational and training materials
494 developed by the Personal Privacy Oversight Commission established in Section 63C-23-201
495 that include the following information:
496 (i) the privacy implications and civil liberties concerns of government privacy
497 practices;
498 (ii) best practices for government collection and retention policies regarding personal
499 data; and
500 (iii) best practices for government data security standards;
501 (e) implement a process to analyze and respond to requests from individuals for the
502 state privacy officer to review a local government entity's privacy practice;
503 (f) identify annually which local government entities' privacy practices pose the
504 greatest risk to individual privacy and prioritize those privacy practices for review;
505 (g) review each year, in as timely a manner as possible, the privacy practices that the
506 privacy officer identifies under Subsection (2)(e) or (2)(f) as posing the greatest risk to
507 individuals' privacy;
508 (h) when reviewing a local government entity's privacy practice under Subsection
509 (2)(g), analyze:
510 (i) details about the technology or the policy and the technology's or the policy's
511 application;
512 (ii) information about the type of data being used;
513 (iii) information about how the data is obtained, stored, kept secure, and disposed;
514 (iv) information about with whom the local government entity shares the information;
515 (v) information about whether an individual can or should be able to opt out of the
516 retention and sharing of the individual's data;
517 (vi) information about how the local government entity de-identifies or anonymizes
518 data;
519 (vii) a determination about the existence of alternative technology or improved
520 practices to protect privacy; and
521 (viii) a finding of whether the local government entity's current privacy practice
522 adequately protects individual privacy; and
523 (i) after completing a review described in Subsections (2)(g) and (h), determine:
524 (i) each local government entity's use of personal data, including the local government
525 entity's practices regarding data:
526 (A) retention;
527 (B) storage;
528 (C) protection; and
529 (D) sharing;
530 (ii) the adequacy of the local government entity's practices in each of the areas
531 described in Subsection (2)(i)(i); and
532 (iii) for each of the areas described in Subsection (2)(i)(i) that require reform, provide
533 recommendations to the local government entity for reform.
534 (3) If the government operations privacy officer described in Section 67-1-17 is not
535 conducting reviews of the privacy practices of state agencies, the state privacy officer may
536 review the privacy practices of a state agency in accordance with the processes described in this
537 section.
538 (4) The state privacy officer shall:
539 (a) quarterly, report to the Personal Privacy Oversight Commission:
540 (i) recommendations for privacy practices for the commission to review; and
541 (ii) the information provided in Subsection (2)(i); and
542 (b) annually, on or before October 1, report to the Judiciary Interim Committee:
543 (i) the results of any reviews described in Subsection (2)(g), if any reviews have been
544 completed;
545 (ii) the information described in Subsection (2)(i); and
546 (iii) recommendations for legislation based on any results of a review described in
547 Subsection (2)(g).