1
2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill amends provisions relating to government records, including provisions
10 relating to the Division of Archives and Records Service, the Government Records
11 Access and Management Act, and a chief privacy officer.
12 Highlighted Provisions:
13 This bill:
14 ▸ defines terms;
15 ▸ permits the Division of Archives and Records Service to require a background
16 check of employees and volunteers who have direct access to vulnerable records;
17 ▸ modifies the duties of a records officer;
18 ▸ grants rulemaking authority to the state archivist, the executive director of the
19 Department of Government Operations, and other departments, in relation to
20 government records and the provisions of this bill;
21 ▸ requires executive branch agencies to:
22 • make and maintain an inventory of records that contain personal identifying
23 information; and
24 • prepare and maintain a privacy annotation for each record series collected,
25 maintained, or used by the executive branch agency that discloses whether the
26 record series contains personal identifying information, describes the type of personal
27 identifying information contained in the record series, and provides other information regarding
28 the personal identifying information contained in the record series;
29 ▸ requires the executive director of the Department of Government Operations to
30 make rules for identifying personal identifying information, inventorying the
31 information, and reporting regarding the information;
32 ▸ modifies individual rights with respect to records that may be classified as private or
33 controlled or that may contain personal identifying information;
34 ▸ changes the title of the "government operations privacy officer" to the "chief privacy
35 officer"; and
36 ▸ makes technical and conforming changes.
37 Money Appropriated in this Bill:
38 None
39 Other Special Clauses:
40 None
41 Utah Code Sections Affected:
42 AMENDS:
43 63A-12-100.5, as last amended by Laws of Utah 2015, Chapter 322
44 63A-12-101, as last amended by Laws of Utah 2022, Chapter 169
45 63A-12-108, as renumbered and amended by Laws of Utah 2008, Chapter 382
46 63C-24-202, as enacted by Laws of Utah 2021, Chapter 155
47 63G-2-103, as last amended by Laws of Utah 2021, Chapters 211, 283
48 63G-2-107, as last amended by Laws of Utah 2016, Chapter 380
49 63G-2-201, as last amended by Laws of Utah 2019, Chapter 334
50 63G-2-204, as last amended by Laws of Utah 2021, Chapter 64
51 63G-2-307, as renumbered and amended by Laws of Utah 2008, Chapter 382
52 63G-2-601, as renumbered and amended by Laws of Utah 2008, Chapter 382
53 63G-2-604, as last amended by Laws of Utah 2019, Chapter 254
54 67-1-17, as enacted by Laws of Utah 2021, Chapter 155
55 67-3-13, as enacted by Laws of Utah 2021, Chapter 155
56 77-27-5, as last amended by Laws of Utah 2021, Chapters 21, 246 and 260 and last
57 amended by Coordination Clause, Laws of Utah 2021, Chapter 260
58 ENACTS:
59 63A-12-115, Utah Code Annotated 1953
60 63A-12-116, Utah Code Annotated 1953
61 REPEALS AND REENACTS:
62 63A-12-104, as last amended by Laws of Utah 2022, Chapter 169
63 REPEALS:
64 63A-12-100, as last amended by Laws of Utah 2021, Chapter 84
65
66 Be it enacted by the Legislature of the state of Utah:
67 Section 1. Section 63A-12-100.5 is amended to read:
68
69
70 63A-12-100.5. Definitions.
71 (1) Except as provided under Subsection (2), the definitions in Section 63G-2-103
72 apply to this chapter.
73 (2) As used in this chapter:
74 (a) [
75 Records Service[
76 (b) (i) "Executive branch agency" means the same as that term is defined in Section
77 63A-16-102.
78 (ii) "Executive Branch agency" includes a state agency, as defined in Subsection
79 67-1-17(1)(d).
80 (c) (i) "Personal identifying information" means information about an individual that:
81 (A) identifies, or can be used to identify, an individual;
82 (B) distinguishes an individual from one or more other individuals; or
83 (C) is, or can be, logically associated with other information or data, through
84 technology or otherwise, to identify an individual or distinguish an individual from one or more
85 other individuals.
86 (ii) "Personal identifying information" includes information identified as personal
87 identifying information in accordance with the rules described in Section 63A-12-104.
88 (d) "Privacy annotation" means a summary, described in Subsection 63A-12-115(2)
89 and rules made by the executive director under Subsection 63A-12-104(2), that, for each record
90 series that an executive branch agency collects, maintains, or uses:
91 (i) discloses whether the record series contains personal identifying information; and
92 (ii) if the record series contains personal identifying information, includes the
93 information described in Subsection 63A-12-115(2)(b).
94 [
95 (i) the same as that term is defined in Section 63G-2-103; or
96 (ii) a video or audio recording of an interview, or a transcript of the video or audio
97 recording, that is conducted at a Children's Justice Center established under Section 67-5b-102,
98 the release of which is governed by Section 77-37-4.
99 (f) "State archives" means the Division of Archives and Records Service.
100 (g) "Vulnerable adult" means the same as that term is defined in Section 62A-3-301.
101 (h) "Vulnerable record" means a record or data relating to:
102 (i) national security interests;
103 (ii) the care, custody, or control of a child;
104 (iii) a fiduciary trust over money;
105 (iv) health care of a child; or
106 (v) the following, in relation to a vulnerable adult:
107 (A) protection, health care, or other care; or
108 (B) the provision of food, shelter, clothing, assistance with an activity of daily living,
109 or assistance with financial resource management.
110 Section 2. Section 63A-12-101 is amended to read:
111 63A-12-101. Division of Archives and Records Service created -- Duties.
112 (1) There is created the Division of Archives and Records Service within the
113 department.
114 (2) The state archives shall:
115 (a) administer the state's archives and records management programs, including storage
116 of records, central reformatting programs, and quality control;
117 (b) apply fair, efficient, and economical management methods to the collection,
118 creation, use, maintenance, retention, preservation, disclosure, and disposal of records and
119 documents;
120 (c) establish standards, procedures, and techniques for the effective management and
121 physical care of records;
122 (d) conduct surveys of office operations and recommend improvements in current
123 records management practices, including the use of space, equipment, automation, and supplies
124 used in creating, maintaining, storing, and servicing records;
125 (e) establish standards for the preparation of schedules providing for the retention of
126 records of continuing value and for the prompt and orderly disposal of state records no longer
127 possessing sufficient administrative, historical, legal, or fiscal value to warrant further
128 retention;
129 (f) establish, maintain, and operate centralized reformatting lab facilities and quality
130 control for the state;
131 (g) provide staff and support services to the Records Management Committee created
132 in Section 63A-12-112 and the State Records Committee created in Section 63G-2-501;
133 (h) develop training programs to assist records officers and other interested officers and
134 employees of governmental entities to administer this chapter and Title 63G, Chapter 2,
135 Government Records Access and Management Act;
136 (i) provide access to public records deposited in the archives;
137 (j) administer and maintain the Utah Public Notice Website established under Section
138 63A-16-601;
139 (k) provide assistance to any governmental entity in administering this chapter and
140 Title 63G, Chapter 2, Government Records Access and Management Act;
141 (l) prepare forms for use by all governmental entities for a person requesting access to
142 a record; and
143 (m) if the department operates the Division of Archives and Records Service as an
144 internal service fund agency in accordance with Section 63A-1-109.5, submit to the Rate
145 Committee established in Section 63A-1-114:
146 (i) the proposed rate schedule as required by Section 63A-1-114; and
147 (ii) other information or analysis requested by the Rate Committee.
148 (3) The state archives may:
149 (a) establish a report and directives management program; [
150 (b) establish a forms management program[
151 (c) in accordance with Section 63A-12-101, require that an individual undergo a
152 background check if the individual:
153 (i) applies to be, or currently is, an employee or volunteer of the division; and
154 (ii) will have direct access to a vulnerable record in the capacity described in
155 Subsection (3)(c)(i).
156 (4) The executive director may direct the state archives to administer other functions or
157 services consistent with this chapter and Title 63G, Chapter 2, Government Records Access
158 and Management Act.
159 Section 3. Section 63A-12-104 is repealed and reenacted to read:
160 63A-12-104. Rulemaking authority.
161 (1) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act:
162 (a) the state archivist may, for an executive branch agency, make rules establishing
163 procedures for the collection, storage, designation, classification, access, mediation for records
164 access, and management of records under this chapter and Title 63G, Chapter 2, Government
165 Records Access and Management Act; and
166 (b) a department may make rules specifying at which level within the department the
167 requirements described in this chapter will be undertaken.
168 (2) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
169 executive director shall, in consultation with the state archivist and the chief privacy officer,
170 make rules for an executive branch agency that establish:
171 (a) requirements for making an inventory of each record series that contains personal
172 identifying information, including:
173 (i) information collected as part of the inventory;
174 (ii) regularly reviewing, updating, and maintaining the inventory; and
175 (iii) reporting the inventory to the chief privacy officer;
176 (b) a list of information, categories of information, or types of information expressly
177 designated as personal identifying information, in accordance with the criteria described in
178 Subsections 63A-12-100.5(2)(c)(i) through (iii)
179 (c) criteria, variables, and principles for determining whether information in a record
180 series, not expressly designated under Subsection (2)(b), is personal identifying information;
181 (d) a list and description of categories or types of personal identifying information that
182 are collected, maintained, or used by executive branch agencies; and
183 (e) requirements for the form, content, format, review, and update of a privacy
184 annotation.
185 (3) The rules described in Subsection (2)(b) may incorporate, by reference, a data
186 dictionary that a records officer appointed under Subsection 63A-12-103(2)(a) shall use in
187 making the determination described in Subsection (2)(c).
188 Section 4. Section 63A-12-108 is amended to read:
189 63A-12-108. Inspection and summary of record series -- Data dictionary.
190 (1) [
191 (a) the title and a summary description of each record series[
192 (b) for an executive branch agency, the privacy annotation of each record series.
193 (2) The department shall:
194 (a) post the data dictionary described in Subsection 63A-12-104(3) on the department's
195 website; and
196 (b) maintain and update the data dictionary on a regular basis.
197 Section 5. Section 63A-12-115 is enacted to read:
198 63A-12-115. Privacy annotation for records series -- Requirements -- Content.
199 (1) (a) Before January 1, 2026, an executive branch agency shall, for each record series
200 that the executive branch agency collects, maintains, or uses, evaluate the record series and
201 make a privacy annotation that completely and accurately complies with Subsection (2) and the
202 rules described in Subsection 63A-12-104(2)(e).
203 (b) Beginning on January 1, 2026, an executive branch agency may not collect,
204 maintain, or use personal identifying information unless the record series for which the
205 personal identifying information is collected, maintained, or used includes a privacy annotation
206 that completely and accurately complies with Subsection (2) and the rules described in
207 Subsection 63A-12-104(2)(e).
208 (2) A privacy annotation shall include the following:
209 (a) if the record series does not include personal identifying information, a statement
210 indicating that the record series does not include personal identifying information;
211 (b) if the record series includes personal identifying information:
212 (i) an inventory of the personal identifying information included in the record series;
213 and
214 (ii) for the personal identifying information described in Subsection (2)(b)(i):
215 (A) the purpose for which the executive branch agency collects, keeps, or uses the
216 personal identifying information;
217 (B) a citation to the executive branch agency's legal authority for collecting, keeping, or
218 using the personal identifying information; and
219 (C) any other information required by state archives by rule under Subsection
220 63A-12-104(2)(e).
221 Section 6. Section 63A-12-116 is enacted to read:
222 63A-12-116. Background check for individuals with direct access to a vulnerable
223 record.
224 (1) If, under Subsection 63A-12-101(3)(c), state archives requires an individual to
225 undergo a background check:
226 (a) the individual shall:
227 (i) submit to state archives, in a form designated by state archives, a fingerprint card
228 and other information required by state archives for the background check; and
229 (ii) consent to a criminal background check by the Federal Bureau of Investigation, the
230 Bureau of Criminal Identification, or any other state entity that performs criminal background
231 checks; and
232 (b) state archives shall:
233 (i) submit the fingerprint card and information described in Subsection (1)(a)(i) to the
234 Utah Bureau of Criminal Identification; and
235 (ii) pay all fees required to conduct the background check, including fees described in
236 Subsection 53-10-108(15)(a) and fees required by the Federal Bureau of Investigation.
237 (2) The Bureau of Criminal Identification shall provide all results of a criminal
238 background check described in this section to state archives, including results from state,
239 regional, and nationwide background checks.
240 (3) State archives may make rules, in accordance with Title 63G, Chapter 3, Utah
241 Administrative Rulemaking Act, to:
242 (a) establish procedures for requiring and conducting a background check under this
243 section; and
244 (b) specify requirements for the information and fingerprint card required for a
245 background check under this section.
246 Section 7. Section 63C-24-202 is amended to read:
247 63C-24-202. Commission duties.
248 (1) The commission shall:
249 (a) develop guiding standards and best practices with respect to government privacy
250 practices;
251 (b) develop educational and training materials that include information about:
252 (i) the privacy implications and civil liberties concerns of the privacy practices of
253 government entities;
254 (ii) best practices for government collection and retention policies regarding personal
255 data; and
256 (iii) best practices for government personal data security standards; and
257 (c) review the privacy implications and civil liberties concerns of government privacy
258 practices.
259 (2) The commission may:
260 (a) review specific government privacy practices as referred to the commission by the
261 [
262 officer described in Section 67-3-13; and
263 (b) develop recommendations for legislation regarding the guiding standards and best
264 practices the commission has developed in accordance with Subsection (1)(a).
265 (3) Annually, on or before October 1, the commission shall report to the Judiciary
266 Interim Committee:
267 (a) the results of any reviews the commission has conducted;
268 (b) the guiding standards and best practices described in Subsection (1)(a); and
269 (c) any recommendations for legislation the commission has developed in accordance
270 with Subsection (2)(b).
271 Section 8. Section 63G-2-103 is amended to read:
272 63G-2-103. Definitions.
273 As used in this chapter:
274 (1) "Audit" means:
275 (a) a systematic examination of financial, management, program, and related records
276 for the purpose of determining the fair presentation of financial statements, adequacy of
277 internal controls, or compliance with laws and regulations; or
278 (b) a systematic examination of program procedures and operations for the purpose of
279 determining their effectiveness, economy, efficiency, and compliance with statutes and
280 regulations.
281 (2) "Chronological logs" mean the regular and customary summary records of law
282 enforcement agencies and other public safety agencies that show:
283 (a) the time and general nature of police, fire, and paramedic calls made to the agency;
284 and
285 (b) any arrests or jail bookings made by the agency.
286 (3) "Classification," "classify," and their derivative forms mean determining whether a
287 record series, record, or information within a record is public, private, controlled, protected, or
288 exempt from disclosure under Subsection 63G-2-201(3)(b).
289 (4) (a) "Computer program" means:
290 (i) a series of instructions or statements that permit the functioning of a computer
291 system in a manner designed to provide storage, retrieval, and manipulation of data from the
292 computer system; and
293 (ii) any associated documentation and source material that explain how to operate the
294 computer program.
295 (b) "Computer program" does not mean:
296 (i) the original data, including numbers, text, voice, graphics, and images;
297 (ii) analysis, compilation, and other manipulated forms of the original data produced by
298 use of the program; or
299 (iii) the mathematical or statistical formulas, excluding the underlying mathematical
300 algorithms contained in the program, that would be used if the manipulated forms of the
301 original data were to be produced manually.
302 (5) (a) "Contractor" means:
303 (i) any person who contracts with a governmental entity to provide goods or services
304 directly to a governmental entity; or
305 (ii) any private, nonprofit organization that receives funds from a governmental entity.
306 (b) "Contractor" does not mean a private provider.
307 (6) "Controlled record" means a record containing data on individuals that is controlled
308 as provided by Section 63G-2-304.
309 (7) "Designation," "designate," and their derivative forms mean indicating, based on a
310 governmental entity's familiarity with a record series or based on a governmental entity's
311 review of a reasonable sample of a record series, the primary classification that a majority of
312 records in a record series would be given if classified and the classification that other records
313 typically present in the record series would be given if classified.
314 (8) "Elected official" means each person elected to a state office, county office,
315 municipal office, school board or school district office, local district office, or special service
316 district office, but does not include judges.
317 (9) "Explosive" means a chemical compound, device, or mixture:
318 (a) commonly used or intended for the purpose of producing an explosion; and
319 (b) that contains oxidizing or combustive units or other ingredients in proportions,
320 quantities, or packing so that:
321 (i) an ignition by fire, friction, concussion, percussion, or detonator of any part of the
322 compound or mixture may cause a sudden generation of highly heated gases; and
323 (ii) the resultant gaseous pressures are capable of:
324 (A) producing destructive effects on contiguous objects; or
325 (B) causing death or serious bodily injury.
326 (10) "Government audit agency" means any governmental entity that conducts an audit.
327 (11) (a) "Governmental entity" means:
328 (i) executive department agencies of the state, the offices of the governor, lieutenant
329 governor, state auditor, attorney general, and state treasurer, the Board of Pardons and Parole,
330 the Board of Examiners, the National Guard, the Career Service Review Office, the State
331 Board of Education, the Utah Board of Higher Education, and the State Archives;
332 (ii) the Office of the Legislative Auditor General, Office of the Legislative Fiscal
333 Analyst, Office of Legislative Research and General Counsel, the Legislature, and legislative
334 committees, except any political party, group, caucus, or rules or sifting committee of the
335 Legislature;
336 (iii) courts, the Judicial Council, the Administrative Office of the Courts, and similar
337 administrative units in the judicial branch;
338 (iv) any state-funded institution of higher education or public education; or
339 (v) any political subdivision of the state, but, if a political subdivision has adopted an
340 ordinance or a policy relating to information practices pursuant to Section 63G-2-701, this
341 chapter shall apply to the political subdivision to the extent specified in Section 63G-2-701 or
342 as specified in any other section of this chapter that specifically refers to political subdivisions.
343 (b) "Governmental entity" also means:
344 (i) every office, agency, board, bureau, committee, department, advisory board, or
345 commission of an entity listed in Subsection (11)(a) that is funded or established by the
346 government to carry out the public's business;
347 (ii) as defined in Section 11-13-103, an interlocal entity or joint or cooperative
348 undertaking;
349 (iii) as defined in Section 11-13a-102, a governmental nonprofit corporation;
350 (iv) an association as defined in Section 53G-7-1101;
351 (v) the Utah Independent Redistricting Commission; and
352 (vi) a law enforcement agency, as defined in Section 53-1-102, that employs one or
353 more law enforcement officers, as defined in Section 53-13-103.
354 (c) "Governmental entity" does not include the Utah Educational Savings Plan created
355 in Section 53B-8a-103.
356 (12) "Gross compensation" means every form of remuneration payable for a given
357 period to an individual for services provided including salaries, commissions, vacation pay,
358 severance pay, bonuses, and any board, rent, housing, lodging, payments in kind, and any
359 similar benefit received from the individual's employer.
360 (13) "Individual" means a human being.
361 (14) (a) "Initial contact report" means an initial written or recorded report, however
362 titled, prepared by peace officers engaged in public patrol or response duties describing official
363 actions initially taken in response to either a public complaint about or the discovery of an
364 apparent violation of law, which report may describe:
365 (i) the date, time, location, and nature of the complaint, the incident, or offense;
366 (ii) names of victims;
367 (iii) the nature or general scope of the agency's initial actions taken in response to the
368 incident;
369 (iv) the general nature of any injuries or estimate of damages sustained in the incident;
370 (v) the name, address, and other identifying information about any person arrested or
371 charged in connection with the incident; or
372 (vi) the identity of the public safety personnel, except undercover personnel, or
373 prosecuting attorney involved in responding to the initial incident.
374 (b) Initial contact reports do not include follow-up or investigative reports prepared
375 after the initial contact report. However, if the information specified in Subsection (14)(a)
376 appears in follow-up or investigative reports, it may only be treated confidentially if it is
377 private, controlled, protected, or exempt from disclosure under Subsection 63G-2-201(3)(b).
378 (c) Initial contact reports do not include accident reports, as that term is described in
379 Title 41, Chapter 6a, Part 4, Accident Responsibilities.
380 (15) "Legislative body" means the Legislature.
381 (16) "Notice of compliance" means a statement confirming that a governmental entity
382 has complied with an order of the State Records Committee.
383 (17) "Person" means:
384 (a) an individual;
385 (b) a nonprofit or profit corporation;
386 (c) a partnership;
387 (d) a sole proprietorship;
388 (e) other type of business organization; or
389 (f) any combination acting in concert with one another.
390 (18) "Personal identifying information" means the same as that term is defined in
391 Section 63A-12-100.5.
392 (19) "Privacy annotation" means the same as that term is defined in Section
393 63A-12-100.5.
394 [
395 entity to provide services directly to the public.
396 [
397 private as provided by Section 63G-2-302.
398 [
399 Section 63G-2-305.
400 [
401 and that is not exempt from disclosure as provided in Subsection 63G-2-201(3)(b).
402 [
403 film, card, tape, recording, electronic data, or other documentary material regardless of physical
404 form or characteristics:
405 (i) that is prepared, owned, received, or retained by a governmental entity or political
406 subdivision; and
407 (ii) where all of the information in the original is reproducible by photocopy or other
408 mechanical or electronic means.
409 (b) "Record" does not mean:
410 (i) a personal note or personal communication prepared or received by an employee or
411 officer of a governmental entity:
412 (A) in a capacity other than the employee's or officer's governmental capacity; or
413 (B) that is unrelated to the conduct of the public's business;
414 (ii) a temporary draft or similar material prepared for the originator's personal use or
415 prepared by the originator for the personal use of an individual for whom the originator is
416 working;
417 (iii) material that is legally owned by an individual in the individual's private capacity;
418 (iv) material to which access is limited by the laws of copyright or patent unless the
419 copyright or patent is owned by a governmental entity or political subdivision;
420 (v) proprietary software;
421 (vi) junk mail or a commercial publication received by a governmental entity or an
422 official or employee of a governmental entity;
423 (vii) a book that is cataloged, indexed, or inventoried and contained in the collections
424 of a library open to the public;
425 (viii) material that is cataloged, indexed, or inventoried and contained in the collections
426 of a library open to the public, regardless of physical form or characteristics of the material;
427 (ix) a daily calendar or other personal note prepared by the originator for the
428 originator's personal use or for the personal use of an individual for whom the originator is
429 working;
430 (x) a computer program that is developed or purchased by or for any governmental
431 entity for its own use;
432 (xi) a note or internal memorandum prepared as part of the deliberative process by:
433 (A) a member of the judiciary;
434 (B) an administrative law judge;
435 (C) a member of the Board of Pardons and Parole; or
436 (D) a member of any other body, other than an association or appeals panel as defined
437 in Section 53G-7-1101, charged by law with performing a quasi-judicial function;
438 (xii) a telephone number or similar code used to access a mobile communication
439 device that is used by an employee or officer of a governmental entity, provided that the
440 employee or officer of the governmental entity has designated at least one business telephone
441 number that is a public record as provided in Section 63G-2-301;
442 (xiii) information provided by the Public Employees' Benefit and Insurance Program,
443 created in Section 49-20-103, to a county to enable the county to calculate the amount to be
444 paid to a health care provider under Subsection 17-50-319(2)(e)(ii);
445 (xiv) information that an owner of unimproved property provides to a local entity as
446 provided in Section 11-42-205;
447 (xv) a video or audio recording of an interview, or a transcript of the video or audio
448 recording, that is conducted at a Children's Justice Center established under Section 67-5b-102;
449 (xvi) child pornography, as defined by Section 76-5b-103;
450 (xvii) before final disposition of an ethics complaint occurs, a video or audio recording
451 of the closed portion of a meeting or hearing of:
452 (A) a Senate or House Ethics Committee;
453 (B) the Independent Legislative Ethics Commission;
454 (C) the Independent Executive Branch Ethics Commission, created in Section
455 63A-14-202; or
456 (D) the Political Subdivisions Ethics Review Commission established in Section
457 63A-15-201; or
458 (xviii) confidential communication described in Section 58-60-102, 58-61-102, or
459 58-61-702.
460 [
461 purposes of designation, description, management, or disposition.
462 [
463 administrative officer of each governmental entity, or the political subdivision to work with
464 state archives in the care, maintenance, scheduling, designation, classification, disposal, and
465 preservation of records.
466 [
467 specifying the length of time each record series should be retained by a governmental entity for
468 administrative, legal, fiscal, or historical purposes and when each record series should be
469 transferred to the state archives or destroyed.
470 [
471 activities as defined by the federal Executive Office of the President, Office of Management
472 and Budget:
473 (a) conducted:
474 (i) by an institution within the state system of higher education defined in Section
475 53B-1-102; and
476 (ii) through an office responsible for sponsored projects or programs; and
477 (b) funded or otherwise supported by an external:
478 (i) person that is not created or controlled by the institution within the state system of
479 higher education; or
480 (ii) federal, state, or local governmental entity.
481 [
482 created in Section 63A-12-101.
483 [
484 [
485 Section 63G-2-501.
486 [
487 data derived from private, controlled, or protected information but that do not disclose private,
488 controlled, or protected information.
489 Section 9. Section 63G-2-107 is amended to read:
490 63G-2-107. Disclosure of records subject to federal law or other provisions of
491 state law.
492 (1) (a) The disclosure of a record to which access is governed or limited pursuant to
493 court rule, another state statute, federal statute, or federal regulation, including a record for
494 which access is governed or limited as a condition of participation in a state or federal program
495 or for receiving state or federal funds, is governed by the specific provisions of that statute,
496 rule, or regulation.
497 (b) Except as provided in Subsection (2) this chapter applies to records described in
498 Subsection (1)(a) to the extent that this chapter is not inconsistent with the statute, rule, or
499 regulation.
500 [
501 Subsection (3), this chapter does not apply to a record containing protected health information
502 as defined in 45 C.F.R., Part 164, Standards for Privacy of Individually Identifiable Health
503 Information, if the record is:
504 (a) controlled or maintained by a governmental entity; and
505 (b) governed by 45 C.F.R., Parts 160 and 164, Standards for Privacy of Individually
506 Identifiable Health Information.
507 [
508 Rights and Privacy Act, 34 C.F.R. Part 99, that is controlled or maintained by a governmental
509 entity shall be governed by the Family Educational Rights and Privacy Act, 34 C.F.R. Part 99.
510 (3) This section does not exempt any record or record series from the provisions of
511 Subsection 63G-2-601(1)
512 Section 10. Section 63G-2-201 is amended to read:
513 63G-2-201. Provisions relating to records -- Public records -- Private, controlled,
514 protected, and other restricted records -- Disclosure and nondisclosure of records --
515 Certified copy of record -- Limits on obligation to respond to record request.
516 (1) (a) Except as provided in Subsection (1)(b), a person has the right to inspect a
517 public record free of charge, and the right to take a copy of a public record during normal
518 working hours, subject to Sections 63G-2-203 and 63G-2-204.
519 (b) A right under Subsection (1)(a) does not apply with respect to a record:
520 (i) a copy of which the governmental entity has already provided to the person;
521 (ii) that is the subject of a records request that the governmental entity is not required
522 to fill under Subsection [
523 (iii) (A) that is accessible only by a computer or other electronic device owned or
524 controlled by the governmental entity;
525 (B) that is part of an electronic file that also contains a record that is private,
526 controlled, or protected; and
527 (C) that the governmental entity cannot readily segregate from the part of the electronic
528 file that contains a private, controlled, or protected record.
529 (2) A record is public unless otherwise expressly provided by statute.
530 (3) The following records are not public:
531 (a) a record that is private, controlled, or protected under Sections 63G-2-302,
532 63G-2-303, 63G-2-304, and 63G-2-305; and
533 (b) a record to which access is restricted pursuant to court rule, another state statute,
534 federal statute, or federal regulation, including records for which access is governed or
535 restricted as a condition of participation in a state or federal program or for receiving state or
536 federal funds.
537 (4) Only a record specified in Section 63G-2-302, 63G-2-303, 63G-2-304, or
538 63G-2-305 may be classified private, controlled, or protected.
539 (5) (a) A governmental entity may not disclose a record that is private, controlled, or
540 protected to any person except as provided in Subsection (5)(b), Subsection (5)(c), Section
541 63G-2-202, 63G-2-206, or 63G-2-303.
542 (b) A governmental entity may disclose a record that is private under Subsection
543 63G-2-302(2) or protected under Section 63G-2-305 to persons other than those specified in
544 Section 63G-2-202 or 63G-2-206 if the head of a governmental entity, or a designee,
545 determines that:
546 (i) there is no interest in restricting access to the record; or
547 (ii) the interests favoring access are greater than or equal to the interest favoring
548 restriction of access.
549 (c) In addition to the disclosure under Subsection (5)(b), a governmental entity may
550 disclose a record that is protected under Subsection 63G-2-305(51) if:
551 (i) the head of the governmental entity, or a designee, determines that the disclosure:
552 (A) is mutually beneficial to:
553 (I) the subject of the record;
554 (II) the governmental entity; and
555 (III) the public; and
556 (B) serves a public purpose related to:
557 (I) public safety; or
558 (II) consumer protection; and
559 (ii) the person who receives the record from the governmental entity agrees not to use
560 or allow the use of the record for advertising or solicitation purposes.
561 [
562
563
564
565
566 [
567
568 [
569 if:
570 (a) the person requesting the record has a right to inspect it;
571 (b) the person identifies the record with reasonable specificity; and
572 (c) the person pays the lawful fees.
573 [
574 (a) create a record;
575 (b) compile, format, manipulate, package, summarize, or tailor information;
576 (c) provide a record in a particular format, medium, or program not currently
577 maintained by the governmental entity;
578 (d) fulfill a person's records request if the request unreasonably duplicates prior records
579 requests from that person; or
580 (e) fill a person's records request if:
581 (i) the record requested is:
582 (A) publicly accessible online; or
583 (B) included in a public publication or product produced by the governmental entity
584 receiving the request; and
585 (ii) the governmental entity:
586 (A) specifies to the person requesting the record where the record is accessible online;
587 or
588 (B) provides the person requesting the record with the public publication or product
589 and specifies where the record can be found in the public publication or product.
590 [
591 from the person who submitted the records request, compile, format, manipulate, package,
592 summarize, or tailor information or provide a record in a format, medium, or program not
593 currently maintained by the governmental entity.
594 (b) In determining whether to fulfill a request described in Subsection [
595 governmental entity may consider whether the governmental entity is able to fulfill the request
596 without unreasonably interfering with the governmental entity's duties and responsibilities.
597 (c) A governmental entity may require a person who makes a request under Subsection
598 [
599 providing the information or record as requested.
600 [
601 Subsection [
602 record in response to, a record request if the request is submitted by or in behalf of an
603 individual who is confined in a jail or other correctional facility following the individual's
604 conviction.
605 (b) Subsection [
606 (i) the first five record requests submitted to the governmental entity by or in behalf of
607 an individual described in Subsection [
608 a record that contains a specific reference to the individual; or
609 (ii) a record request that is submitted by an attorney of an individual described in
610 Subsection [
611 [
612 pages of records to copy the records if:
613 (i) the records are contained in files that do not contain records that are exempt from
614 disclosure, or the records may be segregated to remove private, protected, or controlled
615 information from disclosure; and
616 (ii) the governmental entity provides reasonable safeguards to protect the public from
617 the potential for loss of a public record.
618 (b) If the requirements of Subsection [
619 may:
620 (i) provide the requester with the facilities for copying the requested records and
621 require that the requester make the copies; or
622 (ii) allow the requester to provide the requester's own copying facilities and personnel
623 to make the copies at the governmental entity's offices and waive the fees for copying the
624 records.
625 [
626 offers the intellectual property right for sale or license may control by ordinance or policy the
627 duplication and distribution of the material based on terms the governmental entity considers to
628 be in the public interest.
629 (b) Nothing in this chapter shall be construed to limit or impair the rights or protections
630 granted to the governmental entity under federal copyright or patent law as a result of its
631 ownership of the intellectual property right.
632 [
633 otherwise, in which a record is stored to deny, or unreasonably hinder the rights of a person to
634 inspect and receive a copy of a record under this chapter.
635 [
636 shall provide access to an electronic copy of a record in lieu of providing access to its paper
637 equivalent if:
638 (a) the person making the request requests or states a preference for an electronic copy;
639 (b) the governmental entity currently maintains the record in an electronic format that
640 is reproducible and may be provided without reformatting or conversion; and
641 (c) the electronic copy of the record:
642 (i) does not disclose other records that are exempt from disclosure; or
643 (ii) may be segregated to protect private, protected, or controlled information from
644 disclosure without the undue expenditure of public resources or funds.
645 [
646 Subsection 63G-2-302(2)(d), the governmental entity, State Records Committee, local appeals
647 board, or court shall consider and weigh:
648 (a) any personal privacy interests, including those in images, that would be affected by
649 disclosure of the records in question; and
650 (b) any public interests served by disclosure.
651 Section 11. Section 63G-2-204 is amended to read:
652 63G-2-204. Record request -- Response -- Time for responding.
653 (1) (a) A person making a request for a record shall submit to the governmental entity
654 that retains the record a written request containing:
655 (i) the person's:
656 (A) name;
657 (B) mailing address;
658 (C) email address, if the person has an email address and is willing to accept
659 communications by email relating to the person's records request; and
660 (D) daytime telephone number; and
661 (ii) a description of the record requested that identifies the record with reasonable
662 specificity.
663 (b) (i) A single record request may not be submitted to multiple governmental entities.
664 (ii) Subsection (1)(b)(i) may not be construed to prevent a person from submitting a
665 separate record request to each of multiple governmental entities, even if each of the separate
666 requests seeks access to the same record.
667 (2) (a) In response to a request for a record, a governmental entity may not provide a
668 record that it has received under Section 63G-2-206 as a shared record.
669 (b) If a governmental entity is prohibited from providing a record under Subsection
670 (2)(a), the governmental entity shall:
671 (i) deny the records request; and
672 (ii) inform the person making the request of the identity of the governmental entity
673 from which the shared record was received.
674 (3) A governmental entity may make rules in accordance with Title 63G, Chapter 3,
675 Utah Administrative Rulemaking Act, specifying where and to whom requests for access shall
676 be directed.
677 (4) After receiving a request for a record, a governmental entity shall:
678 (a) review each request that seeks an expedited response and notify, within five
679 business days after receiving the request, each requester that has not demonstrated that their
680 record request benefits the public rather than the person that their response will not be
681 expedited; and
682 (b) as soon as reasonably possible, but no later than 10 business days after receiving a
683 written request, or five business days after receiving a written request if the requester
684 demonstrates that expedited response to the record request benefits the public rather than the
685 person:
686 (i) approve the request and provide a copy of the record;
687 (ii) deny the request in accordance with the procedures and requirements of Section
688 63G-2-205;
689 (iii) notify the requester that it does not maintain the record requested and provide, if
690 known, the name and address of the governmental entity that does maintain the record; or
691 (iv) notify the requester that because of one of the extraordinary circumstances listed in
692 Subsection (6), it cannot immediately approve or deny the request, and include with the notice:
693 (A) a description of the circumstances that constitute the extraordinary circumstances;
694 and
695 (B) the date when the records will be available, consistent with the requirements of
696 Subsection (7).
697 (5) Any person who requests a record to obtain information for a story or report for
698 publication or broadcast to the general public is presumed to be acting to benefit the public
699 rather than a person.
700 (6) The following circumstances constitute "extraordinary circumstances" that allow a
701 governmental entity to delay approval or denial by an additional period of time as specified in
702 Subsection (7) if the governmental entity determines that due to the extraordinary
703 circumstances it cannot respond within the time limits provided in Subsection (4):
704 (a) another governmental entity is using the record, in which case the originating
705 governmental entity shall promptly request that the governmental entity currently in possession
706 return the record;
707 (b) another governmental entity is using the record as part of an audit, and returning the
708 record before the completion of the audit would impair the conduct of the audit;
709 (c) (i) the request is for a voluminous quantity of records or a record series containing a
710 substantial number of records; or
711 (ii) the requester seeks a substantial number of records or records series in requests
712 filed within five working days of each other;
713 (d) the governmental entity is currently processing a large number of records requests;
714 (e) the request requires the governmental entity to review a large number of records to
715 locate the records requested;
716 (f) the decision to release a record involves legal issues that require the governmental
717 entity to seek legal counsel for the analysis of statutes, rules, ordinances, regulations, or case
718 law;
719 (g) segregating information that the requester is entitled to inspect from information
720 that the requester is not entitled to inspect requires extensive editing; or
721 (h) segregating information that the requester is entitled to inspect from information
722 that the requester is not entitled to inspect requires computer programming.
723 (7) If one of the extraordinary circumstances listed in Subsection (6) precludes
724 approval or denial within the time specified in Subsection (4), the following time limits apply
725 to the extraordinary circumstances:
726 (a) for claims under Subsection (6)(a), the governmental entity currently in possession
727 of the record shall return the record to the originating entity within five business days of the
728 request for the return unless returning the record would impair the holder's work;
729 (b) for claims under Subsection (6)(b), the originating governmental entity shall notify
730 the requester when the record is available for inspection and copying;
731 (c) for claims under Subsections (6)(c), (d), and (e), the governmental entity shall:
732 (i) disclose the records that it has located which the requester is entitled to inspect;
733 (ii) provide the requester with an estimate of the amount of time it will take to finish
734 the work required to respond to the request;
735 (iii) complete the work and disclose those records that the requester is entitled to
736 inspect as soon as reasonably possible; and
737 (iv) for any person that does not establish a right to an expedited response as
738 authorized by Subsection (4), a governmental entity may choose to:
739 (A) require the person to provide for copying of the records as provided in Subsection
740 [
741 (B) treat a request for multiple records as separate record requests, and respond
742 sequentially to each request;
743 (d) for claims under Subsection (6)(f), the governmental entity shall either approve or
744 deny the request within five business days after the response time specified for the original
745 request has expired;
746 (e) for claims under Subsection (6)(g), the governmental entity shall fulfill the request
747 within 15 business days from the date of the original request; or
748 (f) for claims under Subsection (6)(h), the governmental entity shall complete its
749 programming and disclose the requested records as soon as reasonably possible.
750 (8) (a) If a request for access is submitted to an office of a governmental entity other
751 than that specified by rule in accordance with Subsection (3), the office shall promptly forward
752 the request to the appropriate office.
753 (b) If the request is forwarded promptly, the time limit for response begins when the
754 request is received by the office specified by rule.
755 (9) If the governmental entity fails to provide the requested records or issue a denial
756 within the specified time period, that failure is considered the equivalent of a determination
757 denying access to the record.
758 Section 12. Section 63G-2-307 is amended to read:
759 63G-2-307. Duty to evaluate records and make designations, classifications, and
760 annotations.
761 (1) A governmental entity shall, for each record series that the governmental entity
762 keeps, uses, or creates:
763 (a) evaluate all record series [
764 (b) designate [
765 Chapter 12, Division of Archives and Records Service; and
766 (c) report [
767 (i) the designation described in Subsection (1)(b); and
768 (ii) if the governmental entity is an executive branch agency, as defined in Section
769 63A-12-100.5, the privacy annotation.
770 (2) A governmental entity may classify a particular record, record series, or
771 information within a record at any time, but is not required to classify a particular record,
772 record series, or information until access to the record is requested.
773 (3) A governmental entity may redesignate a record series or reclassify a record or
774 record series, or information within a record at any time.
775 Section 13. Section 63G-2-601 is amended to read:
776 63G-2-601. Rights of individuals on whom data is maintained -- Classification
777 and personal identifying information statement -- Notice to provider of information.
778 (1) (a) Each governmental entity shall file with the state archivist a statement
779 explaining, for each record series collected, maintained, or used by the governmental entity, the
780 purposes for which [
781 each private or controlled record in the record series is collected, maintained, or used by that
782 governmental entity.
783 (b) Each executive branch agency, as defined in Section 63A-12-100.5, shall file with
784 the state archivist a statement explaining, for each record series collected, maintained, or used
785 by the executive branch agency, the purposes for which the personal identifying information in
786 the record series is collected, maintained, or used by the executive branch agency.
787 [
788 (i) shall, for each purpose described in Subsection (1)(a) or (b), identify the authority
789 under which the governmental entity or executive branch agency collects the records or
790 information included in the statement described in Subsection (1)(a) or (b); and
791 (ii) is a public record.
792 (2) (a) A governmental entity shall provide [
793 described in this Subsection (2) to a person that is asked to furnish information that could be
794 classified as a private or controlled record[
795 (b) An executive branch agency, as defined in Section 63A-12-100.5, shall provide the
796 notice described in this Subsection (2) to a person that is asked to furnish personal identifying
797 information.
798 (c) The notice required under Subsection (2)(a) or (b) shall:
799 (i) identify the record series that includes the information described in Subsection
800 (2)(a) or (b);
801 [
802 [
803 [
804 [
805 (A) share the information with the governmental entity; or
806 (B) receive the information from the governmental entity on a regular or contractual
807 basis.
808 [
809 (i) [
810 all locations where the governmental entity collects the information; or
811 (ii) [
812 documents or forms that are used by the governmental entity to collect the information.
813 (3) Upon request, each governmental entity shall, in relation to the information
814 described in Subsection (2)(a) or (b), as applicable, explain to a person:
815 (a) the reasons the person is asked to furnish information [
816
817 (b) the intended uses of the information [
818 (c) the consequences for refusing to provide the information [
819
820 (d) the reasons and circumstances under which the information [
821
822 (4) A governmental entity may use [
823 the governmental entity is required to disclose under Subsection (2)(a) or (b) only for those
824 purposes:
825 (a) given in the statement filed with the state archivist under Subsection (1); or
826 (b) for which another governmental entity may use the record under Section
827 63G-2-206.
828 Section 14. Section 63G-2-604 is amended to read:
829 63G-2-604. Retention and disposition of records.
830 (1) (a) Except for a governmental entity that is permitted to maintain the governmental
831 entity's own retention schedules under Part 7, Applicability to Political Subdivisions, the
832 Judiciary, and the Legislature, each governmental entity shall file with the Records
833 Management Committee created in Section 63A-12-112 a proposed schedule for the retention
834 and disposition of each type of material that is defined as a record under this chapter.
835 (b) After a retention schedule is reviewed and approved by the Records Management
836 Committee under Subsection 63A-12-113(1)(b), the governmental entity shall maintain and
837 destroy records in accordance with the retention schedule.
838 (c) If a governmental entity subject to the provisions of this section has not received an
839 approved retention schedule from the Records Management Committee for a specific type of
840 material that is [
841 schedule maintained by the state archivist shall govern the retention and destruction of that type
842 of material.
843 (2) A retention schedule that is filed with or approved by the Records Management
844 Committee under the requirements of this section is a public record.
845 Section 15. Section 67-1-17 is amended to read:
846 67-1-17. Chief privacy officer.
847 (1) As used in this section:
848 (a) "Independent entity" means the same as that term is defined in Section 63E-1-102.
849 (b) (i) "Personal data" means any information relating to an identified or identifiable
850 individual.
851 (ii) "Personal data" includes personally identifying information.
852 (c) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
853 data.
854 (ii) "Privacy practice" includes:
855 (A) a technology use related to personal data; and
856 (B) policies related to the protection, storage, sharing, and retention of personal data.
857 (d) (i) "State agency" means the following entities that are under the direct supervision
858 and control of the governor or the lieutenant governor:
859 (A) a department;
860 (B) a commission;
861 (C) a board;
862 (D) a council;
863 (E) an institution;
864 (F) an officer;
865 (G) a corporation;
866 (H) a fund;
867 (I) a division;
868 (J) an office;
869 (K) a committee;
870 (L) an authority;
871 (M) a laboratory;
872 (N) a library;
873 (O) a bureau;
874 (P) a panel;
875 (Q) another administrative unit of the state; or
876 (R) an agent of an entity described in Subsections (A) through (Q).
877 (ii) "State agency" does not include:
878 (A) the legislative branch;
879 (B) the judicial branch;
880 (C) an executive branch agency within the Office of the Attorney General, the state
881 auditor, the state treasurer, or the State Board of Education; or
882 (D) an independent entity.
883 (2) The governor [
884 [
885 (3) The [
886 (a) compile information about the privacy practices of state agencies;
887 (b) make public and maintain information about the privacy practices of state agencies
888 on the governor's website;
889 (c) provide state agencies with educational and training materials developed by the
890 Personal Privacy Oversight Commission established in Section 63C-24-201 that include the
891 information described in Subsection 63C-24-202(1)(b);
892 (d) implement a process to analyze and respond to requests from individuals for the
893 [
894 (e) identify annually which state agencies' privacy practices pose the greatest risk to
895 individual privacy and prioritize those privacy practices for review;
896 (f) review each year, in as timely a manner as possible, the privacy practices that the
897 [
898 posing the greatest risk to individuals' privacy;
899 (g) when reviewing a state agency's privacy practice under Subsection (3)(f), analyze:
900 (i) details about the privacy practice;
901 (ii) information about the type of data being used;
902 (iii) information about how the data is obtained, shared, secured, stored, and disposed;
903 (iv) information about with which persons the state agency shares the information;
904 (v) information about whether an individual can or should be able to opt out of the
905 retention and sharing of the individual's data;
906 (vi) information about how the state agency de-identifies or anonymizes data;
907 (vii) a determination about the existence of alternative technology or improved
908 practices to protect privacy; and
909 (viii) a finding of whether the state agency's current privacy practice adequately
910 protects individual privacy; and
911 (h) after completing a review described in Subsections (3)(f) and (g), determine:
912 (i) each state agency's use of personal data, including the state agency's practices
913 regarding data:
914 (A) acquisition;
915 (B) storage;
916 (C) disposal;
917 (D) protection; and
918 (E) sharing;
919 (ii) the adequacy of the state agency's practices in each of the areas described in
920 Subsection (3)(h)(i); and
921 (iii) for each of the areas described in Subsection (3)(h)(i) that the [
922
923 state agency for reform.
924 (4) The [
925 (a) quarterly report, to the Personal Privacy Oversight Commission:
926 (i) recommendations for privacy practices for the commission to review; and
927 (ii) the information described in Subsection (3)(h); and
928 (b) annually, on or before October 1, report to the Judiciary Interim Committee:
929 (i) the results of any reviews described in Subsection (3)(g), if any reviews have been
930 completed;
931 (ii) reforms, to the extent that the [
932 aware of any reforms, that the state agency made in response to any reviews described in
933 Subsection (3)(g);
934 (iii) the information described in Subsection (3)(h); and
935 (iv) recommendations for legislation based on the results of any reviews described in
936 Subsection (3)(g).
937 (5) The chief privacy officer may make rules, in accordance with Title 63G, Chapter 3,
938 Utah Administrative Rulemaking Act, that establish requirements and standards for
939 determining whether a state agency's privacy practice, in relation to the areas described in
940 Subsection (3)(h)(i), is adequate or requires reform.
941 Section 16. Section 67-3-13 is amended to read:
942 67-3-13. State privacy officer.
943 (1) As used in this section:
944 (a) "Designated government entity" means a government entity that is not a state
945 agency.
946 (b) "Independent entity" means the same as that term is defined in Section 63E-1-102.
947 (c) (i) "Government entity" means the state, a county, a municipality, a higher
948 education institution, a local district, a special service district, a school district, an independent
949 entity, or any other political subdivision of the state or an administrative subunit of any
950 political subdivision, including a law enforcement entity.
951 (ii) "Government entity" includes an agent of an entity described in Subsection
952 (1)(c)(i).
953 (d) (i) "Personal data" means any information relating to an identified or identifiable
954 individual.
955 (ii) "Personal data" includes personally identifying information.
956 (e) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
957 data.
958 (ii) "Privacy practice" includes:
959 (A) a technology use related to personal data; and
960 (B) policies related to the protection, storage, sharing, and retention of personal data.
961 (f) (i) "State agency" means the following entities that are under the direct supervision
962 and control of the governor or the lieutenant governor:
963 (A) a department;
964 (B) a commission;
965 (C) a board;
966 (D) a council;
967 (E) an institution;
968 (F) an officer;
969 (G) a corporation;
970 (H) a fund;
971 (I) a division;
972 (J) an office;
973 (K) a committee;
974 (L) an authority;
975 (M) a laboratory;
976 (N) a library;
977 (O) a bureau;
978 (P) a panel;
979 (Q) another administrative unit of the state; or
980 (R) an agent of an entity described in Subsections (A) through (Q).
981 (ii) "State agency" does not include:
982 (A) the legislative branch;
983 (B) the judicial branch;
984 (C) an executive branch agency within the Office of the Attorney General, the state
985 auditor, the state treasurer, or the State Board of Education; or
986 (D) an independent entity.
987 (2) The state privacy officer shall:
988 (a) when completing the duties of this Subsection (2), focus on the privacy practices of
989 designated government entities;
990 (b) compile information about government privacy practices of designated government
991 entities;
992 (c) make public and maintain information about government privacy practices on the
993 state auditor's website;
994 (d) provide designated government entities with educational and training materials
995 developed by the Personal Privacy Oversight Commission established in Section 63C-24-201
996 that include the information described in Subsection 63C-24-202(1)(b);
997 (e) implement a process to analyze and respond to requests from individuals for the
998 state privacy officer to review a designated government entity's privacy practice;
999 (f) identify annually which designated government entities' privacy practices pose the
1000 greatest risk to individual privacy and prioritize those privacy practices for review;
1001 (g) review each year, in as timely a manner as possible, the privacy practices that the
1002 privacy officer identifies under Subsection (2)(e) or (2)(f) as posing the greatest risk to
1003 individuals' privacy;
1004 (h) when reviewing a designated government entity's privacy practice under Subsection
1005 (2)(g), analyze:
1006 (i) details about the technology or the policy and the technology's or the policy's
1007 application;
1008 (ii) information about the type of data being used;
1009 (iii) information about how the data is obtained, stored, shared, secured, and disposed;
1010 (iv) information about with which persons the designated government entity shares the
1011 information;
1012 (v) information about whether an individual can or should be able to opt out of the
1013 retention and sharing of the individual's data;
1014 (vi) information about how the designated government entity de-identifies or
1015 anonymizes data;
1016 (vii) a determination about the existence of alternative technology or improved
1017 practices to protect privacy; and
1018 (viii) a finding of whether the designated government entity's current privacy practice
1019 adequately protects individual privacy; and
1020 (i) after completing a review described in Subsections (2)(g) and (h), determine:
1021 (i) each designated government entity's use of personal data, including the designated
1022 government entity's practices regarding data:
1023 (A) acquisition;
1024 (B) storage;
1025 (C) disposal;
1026 (D) protection; and
1027 (E) sharing;
1028 (ii) the adequacy of the designated government entity's practices in each of the areas
1029 described in Subsection (2)(i)(i); and
1030 (iii) for each of the areas described in Subsection (2)(i)(i) that the state privacy officer
1031 determines to require reform, provide recommendations for reform to the designated
1032 government entity and the legislative body charged with regulating the designated government
1033 entity.
1034 (3) (a) The legislative body charged with regulating a designated government entity
1035 that receives a recommendation described in Subsection (2)(i)(iii) shall hold a public hearing
1036 on the proposed reforms:
1037 (i) with a quorum of the legislative body present; and
1038 (ii) within 90 days after the day on which the legislative body receives the
1039 recommendation.
1040 (b) (i) The legislative body shall provide notice of the hearing described in Subsection
1041 (3)(a).
1042 (ii) Notice of the public hearing and the recommendations to be discussed shall be
1043 posted on:
1044 (A) the Utah Public Notice Website created in Section 63A-16-601 for 30 days before
1045 the day on which the legislative body will hold the public hearing; and
1046 (B) the website of the designated government entity that received a recommendation, if
1047 the designated government entity has a website, for 30 days before the day on which the
1048 legislative body will hold the public hearing.
1049 (iii) Each notice required under Subsection (3)(b)(i) shall:
1050 (A) identify the recommendations to be discussed; and
1051 (B) state the date, time, and location of the public hearing.
1052 (c) During the hearing described in Subsection (3)(a), the legislative body shall:
1053 (i) provide the public the opportunity to ask questions and obtain further information
1054 about the recommendations; and
1055 (ii) provide any interested person an opportunity to address the legislative body with
1056 concerns about the recommendations.
1057 (d) At the conclusion of the hearing, the legislative body shall determine whether the
1058 legislative body shall adopt reforms to address the recommendations and any concerns raised
1059 during the public hearing.
1060 (4) (a) Except as provided in Subsection (4)(b), if the [
1061 privacy officer described in Section 67-1-17 is not conducting reviews of the privacy practices
1062 of state agencies, the state privacy officer may review the privacy practices of a state agency in
1063 accordance with the processes described in this section.
1064 (b) Subsection (3) does not apply to a state agency.
1065 (5) The state privacy officer shall:
1066 (a) quarterly report, to the Personal Privacy Oversight Commission:
1067 (i) recommendations for privacy practices for the commission to review; and
1068 (ii) the information provided in Subsection (2)(i); and
1069 (b) annually, on or before October 1, report to the Judiciary Interim Committee:
1070 (i) the results of any reviews described in Subsection (2)(g), if any reviews have been
1071 completed;
1072 (ii) reforms, to the extent that the state privacy officer is aware of any reforms, that the
1073 designated government entity made in response to any reviews described in Subsection (2)(g);
1074 (iii) the information described in Subsection (2)(i); and
1075 (iv) recommendations for legislation based on any results of a review described in
1076 Subsection (2)(g).
1077 Section 17. Section 77-27-5 is amended to read:
1078 77-27-5. Board of Pardons and Parole authority.
1079 (1) (a) Subject to this chapter and other laws of the state, and except for a conviction
1080 for treason or impeachment, the board shall determine by majority decision when and under
1081 what conditions an offender's conviction may be pardoned or commuted.
1082 (b) The Board of Pardons and Parole shall determine by majority decision when and
1083 under what conditions an offender committed to serve a sentence at a penal or correctional
1084 facility, which is under the jurisdiction of the department, may:
1085 (i) be released upon parole;
1086 (ii) have a fine or forfeiture remitted;
1087 (iii) have the offender's criminal accounts receivable remitted in accordance with
1088 Section 77-32b-105 or 77-32b-106;
1089 (iv) have the offender's payment schedule modified in accordance with Section
1090 77-32b-103; or
1091 (v) have the offender's sentence terminated.
1092 (c) (i) The board may sit together or in panels to conduct hearings.
1093 (ii) The chair shall appoint members to the panels in any combination and in
1094 accordance with rules made in accordance with Title 63G, Chapter 3, Utah Administrative
1095 Rulemaking Act, by the board.
1096 (iii) The chair may participate on any panel and when doing so is chair of the panel.
1097 (iv) The chair of the board may designate the chair for any other panel.
1098 (d) (i) Except after a hearing before the board, or the board's appointed examiner, in an
1099 open session, the board may not:
1100 (A) remit a fine or forfeiture for an offender or the offender's criminal accounts
1101 receivable;
1102 (B) release the offender on parole; or
1103 (C) commute, pardon, or terminate an offender's sentence.
1104 (ii) An action taken under this Subsection (1) other than by a majority of the board
1105 shall be affirmed by a majority of the board.
1106 (e) A commutation or pardon may be granted only after a full hearing before the board.
1107 (2) (a) In the case of any hearings, timely prior notice of the time and location of the
1108 hearing shall be given to the offender.
1109 (b) The county or district attorney's office responsible for prosecution of the case, the
1110 sentencing court, and law enforcement officials responsible for the defendant's arrest and
1111 conviction shall be notified of any board hearings through the board's website.
1112 (c) Whenever possible, the victim or the victim's representative, if designated, shall be
1113 notified of original hearings and any hearing after that if notification is requested and current
1114 contact information has been provided to the board.
1115 (d) (i) Notice to the victim or the victim's representative shall include information
1116 provided in Section 77-27-9.5, and any related rules made by the board under that section.
1117 (ii) The information under Subsection (2)(d)(i) shall be provided in terms that are
1118 reasonable for the lay person to understand.
1119 (3) (a) A decision by the board is final and not subject for judicial review if the
1120 decision is regarding:
1121 (i) a pardon, parole, commutation, or termination of an offender's sentence;
1122 (ii) the modification of an offender's payment schedule for restitution; or
1123 (iii) the remission of an offender's criminal accounts receivable or a fine or forfeiture.
1124 (b) Deliberative processes are not public and the board is exempt from Title 52,
1125 Chapter 4, Open and Public Meetings Act, when the board is engaged in the board's
1126 deliberative process.
1127 (c) Pursuant to Subsection [
1128 the deliberative process are exempt from Title 63G, Chapter 2, Government Records Access
1129 and Management Act.
1130 (d) Unless it will interfere with a constitutional right, deliberative processes are not
1131 subject to disclosure, including discovery.
1132 (e) Nothing in this section prevents the obtaining or enforcement of a civil judgment.
1133 (4) (a) This chapter may not be construed as a denial of or limitation of the governor's
1134 power to grant respite or reprieves in all cases of convictions for offenses against the state,
1135 except treason or conviction on impeachment.
1136 (b) Notwithstanding Subsection (4)(a), respites or reprieves may not extend beyond the
1137 next session of the Board of Pardons and Parole.
1138 (c) At the next session of the board, the board:
1139 (i) shall continue or terminate the respite or reprieve; or
1140 (ii) may commute the punishment or pardon the offense as provided.
1141 (d) In the case of conviction for treason, the governor may suspend execution of the
1142 sentence until the case is reported to the Legislature at the Legislature's next session.
1143 (e) The Legislature shall pardon or commute the sentence or direct the sentence's
1144 execution.
1145 (5) (a) In determining when, where, and under what conditions an offender serving a
1146 sentence may be paroled or pardoned, have a fine or forfeiture remitted, have the offender's
1147 criminal accounts receivable remitted, or have the offender's sentence commuted or terminated,
1148 the board shall:
1149 (i) consider whether the offender has made restitution ordered by the court under
1150 Section 77-38b-205, or is prepared to pay restitution as a condition of any parole, pardon,
1151 remission of a criminal accounts receivable or a fine or forfeiture, or a commutation or
1152 termination of the offender's sentence;
1153 (ii) except as provided in Subsection (5)(b), develop and use a list of criteria for
1154 making determinations under this Subsection (5);
1155 (iii) consider information provided by the Department of Corrections regarding an
1156 offender's individual case action plan; and
1157 (iv) review an offender's status within 60 days after the day on which the board
1158 receives notice from the Department of Corrections that the offender has completed all of the
1159 offender's case action plan components that relate to activities that can be accomplished while
1160 the offender is imprisoned.
1161 (b) The board shall determine whether to remit an offender's criminal accounts
1162 receivable under this Subsection (5) in accordance with Section 77-32b-105 or 77-32b-106.
1163 (6) In determining whether parole may be terminated, the board shall consider:
1164 (a) the offense committed by the parolee; and
1165 (b) the parole period under Section 76-3-202, and in accordance with Section
1166 77-27-13.
1167 (7) For an offender placed on parole after December 31, 2018, the board shall
1168 terminate parole in accordance with the supervision length guidelines established by the Utah
1169 Sentencing Commission under Section 63M-7-404, to the extent the guidelines are consistent
1170 with the requirements of the law.
1171 Section 18. Repealer.
1172 This bill repeals:
1173 Section 63A-12-100, Title.