This document includes Senate Committee Amendments incorporated into the bill on Tue, Feb 27, 2024 at 9:38 PM by lpoole.
Representative Kera Birkeland proposes the following substitute bill:


1     PROTECTION OF STATE OFFICIAL OR EMPLOYEE PERSONAL
2     INFORMATION
3     2024 GENERAL SESSION
4     STATE OF UTAH
5     Chief Sponsor: Kera Birkeland
6     Senate Sponsor: Michael S. Kennedy
7     

8     LONG TITLE
9     General Description:
10          This bill addresses state elected official's or state employee's personal identifying
11     information.
12     Highlighted Provisions:
13          This bill:
14          ▸     defines terms;
15          ▸     permits state elected officials or certain state employees to request the removal of
16     personal identifying information from the open web by the Division of Technology
17     Services (division);
18          ▸     allows for contracting for services;
19          ▸     provides for rulemaking related to requesting the removal;
20          ▸     prohibits charging for the division's services;
21          ▸     addresses liability related to the division's services;
22          ▸     makes information a private record; and
23          ▸     makes technical and conforming amendments.
24     Money Appropriated in this Bill:
25          None

26     Other Special Clauses:
27          None
28     Utah Code Sections Affected:
29     AMENDS:
30          63A-16-104, as last amended by Laws of Utah 2023, Chapter 43
31          63G-2-302, as last amended by Laws of Utah 2023, Chapters 329, 471
32     ENACTS:
33          63A-16-109, Utah Code Annotated 1953
34     

35     Be it enacted by the Legislature of the state of Utah:
36          Section 1. Section 63A-16-104 is amended to read:
37          63A-16-104. Duties of division.
38          The division shall:
39          (1) lead state executive branch agency efforts to establish and reengineer the state's
40     information technology architecture with the goal of coordinating central and individual agency
41     information technology in a manner that:
42          (a) ensures compliance with the executive branch agency strategic plan; and
43          (b) ensures that cost-effective, efficient information and communication systems and
44     resources are being used by agencies to:
45          (i) reduce data, hardware, and software redundancy;
46          (ii) improve system interoperability and data accessibility between agencies; and
47          (iii) meet the agency's and user's business and service needs;
48          (2) coordinate an executive branch strategic plan for all agencies;
49          (3) develop and implement processes to replicate information technology best practices
50     and standards throughout the executive branch;
51          (4) once every three years:
52          (a) conduct an information technology security assessment via an independent third
53     party:
54          (i) to evaluate the adequacy of the division's and the executive branch agencies' data
55     and information technology system security standards; and
56          (ii) that will be completed over a period that does not exceed two years; and

57          (b) communicate the results of the assessment described in Subsection (4)(a) to the
58     appropriate executive branch agencies and to the president of the Senate and the speaker of the
59     House of Representatives;
60          (5) subject to Subsection 63G-6a-109.5(9):
61          (a) advise executive branch agencies on project and contract management principles as
62     they relate to information technology projects within the executive branch; and
63          (b) approve the acquisition of technology services and products by executive branch
64     agencies as required under Section 63G-6a-109.5;
65          (6) work toward building stronger partnering relationships with providers;
66          (7) develop service level agreements with executive branch departments and agencies
67     to ensure quality products and services are delivered on schedule and within budget;
68          (8) develop standards for application development including a standard methodology
69     and cost-benefit analysis that all agencies shall utilize for application development activities;
70          (9) determine and implement statewide efforts to standardize data elements;
71          (10) coordinate with executive branch agencies to provide basic website standards for
72     agencies that address common design standards and navigation standards, including:
73          (a) accessibility for individuals with disabilities in accordance with:
74          (i) the standards of 29 U.S.C. Sec. 794d; and
75          (ii) Section 63A-16-209;
76          (b) consistency with standardized government security standards;
77          (c) designing around user needs with data-driven analysis influencing management and
78     development decisions, using qualitative and quantitative data to determine user goals, needs,
79     and behaviors, and continual testing of the website, web-based form, web-based application, or
80     digital service to ensure that user needs are addressed;
81          (d) providing users of the website, web-based form, web-based application, or digital
82     service with the option for a more customized digital experience that allows users to complete
83     digital transactions in an efficient and accurate manner; and
84          (e) full functionality and usability on common mobile devices;
85          (11) consider, when making a purchase for an information system, cloud computing
86     options, including any security benefits, privacy, data retention risks, and cost savings
87     associated with cloud computing options;

88          (12) develop systems and methodologies to review, evaluate, and prioritize existing
89     information technology projects within the executive branch and report to the governor and the
90     Government Operations Interim Committee in accordance with Section 63A-16-201 on a
91     semiannual basis regarding the status of information technology projects;
92          (13) assist the Governor's Office of Planning and Budget with the development of
93     information technology budgets for agencies;
94          (14) ensure that any training or certification required of a public official or public
95     employee, as those terms are defined in Section 63G-22-102, complies with Title 63G, Chapter
96     22, State Training and Certification Requirements, if the training or certification is required:
97          (a) under this chapter;
98          (b) by the department; or
99          (c) by the division;
100          (15) provide support to executive branch agencies for the information technology
101     assets and functions that are unique to the agency and are mission critical functions of the
102     agency;
103          (16) provide in-house information technology staff support to executive branch
104     agencies;
105          (17) establish a committee composed of agency user groups to coordinate division
106     services with agency needs;
107          (18) assist executive branch agencies in complying with the requirements of any rule
108     made by the chief information officer;
109          (19) develop and implement an effective enterprise architecture governance model for
110     the executive branch;
111          (20) provide oversight of information technology projects that impact statewide
112     information technology services, assets, or functions of state government to:
113          (a) control costs;
114          (b) ensure business value to a project;
115          (c) maximize resources;
116          (d) ensure the uniform application of best practices; and
117          (e) avoid duplication of resources;
118          (21) develop a method of accountability to agencies for services provided by the

119     department through service agreements with the agencies;
120          (22) serve as a project manager for enterprise architecture, including management of
121     applications, standards, and procurement of enterprise architecture;
122          (23) coordinate the development and implementation of advanced state
123     telecommunication systems;
124          (24) provide services, including technical assistance:
125          (a) to executive branch agencies and subscribers to the services; and
126          (b) related to information technology or telecommunications;
127          (25) establish telecommunication system specifications and standards for use by:
128          (a) one or more executive branch agencies; or
129          (b) one or more entities that subscribe to the telecommunication systems in accordance
130     with Section 63A-16-302;
131          (26) coordinate state telecommunication planning, in cooperation with:
132          (a) state telecommunication users;
133          (b) executive branch agencies; and
134          (c) other subscribers to the state's telecommunication systems;
135          (27) cooperate with the federal government, other state entities, counties, and
136     municipalities in the development, implementation, and maintenance of:
137          (a) (i) governmental information technology; or
138          (ii) governmental telecommunication systems; and
139          (b) (i) as part of a cooperative organization; or
140          (ii) through means other than a cooperative organization;
141          (28) establish, operate, manage, and maintain:
142          (a) one or more state data centers; and
143          (b) one or more regional computer centers;
144          (29) design, implement, and manage all state-owned, leased, or rented land, mobile, or
145     radio telecommunication systems that are used in the delivery of services for state government
146     or the state's political subdivisions;
147          (30) in accordance with the executive branch strategic plan, implement minimum
148     standards to be used by the division for purposes of compatibility of procedures, programming
149     languages, codes, and media that facilitate the exchange of information within and among

150     telecommunication systems;
151          (31) establish standards for the information technology needs of a collection of
152     executive branch agencies or programs that share common characteristics relative to the types
153     of stakeholders the agencies or programs serve, including:
154          (a) project management;
155          (b) application development; and
156          (c) subject to Subsections (5) and 63G-6a-109.5(9), procurement;
157          (32) provide oversight of information technology standards that impact multiple
158     executive branch agency information technology services, assets, or functions to:
159          (a) control costs;
160          (b) ensure business value to a project;
161          (c) maximize resources;
162          (d) ensure the uniform application of best practices; and
163          (e) avoid duplication of resources; [and]
164          (33) establish a system of accountability to user agencies through the use of service
165     agreements[.]; and
166          (34) provide the services described in Section 63A-16-109 for a state elected official or
167     state employee who has been threatened.
168          Section 2. Section 63A-16-109 is enacted to read:
169          63A-16-109. Removal of state elected official or employee personal identifying
170     information.
171          (1) As used in this section:
172          (a) "Open web" means the Internet used for everyday activities like browsing,
173     searching, reading media, online shopping, or other website or online applications.
174          (b) Ŝ→ [(i)] ←Ŝ "Personal identifying information" means Ŝ→ [information that] the
174a     following ←Ŝ :
175          Ŝ→ [(A) identifies, or can be used to identify, an individual;
176          (B) distinguishes an individual from one or more other individuals; or
177          (C) is, or can be, logically associated with other information or data, through
178     technology or otherwise, to identify an individual or distinguish an individual from one or more
179     other individuals.
180          (ii) "Personal identifying information" includes the following:

181          ☆(A) current name, former names, nicknames, and aliases;
182          (B) date of birth;
183          (C)] (i) ←Ŝ physical home address and personal email address;
184          Ŝ→ [(D)] (ii) ←Ŝ home telephone number and personal mobile telephone number;
185          Ŝ→ [(E)] (iii) ←Ŝ driver license or other government-issued identification; or
186          Ŝ→ [(F)] (iv) ←Ŝ social security number.
187          (c) (i) "State elected official" means a person who holds an office in state government
188     that is required by law to be filled by an election, including the offices of governor, lieutenant
189     governor, attorney general, state auditor, state treasurer, and legislator.
190          (ii) "State elected official" does not include a judge.
191          (d) "State employee who has been threatened" means an individual:
192          (i) (A) who is a cabinet level official or senior staff of the governor; or
193          (B) who is an employee of the state executive branch and meets selective criteria
194     implemented by the division that are established by rule made under Subsection (4); and
195          (ii) whose life or safety has been threatened in the course of performing the individual's
196     state duties through a text, phone call, email, postal delivery, face-to-face encounter, or website
197     or online application.
198          (2) At the written request of a state elected official or a state employee who has been
199     threatened, the division shall within 30 days of receipt of the request:
200          (a) search the open web for personal identifying information that is about the state
201     elected official or state employee who has been threatened;
202          (b) when possible, remove the personal identifying information found under
203     Subsection (2)(a) from the open web; and
204          (c) conduct continuous monthly removal when possible of personal identifying
205     information from the open web.
206          (3) The chief information officer may contract, in accordance with Title 63G, Chapter
207     6a, Utah Procurement Code, with a third party to provide the services described in Subsection
208     (2).
209          (4) The chief information officer may by rule made in accordance with Title 63G,
210     Chapter 3, Utah Administrative Rulemaking Act, establish requirements related to:
211          (a) what information the state elected official or state employee who has been

212     threatened shall provide the division as part of the request described in Subsection (2);
213          (b) procedures for submitting the written request to the division; and
214          (c) establishing the selective criteria used to determine whether a state employee may
215     receive the services described in Subsection (2).
216          (5) The division may not charge a rate for the services provided under this section.
217          (6) (a) In addition to the governmental immunity granted in Title 63G, Chapter 7,
218     Governmental Immunity Act of Utah, the division is not liable for actions performed under this
219     section except as a result of intentional misconduct or gross negligence including reckless,
220     willful, or wanton misconduct.
221          (b) This section does not create a special duty of care.
222          (7) A federal, state, or local government record is not subject to this section, even if the
223     government record contains personal identifying information.
224          Section 3. Section 63G-2-302 is amended to read:
225          63G-2-302. Private records.
226          (1) The following records are private:
227          (a) records concerning an individual's eligibility for unemployment insurance benefits,
228     social services, welfare benefits, or the determination of benefit levels;
229          (b) records containing data on individuals describing medical history, diagnosis,
230     condition, treatment, evaluation, or similar medical data;
231          (c) records of publicly funded libraries that when examined alone or with other records
232     identify a patron;
233          (d) records received by or generated by or for:
234          (i) the Independent Legislative Ethics Commission, except for:
235          (A) the commission's summary data report that is required under legislative rule; and
236          (B) any other document that is classified as public under legislative rule; or
237          (ii) a Senate or House Ethics Committee in relation to the review of ethics complaints,
238     unless the record is classified as public under legislative rule;
239          (e) records received by, or generated by or for, the Independent Executive Branch
240     Ethics Commission, except as otherwise expressly provided in Title 63A, Chapter 14, Review
241     of Executive Branch Ethics Complaints;
242          (f) records received or generated for a Senate confirmation committee concerning

243     character, professional competence, or physical or mental health of an individual:
244          (i) if, prior to the meeting, the chair of the committee determines release of the records:
245          (A) reasonably could be expected to interfere with the investigation undertaken by the
246     committee; or
247          (B) would create a danger of depriving a person of a right to a fair proceeding or
248     impartial hearing; and
249          (ii) after the meeting, if the meeting was closed to the public;
250          (g) employment records concerning a current or former employee of, or applicant for
251     employment with, a governmental entity that would disclose that individual's home address,
252     home telephone number, social security number, insurance coverage, marital status, or payroll
253     deductions;
254          (h) records or parts of records under Section 63G-2-303 that a current or former
255     employee identifies as private according to the requirements of that section;
256          (i) that part of a record indicating a person's social security number or federal employer
257     identification number if provided under Section 31A-23a-104, 31A-25-202, 31A-26-202,
258     58-1-301, 58-55-302, 61-1-4, or 61-2f-203;
259          (j) that part of a voter registration record identifying a voter's:
260          (i) driver license or identification card number;
261          (ii) social security number, or last four digits of the social security number;
262          (iii) email address;
263          (iv) date of birth; or
264          (v) phone number;
265          (k) a voter registration record that is classified as a private record by the lieutenant
266     governor or a county clerk under Subsection 20A-2-101.1(5)(a), 20A-2-104(4)(h), or
267     20A-2-204(4)(b);
268          (l) a voter registration record that is withheld under Subsection 20A-2-104(7);
269          (m) a withholding request form described in Subsections 20A-2-104(7) and (8) and any
270     verification submitted in support of the form;
271          (n) a record that:
272          (i) contains information about an individual;
273          (ii) is voluntarily provided by the individual; and

274          (iii) goes into an electronic database that:
275          (A) is designated by and administered under the authority of the Chief Information
276     Officer; and
277          (B) acts as a repository of information about the individual that can be electronically
278     retrieved and used to facilitate the individual's online interaction with a state agency;
279          (o) information provided to the Commissioner of Insurance under:
280          (i) Subsection 31A-23a-115(3)(a);
281          (ii) Subsection 31A-23a-302(4); or
282          (iii) Subsection 31A-26-210(4);
283          (p) information obtained through a criminal background check under Title 11, Chapter
284     40, Criminal Background Checks by Political Subdivisions Operating Water Systems;
285          (q) information provided by an offender that is:
286          (i) required by the registration requirements of Title 77, Chapter 41, Sex and Kidnap
287     Offender Registry or Title 77, Chapter 43, Child Abuse Offender Registry; and
288          (ii) not required to be made available to the public under Subsection 77-41-110(4) or
289     77-43-108(4);
290          (r) a statement and any supporting documentation filed with the attorney general in
291     accordance with Section 34-45-107, if the federal law or action supporting the filing involves
292     homeland security;
293          (s) electronic toll collection customer account information received or collected under
294     Section 72-6-118 and customer information described in Section 17B-2a-815 received or
295     collected by a public transit district, including contact and payment information and customer
296     travel data;
297          (t) an email address provided by a military or overseas voter under Section
298     20A-16-501;
299          (u) a completed military-overseas ballot that is electronically transmitted under Title
300     20A, Chapter 16, Uniform Military and Overseas Voters Act;
301          (v) records received by or generated by or for the Political Subdivisions Ethics Review
302     Commission established in Section 63A-15-201, except for:
303          (i) the commission's summary data report that is required in Section 63A-15-202; and
304          (ii) any other document that is classified as public in accordance with Title 63A,

305     Chapter 15, Political Subdivisions Ethics Review Commission;
306          (w) a record described in Section 53G-9-604 that verifies that a parent was notified of
307     an incident or threat;
308          (x) a criminal background check or credit history report conducted in accordance with
309     Section 63A-3-201;
310          (y) a record described in Subsection 53-5a-104(7);
311          (z) on a record maintained by a county for the purpose of administering property taxes,
312     an individual's:
313          (i) email address;
314          (ii) phone number; or
315          (iii) personal financial information related to a person's payment method;
316          (aa) a record submitted by a taxpayer to establish the taxpayer's eligibility for an
317     exemption, deferral, abatement, or relief under:
318          (i) Title 59, Chapter 2, Part 11, Exemptions;
319          (ii) Title 59, Chapter 2, Part 12, Property Tax Relief;
320          (iii) Title 59, Chapter 2, Part 18, Tax Deferral and Tax Abatement; or
321          (iv) Title 59, Chapter 2, Part 19, Armed Forces Exemptions;
322          (bb) a record provided by the State Tax Commission in response to a request under
323     Subsection 59-1-403(4)(y)(iii);
324          (cc) a record of the Child Welfare Legislative Oversight Panel regarding an individual
325     child welfare case, as described in Subsection 36-33-103(3); [and]
326          (dd) a record relating to drug or alcohol testing of a state employee under Section
327     63A-17-1004[.]; and
328          (ee) a record relating to a request by a state elected official or state employee who has
329     been threatened to the Division of Technology Services to remove personal identifying
330     information from the open web under Section 63A-16-109.
331          (2) The following records are private if properly classified by a governmental entity:
332          (a) records concerning a current or former employee of, or applicant for employment
333     with a governmental entity, including performance evaluations and personal status information
334     such as race, religion, or disabilities, but not including records that are public under Subsection
335     63G-2-301(2)(b) or 63G-2-301(3)(o) or private under Subsection (1)(b);

336          (b) records describing an individual's finances, except that the following are public:
337          (i) records described in Subsection 63G-2-301(2);
338          (ii) information provided to the governmental entity for the purpose of complying with
339     a financial assurance requirement; or
340          (iii) records that must be disclosed in accordance with another statute;
341          (c) records of independent state agencies if the disclosure of those records would
342     conflict with the fiduciary obligations of the agency;
343          (d) other records containing data on individuals the disclosure of which constitutes a
344     clearly unwarranted invasion of personal privacy;
345          (e) records provided by the United States or by a government entity outside the state
346     that are given with the requirement that the records be managed as private records, if the
347     providing entity states in writing that the record would not be subject to public disclosure if
348     retained by it;
349          (f) any portion of a record in the custody of the Division of Aging and Adult Services,
350     created in Section 26B-6-102, that may disclose, or lead to the discovery of, the identity of a
351     person who made a report of alleged abuse, neglect, or exploitation of a vulnerable adult; and
352          (g) audio and video recordings created by a body-worn camera, as defined in Section
353     77-7a-103, that record sound or images inside a home or residence except for recordings that:
354          (i) depict the commission of an alleged crime;
355          (ii) record any encounter between a law enforcement officer and a person that results in
356     death or bodily injury, or includes an instance when an officer fires a weapon;
357          (iii) record any encounter that is the subject of a complaint or a legal proceeding
358     against a law enforcement officer or law enforcement agency;
359          (iv) contain an officer involved critical incident as defined in Subsection
360     76-2-408(1)(f); or
361          (v) have been requested for reclassification as a public record by a subject or
362     authorized agent of a subject featured in the recording.
363          (3) (a) As used in this Subsection (3), "medical records" means medical reports,
364     records, statements, history, diagnosis, condition, treatment, and evaluation.
365          (b) Medical records in the possession of the University of Utah Hospital, its clinics,
366     doctors, or affiliated entities are not private records or controlled records under Section

367     63G-2-304 when the records are sought:
368          (i) in connection with any legal or administrative proceeding in which the patient's
369     physical, mental, or emotional condition is an element of any claim or defense; or
370          (ii) after a patient's death, in any legal or administrative proceeding in which any party
371     relies upon the condition as an element of the claim or defense.
372          (c) Medical records are subject to production in a legal or administrative proceeding
373     according to state or federal statutes or rules of procedure and evidence as if the medical
374     records were in the possession of a nongovernmental medical care provider.
375          Section 4. Effective date.
376          This bill takes effect on May 1, 2024.