1
2
3
4
5
6
7
8 LONG TITLE
9 General Description:
10 This bill addresses state elected official's or state employee's personal identifying
11 information.
12 Highlighted Provisions:
13 This bill:
14 ▸ defines terms;
15 ▸ permits state elected officials or certain state employees to request the removal of
16 personal identifying information from the open web by the Division of Technology
17 Services (division);
18 ▸ allows for contracting for services;
19 ▸ provides for rulemaking related to requesting the removal;
20 ▸ prohibits charging for the division's services;
21 ▸ addresses liability related to the division's services;
22 ▸ makes information a private record; and
23 ▸ makes technical and conforming amendments.
24 Money Appropriated in this Bill:
25 None
26 Other Special Clauses:
27 None
28 Utah Code Sections Affected:
29 AMENDS:
30 63A-16-104, as last amended by Laws of Utah 2023, Chapter 43
31 63G-2-302, as last amended by Laws of Utah 2023, Chapters 329, 471
32 ENACTS:
33 63A-16-109, Utah Code Annotated 1953
34
35 Be it enacted by the Legislature of the state of Utah:
36 Section 1. Section 63A-16-104 is amended to read:
37 63A-16-104. Duties of division.
38 The division shall:
39 (1) lead state executive branch agency efforts to establish and reengineer the state's
40 information technology architecture with the goal of coordinating central and individual agency
41 information technology in a manner that:
42 (a) ensures compliance with the executive branch agency strategic plan; and
43 (b) ensures that cost-effective, efficient information and communication systems and
44 resources are being used by agencies to:
45 (i) reduce data, hardware, and software redundancy;
46 (ii) improve system interoperability and data accessibility between agencies; and
47 (iii) meet the agency's and user's business and service needs;
48 (2) coordinate an executive branch strategic plan for all agencies;
49 (3) develop and implement processes to replicate information technology best practices
50 and standards throughout the executive branch;
51 (4) once every three years:
52 (a) conduct an information technology security assessment via an independent third
53 party:
54 (i) to evaluate the adequacy of the division's and the executive branch agencies' data
55 and information technology system security standards; and
56 (ii) that will be completed over a period that does not exceed two years; and
57 (b) communicate the results of the assessment described in Subsection (4)(a) to the
58 appropriate executive branch agencies and to the president of the Senate and the speaker of the
59 House of Representatives;
60 (5) subject to Subsection 63G-6a-109.5(9):
61 (a) advise executive branch agencies on project and contract management principles as
62 they relate to information technology projects within the executive branch; and
63 (b) approve the acquisition of technology services and products by executive branch
64 agencies as required under Section 63G-6a-109.5;
65 (6) work toward building stronger partnering relationships with providers;
66 (7) develop service level agreements with executive branch departments and agencies
67 to ensure quality products and services are delivered on schedule and within budget;
68 (8) develop standards for application development including a standard methodology
69 and cost-benefit analysis that all agencies shall utilize for application development activities;
70 (9) determine and implement statewide efforts to standardize data elements;
71 (10) coordinate with executive branch agencies to provide basic website standards for
72 agencies that address common design standards and navigation standards, including:
73 (a) accessibility for individuals with disabilities in accordance with:
74 (i) the standards of 29 U.S.C. Sec. 794d; and
75 (ii) Section 63A-16-209;
76 (b) consistency with standardized government security standards;
77 (c) designing around user needs with data-driven analysis influencing management and
78 development decisions, using qualitative and quantitative data to determine user goals, needs,
79 and behaviors, and continual testing of the website, web-based form, web-based application, or
80 digital service to ensure that user needs are addressed;
81 (d) providing users of the website, web-based form, web-based application, or digital
82 service with the option for a more customized digital experience that allows users to complete
83 digital transactions in an efficient and accurate manner; and
84 (e) full functionality and usability on common mobile devices;
85 (11) consider, when making a purchase for an information system, cloud computing
86 options, including any security benefits, privacy, data retention risks, and cost savings
87 associated with cloud computing options;
88 (12) develop systems and methodologies to review, evaluate, and prioritize existing
89 information technology projects within the executive branch and report to the governor and the
90 Government Operations Interim Committee in accordance with Section 63A-16-201 on a
91 semiannual basis regarding the status of information technology projects;
92 (13) assist the Governor's Office of Planning and Budget with the development of
93 information technology budgets for agencies;
94 (14) ensure that any training or certification required of a public official or public
95 employee, as those terms are defined in Section 63G-22-102, complies with Title 63G, Chapter
96 22, State Training and Certification Requirements, if the training or certification is required:
97 (a) under this chapter;
98 (b) by the department; or
99 (c) by the division;
100 (15) provide support to executive branch agencies for the information technology
101 assets and functions that are unique to the agency and are mission critical functions of the
102 agency;
103 (16) provide in-house information technology staff support to executive branch
104 agencies;
105 (17) establish a committee composed of agency user groups to coordinate division
106 services with agency needs;
107 (18) assist executive branch agencies in complying with the requirements of any rule
108 made by the chief information officer;
109 (19) develop and implement an effective enterprise architecture governance model for
110 the executive branch;
111 (20) provide oversight of information technology projects that impact statewide
112 information technology services, assets, or functions of state government to:
113 (a) control costs;
114 (b) ensure business value to a project;
115 (c) maximize resources;
116 (d) ensure the uniform application of best practices; and
117 (e) avoid duplication of resources;
118 (21) develop a method of accountability to agencies for services provided by the
119 department through service agreements with the agencies;
120 (22) serve as a project manager for enterprise architecture, including management of
121 applications, standards, and procurement of enterprise architecture;
122 (23) coordinate the development and implementation of advanced state
123 telecommunication systems;
124 (24) provide services, including technical assistance:
125 (a) to executive branch agencies and subscribers to the services; and
126 (b) related to information technology or telecommunications;
127 (25) establish telecommunication system specifications and standards for use by:
128 (a) one or more executive branch agencies; or
129 (b) one or more entities that subscribe to the telecommunication systems in accordance
130 with Section 63A-16-302;
131 (26) coordinate state telecommunication planning, in cooperation with:
132 (a) state telecommunication users;
133 (b) executive branch agencies; and
134 (c) other subscribers to the state's telecommunication systems;
135 (27) cooperate with the federal government, other state entities, counties, and
136 municipalities in the development, implementation, and maintenance of:
137 (a) (i) governmental information technology; or
138 (ii) governmental telecommunication systems; and
139 (b) (i) as part of a cooperative organization; or
140 (ii) through means other than a cooperative organization;
141 (28) establish, operate, manage, and maintain:
142 (a) one or more state data centers; and
143 (b) one or more regional computer centers;
144 (29) design, implement, and manage all state-owned, leased, or rented land, mobile, or
145 radio telecommunication systems that are used in the delivery of services for state government
146 or the state's political subdivisions;
147 (30) in accordance with the executive branch strategic plan, implement minimum
148 standards to be used by the division for purposes of compatibility of procedures, programming
149 languages, codes, and media that facilitate the exchange of information within and among
150 telecommunication systems;
151 (31) establish standards for the information technology needs of a collection of
152 executive branch agencies or programs that share common characteristics relative to the types
153 of stakeholders the agencies or programs serve, including:
154 (a) project management;
155 (b) application development; and
156 (c) subject to Subsections (5) and 63G-6a-109.5(9), procurement;
157 (32) provide oversight of information technology standards that impact multiple
158 executive branch agency information technology services, assets, or functions to:
159 (a) control costs;
160 (b) ensure business value to a project;
161 (c) maximize resources;
162 (d) ensure the uniform application of best practices; and
163 (e) avoid duplication of resources; [
164 (33) establish a system of accountability to user agencies through the use of service
165 agreements[
166 (34) provide the services described in Section 63A-16-109 for a state elected official or
167 state employee who has been threatened.
168 Section 2. Section 63A-16-109 is enacted to read:
169 63A-16-109. Removal of state elected official or employee personal identifying
170 information.
171 (1) As used in this section:
172 (a) "Open web" means the Internet used for everyday activities like browsing,
173 searching, reading media, online shopping, or other website or online applications.
174 (b) (i) "Personal identifying information" means information that:
175 (A) identifies, or can be used to identify, an individual;
176 (B) distinguishes an individual from one or more other individuals; or
177 (C) is, or can be, logically associated with other information or data, through
178 technology or otherwise, to identify an individual or distinguish an individual from one or more
179 other individuals.
180 (ii) "Personal identifying information" includes the following:
181 (A) current name, former names, nicknames, and aliases;
182 (B) date of birth;
183 (C) physical home address and personal email address;
184 (D) home telephone number and personal mobile telephone number;
185 (E) driver license or other government-issued identification; or
186 (F) social security number.
187 (c) (i) "State elected official" means a person who holds an office in state government
188 that is required by law to be filled by an election, including the offices of governor, lieutenant
189 governor, attorney general, state auditor, state treasurer, and legislator.
190 (ii) "State elected official" does not include a judge.
191 (d) "State employee who has been threatened" means an individual:
192 (i) (A) who is a cabinet level official or senior staff of the governor; or
193 (B) who is an employee of the state executive branch and meets selective criteria
194 implemented by the division that are established by rule made under Subsection (4); and
195 (ii) whose life or safety has been threatened in the course of performing the individual's
196 state duties through a text, phone call, email, postal delivery, face-to-face encounter, or website
197 or online application.
198 (2) At the written request of a state elected official or a state employee who has been
199 threatened, the division shall within 30 days of receipt of the request:
200 (a) search the open web for personal identifying information that is about the state
201 elected official or state employee who has been threatened;
202 (b) when possible, remove the personal identifying information found under
203 Subsection (2)(a) from the open web; and
204 (c) conduct continuous monthly removal when possible of personal identifying
205 information from the open web.
206 (3) The chief information officer may contract, in accordance with Title 63G, Chapter
207 6a, Utah Procurement Code, with a third party to provide the services described in Subsection
208 (2).
209 (4) The chief information officer may by rule made in accordance with Title 63G,
210 Chapter 3, Utah Administrative Rulemaking Act, establish requirements related to:
211 (a) what information the state elected official or state employee who has been
212 threatened shall provide the division as part of the request described in Subsection (2);
213 (b) procedures for submitting the written request to the division; and
214 (c) establishing the selective criteria used to determine whether a state employee may
215 receive the services described in Subsection (2).
216 (5) The division may not charge a rate for the services provided under this section.
217 (6) (a) In addition to the governmental immunity granted in Title 63G, Chapter 7,
218 Governmental Immunity Act of Utah, the division is not liable for actions performed under this
219 section except as a result of intentional misconduct or gross negligence including reckless,
220 willful, or wanton misconduct.
221 (b) This section does not create a special duty of care.
222 (7) A federal, state, or local government record is not subject to this section, even if the
223 government record contains personal identifying information.
224 Section 3. Section 63G-2-302 is amended to read:
225 63G-2-302. Private records.
226 (1) The following records are private:
227 (a) records concerning an individual's eligibility for unemployment insurance benefits,
228 social services, welfare benefits, or the determination of benefit levels;
229 (b) records containing data on individuals describing medical history, diagnosis,
230 condition, treatment, evaluation, or similar medical data;
231 (c) records of publicly funded libraries that when examined alone or with other records
232 identify a patron;
233 (d) records received by or generated by or for:
234 (i) the Independent Legislative Ethics Commission, except for:
235 (A) the commission's summary data report that is required under legislative rule; and
236 (B) any other document that is classified as public under legislative rule; or
237 (ii) a Senate or House Ethics Committee in relation to the review of ethics complaints,
238 unless the record is classified as public under legislative rule;
239 (e) records received by, or generated by or for, the Independent Executive Branch
240 Ethics Commission, except as otherwise expressly provided in Title 63A, Chapter 14, Review
241 of Executive Branch Ethics Complaints;
242 (f) records received or generated for a Senate confirmation committee concerning
243 character, professional competence, or physical or mental health of an individual:
244 (i) if, prior to the meeting, the chair of the committee determines release of the records:
245 (A) reasonably could be expected to interfere with the investigation undertaken by the
246 committee; or
247 (B) would create a danger of depriving a person of a right to a fair proceeding or
248 impartial hearing; and
249 (ii) after the meeting, if the meeting was closed to the public;
250 (g) employment records concerning a current or former employee of, or applicant for
251 employment with, a governmental entity that would disclose that individual's home address,
252 home telephone number, social security number, insurance coverage, marital status, or payroll
253 deductions;
254 (h) records or parts of records under Section 63G-2-303 that a current or former
255 employee identifies as private according to the requirements of that section;
256 (i) that part of a record indicating a person's social security number or federal employer
257 identification number if provided under Section 31A-23a-104, 31A-25-202, 31A-26-202,
258 58-1-301, 58-55-302, 61-1-4, or 61-2f-203;
259 (j) that part of a voter registration record identifying a voter's:
260 (i) driver license or identification card number;
261 (ii) social security number, or last four digits of the social security number;
262 (iii) email address;
263 (iv) date of birth; or
264 (v) phone number;
265 (k) a voter registration record that is classified as a private record by the lieutenant
266 governor or a county clerk under Subsection 20A-2-101.1(5)(a), 20A-2-104(4)(h), or
267 20A-2-204(4)(b);
268 (l) a voter registration record that is withheld under Subsection 20A-2-104(7);
269 (m) a withholding request form described in Subsections 20A-2-104(7) and (8) and any
270 verification submitted in support of the form;
271 (n) a record that:
272 (i) contains information about an individual;
273 (ii) is voluntarily provided by the individual; and
274 (iii) goes into an electronic database that:
275 (A) is designated by and administered under the authority of the Chief Information
276 Officer; and
277 (B) acts as a repository of information about the individual that can be electronically
278 retrieved and used to facilitate the individual's online interaction with a state agency;
279 (o) information provided to the Commissioner of Insurance under:
280 (i) Subsection 31A-23a-115(3)(a);
281 (ii) Subsection 31A-23a-302(4); or
282 (iii) Subsection 31A-26-210(4);
283 (p) information obtained through a criminal background check under Title 11, Chapter
284 40, Criminal Background Checks by Political Subdivisions Operating Water Systems;
285 (q) information provided by an offender that is:
286 (i) required by the registration requirements of Title 77, Chapter 41, Sex and Kidnap
287 Offender Registry or Title 77, Chapter 43, Child Abuse Offender Registry; and
288 (ii) not required to be made available to the public under Subsection 77-41-110(4) or
289 77-43-108(4);
290 (r) a statement and any supporting documentation filed with the attorney general in
291 accordance with Section 34-45-107, if the federal law or action supporting the filing involves
292 homeland security;
293 (s) electronic toll collection customer account information received or collected under
294 Section 72-6-118 and customer information described in Section 17B-2a-815 received or
295 collected by a public transit district, including contact and payment information and customer
296 travel data;
297 (t) an email address provided by a military or overseas voter under Section
298 20A-16-501;
299 (u) a completed military-overseas ballot that is electronically transmitted under Title
300 20A, Chapter 16, Uniform Military and Overseas Voters Act;
301 (v) records received by or generated by or for the Political Subdivisions Ethics Review
302 Commission established in Section 63A-15-201, except for:
303 (i) the commission's summary data report that is required in Section 63A-15-202; and
304 (ii) any other document that is classified as public in accordance with Title 63A,
305 Chapter 15, Political Subdivisions Ethics Review Commission;
306 (w) a record described in Section 53G-9-604 that verifies that a parent was notified of
307 an incident or threat;
308 (x) a criminal background check or credit history report conducted in accordance with
309 Section 63A-3-201;
310 (y) a record described in Subsection 53-5a-104(7);
311 (z) on a record maintained by a county for the purpose of administering property taxes,
312 an individual's:
313 (i) email address;
314 (ii) phone number; or
315 (iii) personal financial information related to a person's payment method;
316 (aa) a record submitted by a taxpayer to establish the taxpayer's eligibility for an
317 exemption, deferral, abatement, or relief under:
318 (i) Title 59, Chapter 2, Part 11, Exemptions;
319 (ii) Title 59, Chapter 2, Part 12, Property Tax Relief;
320 (iii) Title 59, Chapter 2, Part 18, Tax Deferral and Tax Abatement; or
321 (iv) Title 59, Chapter 2, Part 19, Armed Forces Exemptions;
322 (bb) a record provided by the State Tax Commission in response to a request under
323 Subsection 59-1-403(4)(y)(iii);
324 (cc) a record of the Child Welfare Legislative Oversight Panel regarding an individual
325 child welfare case, as described in Subsection 36-33-103(3); [
326 (dd) a record relating to drug or alcohol testing of a state employee under Section
327 63A-17-1004[
328 (ee) a record relating to a request by a state elected official or state employee who has
329 been threatened to the Division of Technology Services to remove personal identifying
330 information from the open web under Section 63A-16-109.
331 (2) The following records are private if properly classified by a governmental entity:
332 (a) records concerning a current or former employee of, or applicant for employment
333 with a governmental entity, including performance evaluations and personal status information
334 such as race, religion, or disabilities, but not including records that are public under Subsection
335 63G-2-301(2)(b) or 63G-2-301(3)(o) or private under Subsection (1)(b);
336 (b) records describing an individual's finances, except that the following are public:
337 (i) records described in Subsection 63G-2-301(2);
338 (ii) information provided to the governmental entity for the purpose of complying with
339 a financial assurance requirement; or
340 (iii) records that must be disclosed in accordance with another statute;
341 (c) records of independent state agencies if the disclosure of those records would
342 conflict with the fiduciary obligations of the agency;
343 (d) other records containing data on individuals the disclosure of which constitutes a
344 clearly unwarranted invasion of personal privacy;
345 (e) records provided by the United States or by a government entity outside the state
346 that are given with the requirement that the records be managed as private records, if the
347 providing entity states in writing that the record would not be subject to public disclosure if
348 retained by it;
349 (f) any portion of a record in the custody of the Division of Aging and Adult Services,
350 created in Section 26B-6-102, that may disclose, or lead to the discovery of, the identity of a
351 person who made a report of alleged abuse, neglect, or exploitation of a vulnerable adult; and
352 (g) audio and video recordings created by a body-worn camera, as defined in Section
353 77-7a-103, that record sound or images inside a home or residence except for recordings that:
354 (i) depict the commission of an alleged crime;
355 (ii) record any encounter between a law enforcement officer and a person that results in
356 death or bodily injury, or includes an instance when an officer fires a weapon;
357 (iii) record any encounter that is the subject of a complaint or a legal proceeding
358 against a law enforcement officer or law enforcement agency;
359 (iv) contain an officer involved critical incident as defined in Subsection
360 76-2-408(1)(f); or
361 (v) have been requested for reclassification as a public record by a subject or
362 authorized agent of a subject featured in the recording.
363 (3) (a) As used in this Subsection (3), "medical records" means medical reports,
364 records, statements, history, diagnosis, condition, treatment, and evaluation.
365 (b) Medical records in the possession of the University of Utah Hospital, its clinics,
366 doctors, or affiliated entities are not private records or controlled records under Section
367 63G-2-304 when the records are sought:
368 (i) in connection with any legal or administrative proceeding in which the patient's
369 physical, mental, or emotional condition is an element of any claim or defense; or
370 (ii) after a patient's death, in any legal or administrative proceeding in which any party
371 relies upon the condition as an element of the claim or defense.
372 (c) Medical records are subject to production in a legal or administrative proceeding
373 according to state or federal statutes or rules of procedure and evidence as if the medical
374 records were in the possession of a nongovernmental medical care provider.
375 Section 4. Effective date.
376 This bill takes effect on May 1, 2024.