(a) The center shall meet the following requirements with regard to the disclosure of information to qualified researchers:

(1) The center shall develop a comprehensive program for the use, access, and disclosure of personal information that includes data use agreements that require data users to comply with this division. The purpose of the program is to ensure that only aggregated, deidentified information is publicly accessible. The program shall be designed to recognize a consumer’s right of privacy and shall include at least the privacy protection standards specified in Section 103206.2.

(2) Access to personal information shall be governed by the use, access, and disclosure program to be developed by the center pursuant to paragraph (1).

(3) The center shall establish a secure research environment for access to personal information. The environment shall include access controls sufficient to ensure that users access only the personal information specified in an approved request and that personal information is protected from unapproved use.

(4) The center shall maintain information about requests and the disposition of requests, and shall develop processes for the timely consideration and release of personal information.

(b) To meet the research and policy goals of the center, it is necessary that access to personal information by qualified researchers is controlled.

(c) Unless otherwise expressly permitted by federal or state law, the center shall not disclose personal information to anyone other than a qualified researcher, or a public health authority as defined in Section 164.501 of Title 45 of the Code of Federal Regulations.

(Added by Stats. 2021, Ch. 696, Sec. 11. (AB 172) Effective October 8, 2021.)