Terms Used In Utah Code 67-1-17
- Advice and consent: Under the Constitution, presidential nominations for executive and judicial posts take effect only when confirmed by the Senate, and international treaties become effective only when the Senate approves them by a two-thirds vote.
- Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
- Oversight: Committee review of the activities of a Federal agency or program.
- Process: means a writ or summons issued in the course of a judicial proceeding. See Utah Code 68-3-12.5
- State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5

(1) As used in this section:
(a) “Independent entity” means the same as that term is defined in Section 63E-1-102.
(b)(i) “Personal data” means any information relating to an identified or identifiable individual.
(ii) “Personal data” includes personally identifying information.
(c)(i) “Privacy practice” means the acquisition, use, storage, or disposal of personal data.
(ii) “Privacy practice” includes:
(A) a technology use related to personal data; and
(B) policies related to the protection, storage, sharing, and retention of personal data.
(d)(i) “State agency” means the following entities that are under the direct supervision and control of the governor or the lieutenant governor:
(Q) another administrative unit of the state; or
(R) an agent of an entity described in Subsections (A) through (Q).
(ii) “State agency” does not include:
(A) the legislative branch;
(C) an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or
(D) an independent entity.
(2) The governor shall, with the advice and consent of the Senate, appoint a chief privacy officer.
(3) The chief privacy officer shall:
(a) compile information about the privacy practices of state agencies;
(b) make public and maintain information about the privacy practices of state agencies on the governor’s website;
(c) provide state agencies with educational and training materials developed by the Personal Privacy Oversight Commission established in Section 63C-24-201 that include the information described in Subsection 63C-24-202(1)(b);
(d) implement a process to analyze and respond to requests from individuals for the chief privacy officer to review a state agency’s privacy practice;
(e) identify annually which state agencies’ privacy practices pose the greatest risk to individual privacy and prioritize those privacy practices for review;
(f) review each year, in as timely a manner as possible, the privacy practices that the chief privacy officer identifies under Subsection (3)(d) or (e) as posing the greatest risk to individuals’ privacy;
(g) when reviewing a state agency’s privacy practice under Subsection (3)(f), analyze:
(i) details about the privacy practice;
(ii) information about the type of data being used;
(iii) information about how the data is obtained, shared, secured, stored, and disposed;
(iv) information about with which persons the state agency shares the information;
(v) information about whether an individual can or should be able to opt out of the retention and sharing of the individual’s data;
(vi) information about how the state agency de-identifies or anonymizes data;
(vii) a determination about the existence of alternative technology or improved practices to protect privacy; and
(viii) a finding of whether the state agency’s current privacy practice adequately protects individual privacy; and
(h) after completing a review described in Subsections (3)(f) and (g), determine:
(i) each state agency’s use of personal data, including the state agency’s practices regarding data:
(ii) the adequacy of the state agency’s practices in each of the areas described in Subsection (3)(h)(i); and
(iii) for each of the areas described in Subsection (3)(h)(i) that the chief privacy officer determines require reform, provide recommendations to the state agency for reform.
(4) The chief privacy officer shall:
(a) quarterly report, to the Personal Privacy Oversight Commission:
(i) recommendations for privacy practices for the commission to review; and
(ii) the information described in Subsection (3)(h); and
(b) annually, on or before October 1, report to the Judiciary Interim Committee:
(i) the results of any reviews described in Subsection (3)(g), if any reviews have been completed;
(ii) reforms, to the extent that the chief privacy officer is aware of any reforms, that the state agency made in response to any reviews described in Subsection (3)(g);
(iii) the information described in Subsection (3)(h); and
(iv) recommendations for legislation based on the results of any reviews described in Subsection (3)(g).
(5) The chief privacy officer may make rules, in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, that establish requirements and standards for determining whether a state agency’s privacy practice, in relation to the areas described in Subsection (3)(h)(i), is adequate or requires reform.
Amended by Chapter 173, 2023 General Session