63A-12-104. Rulemaking authority.
| (1) |
In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act:
Terms Used In Utah Code 63A-12-104- Department: means the Department of Government Operations. See Utah Code 63A-1-103
- Executive branch agency: includes a state agency, as defined in Subsection 67-1-17(1)(d). See Utah Code 63A-12-100.5
- Executive director: means the executive director of the Department of Government Operations. See Utah Code 63A-1-103
- Personal identifying information: includes information identified as personal identifying information in accordance with the rules described in Section 63A-12-104. See Utah Code 63A-12-100.5
- Privacy annotation: means a summary, described in Subsection 63A-12-115(2) and rules made by the executive director under Subsection 63A-12-104(2), that, for each record series that an executive branch agency collects, maintains, or uses:Utah Code 63A-12-100.5
- State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
| (a) |
the state archivist may, for an executive branch agency, make rules establishing procedures for the collection, storage, designation, classification, access, mediation for records access, and management of records under this chapter and Title 63G, Chapter 2, Government Records Access and Management Act; and |
| (b) |
a department may make rules specifying at which level within the department the requirements described in this chapter will be undertaken. |
|
| (2) |
In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the executive director shall, in consultation with the state archivist and the chief privacy officer, make rules for an executive branch agency that establish:
| (a) |
requirements for making an inventory of each record series that contains personal identifying information, including:
| (i) |
information collected as part of the inventory; |
| (ii) |
regularly reviewing, updating, and maintaining the inventory; and |
| (iii) |
reporting the inventory to the chief privacy officer; |
|
| (b) |
a list of information, categories of information, or types of information expressly designated as personal identifying information, in accordance with the criteria described in Subsections 63A-12-100.5(2)(c)(i) through (iii); |
| (c) |
criteria, variables, and principles for determining whether information in a record series, not expressly designated under Subsection (2)(b), is personal identifying information; |
| (d) |
a list and description of categories or types of personal identifying information that are collected, maintained, or used by executive branch agencies; and |
| (e) |
requirements for the form, content, format, review, and update of a privacy annotation. |
|
| (3) |
The rules described in Subsection (2)(b) may incorporate, by reference, a data dictionary that a records officer appointed under Subsection 63A-12-103(2)(a) shall use in making the determination described in Subsection (2)(c). |
Repealed and Re-enacted by Chapter 173, 2023 General Session
