| (1) |
As used in this section:
Terms Used In Utah Code 67-1-17- Advice and consent: Under the Constitution, presidential nominations for executive and judicial posts take effect only when confirmed by the Senate, and international treaties become effective only when the Senate approves them by a two-thirds vote.
- Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
- Oversight: Committee review of the activities of a Federal agency or program.
- Process: means a writ or summons issued in the course of a judicial proceeding. See Utah Code 68-3-12.5
- State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
| (a) |
“Independent entity” means the same as that term is defined in Section 63E-1-102. |
| (b) |
| (i) |
“Personal data” means any information relating to an identified or identifiable individual. |
| (ii) |
“Personal data” includes personally identifying information. |
|
| (c) |
| (i) |
“Privacy practice” means the acquisition, use, storage, or disposal of personal data. |
| (ii) |
“Privacy practice” includes:
| (A) |
a technology use related to personal data; and |
| (B) |
policies related to the protection, storage, sharing, and retention of personal data. |
|
|
| (d) |
| (i) |
“State agency” means the following entities that are under the direct supervision and control of the governor or the lieutenant governor:
| (Q) |
another administrative unit of the state; or |
| (R) |
an agent of an entity described in Subsections (A) through (Q). |
|
| (ii) |
“State agency” does not include:
| (A) |
the legislative branch; |
| (C) |
an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or |
| (D) |
an independent entity. |
|
|
|
| (2) |
The governor shall, with the advice and consent of the Senate, appoint a chief privacy officer. |
| (3) |
The chief privacy officer shall:
| (a) |
compile information about the privacy practices of state agencies; |
| (b) |
make public and maintain information about the privacy practices of state agencies on the governor’s website; |
| (c) |
provide state agencies with educational and training materials developed by the Personal Privacy Oversight Commission established in Section 63C-24-201 that include the information described in Subsection 63C-24-202(1)(b); |
| (d) |
implement a process to analyze and respond to requests from individuals for the chief privacy officer to review a state agency’s privacy practice; |
| (e) |
identify annually which state agencies’ privacy practices pose the greatest risk to individual privacy and prioritize those privacy practices for review; |
| (f) |
review each year, in as timely a manner as possible, the privacy practices that the chief privacy officer identifies under Subsection (3)(d) or (e) as posing the greatest risk to individuals’ privacy; |
| (g) |
when reviewing a state agency’s privacy practice under Subsection (3)(f), analyze:
| (i) |
details about the privacy practice; |
| (ii) |
information about the type of data being used; |
| (iii) |
information about how the data is obtained, shared, secured, stored, and disposed; |
| (iv) |
information about with which persons the state agency shares the information; |
| (v) |
information about whether an individual can or should be able to opt out of the retention and sharing of the individual’s data; |
| (vi) |
information about how the state agency de-identifies or anonymizes data; |
| (vii) |
a determination about the existence of alternative technology or improved practices to protect privacy; and |
| (viii) |
a finding of whether the state agency’s current privacy practice adequately protects individual privacy; and |
|
| (h) |
after completing a review described in Subsections (3)(f) and (g), determine:
| (i) |
each state agency’s use of personal data, including the state agency’s practices regarding data:
|
| (ii) |
the adequacy of the state agency’s practices in each of the areas described in Subsection (3)(h)(i); and |
| (iii) |
for each of the areas described in Subsection (3)(h)(i) that the chief privacy officer determines require reform, provide recommendations to the state agency for reform. |
|
|
| (4) |
The chief privacy officer shall:
| (a) |
quarterly report, to the Personal Privacy Oversight Commission:
| (i) |
recommendations for privacy practices for the commission to review; and |
| (ii) |
the information described in Subsection (3)(h); and |
|
| (b) |
annually, on or before October 1, report to the Judiciary Interim Committee:
| (i) |
the results of any reviews described in Subsection (3)(g), if any reviews have been completed; |
| (ii) |
reforms, to the extent that the chief privacy officer is aware of any reforms, that the state agency made in response to any reviews described in Subsection (3)(g); |
| (iii) |
the information described in Subsection (3)(h); and |
| (iv) |
recommendations for legislation based on the results of any reviews described in Subsection (3)(g). |
|
|
| (5) |
The chief privacy officer may make rules, in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, that establish requirements and standards for determining whether a state agency’s privacy practice, in relation to the areas described in Subsection (3)(h)(i), is adequate or requires reform. |
Amended by Chapter 173, 2023 General Session
