Current through the 2024 Fourth Special Session
Section 67-3-13 - State privacy officer

(1) As used in this section:
(a) "Designated governmental entity" means a governmental entity that is not a state agency.
(b) "Independent entity" means the same as that term is defined in Section 63E-1-102.
(c) "Governmental entity" means the same as that term is defined in Section 63G-2-103.
(d) "Personal data" means the same as that term is defined in Section 63A-19-101.
(e)(i) "Privacy practice" means the acquisition, use, storage, or disposal of personal data.
(ii) "Privacy practice" includes:
(A) a technology use related to personal data; and
(B) policies related to the protection, storage, sharing, and retention of personal data.
(f)(i) "State agency" means the following entities that are under the direct supervision and control of the governor or the lieutenant governor:
(Q) another administrative unit of the state; or
(R) an agent of an entity described in Subsections (A) through (Q).
(ii) "State agency" does not include:
(A) the legislative branch;
(C) an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or
(D) an independent entity.

(2) The state privacy officer shall:
(a) when completing the duties of this Subsection (2), focus on the privacy practices of designated governmental entities;
(b) compile information about government privacy practices of designated governmental entities;
(c) make public and maintain information about government privacy practices on the state auditor's website;
(d) provide designated governmental entities with educational and training materials developed by the Utah Privacy Commission established in Section 63C-24-201 that include the information described in Subsection 63C-24-202(1)(b);
(e) implement a process to analyze and respond to requests from individuals for the state privacy officer to review a designated governmental entity's privacy practice;
(f) identify annually which designated governmental entities' privacy practices pose the greatest risk to individual privacy and prioritize those privacy practices for review;
(g) review each year, in as timely a manner as possible, the privacy practices that the privacy officer identifies under Subsection (2)(e) or (2)(f) as posing the greatest risk to individuals' privacy;
(h) when reviewing a designated governmental entity's privacy practice under Subsection (2)(g), analyze:
(i) details about the technology or the policy and the technology's or the policy's application;
(ii) information about the type of data being used;
(iii) information about how the data is obtained, stored, shared, secured, and disposed;
(iv) information about with which persons the designated governmental entity shares the information;
(v) information about whether an individual can or should be able to opt out of the retention and sharing of the individual's data;
(vi) information about how the designated governmental entity de-identifies or anonymizes data;
(vii) a determination about the existence of alternative technology or improved practices to protect privacy; and
(viii) a finding of whether the designated governmental entity's current privacy practice adequately protects individual privacy; and
(i) after completing a review described in Subsections (2)(g) and (h), determine:
(i) each designated governmental entity's use of personal data, including the designated governmental entity's practices regarding data:
(ii) the adequacy of the designated governmental entity's practices in each of the areas described in Subsection (2)(i)(i); and
(iii) for each of the areas described in Subsection (2)(i)(i) that the state privacy officer determines to require reform, provide recommendations for reform to the designated governmental entity and the legislative body charged with regulating the designated governmental entity.

(3)(a) The legislative body charged with regulating a designated governmental entity that receives a recommendation described in Subsection (2)(i)(iii) shall hold a public hearing on the proposed reforms:
(i) with a quorum of the legislative body present; and
(ii) within 90 days after the day on which the legislative body receives the recommendation.
(b)(i) The legislative body shall provide notice of the hearing described in Subsection (3)(a).
(ii) Notice of the public hearing and the recommendations to be discussed shall be posted for the jurisdiction of the designated governmental entity, as a class A notice under Section 63G-30-102, for at least 30 days before the day on which the legislative body will hold the public hearing.
(iii) Each notice required under Subsection (3)(b)(i) shall:
(A) identify the recommendations to be discussed; and
(B) state the date, time, and location of the public hearing.
(c) During the hearing described in Subsection (3)(a), the legislative body shall:
(i) provide the public the opportunity to ask questions and obtain further information about the recommendations; and
(ii) provide any interested person an opportunity to address the legislative body with concerns about the recommendations.
(d) At the conclusion of the hearing, the legislative body shall determine whether the legislative body shall adopt reforms to address the recommendations and any concerns raised during the public hearing.

(4)(a) Except as provided in Subsection (4)(b), if the chief privacy officer described in Section 63A-19-302 is not conducting reviews of the privacy practices of state agencies, the state privacy officer may review the privacy practices of a state agency in accordance with the processes described in this section.
(b) Subsection (3) does not apply to a state agency.

(5) The state privacy officer shall:
(a) quarterly report, to the Utah Privacy Commission:
(i) recommendations for privacy practices for the commission to review; and
(ii) the information provided in Subsection (2)(i); and
(b) annually, on or before October 1, report to the Judiciary Interim Committee:
(i) the results of any reviews described in Subsection (2)(g), if any reviews have been completed;
(ii) reforms, to the extent that the state privacy officer is aware of any reforms, that the designated governmental entity made in response to any reviews described in Subsection (2)(g);
(iii) the information described in Subsection (2)(i);
(iv) reports received from designated governmental entities regarding the sale or sharing of personal data provided under Subsection 63A-19-401(2)(f)(i); and
(v) recommendations for legislation based on any results of a review described in Subsection (2)(g).

Amended by Chapter 417, 2024 General Session, § 20, eff. 5/1/2024.
Amended by Chapter 435, 2023 General Session, § 167, eff. 5/3/2023.
Amended by Chapter 173, 2023 General Session, § 16, eff. 5/3/2023.
Amended by Chapter 16, 2023 General Session, § 144, eff. 2/27/2023.
Added by Chapter 155, 2021 General Session, § 7, eff. 5/5/2021.
Technically renumbered to avoid duplication of section number renumbered and amended in HB27, Chapter 84.