Read the full stored bill text
127
20A-11-1002
53-18-102
53H-14-501
53H-14-502
63A-16-108
63A-19-101
63A-19-202
63A-19-203
63A-19-204
63A-19-301
63A-19-302
63A-19-401
63A-19-401.1
63A-19-401.2
63A-19-401.3
63A-19-401.4
63A-19-403
63A-19-405
63A-19-406
63A-19-407
63G-2-303
63A-19-501
63A-19-502
63G-2-201
63G-2-301
63G-2-302
63G-2-601
63G-2-803
67-1a-15
67-3-1
67-3-13
2
Data Privacy Amendments
2026 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: David Shallenberger
Senate Sponsor: Kirk A. Cullimore
LONG TITLE
General Description:
This bill amends the Government Data Privacy Act and the Government Records Access
and Management Act.
Highlighted Provisions:
This bill:
defines terms;
restructures the Utah Privacy Commission (commission) to include representatives from
state agencies, cities, counties, and public education;
transfers support of the commission from the state a
uditor's office to the Utah Office of
Data Privacy (office);
authorizes the commission to establish participation requirements for commission
members;
authorizes the office to provide recommendations and guidance;
authorizes the office to partner with state institutions of higher education for research and
support functions;
requires the office and the commission to jointly study the use of passive data collection
technology by governmental entities and report findings and recommendations to the
Government Operations Interim Committee;
establishes the data privacy ombudsman as a component of the Office of Data Privacy;
establishes a data privacy complaint process;
removes duplicative provisions from the Government Records Access and Management
Act;
expands amendment and correction procedures to cover information beyond personal
data;
removes the state privacy auditor, and places the state privacy auditor's responsibility
with the state auditor's office and makes conforming changes; and
makes technical and conforming changes.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
AMENDS:
20A-11-1002
, as last amended by Laws of Utah 2010, Chapter 389
53-18-102
, as last amended by Laws of Utah 2022, Chapter 367
53H-14-501
, as renumbered and amended by Laws of Utah 2025, First Special Session,
Chapter 8
53H-14-502
, as renumbered and amended by Laws of Utah 2025, First Special Session,
Chapter 8
63A-16-108
, as enacted by Laws of Utah 2023, Chapter 201
63A-19-101
, as last amended by Laws of Utah 2025, Chapter 475
63A-19-202
, as enacted by Laws of Utah 2024, Chapter 417
63A-19-203
, as renumbered and amended by Laws of Utah 2025, Chapter 475
63A-19-204
, as renumbered and amended by Laws of Utah 2025, Chapter 475
63A-19-301
, as last amended by Laws of Utah 2025, Chapter 475
63A-19-302
, as enacted by Laws of Utah 2024, Chapter 417
63A-19-401
, as last amended by Laws of Utah 2025, Chapter 475
63A-19-401.1
, as enacted by Laws of Utah 2025, Chapter 475
63A-19-401.2
, as enacted by Laws of Utah 2025, Chapter 475
63A-19-401.3
, as enacted by Laws of Utah 2025, Chapter 475
63A-19-401.4
, as enacted by Laws of Utah 2025, Chapter 475
63A-19-403
, as enacted by Laws of Utah 2024, Chapter 417
63A-19-405
, as last amended by Laws of Utah 2025, Chapter 475
63A-19-406
, as last amended by Laws of Utah 2025, Chapter 475
63A-19-501
, as last amended by Laws of Utah 2025, Chapter 475
63G-2-201
, as last amended by Laws of Utah 2025, Chapters 299, 476
63G-2-301
, as last amended by Laws of Utah 2025, First Special Session, Chapter 9
63G-2-302
, as last amended by Laws of Utah 2025, Chapter 172
63G-2-601
, as last amended by Laws of Utah 2025, Chapter 475
63G-2-803
, as last amended by Laws of Utah 2013, Chapter 426
67-1a-15
, as last amended by Laws of Utah 2025, First Special Session, Chapter 17
67-3-1
, as last amended by Laws of Utah 2025, First Special Session, Chapter 17
67-3-13
, as last amended by Laws of Utah 2025, Chapter 475
ENACTS:
63A-19-407
, Utah Code Annotated 1953
63A-19-502
, Utah Code Annotated 1953
RENUMBERS AND AMENDS:
63A-19-408
, (Renumbered from 63G-2-303, as last amended by Laws of Utah 2025,
Chapter 208)
Be it enacted by the Legislature of the state of Utah:
Section 1. Section
20A-11-1002
is amended to read:
20A-11-1002
. Retention and public inspection of financial statements -- Written
complaint if statement is false or unlawful.
(1)
The chief election officer shall:
(a)
make each financial statement required by this chapter or
Chapter 12, Part 2, Judicial
Retention Elections
:
(i)
open to public inspection in the office of the chief election officer; and
(ii)
available for viewing on the Internet in accordance with Section
20A-11-103
;
(b)
preserve those statements for at least five years; and
(c)
provide certified copies of the financial statements in the same manner as for other
public records.
(2)
Any candidate or voter may file a written complaint with the chief election officer
alleging that a filed financial statement does not conform to law or to the truth.
(3)
(a)
As used in this Subsection
(3)
, "required report" means a report, a financial
statement, or any other type of statement or disclosure that a person is required to
make under this chapter or Chapter 12, Part 2, Judicial Retention Elections.
(b)
Before posting or otherwise publicly disclosing a required report, the lieutenant
governor shall redact from the report the following information relating to each
individual referenced in the report:
(i)
the phone number of the individual; and
(ii)
the street number and street name in the address of the individual.
(c)
The information required to be redacted under Subsection
(3)(b)
is not a record under
Title 63G, Chapter 2, Government Records Access and Management Act.
(d)
It is unlawful to publicly disclose the information required to be redacted under
Subsection
(3)(b)
.
(e)
A government officer or employee who knowingly violates Subsection
(3)(d)
is
guilty of a class B misdemeanor.
Section 2. Section
53-18-102
is amended to read:
53-18-102
. Definitions.
As used in this chapter:
(1)
"Access software provider" means a provider of software, including client or server
software, or enabling tools that do any one or more of the following:
(a)
filter, screen, allow, or disallow content;
(b)
pick, choose, analyze, or digest content; or
(c)
transmit, receive, display, forward, cache, search, subset, organize, reorganize, or
translate content.
(2)
"Correctional facility" means the same as that term is defined in Section
77-16b-102
.
(3)
"Dispatcher" means the same as that term is defined in Section
53-6-102
.
(4)
"Immediate family member" means a public safety employee's spouse, child, parent, or
grandparent who resides with the public safety employee.
(5)
"Interactive computer service" means the same as that term is defined in Subsection 47
U.S.C. 230(f).
(6)
"Law enforcement officer" or "officer":
(a)
means the same as that term is defined in Section
53-13-103
;
(b)
includes correctional officers as defined in Section
53-13-104
; and
(c)
refers only to officers who are currently employed by, retired from, or were killed in
the line of duty while in the employ of a state or local governmental law enforcement
agency.
(7)
(a)
"Personal information" means a public safety employee's or a public safety
employee's immediate family member's home address, home telephone number,
personal mobile telephone number, personal pager number, personal email address,
or personal photograph, directions to locate the public safety employee's home, or
photographs of the public safety employee's or the public safety employee's
immediate family member's home or vehicle.
(b)
"Personal information" includes a record or a part of a record that:
(i)
a public safety employee who qualifies as an at-risk government employee under
Section
63G-2-303
63A-19-408
requests to be classified as private under
Subsection
63G-2-302(1)(h)
; and
(ii)
is classified as private under
Title 63G, Chapter 2, Government Records Access
and Management Act
.
(8)
"Public safety employee" means:
(a)
a law enforcement officer;
(b)
a dispatcher; or
(c)
a current or retired employee or contractor of:
(i)
a law enforcement agency; or
(ii)
a correctional facility.
(9)
"Publicly post" or "publicly display" means to intentionally communicate or otherwise
make available to the general public.
Section 3. Section
53H-14-501
is amended to read:
53H-14-501
. General provisions -- Definitions.
As used in this part:
(1)
"Advisory group" means the institution of higher education privacy advisory group
established by the
state privacy auditor
chief privacy officer
under Section
53H-14-502
.
(2)
"Aggregate data" means data that:
(a)
are totaled and reported at the group, cohort, class, course, institution, region, or state
level, with at least 10 individuals in the level; and
(b)
do not reveal personally identifiable student data.
(3)
"Chief privacy officer" means the individual appointed under Section
63A-19-302
.
(3)
(4)
"Data breach" means an unauthorized release of or unauthorized access to
personally identifiable student data that an education entity maintains.
(4)
(5)
"Data governance plan" means an education entity's comprehensive plan for
managing education data that:
(a)
incorporates reasonable data industry best practices to maintain and protect student
data and other education-related data;
(b)
describes the role, responsibility, and authority of the board or an institution privacy
officer;
(c)
provides for necessary technical assistance, training, support, and auditing;
(d)
describes the process for sharing student data between the education entity and
another person;
(e)
describes the education entity's data expungement process, including how to respond
to requests for expungement;
(f)
describes the data breach response process; and
(g)
is published annually and available on the institution's website or the Utah System of
Higher Education's website.
(5)
(6)
"Education entity" means the Utah Board of Higher Education or an institution.
(6)
(7)
"Higher education privacy officer" means a privacy officer that the board
designates under Section
53H-14-503
.
(7)
(8)
"Minor" means a person younger than 18 years old.
(8)
(9)
(a)
"Personally identifiable student data" means student data that identifies or is
used by the holder to identify a student.
(b)
"Personally identifiable student data" includes:
(i)
a student's first and last name;
(ii)
the first and last name of a student's family member;
(iii)
a student's or a student's family's home or physical address;
(iv)
a student's email address or other online contact information;
(v)
a student's telephone number;
(vi)
a student's social security number;
(vii)
a student's biometric identifier;
(viii)
a student's health or disability data;
(ix)
a student's education entity student identification number;
(x)
a student's social media user name and password or alias;
(xi)
if associated with personally identifiable student data, the student's persistent
identifier, including:
(A)
a customer number held in a cookie; or
(B)
a processor serial number;
(xii)
a combination of a student's last name or photograph with other information that
together permits a person to contact the student online;
(xiii)
information about a student or a student's family that a person collects online
and combines with other personally identifiable student data to identify the
student; and
(xiv)
information that, alone or in combination, is linked or linkable to a specific
student that would allow a reasonable person in the school community, who does
not have personal knowledge of the relevant circumstances, to identify the student
with reasonable certainty.
(9)
"State privacy auditor" means the state privacy auditor described in Section
67-3-13
.
(10)
"Student" means an individual enrolled in an institution.
(11)
(a)
"Student data" means information about a student at the individual student level.
(b)
"Student data" does not include aggregate or de-identified data.
(12)
"Third-party contractor" means a person who:
(a)
is not an institution or an employee of an institution; and
(b)
pursuant to a contract with an education entity, collects or receives student data in
order to provide a product or service, as described in the contract, if the product or
service is not related to school photography, yearbooks, graduation announcements,
or a similar product or service.
Section 4. Section
53H-14-502
is amended to read:
53H-14-502
. State student data protection governance.
(1)
The
state privacy auditor
chief privacy officer
shall establish a higher education
privacy advisory group to advise institutions and institution boards of trustees on student
data protection.
(2)
The advisory group shall consist of:
(a)
the
state privacy auditor
chief privacy officer
;
(b)
the higher education privacy officer; and
(c)
the following members, appointed by the commissioner:
(i)
at least one Utah System of Higher Education employee; and
(ii)
at least one representative of the Utah Board of Higher Education.
(3)
The advisory group shall:
(a)
discuss and make recommendations to the board and institutions regarding:
(i)
existing and proposed:
(A)
board rules; or
(B)
board policies of the Utah Board of Higher Education or institutions; and
(ii)
training on protecting student data privacy; and
(b)
perform other tasks related to student data protection as designated by the Utah
Board of Higher Education.
(4)
The higher education privacy officer shall:
(a)
provide training and support to institution boards and employees; and
(b)
produce:
(i)
resource materials;
(ii)
model data governance plans;
(iii)
model forms for institution student data protection governance; and
(iv)
a model data collection notice.
(5)
The board shall:
(a)
(i)
create and maintain a data governance plan; and
(ii)
annually publish the data governance plan on the Utah System of Higher
Education website; and
(b)
establish standards for:
(i)
institution policies to protect student data;
(ii)
institution data governance plans; and
(iii)
a third-party contractor's use of student data.
Section 5. Section
63A-16-108
is amended to read:
63A-16-108
. Digital verifiable credential and records.
(1)
As used in this section:
(a)
"Blockchain" means a distributed ledger of ordered electronic records that:
(i)
is distributed across a network of computers;
(ii)
utilizes technology to prevent the unauthorized alteration of electronic records;
and
(iii)
is mathematically verified.
(b)
"Chief privacy officer" means the individual appointed under Section
63A-19-302
.
(b)
(c)
"Digital record schema" means a description of the data fields and
tamper-evident technologies required to create a digital verifiable credential or digital
verifiable record that can be registered on a distributed ledger technology.
(c)
(d)
"Digital signature" means a tamper-evident, immutable, electronic seal that is
equivalent in function and status to a notary seal issued by a government entity.
(d)
(e)
"Digital verifiable credential" means a digital document that:
(i)
attests to a fact;
(ii)
is issued by a government entity;
(iii)
can be mathematically verified; and
(iv)
conveys rights, privileges, and legal enforceability equivalent to the possession
of a physical credential of the same type.
(e)
(f)
"Digital verifiable record" means a digital record that:
(i)
is issued by a government entity or has been digitally signed by a government
entity;
(ii)
has a digital signature;
(iii)
can be mathematically verified; and
(iv)
conveys rights, privileges, and legal enforceability equivalent to the possession
of a physical record of the same type.
(f)
(g)
"Distributed ledger" means a decentralized database that is maintained by the
consensus of replicated, shared, and synchronized digital data.
(g)
(h)
"Government entity" means:
(i)
the state;
(ii)
a state agency; or
(iii)
a political subdivision of the state.
(h)
"Government operations privacy officer" means the government operations privacy
officer described in Section
67-1-17
.
(i)
"State archivist" means the state archivist appointed under Section
63A-12-102
.
(j)
"State privacy officer" means the state privacy officer described in Section
67-3-13
.
(k)
(j)
"State registrar" means the state registrar of vital records appointed under
Section
26B-8-102
.
(2)
The Division of Technology Services shall:
(a)
provide recommendations to government entities regarding:
(i)
appropriate digital record schemas that allow a government to issue a digital
verifiable credential or record;
(ii)
policies and procedures to protect the privacy of personal identifying information
maintained within distributed ledger programs;
(iii)
the manner and format in which an issuer may certify a document through
blockchain; and
(iv)
processes and procedures for the preservation, auditability, integrity, security,
and confidentiality of digital verifiable credentials and records;
(b)
create a pilot program for the implementation of digital verifiable credentials by
governmental entities; and
(c)
report to Public Utilities, Energy, and Technology Interim Committee by October 31,
2023, on the duties described in Subsections
(2)(a)
and
(b)
.
(3)
In performing the duties described in Subsections
(2)(a)
and
(b)
, the Division of
Technology Services shall consult with:
(a)
the state archivist;
(b)
the chief privacy officer;
(b)
the state privacy officer;
(c)
the government operations privacy officer;
(d)
(c)
the state registrar;
(e)
(d)
private industry professionals with relevant expertise;
(f)
(e)
the Utah League of Cities and Towns; and
(g)
(f)
an association of counties in the state.
Section 6. Section
63A-19-101
is amended to read:
63A-19-101
. Definitions.
As used in this chapter:
(1)
"Anonymized data" means information that has been irreversibly modified so that there
is no possibility of using the information, alone or in combination with other
information, to identify an individual.
(2)
"At-risk government employee" means the same as that term is defined in Section
63G-2-303
63A-19-408
.
(3)
"Automated decision making" means using personal data to make a decision about an
individual through automated processing, without human review or intervention.
(4)
"Biometric data" means the same as that term is defined in Section
13-61-101
.
(5)
(a)
"Chief administrative officer" means the same as that term is defined in Section
63A-12-100.5
.
(b)
"Chief administrative officer" for a municipality may be, in the municipality's
discretion, a separate and distinct role from the chief administrative officer role
described in Section
11-50-202
.
(6)
"Chief privacy officer" means the individual appointed under Section
63A-19-302
.
(7)
"Commission" means the Utah Privacy Commission established in Section
63A-19-203
.
(8)
"Contract" means an agreement between a governmental entity and a person for goods
or services that involve personal data.
(9)
(a)
"Contractor" means a person who:
(i)
has entered into a contract with a governmental entity; and
(ii)
may process personal data under the contract.
(b)
"Contractor" includes a contractor's employees, agents, or subcontractors.
(10)
"Cyber Center" means the Utah Cyber Center created in Section
63A-16-1102
.
(11)
"Data breach" means the unauthorized access, acquisition, disclosure, loss of access, or
destruction of personal data held by a governmental entity, unless the governmental
entity concludes, according to standards established by the Cyber Center, that there is a
low probability that personal data has been compromised.
(12)
"Data privacy complaint" means a complaint or concern raised by an individual
regarding:
(a)
an alleged infringement on the individual's data privacy interests described in
Subsection
63A-19-102(1)
; or
(b)
a governmental entity's data privacy practices described in Part 4, Duties of
Governmental Entities.
(13)
"De-identified data" means information from which personal data has been removed or
obscured so that the information is not readily identifiable to a specific individual, and
which may not be re-identified.
(13)
(14)
"Genetic data" means the same as that term is defined in Section
13-60-102
.
(14)
(15)
"Governing board" means the Utah Privacy Governing Board established in
Section
63A-19-201
.
(15)
(16)
"Governmental entity" means the same as that term is defined in Section
63G-2-103
.
(16)
(17)
"Government website" means a set of related web pages that is operated by or on
behalf of a governmental entity and is:
(a)
located under a single domain name or web address; and
(b)
accessible directly through the
Internet
internet
or by the use of a software program.
(17)
(18)
(a)
"High-risk processing activities" means a governmental entity's processing
of personal data that may have a significant impact on an individual's privacy
interests, based on factors that include:
(i)
the sensitivity of the personal data processed;
(ii)
the amount of personal data being processed;
(iii)
the individual's ability to consent to the processing of personal data; and
(iv)
risks of unauthorized access or use.
(b)
"High-risk processing activities" may include the use of:
(i)
facial recognition technology;
(ii)
automated decision making;
(iii)
profiling;
(iv)
genetic data
of a living person
;
(v)
biometric data; or
(vi)
specific
geolocation data.
(18)
(19)
"Independent entity" means the same as that term is defined in Section
63E-1-102
.
(19)
(20)
"Individual" means the same as that term is defined in Section
63G-2-103
.
(20)
(21)
"Legal guardian" means:
(a)
the parent of a minor; or
(b)
an individual appointed by a court to be the guardian of a minor or incapacitated
individual and given legal authority to make decisions regarding the person or
property of the minor or incapacitated individual.
(21)
(22)
"Office" means the Utah Office of Data Privacy created in Section
63A-19-301
.
(22)
(23)
"Ombudsperson" means the data privacy ombudsperson appointed under Section
63A-19-501
.
(23)
(24)
"Person" means the same as that term is defined in Section
63G-2-103
.
(24)
(25)
"Personal data" means information that is linked or can be reasonably linked to
an identified individual or an identifiable individual.
(25)
(26)
"Privacy annotation" means a summary of personal data contained in a record
series as described in Section
63A-19-401.1
.
(26)
(27)
"Privacy practice" means a governmental entity's:
(a)
organizational, technical, administrative, and physical safeguards designed to protect
an individual's personal data;
(b)
policies and procedures related to the acquisition, use, storage, sharing, retention,
and disposal of personal data; and
(c)
practice of providing notice to an individual regarding the individual's privacy rights.
(27)
(28)
"Process," "processing," or "processing activity" means any operation or set of
operations performed on personal data, including collection, recording, organization,
structuring, storage, adaptation, alteration, access, retrieval, consultation, use, disclosure
by transmission, transfer, dissemination, alignment, combination, restriction, erasure, or
destruction.
(28)
(29)
"Profiling"
means the processing of personal data to evaluate or predict an
individual's:
means any form of automated processing performed on personal data to
evaluate, analyze, or predict an identified or identifiable individual's economic situation,
health, personal preferences, interests, reliability, behavior, location, or movements.
(a)
economic situation;
(b)
health;
(c)
personal preferences;
(d)
interests;
(e)
reliability;
(f)
behavior;
(g)
location; or
(h)
movements
.
(29)
(30)
(a)
"Purchase" or "purchasing" means the exchange of monetary consideration
to obtain the personal data of an individual who is not a party to the transaction.
(b)
"Purchase" or "purchasing" does not include payment from one governmental entity
to another governmental entity for access to a record in accordance with Section
63G-2-203
.
(30)
(31)
"Record" means the same as that term is defined in Section
63G-2-103
.
(31)
(32)
"Record series" means the same as that term is defined in Section
63G-2-103
.
(32)
(33)
"Retention schedule" means a governmental entity's schedule for the retention or
disposal of records that has been approved by the Records Management Committee
pursuant to Section
63A-12-113
.
(33)
(34)
(a)
"Sell" means
an exchange
the transfer
of personal data
in exchange
for
monetary consideration by a governmental entity to a third party.
(b)
"Sell" does not include a fee:
(i)
charged by a governmental entity for access to a record pursuant to Section
63G-2-203
; or
(ii)
assessed in accordance with an approved fee schedule.
(35)
"Specific geolocation data" means the same as that term is defined in Section
13-61-101
.
(34)
(36)
(a)
"State agency" means the following entities that are under the direct
supervision and control of the governor or the lieutenant governor:
(i)
a department;
(ii)
a commission;
(iii)
a board;
(iv)
a council;
(v)
an institution;
(vi)
an officer;
(vii)
a corporation;
(viii)
a fund;
(ix)
a division;
(x)
an office;
(xi)
a committee;
(xii)
an authority;
(xiii)
a laboratory;
(xiv)
a library;
(xv)
a bureau;
(xvi)
a panel;
(xvii)
another administrative unit of the state; or
(xviii)
an agent of an entity described in Subsections
(34)(a)(i)
(36)(a)(i)
through
(xvii)
.
(b)
"State agency" does not include:
(i)
the legislative branch;
(ii)
the judicial branch;
(iii)
an executive branch agency within the Office of the Attorney General, the state
auditor, the state treasurer, or the State Board of Education; or
(iv)
an independent entity.
(35)
"State privacy auditor" means the same as that term is defined in Section
67-3-13
.
(36)
(37)
"Synthetic data" means artificial data that:
(a)
is generated from personal data; and
(b)
models the statistical properties of the original personal data.
(37)
(38)
"User" means an individual who accesses a government website.
(38)
(39)
(a)
"User data" means any information about a user that is automatically
collected by a government website when a user accesses the government website.
(b)
"User data" includes information that identifies:
(i)
a user as having requested or obtained specific materials or services from a
government website;
(ii)
Internet
internet
sites visited by a user;
(iii)
the contents of a user's data-storage device;
(iv)
any identifying code linked to a user of a government website; and
(v)
a user's:
(A)
IP or Mac address; or
(B)
session ID.
(39)
(40)
"Website tracking technology" means any tool used by a government website to:
(a)
monitor a user's behavior; or
(b)
collect user data.
Section 7. Section
63A-19-202
is amended to read:
2. Utah Privacy Governing Board and Utah Privacy Commission
63A-19-202
. Governing board duties.
(1)
The governing board shall:
(a)
recommend changes to the state data privacy policy;
(b)
by July 1 of each year, approve the data privacy agenda items for the commission
and make recommendations for additional items for the data privacy agenda;
(c)
(b)
hear issues raised by the ombudsperson regarding existing governmental entity
privacy practices;
(d)
(c)
evaluate and recommend the appropriate:
(i)
structure and placement for the office within state government; and
(ii)
authority to be granted to the office, including any authority to make rules; and
(e)
(d)
recommend funding mechanisms and strategies for governmental entities to
enable compliance with data privacy responsibilities, including:
(i)
appropriations;
(ii)
rates;
(iii)
grants; and
(iv)
internal service funds.
(2)
In fulfilling the duties under this part, the governing board may receive and request
input from:
(a)
governmental entities;
(b)
elected officials;
(c)
subject matter experts; and
(d)
other stakeholders.
Section 8. Section
63A-19-203
is amended to read:
63A-19-203
. Utah Privacy Commission created.
(1)
There is created the Utah Privacy Commission.
(2)
(a)
The commission shall be composed of
12
no more than 14
members.
(b)
The governor shall appoint:
(i)
one member who, at the time of appointment provides internet technology services
for a county;
(ii)
one member with experience in cybersecurity;
(iii)
one member representing private industry in technology;
(iv)
one member representing law enforcement;
and
(v)
one member with experience in data privacy law
.
; and
(vi)
one member who is a private citizen representing the public.
(c)
The State Board of Education shall appoint one member representing public
education entities and the privacy interests of students.
(c)
(d)
The state auditor shall appoint:
(i)
one member with experience in internet technology services;
(ii)
one member with experience in cybersecurity;
(iii)
one member representing private industry in technology;
(iv)
one member with experience in data privacy law; and
(v)
one member representing municipalities
who, at the time of appointment, has
expertise in civil liberties law, the ethical use of data, or the impacts of the use of
a technology on different populations.
.
(d)
(e)
The attorney general shall appoint:
(i)
one member with experience as a prosecutor or appellate attorney and with
experience in data privacy or civil liberties law; and
(ii)
one member representing law enforcement.
(3)
(a)
Except as provided in Subsection
(3)(b)
, a member is appointed for a term of four
years.
(b)
The initial appointments of members described in Subsections
(2)(b)(i) through
(b)(iii), (2)(c)(iv) through (c)(v), and (2)(d)(ii)
(2)(b)(i) through
(iii)
, (2)(d)(iv) and
(v), and (2)(e)(ii)
shall be for two-year terms.
(c)
When the term of a current member expires, a member shall be reappointed or a new
member shall be appointed in accordance with Subsection
(2)
.
(4)
(a)
When a vacancy occurs in the membership for any reason, a replacement shall be
appointed in accordance with Subsection
(2)
for the unexpired term.
(b)
A member whose term has expired may continue to serve until a replacement is
appointed.
(5)
The commission shall select officers from the commission's members as the
commission finds necessary.
(6)
(a)
A majority of the members of the commission is a quorum.
(b)
The action of a majority of a quorum constitutes an action of the commission.
(7)
A member may not receive compensation or benefits for the member's service but may
receive per diem and travel expenses incurred as a member of the commission at the
rates established by the Division of Finance under:
(a)
Sections
63A-3-106
and
63A-3-107
; and
(b)
rules made by the Division of Finance in accordance with Sections
63A-3-106
and
63A-3-107
.
(8)
A member shall refrain from participating in a review of:
(a)
an entity of which the member is an employee; or
(b)
a technology in which the member has a financial interest.
(9)
The
state auditor
office
shall provide staff and support to the commission.
(10)
The commission shall meet up to 12 times a year to accomplish the duties described in
Section
63A-19-204
.
(11)
(a)
The commission shall, in accordance with Title 63G, Chapter 3, Utah
Administrative Rulemaking Act, make rules establishing participation requirements
for commission members.
(b)
A commission member who fails to meet the participation requirements established
under Subsection
(11)(a)
may be removed by the official who appointed the member
in accordance with Subsection
(2)
.
Section 9. Section
63A-19-204
is amended to read:
63A-19-204
. Commission duties.
(1)
The commission shall:
(a)
annually develop
, approve, and make public by May 1 of each year
a data privacy
agenda that identifies for the upcoming year:
(i)
governmental entity privacy practices to be reviewed by the commission;
(ii)
educational and training materials that the commission intends to develop;
(iii)
any other items related to data privacy the commission intends to study; and
(iv)
best practices and guiding principles that the commission plans to develop
related to government privacy practices;
(b)
develop guiding standards and best practices with respect to government privacy
practices;
(c)
develop educational and training materials that include information about:
(i)
the privacy implications and civil liberties concerns of the privacy practices of
government entities;
(ii)
best practices for government collection and retention policies regarding personal
data; and
(iii)
best practices for government personal data security standards;
and
(d)
review the privacy implications and civil liberties concerns of government privacy
practices
; and
.
(e)
provide the data privacy agenda to the governing board by May 1 of each year.
(2)
The commission may, in addition to the approved items in the data privacy agenda
prepared under Subsection
(1)(a)
:
(a)
review specific government privacy practices as referred to the commission by the
chief privacy officer described in Section
63A-19-302
or the state
privacy
auditor
described in Section
67-3-13
;
(b)
review a privacy practice not accounted for in the data privacy agenda only upon
referral by the chief privacy officer or the state
privacy
auditor in accordance with
this section;
(c)
review and provide recommendations regarding consent mechanisms used by
governmental entities to collect personal
information
data
;
(d)
develop and provide recommendations to the Legislature on how to balance
transparency and public access of public records against an individual's reasonable
expectations of privacy and data protection;
and
(e)
develop recommendations for legislation regarding the guiding standards and best
practices the commission has developed in accordance with Subsection
(1)(a)
.
;
(f)
consult with relevant public and private entities in the performance of the
commission's duties listed in Subsection
(1)
; and
(g)
study and recommend which information contained in the privacy program report
described in Section
63A-19-401.3
should be a public record.
(3)
At least annually, on or before October 1, the commission shall report to the
Judiciary
Government Operations
Interim Committee:
(a)
the results of any reviews the commission has conducted;
(b)
the guiding standards and best practices described in Subsection
(1)(b)
; and
(c)
any recommendations for legislation the commission has developed in accordance
with Subsection
(2)(e)
(2)(d)
.
(4)
(a)
Upon request by the governing board, a member of the commission shall give an
update on the work of the commission at any governing board meeting.
(b)
The governing board may at any time instruct the commission to review and report
upon any privacy developments related to governmental privacy within the scope of
the commission's duties.
(4)
At least annually, on or before June 1, the commission shall report to the governing
board regarding:
(a)
governmental entity privacy practices the commission plans to review in the next
year;
(b)
any educational and training programs the commission intends to develop in relation
to government data privacy best practices;
(c)
results of the commission's data privacy practice reviews from the previous year; and
(d)
recommendations from the commission related to data privacy legislation,
standards, or best practices.
(5)
The data privacy agenda detailed in Subsection (1)(a) does not add to or expand the
authority of the commission.
Section 10. Section
63A-19-301
is amended to read:
63A-19-301
. Utah Office of Data Privacy.
(1)
There is created within the department the Utah Office of Data Privacy.
(2)
The office shall coordinate with the governing board and the commission to perform the
duties in this section.
(3)
The office shall:
(a)
create and maintain a data privacy framework designed to:
(i)
assist governmental entities to identify and implement effective and efficient data
privacy practices, tools, and systems that:
(A)
protect the privacy of personal data;
(B)
comply with data privacy laws and regulations specific to the governmental
entity, program, or data;
(C)
empower individuals to protect and control their personal data; and
(D)
enable information use and sharing among governmental entities, as allowed
by law; and
(ii)
account for differences in a governmental entity's resources, capabilities,
populations served, data types, and maturity level regarding data privacy practices;
(b)
review statutory provisions related to governmental data privacy and records
management to:
(i)
identify conflicts and gaps in data privacy law; and
(ii)
standardize language;
(c)
work with governmental entities to study, research, and identify:
(i)
additional data privacy practices that are feasible for governmental entities;
(ii)
potential remedies and accountability mechanisms for non-compliance of a
governmental entity;
(iii)
ways to expand an individual's control over the individual's personal data
processed by a governmental entity;
(iv)
resources needed to develop, implement, and improve data privacy programs; and
(v)
best practices regarding:
(A)
automated decision making;
(B)
the creation and use of synthetic, de-identified, or anonymized data; and
(C)
the use of website tracking technology;
(d)
monitor high-risk data processing activities within governmental entities;
(e)
coordinate with the Cyber Center to develop an incident response plan for data
breaches affecting governmental entities;
(f)
coordinate with the state archivist to:
(i)
incorporate data privacy practices into records management; and
(ii)
include data privacy content in the trainings described in Section
63A-12-110
; and
(g)
develop, maintain, and make available data privacy training, education, and
awareness materials that meet the requirements of Section
63A-19-401.2
.
(g)
create a data privacy training program for employees of governmental entities as
described in Section
63A-19-401.3
.
(4)
The office may:
(a)
provide expertise and assistance to governmental entities for high-risk data
processing activities;
(b)
create assessment tools and resources that a governmental entity may use to:
(i)
review, evaluate, and mature the governmental entity's privacy program, practices,
and processing activities; and
(ii)
evaluate the privacy impact, privacy risk, and privacy compliance of the
governmental entity's privacy program, practices, and processing activities;
(c)
charge a governmental entity a service fee, established in accordance with Section
63J-1-504
, for providing services that enable a governmental entity to perform the
governmental entity's duties under Section
63A-19-401
, if the governmental entity
requests the office provide those services;
(d)
bill a state agency, as provided in Section
63J-1-410
, for any services the office
provides to a state agency;
(e)
provide funding to assist a governmental entity in complying with:
(i)
this chapter; and
(ii)
Title 63G, Chapter 2, Part 3, Classification, and Title 63G, Chapter 2, Part 6,
Collection of Information and Accuracy of Records;
(f)
advise the governing board about widespread or systemic data privacy matters or
alleged violations;
(g)
work with the Division of Purchasing and General Services to develop cooperative
contracts that a governmental entity may choose to use to support the governmental
entity's data privacy compliance;
(h)
make available to governmental entities privacy compliance assessment tools that
may be used by governmental entities to assess the governmental entity's reasonable
compliance of processing activities described in this chapter;
(i)
upon request of a governmental entity or on the office's own initiative, issue guidance
or recommendations regarding:
(i)
compliance with this chapter; and
(ii)
best practices for data privacy and data governance;
(j)
contract with an institute, component, or department at a state institution of higher
education to support the office in:
(i)
conducting research and prepare reports regarding data privacy and data
governance;
(ii)
providing support to the commission;
(iii)
holding data governance summits and educational programs;
(iv)
developing systems and tools to support data privacy and data governance; and
(v)
providing other services in support of the office's duties under this chapter;
(k)
create data governance models that may be used by governmental entities;
and
(f)
(l)
make rules in accordance with Title 63G, Chapter 3, Utah Administrative
Rulemaking Act, to administer this
part
chapter
.
(5)
(a)
Upon application by a governmental entity, the office may
:
(i)
grant, for a limited period of time, a governmental entity with an:
(A)
(i)
extension of time to comply with certain requirements of Part 4, Duties of
Governmental Entities; or
(B)
(ii)
exemption from complying with certain requirements of Part 4, Duties of
Governmental Entities
; or
.
(ii)
allow a governmental entity to establish a data privacy training program for the
governmental entity's employees to complete, instead of the data privacy training
program established by the office under Section
63A-19-401.3
, if the
governmental entity's data privacy training program contains the same information
contained in the office's data privacy training program.
(b)
On the office's own initiative, the office may issue a one-time extension to a category
or group of governmental entities to comply with certain requirements of Part 4,
Duties of Governmental Entities.
(c)
An extension issued under Subsection
(5)(b)
:
(i)
shall:
(A)
identify the specific duty for which the extension is granted and the section
that imposes the duty; and
(B)
specify the category or group of governmental entities to which the extension
applies; and
(ii)
may not be longer than 12 months.
(d)
An application for an extension or exemption submitted under Subsection
(5)(a)(i)
(5)(a)
shall:
(i)
identify the specific duty from which the governmental entity seeks an extension
or exemption and the section that imposes that duty; and
(ii)
include a justification for the requested extension or exemption.
(c)
(e)
If the office grants an exemption under Subsection
(5)(a)
, the office shall report
at the next board meeting:
(i)
the name of the governmental entity that received an exemption; and
(ii)
the nature of the exemption.
(d)
The office shall notify the state privacy auditor of any approved extensions or
exemptions.
Section 11. Section
63A-19-302
is amended to read:
63A-19-302
. Chief privacy officer -- Appointment -- Powers -- Reporting.
(1)
The governor shall, with the advice and consent of the Senate, appoint a chief privacy
officer.
(2)
The chief privacy officer is the director of the office.
(3)
The chief privacy officer:
(a)
shall exercise all powers given to and perform all duties imposed on the office;
(b)
has administrative authority over the office;
(c)
may make changes in office personnel and service functions under the chief privacy
officer's administrative authority;
(d)
may authorize a designee to assist with the chief privacy officer's responsibilities; and
(e)
shall report annually, on or before
October 1
June 30
, to the
Judiciary Interim
Committee
Government Operations Interim Committee
regarding:
(i)
recommendations for legislation to address data privacy concerns; and
(ii)
reports received from state agencies regarding the sale or sharing of personal data
provided under
Subsection 63A-19-401(2)(f)(ii).
Section
63A-19-401.3
.
Section 12. Section
63A-19-401
is amended to read:
63A-19-401
. Duties of governmental entities.
(1)
(a)
Except as provided in Subsections
(1)(b)
and
(c)
, a governmental entity shall
comply with the requirements of this part.
(b)
If any provision in this part conflicts with any other provisions of law, the more
specific or more restrictive law shall control
If a more specific or more restrictive law
governs the treatment of a type of personal data, the more specific or more restrictive
law shall control
.
(c)
A governmental entity that is exempt under Section
63G-2-702
,
63G-2-703
, or
63G-2-704
from complying with the requirements in Title 63G, Chapter 2, Part 6,
Collection of Information and Accuracy of Records, is exempt from complying with
the requirements in this chapter.
(2)
(a)
A governmental entity shall:
(i)
initiate a data privacy program before December 31, 2025;
(ii)
obtain and process only the minimum amount of personal data reasonably
necessary to efficiently achieve a specified purpose;
(iii)
meet the requirements of this part for all new processing activities implemented
by a governmental entity; and
(iv)
for any processing activity implemented before May 7, 2025, as soon as is
reasonably practicable, but no later than July 1, 2027:
(A)
identify any non-compliant processing activity;
(B)
document the non-compliant processing activity;
(C)
(B)
prepare a strategy for bringing the non-compliant processing activity into
compliance with this part; and
(D)
(C)
include the information described in Subsections
(2)(a)(iv)(A)
through
(C)
and
(B)
in the privacy program report described in Section
63A-19-401.3
.
(b)
A governmental entity that fulfills the reporting requirement under Section
63A-19-401.3
satisfies the requirement to initiate a privacy program under
Subsection
(2)(a)(i)
.
(3)
A governmental entity may not:
(a)
establish, maintain, or use undisclosed or covert surveillance of individuals unless
permitted by law;
(b)
sell personal data unless expressly required by law; and
(c)
share personal data unless permitted by law.
Section 13. Section
63A-19-401.1
is amended to read:
63A-19-401.1
. Privacy annotations.
(1)
(a)
Beginning July 1, 2027, a state agency shall make a complete and accurate
privacy annotation for each record series containing personal data that the state
agency collects, maintains, or uses.
(b)
After July 1, 2027, a state agency that has not
created
completed
a privacy
annotation for a record series containing personal data, may not collect, maintain, or
use the personal data
in the record series
.
(2)
If a state agency determines that a record series:
(a)
does not contain personal data, the privacy annotation shall be limited to a statement
indicating that the record series does not include personal data; or
(b)
contains personal data, the privacy annotation shall include:
(i)
an inventory of all types of personal data included in the record series;
(ii)
a description of all purposes for which the state agency collects, keeps, or uses the
personal data;
(iii)
a citation to the state agency's legal authority for collecting, keeping, or using the
personal data; and
(iv)
any other information required by the rules created by the office under Section
63A-19-301
.
Section 14. Section
63A-19-401.2
is amended to read:
63A-19-401.2
. Training requirements.
(1)
The data privacy training program created by the office under Section
63A-4-301
shall
be:
(a)
designed to provide instruction regarding:
(i)
data privacy best practices, obligations, and responsibilities; and
(ii)
the relationship between privacy, records management, and security; and
(b)
required for all employees of a governmental entity who:
(i)
have access to personal data as part of the employee's work duties; or
(ii)
supervise an employee who has access to personal data.
(2)
The training described in Subsection (1) shall be completed:
(a)
within 30 days after an employee of a governmental entity begins employment; and
(b)
at least once in each calendar year.
(3)
A governmental entity is responsible for:
(a)
ensuring that each employee of the governmental entity completes the data privacy
training as required by Subsection (2); and
(b)
reporting the governmental entity's compliance with the training requirements as
described in Section
63A-19-401.3
.
(1)
An employee of a governmental entity shall complete data privacy training that includes
instruction on:
(a)
data privacy best practices, obligations, and responsibilities;
(b)
the relationship between privacy, records management, and security;
(c)
the privacy interests and requirements of this chapter; and
(d)
as applicable, the privacy interests and requirements of Title 63G, Chapter 2,
Government Records Access and Management Act.
(2)
An employee of a governmental entity shall complete the data privacy training
described in Subsection
(1)
if the employee:
(a)
has access to personal data as part of the employee's assigned duties; or
(b)
supervises an employee who has access to personal data.
(3)
The training described in Subsection
(1)
shall be completed:
(a)
within 30 days after the day on which the employee begins employment with a
governmental entity; and
(b)
at least once in each calendar year.
(4)
A governmental entity shall:
(a)
ensure that each employee described in Subsection
(2)
completes a data privacy
training that meets the requirements described in Subsection
(1)
; and
(b)
report the percentage of the governmental entity's employees required to complete
the data privacy training under this section that have completed the training as part of
the privacy program report described in Section
63A-19-401.3
.
(5)
A governmental entity may use the data privacy training created by the office to satisfy
the requirements of this section, or may provide separate data privacy training that meets
the requirements of this section.
Section 15. Section
63A-19-401.3
is amended to read:
63A-19-401.3
. Privacy program report.
(1)
On or before December 31 of each year, the chief administrative officer of each
governmental entity shall prepare a report that includes:
(a)
whether
how
the governmental entity has initiated
a
the governmental entity's
privacy program;
(b)
a description of:
(i)
any privacy practices implemented by the governmental entity
the governmental
entity's privacy program including privacy practices
;
(ii)
strategies for improving
and maturing
the governmental entity's privacy program
and practices; and
(iii)
the governmental entity's high-risk processing activities;
(c)
a list of the types of personal data the governmental entity currently shares, sells, or
purchases;
(d)
the legal basis for sharing, selling, or purchasing personal data;
(e)
the category of individuals or entities:
(i)
with whom the governmental entity shares personal data;
(ii)
to whom the governmental entity sells personal data; or
(iii)
from whom the governmental entity purchases personal data;
(f)
the percentage of the governmental entity's employees that have fulfilled the data
privacy training requirements described in Section
63A-19-401.2
the percentage of
the governmental entity's employees required to complete the data privacy training
under Section
63A-19-401.2
that have completed the training
; and
(g)
a description of any non-compliant processing activities identified under Subsection
63A-19-401(2)(a)(iv)
and the governmental entity's strategy for bringing those
activities into compliance with this part.
(2)
The report described in Subsection
(1)
shall be
:
(a)
shall be
considered a protected record under Section
63G-2-305
;
and
(b)
may be made available at the request of the office.
shared with the office, in
accordance with Section
63G-2-206
, on or before December 31 each year; and
(c)
retained by the governmental entity for no less than five years.
Section 16. Section
63A-19-401.4
is amended to read:
63A-19-401.4
. Requirements for contractors.
(1)
Except as provided in Subsection
(4)
, a contractor that processes or has access to
personal data as a part of the contractor's duties under a contract with a governmental
entity is subject to the requirements of this chapter to the same extent as the
governmental entity for any personal data the contractor processes or has access to under
a contract with the governmental entity.
(2)
A contract entered into or renewed between a contractor and a governmental entity after
July 1,
2026
2027
, shall contain specific language that requires a contractor to comply
with the requirements of this chapter with regard to the personal data processed or
accessed by the contractor as a part of the contractor's duties under a contract to the
same extent as required of the governmental entity.
(3)
The requirements under this section are in addition to and do not replace any other
requirements or liability that may be imposed for the contractor's violation of other laws
protecting privacy rights or government records.
(4)
A contractor is not subject to the data privacy training program requirements described
in Section
63A-19-401.2
.
Section 17. Section
63A-19-403
is amended to read:
63A-19-403
. Procedure to request amendment or correction of personal data.
(1)
A governmental entity that collects personal data shall provide a procedure by which an
individual or legal guardian of an individual may request an amendment or correction of
:
(a)
personal data that has been furnished to the governmental entity
.
; and
(b)
information concerning an identifiable individual contained in a record maintained
by the governmental entity, as allowed by law.
(2)
The procedure by which an individual or legal guardian of an individual may request an
amendment or correction shall comply with all applicable laws and regulations to which
the personal data
or information
at issue and to which the governmental entity is subject.
(3)
The procedure to request an amendment or correction described in this section does not
obligate the governmental entity to make the requested amendment or correction.
Section 18. Section
63A-19-405
is amended to read:
63A-19-405
. Data breach notification to the Cyber Center and the Office of the
Attorney General.
(1)
(a)
A governmental entity that identifies a data breach affecting 500 or more
individuals shall notify the Cyber Center and the attorney general of the data breach.
(b)
In addition to the notification required by Subsection
(1)(a),
a governmental entity
that identifies the unauthorized access, acquisition, disclosure, loss of access, or
destruction of data that compromises the security, confidentiality, availability, or
integrity of the computer systems used or information maintained by the
governmental entity shall
notify
provide notification to
the Cyber Center
in
accordance with Section
63A-16-1103
.
(c)
A governmental entity that identifies the unauthorized access, unauthorized
acquisition, unauthorized disclosure, loss of access, or unauthorized destruction of
personal data that is used or is reasonably likely to be used to commit theft, fraud, or
other criminal acts shall provide notification of the breach to:
(i)
each individual whose personal data is involved in the breach; and
(ii)
the attorney general.
(2)
The notification under Subsection
(1)
shall:
(a)
be made without unreasonable delay, but no later than five days from the discovery
of the data breach; and
(b)
include the following information:
(i)
the date and time the data breach occurred;
(ii)
the date the data breach was discovered;
(iii)
a short description of the data breach that occurred;
(iv)
the means by which access was gained to the system, computer, or network;
(v)
the person who perpetrated the data breach;
(vi)
steps the governmental entity is or has taken to mitigate the impact of the data
breach; and
(vii)
any other details requested by the Cyber Center.
(3)
For a data breach
under
described in
Subsection
(1)(a),
the governmental entity shall
provide the following information to the Cyber Center and the attorney general in
addition to the information required under Subsection
(2)(b)
:
(a)
the total number of individuals affected by the data breach, including the total
number of Utah residents affected; and
(b)
the type of personal data involved in the data breach.
(4)
If the information required by Subsections
(2)(b)
and (3) is not available within five
days of discovering the breach, the governmental entity shall provide as much of the
information required under Subsections
(2)(b)
and
(3)
as is available and supplement
the notification with additional information as soon as the information becomes
available.
(5)
(a)
A governmental entity that experiences a data breach affecting fewer than 500
individuals shall create an internal incident report containing the information in
Subsection
(2)(b)
as soon as practicable and shall provide additional information as
the information becomes available.
(b)
A governmental entity shall provide to the Cyber Center:
(i)
an internal incident report described in Subsection
(5)(a)
upon request of the
Cyber Center; and
(ii)
an annual report logging all of the governmental entity's data breach incidents
affecting fewer than 500 individuals.
Section 19. Section
63A-19-406
is amended to read:
63A-19-406
. Data breach notice to individuals affected by data breach.
(1)
(a)
Except as provided in Subsection
(1)(b),
a governmental entity shall provide
cause
a data breach notice to
be sent to
an individual or legal guardian of an individual
affected by the data breach:
(i)
after determining the scope of the data breach;
(ii)
after restoring the reasonable integrity of the affected system, if necessary; and
(iii)
without unreasonable delay except as provided in Subsection
(2).
(b)
A governmental entity
or the governmental entity's contractor
is not required to
provide a data breach notice to an affected individual as described in Subsection
(1)(a)
if the:
(i)
personal data involved in the data breach would be classified as a public record
under Section
63G-2-301
; and
(ii)
the governmental entity prominently posts notice of the data breach on the
homepage of the governmental entity's government website.
(2)
A governmental entity
or the governmental entity's contractor
shall delay providing
notification under Subsection
(1)
at the request of a law enforcement agency that
determines that notification may impede a criminal investigation, until
such time as
the
law enforcement agency informs the governmental entity that notification will no longer
impede the criminal investigation.
(3)
The data breach notice to an affected individual shall include:
(a)
a description of the data breach;
(b)
the individual's personal data that was accessed or may have been accessed;
(c)
steps the governmental entity is taking or has taken to mitigate the impact of the data
breach;
and
(d)
recommendations to the individual on how to protect
themselves
the individual
from identity theft and other financial losses
; and
.
(e)
any other language required by the Cyber Center.
(4)
Unless the governmental entity reasonably believes that providing notification would
pose a threat to the safety of an individual, or unless an individual has designated to the
governmental entity a preferred method of communication, a governmental entity
or the
governmental entity's contractor
shall provide notice by:
(a)
(i)
email, if reasonably available and allowed by law; or
(ii)
mail; and
(b)
one of the following methods, if the individual's contact information is reasonably
available and the method is allowed by law:
(i)
text message with a summary of the data breach notice and instructions for
accessing the full notice; or
(ii)
telephone message with a summary of the data breach notice and instructions for
accessing the full data breach notice.
(5)
A governmental entity shall also provide a data breach notice in a manner that is
reasonably calculated to have the best chance of being received by the affected
individual or the legal guardian of an individual, such as through a press release, posting
on appropriate social media accounts, or publishing notice in a newspaper of general
circulation when:
(a)
a data breach affects more than 500 individuals; and
(b)
a governmental entity is unable to obtain an individual's contact information to
provide notice for any method listed in Subsection
(4).
Section 20. Section
63A-19-407
is enacted to read:
63A-19-407
. Technology transparency study -- Report to Legislature.
(1)
The office and the commission shall jointly study the implementation of processing
activities for which an individual's personal data may be collected without the ability to
provide direct notice:
(a)
the public safety benefits and legitimate governmental purposes served by the
processing activities described in this Subsection
(1)
;
(b)
the privacy implications of the processing activities described in this Subsection
(1)
;
and
(c)
appropriate frameworks for governing the processing activities described in this
Subsection
(1)
by governmental entities.
(2)
In conducting the study described in Subsection
(1)
, the office and the commission shall
solicit input from:
(a)
state and local law enforcement agencies;
(b)
civil liberties organizations;
(c)
governmental entities that use or are considering the use of data collection
technology; and
(d)
other interested stakeholders.
(3)
On or before the November 2027 interim meeting, the office shall report the findings
and recommendations of the study described in Subsection
(2)
to the Government
Operations Interim Committee, including any recommended legislation.
Section 21. Section
63A-19-408
, which is renumbered from Section 63G-2-303 is renumbered
and amended to read:
63G-2-303
63A-19-408
. Private information concerning certain government
employees.
(1)
As used in this section:
(a)
"At-risk government employee" means a current or former:
(i)
peace officer as specified in Section
53-13-102
;
(ii)
state or federal judge of an appellate, district, justice, or juvenile court, or court
commissioner;
(iii)
judge authorized by Title 39A, Chapter 5, Utah Code of Military Justice;
(iv)
judge authorized by Armed Forces, Title 10, United States Code;
(v)
federal prosecutor;
(vi)
prosecutor appointed pursuant to Armed Forces, Title 10, United States Code;
(vii)
law enforcement official as defined in Section
53-5a-311
;
(viii)
prosecutor authorized by Title 39A, Chapter 5, Utah Code of Military Justice; or
(ix)
state
, federal,
or local government employee who, because of the unique nature
of the employee's regular work assignments or because of one or more recent
credible threats directed to or against the employee, would be at immediate and
substantial risk of physical harm if the employee's personal information is
disclosed.
(b)
"Family member" means the spouse, child, sibling, parent, or grandparent of an
at-risk government employee who is living with the employee.
(c)
"Personal information" means the employee's or the employee's family member's
home address, home telephone number, personal mobile telephone number, personal
pager number, personal email address, social security number, insurance coverage,
marital status, or payroll deductions.
(2)
(a)
Pursuant to Subsection
63G-2-302(1)(h)
, an at-risk government employee may
file a written application that:
(i)
gives notice of the employee's status as an at-risk government employee to each
agency of a government entity holding a record or a part of a record that would
disclose the employee's personal information; and
(ii)
requests that the government agency classify those records or parts of records as
private.
(b)
An at-risk government employee desiring to file an application under this section
may request assistance from the government agency to identify the individual records
containing personal information.
(c)
Each government agency shall develop a form that:
(i)
requires the at-risk government employee to designate each specific record or part
of a record containing the employee's personal information that the applicant
desires to be classified as private;
(ii)
affirmatively requests that the government entity holding those records classify
them as private;
(iii)
informs the employee that by submitting a completed form the employee may
not receive official announcements affecting the employee's property, including
notices about proposed municipal annexations, incorporations, or zoning
modifications; and
(iv)
contains a place for the signature required under Subsection
(2)(d)
.
(d)
A form submitted by an employee under Subsection
(2)(c)
shall be signed by the
highest ranking elected or appointed official in the employee's chain of command
certifying that the employee submitting the form is an at-risk government employee.
(3)
A county recorder, county treasurer, county auditor, or a county tax assessor may fully
satisfy the requirements of this section by:
(a)
providing a method for the assessment roll and index and the tax roll and index that
will block public access to the home address, home telephone number, situs address,
and Social Security number; and
(b)
providing the at-risk government employee requesting the classification with a
disclaimer informing the employee that the employee may not receive official
announcements affecting the employee's property, including notices about proposed
annexations, incorporations, or zoning modifications.
(4)
A government agency holding records of an at-risk government employee classified as
private under this section may release the record or part of the record if:
(a)
the employee or former employee gives written consent;
(b)
a court orders release of the records;
(c)
the government agency receives a certified death certificate for the employee or
former employee; or
(d)
as it relates to the employee's voter registration record:
(i)
the person to whom the record or part of the record is released is a qualified
person under Subsection
20A-2-104(4)(n)
; and
(ii)
the government agency's release of the record or part of the record complies with
the requirements of Subsection
20A-2-104(4)(o)
.
(5)
(a)
If the government agency holding the private record receives a subpoena for the
records, the government agency shall attempt to notify the at-risk government
employee or former employee by mailing a copy of the subpoena to the employee's
last-known mailing address together with a request that the employee either:
(i)
authorize release of the record; or
(ii)
within 10 days of the date that the copy and request are mailed, deliver to the
government agency holding the private record a copy of a motion to quash filed
with the court who issued the subpoena.
(b)
The government agency shall comply with the subpoena if the government agency
has:
(i)
received permission from the at-risk government employee or former employee to
comply with the subpoena;
(ii)
not received a copy of a motion to quash within 10 days of the date that the copy
of the subpoena was mailed; or
(iii)
received a court order requiring release of the records.
(6)
(a)
Except as provided in Subsection
(6)(b)
, a form submitted under this section
remains in effect until the earlier of:
(i)
four years after the date the employee signs the form, whether or not the
employee's employment terminates before the end of the four-year period; and
(ii)
one year after the government agency receives official notice of the death of the
employee.
(b)
A form submitted under this section may be rescinded at any time by:
(i)
the at-risk government employee who submitted the form; or
(ii)
if the at-risk government employee is deceased, a member of the employee's
immediate family.
Section 22. Section
63A-19-501
is amended to read:
63A-19-501
. Data privacy ombudsperson.
(1)
The governor shall appoint a data privacy ombudsperson with the advice of the
governing board.
There is created within the office the position of data privacy
ombudsperson.
(2)
The governor shall appoint the ombudsperson with the advice of the governing board.
(2)
(3)
The ombudsperson shall:
(a)
be an attorney in good standing and authorized to practice law in this state;
(b)
be familiar with the provisions of:
(i)
this chapter;
(ii)
Chapter 12, Division of Archives and Records Service and Management of
Government Records; and
(iii)
Title 63G, Chapter 2, Government Records Access and Management Act; and
(b)
(c)
serve as a resource for:
(i)
an individual who is making
or responding to a complaint about a governmental
entity's data privacy practice
a data privacy complaint
; and
(ii)
a governmental entity
which
that
is the subject of a data privacy complaint.
(3)
(4)
The ombudsperson may
,
:
(a)
(i)
upon request by a governmental entity or individual, mediate
data privacy
disputes between individuals and governmental entities
a dispute between the
governmental entity and the individual regarding the individual's data privacy
complaint; and
(ii)
upon resolution of a data privacy complaint described in Subsection
(4)(a)(i)
, post
on the office's website a brief summary of the data privacy complaint and the
resolution of the matter; and
(b)
provide data privacy education and training in accordance with Subsection
63A-19-301(3)(g)
.
(5)
The ombudsperson may not:
(a)
mediate a dispute between a governmental entity and an individual if the individual's
data privacy complaint is within the authority of:
(i)
the Government Records Office created in Section
63A-12-202
; or
(ii)
the government records ombudsman established in Section
63A-12-204
;
(b)
expand the scope of a mediation beyond the individual's data privacy complaint;
(c)
testify, or be compelled to testify, regarding a matter for which the ombudsperson
provides services under this section; or
(d)
conduct an audit of a governmental entity's privacy practices.
(4)
(6)
After consultation with the chief privacy officer, the ombudsperson may raise
issues
matters
and questions
before
to
the governing board
regarding serious and
repeated violations of data privacy from:
.
(a)
a specific governmental entity; or
(b)
widespread governmental entity data privacy practices.
(5)
When a data privacy complaint has been resolved, the ombudsperson shall post on the
office's website a summary of the complaint and the resolution of the matter.
Section 23. Section
63A-19-502
is enacted to read:
63A-19-502
. Data privacy complaint process.
(1)
An individual who makes a data privacy complaint shall first submit the complaint to
the chief administrative officer of the governmental entity that is the subject of the
complaint.
(2)
Upon receipt of a data privacy complaint under Subsection
(1)
, the chief administrative
officer shall attempt to resolve the complaint with the individual.
(3)
If the chief administrative officer is unable to resolve a data privacy complaint with the
individual under Subsection
(2)
, the individual or the governmental entity may request
mediation with the ombudsperson in accordance with Section
63A-19-501
.
(4)
If an individual submits a data privacy complaint directly to the ombudsperson, the
ombudsperson shall:
(a)
notify the individual and the governmental entity that the complaint will be referred
to the chief administrative officer of the governmental entity; and
(b)
refer the complaint to the chief administrative officer.
(5)
This section does not apply to a complaint about data privacy that is within the authority
of:
(a)
the Government Records Office created in Section
63A-12-202
; or
(b)
the government records ombudsman established in Section
63A-12-204
.
(6)
An employee of a governmental entity may submit a confidential and anonymous data
privacy complaint directly to the attorney general.
(7)
An employee of a governmental entity who submits a complaint under Subsection
(6)
is
entitled to the protections described in Title 67, Chapter 21, Utah Protection of Public
Employees Act.
Section 24. Section
63G-2-201
is amended to read:
63G-2-201
. Provisions relating to records -- Public records -- Private, controlled,
protected, and other restricted records -- Disclosure and nondisclosure of records --
Certified copy of record -- Limits on obligation to respond to record request.
(1)
(a)
Except as provided in Subsection
(1)(b)
, a person has the right to inspect a public
record free of charge, and the right to take a copy of a public record during normal
working hours, subject to Sections
63G-2-203
and
63G-2-204
.
(b)
A right under Subsection
(1)(a)
does not apply with respect to a record:
(i)
a copy of which the governmental entity has already provided to the person;
(ii)
that is the subject of a records request that the governmental entity is not required
to fill under Subsection
(7)(a)(v)
; or
(iii)
(A)
that is accessible only by a computer or other electronic device owned or
controlled by the governmental entity;
(B)
that is part of an electronic file that also contains a record that is private,
controlled, or protected; and
(C)
that the governmental entity cannot readily segregate from the part of the
electronic file that contains a private, controlled, or protected record.
(2)
A record is public unless otherwise expressly provided by statute.
(3)
The following records are not public:
(a)
a record that is private, controlled, or protected under Sections
63G-2-302
,
63G-2-303
63A-19-408
,
63G-2-304
, and
63G-2-305
; and
(b)
a record to which access is restricted pursuant to court rule, another state statute,
federal statute, or federal regulation, including records for which access is governed
or restricted as a condition of participation in a state or federal program or for
receiving state or federal funds.
(4)
Only a record specified in Section
63G-2-302
,
63G-2-303
63A-19-408
,
63G-2-304
, or
63G-2-305
may be classified private, controlled, or protected.
(5)
(a)
A governmental entity may not disclose a record that is private, controlled, or
protected to any person except as provided in Subsection
(5)(b)
, Subsection
(5)(c)
,
Section
63G-2-202
,
63G-2-206
, or
63G-2-303
63A-19-408
.
(b)
A governmental entity may disclose a record that is private under Subsection
63G-2-302(2)
or protected under Section
63G-2-305
to persons other than those
specified in Section
63G-2-202
or
63G-2-206
if the head of a governmental entity, or
a designee, determines that:
(i)
there is no interest in restricting access to the record; or
(ii)
the interests favoring access are greater than or equal to the interest favoring
restriction of access.
(c)
In addition to the disclosure under Subsection
(5)(b)
, a governmental entity may
disclose a record that is protected under Subsection
63G-2-305(51)
if:
(i)
the head of the governmental entity, or a designee, determines that the disclosure:
(A)
is mutually beneficial to:
(I)
the subject of the record;
(II)
the governmental entity; and
(III)
the public; and
(B)
serves a public purpose related to:
(I)
public safety; or
(II)
consumer protection; and
(ii)
the person who receives the record from the governmental entity agrees not to use
or allow the use of the record for advertising or solicitation purposes.
(6)
A governmental entity shall provide a person with a certified copy of a record if:
(a)
the person requesting the record has a right to inspect it;
(b)
the person identifies the record with reasonable specificity; and
(c)
the person pays the lawful fees.
(7)
(a)
In response to a request, a governmental entity is not required to:
(i)
create a record;
(ii)
compile, format, manipulate, package, summarize, or tailor information;
(iii)
provide a record in a particular format, medium, or program not currently
maintained by the governmental entity;
(iv)
fulfill a person's records request if the request unreasonably duplicates prior
records requests from that person;
(v)
fill a person's records request if:
(A)
the record requested is:
(I)
publicly accessible online; or
(II)
included in a public publication or product produced by the governmental
entity receiving the request; and
(B)
the governmental entity:
(I)
specifies to the person requesting the record where the record is accessible
online; or
(II)
provides the person requesting the record with the public publication or
product and specifies where the record can be found in the public
publication or product; or
(vi)
fulfill a person's records request if:
(A)
the person has been determined under Section
63G-2-209
to be a vexatious
requester;
(B)
the order of the director of the Government Records Office determining the
person to be a vexatious requester provides that the governmental entity is not
required to fulfill a request from the person for a period of time; and
(C)
the period of time described in Subsection
(7)(a)(vi)(B)
has not expired.
(b)
A governmental entity shall conduct a reasonable search for a requested record.
(8)
(a)
Although not required to do so, a governmental entity may, upon request from the
person who submitted the records request, compile, format, manipulate, package,
summarize, or tailor information or provide a record in a format, medium, or program
not currently maintained by the governmental entity.
(b)
In determining whether to fulfill a request described in Subsection
(8)(a)
, a
governmental entity may consider whether the governmental entity is able to fulfill
the request without unreasonably interfering with the governmental entity's duties
and responsibilities.
(c)
A governmental entity may require a person who makes a request under Subsection
(8)(a)
to pay the governmental entity, in accordance with Section
63G-2-203
, for
providing the information or record as requested.
(9)
(a)
Notwithstanding any other provision of this chapter, and subject to Subsection
(9)(b)
, a governmental entity is not required to respond to, or provide a record in
response to, a record request if the request is submitted by or in behalf of an
individual who is on parole or confined in a jail or other correctional facility
following the individual's conviction.
(b)
Subsection
(9)(a)
does not apply to:
(i)
the first five record requests submitted to the governmental entity by or in behalf
of an individual described in Subsection
(9)(a)
during any calendar year
requesting only a record that contains a specific reference to the individual; or
(ii)
a record request that is submitted by an attorney of an individual described in
Subsection
(9)(a)
.
(10)
(a)
A governmental entity may allow a person requesting more than 50 pages of
records to copy the records if:
(i)
the records are contained in files that do not contain records that are exempt from
disclosure, or the records may be segregated to remove private, protected, or
controlled information from disclosure; and
(ii)
the governmental entity provides reasonable safeguards to protect the public from
the potential for loss of a public record.
(b)
If the requirements of Subsection
(10)(a)
are met, the governmental entity may:
(i)
provide the requester with the facilities for copying the requested records and
require that the requester make the copies; or
(ii)
allow the requester to provide the requester's own copying facilities and personnel
to make the copies at the governmental entity's offices and waive the fees for
copying the records.
(11)
(a)
A governmental entity that owns an intellectual property right and that offers the
intellectual property right for sale or license may control by ordinance or policy the
duplication and distribution of the material based on terms the governmental entity
considers to be in the public interest.
(b)
Nothing in this chapter shall be construed to limit or impair the rights or protections
granted to the governmental entity under federal copyright or patent law as a result of
its ownership of the intellectual property right.
(12)
A governmental entity may not use the physical form, electronic or otherwise, in
which a record is stored to deny, or unreasonably hinder the rights of a person to inspect
and receive a copy of a record under this chapter.
(13)
Subject to the requirements of Subsection
(7)
, a governmental entity shall provide
access to an electronic copy of a record in lieu of providing access to its paper
equivalent if:
(a)
the person making the request requests or states a preference for an electronic copy;
(b)
the governmental entity currently maintains the record in an electronic format that is
reproducible and may be provided without reformatting or conversion; and
(c)
the electronic copy of the record:
(i)
does not disclose other records that are exempt from disclosure; or
(ii)
may be segregated to protect private, protected, or controlled information from
disclosure without the undue expenditure of public resources or funds.
(14)
In determining whether a record is properly classified as private under Subsection
63G-2-302(2)(d)
, the governmental entity, the director of the Government Records
Office, local appeals board, or court shall consider and weigh:
(a)
any personal privacy interests, including those in images, that would be affected by
disclosure of the records in question; and
(b)
any public interests served by disclosure.
Section 25. Section
63G-2-301
is amended to read:
63G-2-301
. Public records.
(1)
As used in this section:
(a)
"Business address" means a single address of a governmental agency designated for
the public to contact an employee or officer of the governmental agency.
(b)
"Business email address" means a single email address of a governmental agency
designated for the public to contact an employee or officer of the governmental
agency.
(c)
"Business telephone number" means a single telephone number of a governmental
agency designated for the public to contact an employee or officer of the
governmental agency.
(d)
"Correctional facility" means the same as that term is defined in Section
77-16b-102
.
(2)
The following records are public except to the extent they contain information expressly
permitted to be treated confidentially under the provisions of Subsections
63G-2-201(3)(b)
and
(6)(a)
:
(a)
laws;
(b)
the name, gender, gross compensation, job title, job description, business address,
business email address, business telephone number, number of hours worked per pay
period, dates of employment, and relevant education, previous employment, and
similar job qualifications of a current or former employee or officer of the
governmental entity, excluding:
(i)
undercover law enforcement personnel; and
(ii)
investigative personnel if disclosure could reasonably be expected to impair the
effectiveness of investigations or endanger any individual's safety;
(c)
final opinions, including concurring and dissenting opinions, and orders that are
made by a governmental entity in an administrative, adjudicative, or judicial
proceeding except that if the proceedings were properly closed to the public, the
opinion and order may be withheld to the extent that they contain information that is
private, controlled, or protected;
(d)
final interpretations of statutes or rules by a governmental entity unless classified as
protected as provided in Subsection
63G-2-305(17)
or
(18)
;
(e)
information contained in or compiled from a transcript, minutes, or report of the open
portions of a meeting of a governmental entity as provided by
Title 52, Chapter 4,
Open and Public Meetings Act
, including the records of all votes of each member of
the governmental entity;
(f)
judicial records unless a court orders the records to be restricted under the rules of
civil or criminal procedure or unless the records are private under this chapter;
(g)
unless otherwise classified as private under Section
63G-2-303
63A-19-408
, records
or parts of records filed with or maintained by county recorders, clerks, treasurers,
surveyors, zoning commissions, the Division of Forestry, Fire, and State Lands, the
School and Institutional Trust Lands Administration, the Division of Oil, Gas, and
Mining, the Division of Water Rights, or other governmental entities that give public
notice of:
(i)
titles or encumbrances to real property;
(ii)
restrictions on the use of real property;
(iii)
the capacity of persons to take or convey title to real property; or
(iv)
tax status for real and personal property;
(h)
records of the Department of Commerce that evidence incorporations, mergers, name
changes, and uniform commercial code filings;
(i)
data on individuals that would otherwise be private under this chapter if the
individual who is the subject of the record has given the governmental entity written
permission to make the records available to the public;
(j)
documentation of the compensation that a governmental entity pays to a contractor or
private provider;
(k)
summary data;
(l)
voter registration records, including an individual's voting history, except for a voter
registration record or those parts of a voter registration record that are classified as
private under Subsections
63G-2-302(1)(j)
through (n) or withheld under Subsection
20A-2-104(7)
;
(m)
for an elected official, as defined in Section
11-47-102
, a telephone number, if
available, and email address, if available, where that elected official may be reached
as required in
Title 11, Chapter 47, Access to Elected Officials
;
(n)
for a school community council member, a telephone number, if available, and email
address, if available, where that elected official may be reached directly as required
in Section
53G-7-1203
;
(o)
annual audited financial statements of the Utah Educational Savings Plan described
in Section
53H-10-210
; and
(p)
an initiative packet, as defined in Section
20A-7-101
, and a referendum packet, as
defined in Section
20A-7-101
, after the packet is submitted to a county clerk.
(3)
The following records are normally public, but to the extent that a record is expressly
exempt from disclosure, access may be restricted under Subsection
63G-2-201(3)(b)
,
Section
63G-2-302
,
63G-2-304
, or
63G-2-305
:
(a)
administrative staff manuals, instructions to staff, and statements of policy;
(b)
records documenting a contractor's or private provider's compliance with the terms
of a contract with a governmental entity;
(c)
records documenting the services provided by a contractor or a private provider to
the extent the records would be public if prepared by the governmental entity;
(d)
contracts entered into by a governmental entity;
(e)
any account, voucher, or contract that deals with the receipt or expenditure of funds
by a governmental entity;
(f)
records relating to government assistance or incentives publicly disclosed, contracted
for, or given by a governmental entity, encouraging a person to expand or relocate a
business in Utah, except as provided in Subsection
63G-2-305(35)
;
(g)
chronological logs and initial contact reports;
(h)
correspondence by and with a governmental entity in which the governmental entity
determines or states an opinion upon the rights of the state, a political subdivision,
the public, or any person;
(i)
empirical data contained in drafts if:
(i)
the empirical data is not reasonably available to the requester elsewhere in similar
form; and
(ii)
the governmental entity is given a reasonable opportunity to correct any errors or
make nonsubstantive changes before release;
(j)
drafts that are circulated to anyone other than:
(i)
a governmental entity;
(ii)
a political subdivision;
(iii)
a federal agency if the governmental entity and the federal agency are jointly
responsible for implementation of a program or project that has been legislatively
approved;
(iv)
a government-managed corporation; or
(v)
a contractor or private provider;
(k)
drafts that have never been finalized but were relied upon by the governmental entity
in carrying out action or policy;
(l)
original data in a computer program if the governmental entity chooses not to
disclose the program;
(m)
arrest warrants after issuance, except that, for good cause, a court may order
restricted access to arrest warrants prior to service;
(n)
search warrants after execution and filing of the return, except that a court, for good
cause, may order restricted access to search warrants prior to trial;
(o)
records that would disclose information relating to formal charges or disciplinary
actions against a past or present governmental entity employee if:
(i)
the disciplinary action has been completed and all time periods for administrative
appeal have expired; and
(ii)
the charges on which the disciplinary action was based were sustained;
(p)
records maintained by the Division of Forestry, Fire, and State Lands, the School and
Institutional Trust Lands Administration, or the Division of Oil, Gas, and Mining that
evidence mineral production on government lands;
(q)
final audit reports;
(r)
occupational and professional licenses;
(s)
business licenses;
(t)
a notice of violation, a notice of agency action under Section
63G-4-201
, or similar
records used to initiate proceedings for discipline or sanctions against persons
regulated by a governmental entity, but not including records that initiate employee
discipline; and
(u)
(i)
records that disclose a standard, regulation, policy, guideline, or rule regarding
the operation of a correctional facility or the care and control of inmates
committed to the custody of a correctional facility; and
(ii)
records that disclose the results of an audit or other inspection assessing a
correctional facility's compliance with a standard, regulation, policy, guideline, or
rule described in Subsection
(3)(u)(i)
.
(4)
The list of public records in this section is not exhaustive and should not be used to limit
access to records.
Section 26. Section
63G-2-302
is amended to read:
63G-2-302
. Private records.
(1)
The following records are private:
(a)
records concerning an individual's eligibility for unemployment insurance benefits,
social services, welfare benefits, or the determination of benefit levels;
(b)
records containing data on individuals describing medical history, diagnosis,
condition, treatment, evaluation, or similar medical data;
(c)
records of publicly funded libraries that when examined alone or with other records
identify a patron;
(d)
records received by or generated by or for:
(i)
the Independent Legislative Ethics Commission, except for:
(A)
the commission's summary data report that is required under legislative rule;
and
(B)
any other document that is classified as public under legislative rule; or
(ii)
a Senate or House Ethics Committee in relation to the review of ethics
complaints, unless the record is classified as public under legislative rule;
(e)
records received by, or generated by or for, the Independent Executive Branch Ethics
Commission, except as otherwise expressly provided in Title 63A, Chapter 14,
Review of Executive Branch Ethics Complaints;
(f)
records received or generated for a Senate confirmation committee concerning
character, professional competence, or physical or mental health of an individual:
(i)
if, prior to the meeting, the chair of the committee determines release of the
records:
(A)
reasonably could be expected to interfere with the investigation undertaken by
the committee; or
(B)
would create a danger of depriving a person of a right to a fair proceeding or
impartial hearing; and
(ii)
after the meeting, if the meeting was closed to the public;
(g)
employment records concerning a current or former employee of, or applicant for
employment with, a governmental entity that would disclose that individual's home
address, home telephone number, social security number, insurance coverage, marital
status, or payroll deductions;
(h)
records or parts of records under Section
63G-2-303
63A-19-408
that a current or
former employee identifies as private according to the requirements of that section;
(i)
that part of a record indicating a person's social security number or federal employer
identification number if provided under Section
31A-23a-104
,
31A-25-202
,
31A-26-202
,
58-1-301
,
58-55-302
,
61-1-4
, or
61-2f-203
;
(j)
that part of a voter registration record identifying a voter's:
(i)
driver license or identification card number;
(ii)
social security number, or last four digits of the social security number;
(iii)
email address;
(iv)
date of birth; or
(v)
phone number;
(k)
a voter registration record that is classified as a private record by the lieutenant
governor or a county clerk under Subsection
20A-2-101.1(5)(a)
,
20A-2-104(4)(h
), or
20A-2-204(4)(b
);
(l)
a voter registration record that is withheld under Subsection
20A-2-104(7)
;
(m)
a withholding request form described in Subsections
20A-2-104(7)
and
(8)
and any
verification submitted in support of the form;
(n)
a record or information regarding whether a voter returned a ballot with postage
attached;
(o)
a record that:
(i)
contains information about an individual;
(ii)
is voluntarily provided by the individual; and
(iii)
goes into an electronic database that:
(A)
is designated by and administered under the authority of the
Chief
Information Officer
chief information officer
; and
(B)
acts as a repository of information about the individual that can be
electronically retrieved and used to facilitate the individual's online interaction
with a state agency;
(p)
information provided to the
Commissioner of Insurance
commissioner of insurance
under:
(i)
Subsection
31A-23a-115(3)(a)
;
(ii)
Subsection
31A-23a-302(4)
; or
(iii)
Subsection
31A-26-210(4)
;
(q)
information obtained through a criminal background check under Title 11, Chapter
40, Criminal Background Checks by Political Subdivisions Operating Water Systems;
(r)
information provided by an offender that is:
(i)
required by the registration requirements of Title 53, Chapter 29, Sex, Kidnap, and
Child Abuse Offender Registry; and
(ii)
not required to be made available to the public under Subsection
53-29-404(3)(a)
;
(s)
a statement and any supporting documentation filed with the attorney general in
accordance with Section
34-45-107
, if the federal law or action supporting the filing
involves homeland security;
(t)
electronic toll collection customer account information received or collected under
Section
72-6-118
and customer information described in Section
17B-2a-815
received or collected by a public transit district, including contact and payment
information and customer travel data;
(u)
an email address provided by a military or overseas voter under Section
20A-16-501
;
(v)
a completed military-overseas ballot that is electronically transmitted under Title
20A, Chapter 16, Uniform Military and Overseas Voters Act;
(w)
records received by or generated by or for the Political Subdivisions Ethics Review
Commission established in Section
63A-15-201
, except for:
(i)
the commission's summary data report that is required in Section
63A-15-202
; and
(ii)
any other document that is classified as public in accordance with Title 63A,
Chapter 15, Political Subdivisions Ethics Review Commission;
(x)
a record described in Section
53G-9-604
that verifies that a parent was notified of an
incident or threat;
(y)
a criminal background check or credit history report conducted in accordance with
Section
63A-3-201
;
(z)
a record described in Subsection
53-5a-104(7)
;
(aa)
on a record maintained by a county for the purpose of administering property taxes,
an individual's:
(i)
email address;
(ii)
phone number; or
(iii)
personal financial information related to a person's payment method;
(bb)
a record submitted by a taxpayer to establish the taxpayer's eligibility for an
exemption, deferral, abatement, or relief under:
(i)
Title 59, Chapter 2, Part 11, Exemptions; or
(ii)
Title 59, Chapter 2a, Tax Relief Through Property Tax;
(cc)
a record provided by the State Tax Commission in response to a request under
Subsection
59-1-403(4)(y)(iii)
;
(dd)
a record of the Child Welfare Legislative Oversight Panel regarding an individual
child welfare case, as described in Subsection
36-33-103(3)
;
(ee)
a record relating to drug or alcohol testing of a state employee under Section
63A-17-1004
;
(ff)
a record relating to a request by a state elected official or state employee who has
been threatened to the Division of Technology Services to remove personal
identifying information from the open web under Section
63A-16-109
;
(gg)
a record including confidential information as that term is defined in Section
67-27-106
; and
(hh)
a record or notice received or generated under Title 53, Chapter 30, Security
Improvements Act, relating to:
(i)
an application for certification described in Section
53-30-201
; or
(ii)
a security improvement, including a building permit application or building
permit for a security improvement described in Section
53-30-301
.
(2)
The following records are private if properly classified by a governmental entity:
(a)
records concerning a current or former employee of, or applicant for employment
with a governmental entity, including performance evaluations and personal status
information such as race, religion, or disabilities, but not including records that are
public under Subsection
63G-2-301(2)(b)
or
63G-2-301(3)(o
) or private under
Subsection
(1)(b)
;
(b)
records describing an individual's finances, except that the following are public:
(i)
records described in Subsection
63G-2-301(2)
;
(ii)
information provided to the governmental entity for the purpose of complying
with a financial assurance requirement; or
(iii)
records that must be disclosed in accordance with another statute;
(c)
records of independent state agencies if the disclosure of those records would
conflict with the fiduciary obligations of the agency;
(d)
other records containing data on individuals the disclosure of which constitutes a
clearly unwarranted invasion of personal privacy;
(e)
records provided by the United States or by a government entity outside the state that
are given with the requirement that the records be managed as private records, if the
providing entity states in writing that the record would not be subject to public
disclosure if retained by it;
(f)
any portion of a record in the custody of the Division of Aging and Adult Services,
created in Section
26B-6-102
, that may disclose, or lead to the discovery of, the
identity of a person who made a report of alleged abuse, neglect, or exploitation of a
vulnerable adult; and
(g)
audio and video recordings created by a body-worn camera, as defined in Section
77-7a-103
, that record sound or images inside a home or residence except for
recordings that:
(i)
depict the commission of an alleged crime;
(ii)
record any encounter between a law enforcement officer and a person that results
in death or bodily injury, or includes an instance when an officer fires a weapon;
(iii)
record any encounter that is the subject of a complaint or a legal proceeding
against a law enforcement officer or law enforcement agency;
(iv)
contain an officer-involved critical incident as defined in Subsection
76-2-408(1)(f)
; or
(v)
have been requested for reclassification as a public record by a subject or
authorized agent of a subject featured in the recording.
(3)
(a)
As used in this Subsection
(3)
, "medical records" means medical reports, records,
statements, history, diagnosis, condition, treatment, and evaluation.
(b)
Medical records in the possession of the University of Utah Hospital, its clinics,
doctors, or affiliated entities are not private records or controlled records under
Section
63G-2-304
when the records are sought:
(i)
in connection with any legal or administrative proceeding in which the patient's
physical, mental, or emotional condition is an element of any claim or defense; or
(ii)
after a patient's death, in any legal or administrative proceeding in which any
party relies upon the condition as an element of the claim or defense.
(c)
Medical records are subject to production in a legal or administrative proceeding
according to state or federal statutes or rules of procedure and evidence as if the
medical records were in the possession of a nongovernmental medical care provider.
Section 27. Section
63G-2-601
is amended to read:
63G-2-601
. Rights of individuals on whom data is maintained -- Classification
statement filed with state archivist -- Notice to provider of information.
(1)
(a)
Each governmental entity shall file with the state archivist a statement explaining,
for each record series collected, maintained, or used by the governmental entity, the
purposes for which each private or controlled record in the record series is collected,
maintained, or used by that governmental entity.
(b)
The statement filed under Subsection
(1)(a)
:
(i)
shall identify the authority under which the governmental entity collects the
records or information included in the statement described in Subsection
(1)(a)
;
and
(ii)
is a public record.
(2)
A governmental entity may only use the information contained in a controlled or private
record for:
(a)
the purposes described in the statement provided under Subsection
(1)
; or
(b)
the purposes for which another governmental entity may use the record under
Section
63G-2-206
.
(2)
(a)
A governmental entity shall provide the notice described in this Subsection
(2)
to a person that is asked to furnish information that could be classified as a private or
controlled record.
(b)
The notice required under Subsection
(2)(a)
shall:
(i)
identify the record series that includes the information described in Subsection
(2)(a)
;
(ii)
state the reasons the person is asked to furnish the information;
(iii)
state the intended uses of the information;
(iv)
state the consequences for refusing to provide the information; and
(v)
disclose the classes of persons and the governmental entities that currently:
(A)
share the information with the governmental entity; or
(B)
receive the information from the governmental entity on a regular or
contractual basis.
(c)
The governmental entity shall:
(i)
post the notice required under this Subsection
(2)
in a prominent place at all
locations where the governmental entity collects the information; or
(ii)
include the notice required under this Subsection
(2)
as part of the documents or
forms that are used by the governmental entity to collect the information.
(3)
Upon request, each governmental entity shall, in relation to the information described
in Subsection
(2)(a)
, as applicable, explain to a person:
(a)
the reasons the person is asked to furnish information;
(b)
the intended uses of the information;
(c)
the consequences for refusing to provide the information; and
(d)
the reasons and circumstances under which the information may be shared with, or
provided to, other persons or governmental entities.
(4)
A governmental entity may use the information that the governmental entity is required
to disclose under Subsection
(2)(a)
only for those purposes:
(a)
given in the statement filed with the state archivist under Subsection
(1)
; or
(b)
for which another governmental entity may use the record under Section
63G-2-206
.
Section 28. Section
63G-2-803
is amended to read:
63G-2-803
. No individual liability for certain decisions of a governmental entity.
(1)
Neither the governmental entity, nor any officer or employee of the governmental
entity, is liable for damages resulting from the release of a record where the person or
government requesting the record presented evidence of authority to obtain the record
even if it is subsequently determined that the requester had no authority.
(2)
Neither the governmental entity, nor any officer or employee of the governmental
entity, is liable for damages arising from the negligent disclosure of records classified as
private under Subsection
63G-2-302(1)(g)
unless:
(a)
the disclosure was of employment records maintained by the governmental entity; or
(b)
the current or former government employee had previously filed the notice required
by Section
63G-2-303
63A-19-408
and:
(i)
the government entity did not take reasonable steps to preclude access or
distribution of the record; or
(ii)
the release of the record was otherwise willfully or grossly negligent.
(3)
A mailing from a government agency to an individual who has filed an application
under Section
63G-2-303
63A-19-408
is not a wrongful disclosure under this chapter or
under
Title 63A, Chapter 12, Division of Archives and Records Service and
Management of Government Records
.
Section 29. Section
67-1a-15
is amended to read:
67-1a-15
. Local government and limited purpose entity registry.
(1)
As used in this section:
(a)
"Entity" means a limited purpose entity or a local government entity.
(b)
(i)
"Limited purpose entity" means a legal entity that:
(A)
performs a single governmental function or limited governmental functions;
and
(B)
is not a state executive branch agency, a state legislative office, or within the
judicial branch.
(ii)
"Limited purpose entity" includes:
(A)
area agencies, area agencies on aging, and area agencies on high risk adults, as
those terms are defined in Section
26B-6-101
;
(B)
charter schools created under
Title 53G, Chapter 5, Charter Schools
;
(C)
community reinvestment agencies, as that term is defined in Section
17C-1-102
;
(D)
conservation districts, as that term is defined in Section
17D-3-102
;
(E)
governmental nonprofit corporations, as that term is defined in Section
11-13a-102
;
(F)
housing authorities, as that term is defined in Section
35A-8-401
;
(G)
independent entities and independent state agencies, as those terms are
defined in Section
63E-1-102
;
(H)
interlocal entities, as that term is defined in Section
11-13-103
;
(I)
local building authorities, as that term is defined in Section
17D-2-102
;
(J)
special districts, as that term is defined in Section
17B-1-102
;
(K)
local health departments, as that term is defined in Section
26A-1-102
;
(L)
local mental health authorities, as that term is defined in Section
62A-15-102
;
(M)
nonprofit corporations that receive an amount of money requiring an
accounting report under Section
51-2a-201.5
;
(N)
school districts under
Title 53G, Chapter 3, School District Creation and
Change
;
(O)
special service districts, as that term is defined in Section
17D-1-102
; and
(P)
substance abuse authorities, as that term is defined in Section
62A-15-102
.
(c)
"Local government and limited purpose entity registry" or "registry" means the
registry of local government entities and limited purpose entities created under this
section.
(d)
"Local government entity" means:
(i)
a county, as that term is defined in Section
17-60-101
; and
(ii)
a municipality, as that term is defined in Section
10-1-104
.
(e)
"Notice of failure to register" means the notice the lieutenant governor sends, in
accordance with Subsection
(7)(a)
, to an entity that does not register.
(f)
"Notice of failure to renew" means the notice the lieutenant governor sends to a
registered entity, in accordance with Subsection
(7)(b)
.
(g)
"Notice of noncompliance" means the notice the lieutenant governor sends to a
registered entity, in accordance with Subsection
(6)(c)
.
(h)
"Notice of non-registration" means the notice the lieutenant governor sends to an
entity and the state auditor, in accordance with Subsection
(9)
.
(i)
"Notice of registration or renewal" means the notice the lieutenant governor sends, in
accordance with Subsection
(6)(b)(i)
.
(j)
"Registered entity" means an entity with a valid registration as described in
Subsection
(8)
.
(2)
The lieutenant governor shall:
(a)
create a registry of each local government entity and limited purpose entity within
the state that:
(i)
contains the information described in Subsection
(4)
; and
(ii)
is accessible on the lieutenant governor's website or otherwise publicly available;
and
(b)
establish fees for registration and renewal, in accordance with Section
63J-1-504
,
based on and to directly offset the cost of creating, administering, and maintaining
the registry.
(3)
Each local government entity and limited purpose entity shall:
(a)
on or before July 1, 2019, register with the lieutenant governor as described in
Subsection
(4)
;
(b)
on or before one year after the day on which the lieutenant governor issues the notice
of registration or renewal, annually renew the entity's registration in accordance with
Subsection
(5)
; and
(c)
on or before 30 days after the day on which any of the information described in
Subsection
(4)
changes, send notice of the changes to the lieutenant governor.
(4)
Each entity shall include the following information in the entity's registration
submission:
(a)
the resolution or other legal or formal document creating the entity or, if the
resolution or other legal or formal document creating the entity cannot be located,
conclusive proof of the entity's lawful creation;
(b)
if the entity has geographic boundaries, a map or plat identifying the current
geographic boundaries of the entity, or if it is impossible or unreasonably expensive
to create a map or plat, a metes and bounds description, or another legal description
that identifies the current boundaries of the entity;
(c)
the entity's name;
(d)
the entity's type of local government entity or limited purpose entity;
(e)
the entity's governmental function;
(f)
the entity's website, physical address, and phone number, including the name and
contact information of an individual whom the entity designates as the primary
contact for the entity;
(g)
(i)
names, email addresses, and phone numbers of the members of the entity's
governing board or commission, managing officers, or other similar managers and
the method by which the members or officers are appointed, elected, or otherwise
designated;
(ii)
the date of the most recent appointment or election of each entity governing board
or commission member; and
(iii)
the date of the anticipated end of each entity governing board or commission
member's term;
(h)
the entity's sources of revenue; and
(i)
if the entity has created an assessment area, as that term is defined in Section
11-42-102
, information regarding the creation, purpose, and boundaries of the
assessment area.
(5)
Each entity shall include the following information in the entity's renewal submission:
(a)
identify and update any incorrect or outdated information the entity previously
submitted during registration under Subsection
(4)
; or
(b)
certify that the information the entity previously submitted during registration under
Subsection
(4)
is correct without change.
(6)
Within 30 days of receiving an entity's registration or renewal submission, the lieutenant
governor shall:
(a)
review the submission to determine compliance with Subsection
(4)
or
(5)
;
(b)
if the lieutenant governor determines that the entity's submission complies with
Subsection
(4)
or
(5)
:
(i)
send a notice of registration or renewal that includes the information that the entity
submitted under Subsection
(4)
or
(5)
to:
(A)
the registering or renewing entity;
(B)
each county in which the entity operates, either in whole or in part, or where
the entity's geographic boundaries overlap or are contained within the
boundaries of the county;
(C)
the Division of Archives and Records Service; and
(D)
the Office of the Utah State Auditor; and
(ii)
publish the information from the submission on the registry, except any email
address or phone number that is personal information as defined in Section
63G-2-303
63A-19-408
; and
(c)
if the lieutenant governor determines that the entity's submission does not comply
with Subsection
(4)
or
(5)
or is otherwise inaccurate or deficient, send a notice of
noncompliance to the registering or renewing entity that:
(i)
identifies each deficiency in the entity's submission with the corresponding
statutory requirement;
(ii)
establishes a deadline to cure the entity's noncompliance that is the first business
day that is at least 30 calendar days after the day on which the lieutenant governor
sends the notice of noncompliance; and
(iii)
states that failure to comply by the deadline the lieutenant governor establishes
under Subsection
(6)(c)(ii)
will result in the lieutenant governor sending a notice
of non-registration to the Office of the Utah State Auditor, in accordance with
Subsection
(9)
.
(7)
(a)
If the lieutenant governor identifies an entity that does not make a registration
submission in accordance with Subsection
(4)
by the deadline described in
Subsection
(3)
, the lieutenant governor shall send a notice of failure to register to the
registered entity that:
(i)
identifies the statutorily required registration deadline described in Subsection
(3)
that the entity did not meet;
(ii)
establishes a deadline to cure the entity's failure to register that is the first
business day that is at least 10 calendar days after the day on which the lieutenant
governor sends the notice of failure to register; and
(iii)
states that failure to comply by the deadline the lieutenant governor establishes
under Subsection
(7)(a)(ii)
will result in the lieutenant governor sending a notice
of non-registration to the Office of the Utah State Auditor, in accordance with
Subsection
(9)
.
(b)
If a registered entity does not make a renewal submission in accordance with
Subsection
(5)
by the deadline described in Subsection
(3)
, the lieutenant governor
shall send a notice of failure to renew to the registered entity that:
(i)
identifies the renewal deadline described in Subsection
(3)
that the entity did not
meet;
(ii)
establishes a deadline to cure the entity's failure to renew that is the first business
day that is at least 30 calendar days after the day on which the lieutenant governor
sends the notice of failure to renew; and
(iii)
states that failure to comply by the deadline the lieutenant governor establishes
under Subsection
(7)(b)(ii)
will result in the lieutenant governor sending a notice
of non-registration to the Office of the Utah State Auditor, in accordance with
Subsection
(9)
.
(8)
An entity's registration is valid:
(a)
if the entity makes a registration or renewal submission in accordance with the
deadlines described in Subsection
(3)
;
(b)
during the period the lieutenant governor establishes in the notice of noncompliance
or notice of failure to renew during which the entity may cure the identified
registration deficiencies; and
(c)
for one year beginning on the day the lieutenant governor issues the notice of
registration or renewal.
(9)
(a)
The lieutenant governor shall send a notice of non-registration to the Office of the
Utah State Auditor if an entity fails to:
(i)
cure the entity's noncompliance by the deadline the lieutenant governor establishes
in the notice of noncompliance;
(ii)
register by the deadline the lieutenant governor establishes in the notice of failure
to register; or
(iii)
cure the entity's failure to renew by the deadline the lieutenant governor
establishes in the notice of failure to renew.
(b)
The lieutenant governor shall ensure that the notice of non-registration:
(i)
includes a copy of the notice of noncompliance, the notice of failure to register, or
the notice of failure to renew; and
(ii)
requests that the state auditor withhold state allocated funds or the disbursement
of property taxes and prohibit the entity from accessing money held by the state or
money held in an account of a financial institution, in accordance with
Subsections
67-3-1(7)(i)
and
67-3-1(10)
.
(10)
The lieutenant governor may extend a deadline under this section if an entity notifies
the lieutenant governor, before the deadline to be extended, of the existence of an
extenuating circumstance that is outside the control of the entity.
(11)
(a)
An entity is not required to renew submission of a registration under this section
if an entity provides a record of dissolution.
(b)
The lieutenant governor shall include in the registry an entity's record of dissolution
and indicate on the registry that the entity is dissolved.
Section 30. Section
67-3-1
is amended to read:
67-3-1
. Functions and duties.
(1)
(a)
The state auditor is the auditor of public accounts and is independent of any
executive or administrative officers of the state.
(b)
The state auditor is not limited in the selection of personnel or in the determination
of the reasonable and necessary expenses of the state auditor's office.
(2)
The state auditor shall examine and certify annually in respect to each fiscal year,
financial statements showing:
(a)
the condition of the state's finances;
(b)
the revenues received or accrued;
(c)
expenditures paid or accrued;
(d)
the amount of unexpended or unencumbered balances of the appropriations to the
agencies, departments, divisions, commissions, and institutions; and
(e)
the cash balances of the funds in the custody of the state treasurer.
(3)
(a)
The state auditor shall:
(i)
audit each permanent fund, each special fund, the General Fund, and the accounts
of any department of state government or any independent agency or public
corporation as the law requires, as the auditor determines is necessary, or upon
request of the governor or the Legislature;
(ii)
perform the audits in accordance with generally accepted auditing standards and
other auditing procedures as promulgated by recognized authoritative bodies; and
(iii)
as the auditor determines is necessary, conduct the audits to determine:
(A)
honesty and integrity in fiscal affairs;
(B)
accuracy and reliability of financial statements;
(C)
effectiveness and adequacy of financial controls; and
(D)
compliance with the law.
(b)
If any state entity receives federal funding, the state auditor shall ensure that the
audit is performed in accordance with federal audit requirements.
(c)
(i)
The costs of the federal compliance portion of the audit may be paid from an
appropriation to the state auditor from the General Fund.
(ii)
If an appropriation is not provided, or if the federal government does not
specifically provide for payment of audit costs, the costs of the federal compliance
portions of the audit shall be allocated on the basis of the percentage that each
state entity's federal funding bears to the total federal funds received by the state.
(iii)
The allocation shall be adjusted to reflect any reduced audit time required to
audit funds passed through the state to local governments and to reflect any
reduction in audit time obtained through the use of internal auditors working
under the direction of the state auditor.
(4)
(a)
Except as provided in Subsection
(4)(b)
, the state auditor shall, in addition to
financial audits, and as the auditor determines is necessary, conduct performance and
special purpose audits, examinations, and reviews of any entity that receives public
funds, including a determination of any or all of the following:
(i)
the honesty and integrity of all the entity's fiscal affairs;
(ii)
whether the entity's administrators have faithfully complied with legislative intent;
(iii)
whether the entity's operations have been conducted in an efficient, effective, and
cost-efficient manner;
(iv)
whether the entity's programs have been effective in accomplishing the intended
objectives; and
(v)
whether the entity's management, control, and information systems are adequate,
effective, and secure.
(b)
The auditor may not conduct performance and special purpose audits, examinations,
and reviews of any entity that receives public funds if the entity:
(i)
has an elected auditor; and
(ii)
has, within the entity's last budget year, had the entity's financial statements or
performance formally reviewed by another outside auditor.
(5)
The state auditor:
(a)
shall administer any oath or affirmation necessary to the performance of the duties of
the auditor's office; and
(b)
may:
(i)
subpoena witnesses and documents, whether electronic or otherwise; and
(ii)
examine into any matter that the auditor considers necessary.
(6)
The state auditor may require all persons who have had the disposition or management
of any property of this state or its political subdivisions to submit statements regarding
the property at the time and in the form that the auditor requires.
(7)
The state auditor shall:
(a)
except where otherwise provided by law, institute suits in Salt Lake County in
relation to the assessment, collection, and payment of revenues against:
(i)
persons who by any means have become entrusted with public money or property
and have failed to pay over or deliver the money or property; and
(ii)
all debtors of the state;
(b)
collect and pay into the state treasury all fees received by the state auditor;
(c)
perform the duties of a member of all boards of which the state auditor is a member
by the constitution or laws of the state, and any other duties that are prescribed by the
constitution and by law;
(d)
stop the payment of the salary of any state official or state employee who:
(i)
refuses to settle accounts or provide required statements about the custody and
disposition of public funds or other state property;
(ii)
refuses, neglects, or ignores the instruction of the state auditor or any controlling
board or department head with respect to the manner of keeping prescribed
accounts or funds; or
(iii)
fails to correct any delinquencies, improper procedures, and errors brought to the
official's or employee's attention;
(e)
establish accounting systems, methods, and forms for public accounts in all taxing or
fee-assessing units of the state in the interest of uniformity, efficiency, and economy;
(f)
superintend the contractual auditing of all state accounts;
(g)
subject to Subsection
(8)(a)
, withhold state allocated funds or the disbursement of
property taxes from a state or local taxing or fee-assessing unit, if necessary, to
ensure that officials and employees in those taxing units comply with state laws and
procedures in the budgeting, expenditures, and financial reporting of public funds;
(h)
subject to Subsection
(9)
, withhold the disbursement of tax money from any county,
if necessary, to ensure that officials and employees in the county comply with
Section
59-2-303.1
; and
(i)
withhold state allocated funds or the disbursement of property taxes from a local
government entity or a limited purpose entity, as those terms are defined in Section
67-1a-15
if the state auditor finds the withholding necessary to ensure that the entity
registers and maintains the entity's registration with the lieutenant governor, in
accordance with Section
67-1a-15
.
(8)
(a)
Except as otherwise provided by law, the state auditor may not withhold funds
under Subsection
(7)(g)
until a state or local taxing or fee-assessing unit has received
formal written notice of noncompliance from the auditor and has been given 60 days
to make the specified corrections.
(b)
If, after receiving notice under Subsection
(8)(a)
, a state or independent local
fee-assessing unit that exclusively assesses fees has not made corrections to comply
with state laws and procedures in the budgeting, expenditures, and financial reporting
of public funds, the state auditor:
(i)
shall provide a recommended timeline for corrective actions;
(ii)
may prohibit the state or local fee-assessing unit from accessing money held by
the state; and
(iii)
may prohibit a state or local fee-assessing unit from accessing money held in an
account of a financial institution by filing an action in a court with jurisdiction
under Title
78A, Judiciary and Judicial Administration
, requesting an order of the
court to prohibit a financial institution from providing the fee-assessing unit
access to an account.
(c)
The state auditor shall remove a limitation on accessing funds under Subsection
(8)(b)
upon compliance with state laws and procedures in the budgeting, expenditures, and
financial reporting of public funds.
(d)
If a local taxing or fee-assessing unit has not adopted a budget in compliance with
state law, the state auditor:
(i)
shall provide notice to the taxing or fee-assessing unit of the unit's failure to
comply;
(ii)
may prohibit the taxing or fee-assessing unit from accessing money held by the
state; and
(iii)
may prohibit a taxing or fee-assessing unit from accessing money held in an
account of a financial institution by:
(A)
contacting the taxing or fee-assessing unit's financial institution and
requesting that the institution prohibit access to the account; or
(B)
filing an action in a court with jurisdiction under Title
78A, Judiciary and
Judicial Administration
, requesting an order of the court to prohibit a financial
institution from providing the taxing or fee-assessing unit access to an account.
(e)
If the local taxing or fee-assessing unit adopts a budget in compliance with state law,
the state auditor shall eliminate a limitation on accessing funds described in
Subsection
(8)(d)
.
(9)
The state auditor may not withhold funds under Subsection
(7)(h)
until a county has
received formal written notice of noncompliance from the auditor and has been given 60
days to make the specified corrections.
(10)
(a)
The state auditor may not withhold funds under Subsection
(7)(i)
until the state
auditor receives a notice of non-registration, as that term is defined in Section
67-1a-15
.
(b)
If the state auditor receives a notice of non-registration, the state auditor may
prohibit the local government entity or limited purpose entity, as those terms are
defined in Section
67-1a-15
, from accessing:
(i)
money held by the state; and
(ii)
money held in an account of a financial institution by:
(A)
contacting the entity's financial institution and requesting that the institution
prohibit access to the account; or
(B)
filing an action in a court with jurisdiction under Title
78A, Judiciary and
Judicial Administration
, requesting an order of the court to prohibit a financial
institution from providing the entity access to an account.
(c)
The state auditor shall remove the prohibition on accessing funds described in
Subsection
(10)(b)
if the state auditor received a notice of registration, as that term is
defined in Section
67-1a-15
, from the lieutenant governor.
(11)
Notwithstanding Subsection
(7)(g)
,
(7)(h)
,
(7)(i
),
(8)(b)
,
(8)(d)
, or
(10)(b
), the state
auditor:
(a)
shall authorize a disbursement by a local government entity or limited purpose entity,
as those terms are defined in Section
67-1a-15
, or a state or local taxing or
fee-assessing unit if the disbursement is necessary to:
(i)
avoid a major disruption in the operations of the local government entity, limited
purpose entity, or state or local taxing or fee-assessing unit; or
(ii)
meet debt service obligations; and
(b)
may authorize a disbursement by a local government entity, limited purpose entity,
or state or local taxing or fee-assessing unit as the state auditor determines is
appropriate.
(12)
(a)
The state auditor may seek relief under the Utah Rules of Civil Procedure to take
temporary custody of public funds if an action is necessary to protect public funds
from being improperly diverted from their intended public purpose.
(b)
If the state auditor seeks relief under Subsection
(12)(a)
:
(i)
the state auditor is not required to exhaust the procedures in Subsection
(7)
or
(8)
;
and
(ii)
the state treasurer may hold the public funds in accordance with Section
67-4-1
if
a court orders the public funds to be protected from improper diversion from their
public purpose.
(13)
The state auditor shall:
(a)
establish audit guidelines and procedures for audits of local mental health and
substance abuse authorities and their contract providers, conducted pursuant to Title
17, Chapter 77
, Local Health and Human Services, Title
26B, Chapter 5
, Health Care
- Substance Use and Mental Health, and Title
51, Chapter 2a
, Accounting Reports
from Political Subdivisions, Interlocal Organizations, and Other Local Entities Act;
and
(b)
ensure that those guidelines and procedures provide assurances to the state that:
(i)
state and federal funds appropriated to local mental health authorities are used for
mental health purposes;
(ii)
a private provider under an annual or otherwise ongoing contract to provide
comprehensive mental health programs or services for a local mental health
authority is in compliance with state and local contract requirements and state and
federal law;
(iii)
state and federal funds appropriated to local substance abuse authorities are used
for substance abuse programs and services; and
(iv)
a private provider under an annual or otherwise ongoing contract to provide
comprehensive substance abuse programs or services for a local substance abuse
authority is in compliance with state and local contract requirements, and state and
federal law.
(14)
(a)
The state auditor may, in accordance with the auditor's responsibilities for
political subdivisions of the state as provided in Title
51, Chapter 2a
, Accounting
Reports from Political Subdivisions, Interlocal Organizations, and Other Local
Entities Act, initiate audits or investigations of any political subdivision that are
necessary to determine honesty and integrity in fiscal affairs, accuracy and reliability
of financial statements, effectiveness, and adequacy of financial controls and
compliance with the law.
(b)
If the state auditor receives notice under Subsection
11-41-104(7)
from the
Governor's Office of Economic Opportunity on or after July 1, 2024, the state auditor
may initiate an audit or investigation of the public entity subject to the notice to
determine compliance with Section
11-41-103
.
(15)
(a)
The state auditor may not audit work that the state auditor performed before
becoming state auditor.
(b)
If the state auditor has previously been a responsible official in state government
whose work has not yet been audited, the Legislature shall:
(i)
designate how that work shall be audited; and
(ii)
provide additional funding for those audits, if necessary.
(16)
The state auditor shall:
(a)
with the assistance, advice, and recommendations of an advisory committee
appointed by the state auditor from among special district boards of trustees, officers,
and employees and special service district boards, officers, and employees:
(i)
prepare a Uniform Accounting Manual for Special Districts that:
(A)
prescribes a uniform system of accounting and uniform budgeting and
reporting procedures for special districts under Title
17B, Limited Purpose
Local Government Entities - Special Districts
, and special service districts
under Title
17D, Chapter 1
, Special Service District Act;
(B)
conforms with generally accepted accounting principles; and
(C)
prescribes reasonable exceptions and modifications for smaller districts to the
uniform system of accounting, budgeting, and reporting;
(ii)
maintain the manual under this Subsection
(16)(a)
so that the manual continues to
reflect generally accepted accounting principles;
(iii)
conduct a continuing review and modification of procedures in order to improve
them;
(iv)
prepare and supply each district with suitable budget and reporting forms; and
(v)
(A)
prepare instructional materials, conduct training programs, and render other
services considered necessary to assist special districts and special service
districts in implementing the uniform accounting, budgeting, and reporting
procedures; and
(B)
ensure that any training described in Subsection
(16)(a)(v)(A)
complies with
Title
63G, Chapter 22
, State Training and Certification Requirements; and
(b)
continually analyze and evaluate the accounting, budgeting, and reporting practices
and experiences of specific special districts and special service districts selected by
the state auditor and make the information available to all districts.
(17)
(a)
The following records in the custody or control of the state auditor are protected
records under Title
63G, Chapter 2
, Government Records Access and Management
Act:
(i)
records that would disclose information relating to allegations of personal
misconduct, gross mismanagement, or illegal activity of a past or present
governmental employee if the information or allegation cannot be corroborated by
the state auditor through other documents or evidence, and the records relating to
the allegation are not relied upon by the state auditor in preparing a final audit
report;
(ii)
records and audit workpapers to the extent the workpapers would disclose the
identity of an individual who during the course of an audit, communicated the
existence of any waste of public funds, property, or manpower, or a violation or
suspected violation of a law, rule, or regulation adopted under the laws of this
state, a political subdivision of the state, or any recognized entity of the United
States, if the information was disclosed on the condition that the identity of the
individual be protected;
(iii)
before an audit is completed and the final audit report is released, records or
drafts circulated to an individual who is not an employee or head of a
governmental entity for the individual's response or information;
(iv)
records that would disclose an outline or part of any audit survey plans or audit
program; and
(v)
requests for audits, if disclosure would risk circumvention of an audit.
(b)
The provisions of Subsections
(17)(a)(i)
,
(ii)
, and
(iii)
do not prohibit the disclosure
of records or information that relate to a violation of the law by a governmental entity
or employee to a government prosecutor or peace officer.
(c)
The provisions of this Subsection
(17)
do not limit the authority otherwise given to
the state auditor to classify a document as public, private, controlled, or protected
under Title
63G, Chapter 2
, Government Records Access and Management Act.
(d)
(i)
As used in this Subsection
(17)(d)
, "record dispute" means a dispute between
the state auditor and the subject of an audit performed by the state auditor as to
whether the state auditor may release a record, as defined in Section
63G-2-103
,
to the public that the state auditor gained access to in the course of the state
auditor's audit but which the subject of the audit claims is not subject to disclosure
under Title
63G, Chapter 2
, Government Records Access and Management Act.
(ii)
The state auditor may submit a record dispute to the director of the Government
Records Office, created in Section
63A-12-202
, for a determination of whether the
state auditor may, in conjunction with the state auditor's release of an audit report,
release to the public the record that is the subject of the record dispute.
(iii)
The state auditor or the subject of the audit may seek judicial review of the
director's determination, described in Subsection
(17)(d)(ii)
, as provided in
Section
63G-2-404
.
(18)
If the state auditor conducts an audit of an entity that the state auditor has previously
audited and finds that the entity has not implemented a recommendation made by the
state auditor in a previous audit, the state auditor shall notify the Legislative
Management Committee through the Legislative Management Committee's Audit
Subcommittee that the entity has not implemented that recommendation.
(19)
The state auditor shall, with the advice and consent of the Senate, appoint the state
privacy auditor described in Section
67-3-13
.
(20)
(19)
Except as provided in Subsection
(21)
(20)
, the state auditor shall report, or
ensure that another government entity reports, on the financial, operational, and
performance metrics for the state system of higher education and the state system of
public education, including metrics in relation to students, programs, and schools within
those systems.
(21)
(20)
(a)
Notwithstanding Subsection
(20)
(19)
, the state auditor shall conduct
regular audits of:
(i)
the scholarship granting organization for the Carson Smith Opportunity
Scholarship Program, created in Section
53E-7-402
;
(ii)
the State Board of Education for the Carson Smith Scholarship Program, created
in Section
53F-4-302
; and
(iii)
the scholarship program manager for the Utah Fits All Scholarship Program,
created in Section
53F-6-402
, including an analysis of the cost effectiveness of the
program, taking into consideration the amount of the scholarship and the amount
of state and local funds dedicated on a per-student basis within the traditional
public education system.
(b)
Nothing in this subsection limits or impairs the authority of the State Board of
Education to administer the programs described in Subsection
(21)(a)
(20)(a)
.
(22)
(21)
The state auditor shall, based on the information posted by the Office of
Legislative Research and General Counsel under Subsection
36-12-12.1(2)
, for each
policy, track and post the following information on the state auditor's website:
(a)
the information posted under Subsections
36-12-12.1(2)(a)
through
(e)
;
(b)
an indication regarding whether the policy is timely adopted, adopted late, or not
adopted;
(c)
an indication regarding whether the policy complies with the requirements
established by law for the policy; and
(d)
a link to the policy.
(23)
(22)
(a)
A legislator may request that the state auditor conduct an inquiry to
determine whether a government entity, government official, or government
employee has complied with a legal obligation directly imposed, by statute, on the
government entity, government official, or government employee.
(b)
The state auditor may, upon receiving a request under Subsection
(23)(a)
(22)(a)
,
conduct the inquiry requested.
(c)
If the state auditor conducts the inquiry described in Subsection
(23)(b)
(22)(b)
, the
state auditor shall post the results of the inquiry on the state auditor's website.
(d)
The state auditor may limit the inquiry described in this Subsection
(23)
(22)
to a
simple determination, without conducting an audit, regarding whether the obligation
was fulfilled.
(24)
(23)
The state auditor shall:
(a)
ensure compliance with Title
63G, Chapter 31
, Distinctions on the Basis of Sex, in
accordance with Section
63G-31-401
; and
(b)
report to the Legislative Management Committee, upon request, regarding the state
auditor's actions under this Subsection
(24)
(23)
.
(25)
(24)
The state auditor shall report compliance with Sections
67-27-107
,
67-27-108
,
and
67-27-109
by:
(a)
establishing a process to receive and audit each alleged violation; and
(b)
reporting to the Legislative Management Committee, upon request, regarding the
state auditor's findings and recommendations under this Subsection
(25)
(24)
.
(26)
(25)
The state auditor shall ensure compliance with Section
63G-1-704
regarding the
display of flags in or on government property.
(27)
(26)
(a)
On or before January 31 each year, the state auditor shall prepare a report
that states, for each entity that holds public funds as defined in Section
51-7-3
, the
entity's total balance, as of the last day of the immediately preceding fiscal year, of
cash, cash equivalents, and investments, as those terms are defined under the
standards established by the Governmental Accounting Standards Board.
(b)
The state auditor shall make the report described in Subsection
(27)(a)
(26)(a)
publicly available on a website that the state auditor maintains.
(27)
The state auditor may audit the privacy practices of governmental entities.
Section 31. Section
67-3-13
is amended to read:
67-3-13
. State auditor data privacy responsibilities.
(1)
As used in this section:
(a)
"Governmental entity" means the same as that term is defined in Section
63G-2-103
.
(b)
"Personal data" means the same as that term is defined in Section
63A-19-101
.
(c)
"Privacy practice" means the same as that term is defined in Section
63A-19-101
.
(d)
"State agency" means the same as that term is defined in Section
63A-19-101
.
(e)
"State privacy auditor" means the individual appointed as state privacy auditor by
the state auditor under Section
67-3-1
.
(2)
The state
privacy
auditor shall:
(a)
compile information about the privacy practices of governmental entities;
(b)
make public and maintain information about the privacy practices of governmental
entities on the state auditor's website;
(c)
provide governmental entities with guidance and training regarding the data privacy
auditing standards developed by the state
privacy
auditor;
(d)
implement a process to analyze and respond to requests from individuals for the state
privacy
auditor to audit a governmental entity's privacy practice;
(e)
identify annually which governmental entities' privacy practices pose the greatest
risk to individual privacy and prioritize those privacy practices to be audited;
(f)
audit each year, in as timely a manner as possible, the privacy practices that the state
privacy
auditor identifies under Subsection
(2)(d)
or
(2)(e)
as posing the greatest risk
to individuals' privacy;
(g)
when auditing a governmental entity's privacy practice under Subsection
(2)(f)
,
analyze:
(i)
details about the technology or the policy and the technology's or the policy's
application;
(ii)
information about the type of personal data being used;
(iii)
information about how the personal data is obtained, stored, shared, secured, and
disposed;
(iv)
information about the governmental entity's sharing or selling of personal data;
(v)
information about whether an individual can or should be able to opt out of the
retention, selling, and sharing of the individual's personal data;
(vi)
information about how the governmental entity de-identifies or anonymizes
personal data;
(vii)
a determination about the existence of alternative technology or improved
practices to protect privacy; and
(viii)
a finding of whether the governmental entity's current privacy practices
adequately protect individual privacy; and
(h)
after completing an audit described in Subsections
(2)(f)
and
(g)
, determine:
(i)
each governmental entity's use of personal data, including the governmental
entity's privacy practices regarding personal data:
(A)
acquisition;
(B)
storage;
(C)
disposal;
(D)
protection; and
(E)
sharing;
(ii)
the adequacy of the governmental entity's practices in each of the areas described
in Subsection
(2)(h)(i)
; and
(iii)
for each of the areas described in Subsection
(2)(h)(i)
that the state
privacy
auditor determines to require reform, provide recommendations for reform to the
governmental entity and the legislative body charged with regulating the
governmental entity.
(3)
(a)
The legislative body charged with regulating a governmental entity that receives a
recommendation described in Subsection
(2)(h)(iii)
shall hold a public hearing on the
proposed reforms:
(i)
with a quorum of the legislative body present; and
(ii)
within 90 days after the day on which the legislative body receives the
recommendation.
(b)
(i)
The legislative body shall provide notice of the hearing described in Subsection
(3)(a)
.
(ii)
Notice of the public hearing and the recommendations to be discussed shall be
posted for the jurisdiction of the governmental entity, as a class A notice under
Section
63G-30-102
, for at least 30 days before the day on which the legislative
body will hold the public hearing.
(iii)
Each notice required under Subsection
(3)(b)(i)
shall:
(A)
identify the recommendations to be discussed; and
(B)
state the date, time, and location of the public hearing.
(c)
During the hearing described in Subsection
(3)(a)
, the legislative body shall:
(i)
provide the public the opportunity to ask questions and obtain further information
about the recommendations; and
(ii)
provide any interested person an opportunity to address the legislative body with
concerns about the recommendations.
(d)
At the conclusion of the hearing, the legislative body shall determine whether the
legislative body shall adopt reforms to address the recommendations and any
concerns raised during the public hearing.
(4)
Subsection
(3)
does not apply to:
(a)
a state agency;
(b)
the legislative branch;
(c)
the judicial branch;
(d)
an executive branch agency within the Office of the Attorney General, the state
auditor, the state treasurer, or the State Board of Education; or
(e)
an independent entity.
(5)
The state
privacy
auditor shall:
(a)
quarterly report, to the Utah Privacy Commission:
(i)
recommendations for privacy practices for the commission to review; and
(ii)
the information provided in Subsection
(2)(h)
; and
(b)
annually, on or before October 1, report to the Judiciary Interim Committee:
(i)
the results of any audits described in Subsection
(2)(f)
, if any audits have been
completed;
(ii)
reforms, to the extent that the state
privacy
auditor is aware of any reforms, that
the governmental entity made in response to any audits described in Subsection
(2)(f)
;
(iii)
the information described in Subsection
(2)(h)
; and
(iv)
recommendations for legislation based on any results of an audit described in
Subsection
(2)(f)
.
Section 32.
Effective Date.
This bill takes effect on
May 6, 2026
.
3-12-26 2:39 PM