HB0343 - Utah codifies new government privacy standards

Bill Sponsor:

Rep. Moss, Jefferson
Floor Sponsor:

Sen. Cullimore, Kirk A.
Substitute Sponsor: Rep. Moss, Jefferson
Drafting Attorney: Thomas R. Vaughn
Fiscal Analyst: Heidi Jo Tak
Bill Tracking
Tracking Page
Bill Text
Introduced
Enrolled (Currently Displayed)
Other Versions
H.B. 343
Related Documents
Fiscal Note
HB0343 comparison
Information
Last Action: 14 Mar 2023, Governor Signed
Last Location: Lieutenant Governor's office for filing
Effective Date: 3 May 2023
Session Law Chapter: 173
Similar Bills
Technology
Government Records
Public Utilities and Technology
Background Checks
Law Enforcement and Criminal Justice
Administrative Rulemaking and Procedures
Public Safety
Department of Government Operations
Government Operations (State Issues)
Archives and Records
Data and Cyber Security
New Rulemaking Authority
Sections Affected
63A-12-100
63A-12-100.5
63A-12-101
63A-12-104
63A-12-108
63C-24-202
63G-2-103
63G-2-107
63G-2-201
63G-2-204
63G-2-307
63G-2-601
63G-2-604
67-1-17
67-3-13
77-27-5
Enrolled
Printer Friendly
H.B. 343
1
GOVERNMENT RECORDS MODIFICATIONS

2
2023 GENERAL SESSION

3
STATE OF UTAH

4
Chief Sponsor: Jefferson Moss

5
Senate Sponsor: Kirk A. Cullimore

6

7 LONG TITLE
8 General Description:
9 This bill amends provisions relating to government records, including provisions
10 relating to the Division of Archives and Records Service, the Government Records
11 Access and Management Act, and a chief privacy officer.
12 Highlighted Provisions:
13 This bill:
14 ▸ defines terms;
15 ▸ permits the Division of Archives and Records Service to require a background
16 check of employees and volunteers who have direct access to vulnerable records;
17 ▸ modifies the duties of a records officer;
18 ▸ grants rulemaking authority to the state archivist, the executive director of the
19 Department of Government Operations, and other departments, in relation to
20 government records and the provisions of this bill;
21 ▸ requires executive branch agencies to:
22 • make and maintain an inventory of records that contain personal identifying
23 information; and
24 • prepare and maintain a privacy annotation for each record series collected,
25 maintained, or used by the executive branch agency that discloses whether the
26 record series contains personal identifying information, describes the type of
27 personal identifying information contained in the record series, and provides
28 other information regarding the personal identifying information contained in
29 the record series;
30 ▸ requires the executive director of the Department of Government Operations to
31 make rules for identifying personal identifying information, inventorying the
32 information, and reporting regarding the information;
33 ▸ modifies individual rights with respect to records that may be classified as private or
34 controlled or that may contain personal identifying information;
35 ▸ changes the title of the "government operations privacy officer" to the "chief privacy
36 officer"; and
37 ▸ makes technical and conforming changes.
38 Money Appropriated in this Bill:
39 None
40 Other Special Clauses:
41 None
42 Utah Code Sections Affected:
43 AMENDS:
44 63A-12-100.5, as last amended by Laws of Utah 2015, Chapter 322
45 63A-12-101, as last amended by Laws of Utah 2022, Chapter 169
46 63A-12-108, as renumbered and amended by Laws of Utah 2008, Chapter 382
47 63C-24-202, as enacted by Laws of Utah 2021, Chapter 155
48 63G-2-103, as last amended by Laws of Utah 2021, Chapters 211, 283
49 63G-2-107, as last amended by Laws of Utah 2016, Chapter 380
50 63G-2-201, as last amended by Laws of Utah 2019, Chapter 334
51 63G-2-204, as last amended by Laws of Utah 2021, Chapter 64
52 63G-2-307, as renumbered and amended by Laws of Utah 2008, Chapter 382
53 63G-2-601, as renumbered and amended by Laws of Utah 2008, Chapter 382
54 63G-2-604, as last amended by Laws of Utah 2019, Chapter 254
55 67-1-17, as enacted by Laws of Utah 2021, Chapter 155
56 67-3-13, as enacted by Laws of Utah 2021, Chapter 155
57 77-27-5, as last amended by Laws of Utah 2021, Chapters 21, 246 and 260 and last
58 amended by Coordination Clause, Laws of Utah 2021, Chapter 260
59 ENACTS:
60 63A-12-115, Utah Code Annotated 1953
61 63A-12-116, Utah Code Annotated 1953
62 REPEALS AND REENACTS:
63 63A-12-104, as last amended by Laws of Utah 2022, Chapter 169
64 REPEALS:
65 63A-12-100, as last amended by Laws of Utah 2021, Chapter 84
66

67 Be it enacted by the Legislature of the state of Utah:
68 Section 1. Section 63A-12-100.5 is amended to read:
69
CHAPTER 12. DIVISION OF ARCHIVES AND RECORDS SERVICE AND

70
MANAGEMENT OF GOVERNMENT RECORDS

71 63A-12-100.5. Definitions.
72 (1) Except as provided under Subsection (2), the definitions in Section 63G-2-103
73 apply to this chapter.
74 (2) As used in this chapter:
75 (a) ["division" or "state archives"] "Division" means the Division of Archives and
76 Records Service[; and].
77 (b) (i) "Executive branch agency" means the same as that term is defined in Section
78 63A-16-102.
79 (ii) "Executive branch agency" includes a state agency, as defined in Subsection
80 67-1-17(1)(d).
81 (c) (i) "Personal identifying information" means information about an individual that:
82 (A) identifies, or can be used to identify, an individual;
83 (B) distinguishes an individual from one or more other individuals; or
84 (C) is, or can be, logically associated with other information or data, through
85 technology or otherwise, to identify an individual or distinguish an individual from one or more
86 other individuals.
87 (ii) "Personal identifying information" includes information identified as personal
88 identifying information in accordance with the rules described in Section 63A-12-104.
89 (d) "Privacy annotation" means a summary, described in Subsection 63A-12-115(2)
90 and rules made by the executive director under Subsection 63A-12-104(2), that, for each record
91 series that an executive branch agency collects, maintains, or uses:
92 (i) discloses whether the record series contains personal identifying information; and
93 (ii) if the record series contains personal identifying information, includes the
94 information described in Subsection 63A-12-115(2)(b).
95 [(b)] (e) ["record"] Record" means:
96 (i) the same as that term is defined in Section 63G-2-103; or
97 (ii) a video or audio recording of an interview, or a transcript of the video or audio
98 recording, that is conducted at a Children's Justice Center established under Section 67-5b-102,
99 the release of which is governed by Section 77-37-4.
100 (f) "State archives" means the Division of Archives and Records Service.
101 (g) "Vulnerable adult" means the same as that term is defined in Section 62A-3-301.
102 (h) "Vulnerable record" means a record or data relating to:
103 (i) national security interests;
104 (ii) the care, custody, or control of a child;
105 (iii) a fiduciary trust over money;
106 (iv) health care of a child; or
107 (v) the following, in relation to a vulnerable adult:
108 (A) protection, health care, or other care; or
109 (B) the provision of food, shelter, clothing, assistance with an activity of daily living,
110 or assistance with financial resource management.
111 Section 2. Section 63A-12-101 is amended to read:
112 63A-12-101. Division of Archives and Records Service created -- Duties.
113 (1) There is created the Division of Archives and Records Service within the
114 department.
115 (2) The state archives shall:
116 (a) administer the state's archives and records management programs, including storage
117 of records, central reformatting programs, and quality control;
118 (b) apply fair, efficient, and economical management methods to the collection,
119 creation, use, maintenance, retention, preservation, disclosure, and disposal of records and
120 documents;
121 (c) establish standards, procedures, and techniques for the effective management and
122 physical care of records;
123 (d) conduct surveys of office operations and recommend improvements in current
124 records management practices, including the use of space, equipment, automation, and supplies
125 used in creating, maintaining, storing, and servicing records;
126 (e) establish standards for the preparation of schedules providing for the retention of
127 records of continuing value and for the prompt and orderly disposal of state records no longer
128 possessing sufficient administrative, historical, legal, or fiscal value to warrant further
129 retention;
130 (f) establish, maintain, and operate centralized reformatting lab facilities and quality
131 control for the state;
132 (g) provide staff and support services to the Records Management Committee created
133 in Section 63A-12-112 and the State Records Committee created in Section 63G-2-501;
134 (h) develop training programs to assist records officers and other interested officers and
135 employees of governmental entities to administer this chapter and Title 63G, Chapter 2,
136 Government Records Access and Management Act;
137 (i) provide access to public records deposited in the archives;
138 (j) administer and maintain the Utah Public Notice Website established under Section
139 63A-16-601;
140 (k) provide assistance to any governmental entity in administering this chapter and
141 Title 63G, Chapter 2, Government Records Access and Management Act;
142 (l) prepare forms for use by all governmental entities for a person requesting access to
143 a record; and
144 (m) if the department operates the Division of Archives and Records Service as an
145 internal service fund agency in accordance with Section 63A-1-109.5, submit to the Rate
146 Committee established in Section 63A-1-114:
147 (i) the proposed rate schedule as required by Section 63A-1-114; and
148 (ii) other information or analysis requested by the Rate Committee.
149 (3) The state archives may:
150 (a) establish a report and directives management program; [and]
151 (b) establish a forms management program[.]; and
152 (c) in accordance with Section 63A-12-101, require that an individual undergo a
153 background check if the individual:
154 (i) applies to be, or currently is, an employee or volunteer of the division; and
155 (ii) will have direct access to a vulnerable record in the capacity described in
156 Subsection (3)(c)(i).
157 (4) The executive director may direct the state archives to administer other functions or
158 services consistent with this chapter and Title 63G, Chapter 2, Government Records Access
159 and Management Act.
160 Section 3. Section 63A-12-104 is repealed and reenacted to read:
161 63A-12-104. Rulemaking authority.
162 (1) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act:
163 (a) the state archivist may, for an executive branch agency, make rules establishing
164 procedures for the collection, storage, designation, classification, access, mediation for records
165 access, and management of records under this chapter and Title 63G, Chapter 2, Government
166 Records Access and Management Act; and
167 (b) a department may make rules specifying at which level within the department the
168 requirements described in this chapter will be undertaken.
169 (2) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
170 executive director shall, in consultation with the state archivist and the chief privacy officer,
171 make rules for an executive branch agency that establish:
172 (a) requirements for making an inventory of each record series that contains personal
173 identifying information, including:
174 (i) information collected as part of the inventory;
175 (ii) regularly reviewing, updating, and maintaining the inventory; and
176 (iii) reporting the inventory to the chief privacy officer;
177 (b) a list of information, categories of information, or types of information expressly
178 designated as personal identifying information, in accordance with the criteria described in
179 Subsections 63A-12-100.5(2)(c)(i) through (iii);
180 (c) criteria, variables, and principles for determining whether information in a record
181 series, not expressly designated under Subsection (2)(b), is personal identifying information;
182 (d) a list and description of categories or types of personal identifying information that
183 are collected, maintained, or used by executive branch agencies; and
184 (e) requirements for the form, content, format, review, and update of a privacy
185 annotation.
186 (3) The rules described in Subsection (2)(b) may incorporate, by reference, a data
187 dictionary that a records officer appointed under Subsection 63A-12-103(2)(a) shall use in
188 making the determination described in Subsection (2)(c).
189 Section 4. Section 63A-12-108 is amended to read:
190 63A-12-108. Inspection and summary of record series -- Data dictionary.
191 (1) [The state] State archives shall provide for public inspection of:
192 (a) the title and a summary description of each record series[.]; and
193 (b) for an executive branch agency, the privacy annotation of each record series.
194 (2) The department shall:
195 (a) post the data dictionary described in Subsection 63A-12-104(3) on the department's
196 website; and
197 (b) maintain and update the data dictionary on a regular basis.
198 Section 5. Section 63A-12-115 is enacted to read:
199 63A-12-115. Privacy annotation for records series -- Requirements -- Content.
200 (1) (a) Before January 1, 2026, an executive branch agency shall, for each record series
201 that the executive branch agency collects, maintains, or uses, evaluate the record series and
202 make a privacy annotation that completely and accurately complies with Subsection (2) and the
203 rules described in Subsection 63A-12-104(2)(e).
204 (b) Beginning on January 1, 2026, an executive branch agency may not collect,
205 maintain, or use personal identifying information unless the record series for which the
206 personal identifying information is collected, maintained, or used includes a privacy annotation
207 that completely and accurately complies with Subsection (2) and the rules described in
208 Subsection 63A-12-104(2)(e).
209 (2) A privacy annotation shall include the following:
210 (a) if the record series does not include personal identifying information, a statement
211 indicating that the record series does not include personal identifying information;
212 (b) if the record series includes personal identifying information:
213 (i) an inventory of the personal identifying information included in the record series;
214 and
215 (ii) for the personal identifying information described in Subsection (2)(b)(i):
216 (A) the purpose for which the executive branch agency collects, keeps, or uses the
217 personal identifying information;
218 (B) a citation to the executive branch agency's legal authority for collecting, keeping, or
219 using the personal identifying information; and
220 (C) any other information required by state archives by rule under Subsection
221 63A-12-104(2)(e).
222 Section 6. Section 63A-12-116 is enacted to read:
223 63A-12-116. Background check for individuals with direct access to a vulnerable
224 record.
225 (1) If, under Subsection 63A-12-101(3)(c), state archives requires an individual to
226 undergo a background check:
227 (a) the individual shall:
228 (i) submit to state archives, in a form designated by state archives, a fingerprint card
229 and other information required by state archives for the background check; and
230 (ii) consent to a criminal background check by the Federal Bureau of Investigation, the
231 Bureau of Criminal Identification, or any other state entity that performs criminal background
232 checks; and
233 (b) state archives shall:
234 (i) submit the fingerprint card and information described in Subsection (1)(a)(i) to the
235 Utah Bureau of Criminal Identification; and
236 (ii) pay all fees required to conduct the background check, including fees described in
237 Subsection 53-10-108(15)(a) and fees required by the Federal Bureau of Investigation.
238 (2) The Bureau of Criminal Identification shall provide all results of a criminal
239 background check described in this section to state archives, including results from state,
240 regional, and nationwide background checks.
241 (3) State archives may make rules, in accordance with Title 63G, Chapter 3, Utah
242 Administrative Rulemaking Act, to:
243 (a) establish procedures for requiring and conducting a background check under this
244 section; and
245 (b) specify requirements for the information and fingerprint card required for a
246 background check under this section.
247 Section 7. Section 63C-24-202 is amended to read:
248 63C-24-202. Commission duties.
249 (1) The commission shall:
250 (a) develop guiding standards and best practices with respect to government privacy
251 practices;
252 (b) develop educational and training materials that include information about:
253 (i) the privacy implications and civil liberties concerns of the privacy practices of
254 government entities;
255 (ii) best practices for government collection and retention policies regarding personal
256 data; and
257 (iii) best practices for government personal data security standards; and
258 (c) review the privacy implications and civil liberties concerns of government privacy
259 practices.
260 (2) The commission may:
261 (a) review specific government privacy practices as referred to the commission by the
262 [government operations] chief privacy officer described in Section 67-1-17 or the state privacy
263 officer described in Section 67-3-13; and
264 (b) develop recommendations for legislation regarding the guiding standards and best
265 practices the commission has developed in accordance with Subsection (1)(a).
266 (3) Annually, on or before October 1, the commission shall report to the Judiciary
267 Interim Committee:
268 (a) the results of any reviews the commission has conducted;
269 (b) the guiding standards and best practices described in Subsection (1)(a); and
270 (c) any recommendations for legislation the commission has developed in accordance
271 with Subsection (2)(b).
272 Section 8. Section 63G-2-103 is amended to read:
273 63G-2-103. Definitions.
274 As used in this chapter:
275 (1) "Audit" means:
276 (a) a systematic examination of financial, management, program, and related records
277 for the purpose of determining the fair presentation of financial statements, adequacy of
278 internal controls, or compliance with laws and regulations; or
279 (b) a systematic examination of program procedures and operations for the purpose of
280 determining their effectiveness, economy, efficiency, and compliance with statutes and
281 regulations.
282 (2) "Chronological logs" mean the regular and customary summary records of law
283 enforcement agencies and other public safety agencies that show:
284 (a) the time and general nature of police, fire, and paramedic calls made to the agency;
285 and
286 (b) any arrests or jail bookings made by the agency.
287 (3) "Classification," "classify," and their derivative forms mean determining whether a
288 record series, record, or information within a record is public, private, controlled, protected, or
289 exempt from disclosure under Subsection 63G-2-201(3)(b).
290 (4) (a) "Computer program" means:
291 (i) a series of instructions or statements that permit the functioning of a computer
292 system in a manner designed to provide storage, retrieval, and manipulation of data from the
293 computer system; and
294 (ii) any associated documentation and source material that explain how to operate the
295 computer program.
296 (b) "Computer program" does not mean:
297 (i) the original data, including numbers, text, voice, graphics, and images;
298 (ii) analysis, compilation, and other manipulated forms of the original data produced by
299 use of the program; or
300 (iii) the mathematical or statistical formulas, excluding the underlying mathematical
301 algorithms contained in the program, that would be used if the manipulated forms of the
302 original data were to be produced manually.
303 (5) (a) "Contractor" means:
304 (i) any person who contracts with a governmental entity to provide goods or services
305 directly to a governmental entity; or
306 (ii) any private, nonprofit organization that receives funds from a governmental entity.
307 (b) "Contractor" does not mean a private provider.
308 (6) "Controlled record" means a record containing data on individuals that is controlled
309 as provided by Section 63G-2-304.
310 (7) "Designation," "designate," and their derivative forms mean indicating, based on a
311 governmental entity's familiarity with a record series or based on a governmental entity's
312 review of a reasonable sample of a record series, the primary classification that a majority of
313 records in a record series would be given if classified and the classification that other records
314 typically present in the record series would be given if classified.
315 (8) "Elected official" means each person elected to a state office, county office,
316 municipal office, school board or school district office, local district office, or special service
317 district office, but does not include judges.
318 (9) "Explosive" means a chemical compound, device, or mixture:
319 (a) commonly used or intended for the purpose of producing an explosion; and
320 (b) that contains oxidizing or combustive units or other ingredients in proportions,
321 quantities, or packing so that:
322 (i) an ignition by fire, friction, concussion, percussion, or detonator of any part of the
323 compound or mixture may cause a sudden generation of highly heated gases; and
324 (ii) the resultant gaseous pressures are capable of:
325 (A) producing destructive effects on contiguous objects; or
326 (B) causing death or serious bodily injury.
327 (10) "Government audit agency" means any governmental entity that conducts an audit.
328 (11) (a) "Governmental entity" means:
329 (i) executive department agencies of the state, the offices of the governor, lieutenant
330 governor, state auditor, attorney general, and state treasurer, the Board of Pardons and Parole,
331 the Board of Examiners, the National Guard, the Career Service Review Office, the State
332 Board of Education, the Utah Board of Higher Education, and the State Archives;
333 (ii) the Office of the Legislative Auditor General, Office of the Legislative Fiscal
334 Analyst, Office of Legislative Research and General Counsel, the Legislature, and legislative
335 committees, except any political party, group, caucus, or rules or sifting committee of the
336 Legislature;
337 (iii) courts, the Judicial Council, the Administrative Office of the Courts, and similar
338 administrative units in the judicial branch;
339 (iv) any state-funded institution of higher education or public education; or
340 (v) any political subdivision of the state, but, if a political subdivision has adopted an
341 ordinance or a policy relating to information practices pursuant to Section 63G-2-701, this
342 chapter shall apply to the political subdivision to the extent specified in Section 63G-2-701 or
343 as specified in any other section of this chapter that specifically refers to political subdivisions.
344 (b) "Governmental entity" also means:
345 (i) every office, agency, board, bureau, committee, department, advisory board, or
346 commission of an entity listed in Subsection (11)(a) that is funded or established by the
347 government to carry out the public's business;
348 (ii) as defined in Section 11-13-103, an interlocal entity or joint or cooperative
349 undertaking;
350 (iii) as defined in Section 11-13a-102, a governmental nonprofit corporation;
351 (iv) an association as defined in Section 53G-7-1101;
352 (v) the Utah Independent Redistricting Commission; and
353 (vi) a law enforcement agency, as defined in Section 53-1-102, that employs one or
354 more law enforcement officers, as defined in Section 53-13-103.
355 (c) "Governmental entity" does not include the Utah Educational Savings Plan created
356 in Section 53B-8a-103.
357 (12) "Gross compensation" means every form of remuneration payable for a given
358 period to an individual for services provided including salaries, commissions, vacation pay,
359 severance pay, bonuses, and any board, rent, housing, lodging, payments in kind, and any
360 similar benefit received from the individual's employer.
361 (13) "Individual" means a human being.
362 (14) (a) "Initial contact report" means an initial written or recorded report, however
363 titled, prepared by peace officers engaged in public patrol or response duties describing official
364 actions initially taken in response to either a public complaint about or the discovery of an
365 apparent violation of law, which report may describe:
366 (i) the date, time, location, and nature of the complaint, the incident, or offense;
367 (ii) names of victims;
368 (iii) the nature or general scope of the agency's initial actions taken in response to the
369 incident;
370 (iv) the general nature of any injuries or estimate of damages sustained in the incident;
371 (v) the name, address, and other identifying information about any person arrested or
372 charged in connection with the incident; or
373 (vi) the identity of the public safety personnel, except undercover personnel, or
374 prosecuting attorney involved in responding to the initial incident.
375 (b) Initial contact reports do not include follow-up or investigative reports prepared
376 after the initial contact report. However, if the information specified in Subsection (14)(a)
377 appears in follow-up or investigative reports, it may only be treated confidentially if it is
378 private, controlled, protected, or exempt from disclosure under Subsection 63G-2-201(3)(b).
379 (c) Initial contact reports do not include accident reports, as that term is described in
380 Title 41, Chapter 6a, Part 4, Accident Responsibilities.
381 (15) "Legislative body" means the Legislature.
382 (16) "Notice of compliance" means a statement confirming that a governmental entity
383 has complied with an order of the State Records Committee.
384 (17) "Person" means:
385 (a) an individual;
386 (b) a nonprofit or profit corporation;
387 (c) a partnership;
388 (d) a sole proprietorship;
389 (e) other type of business organization; or
390 (f) any combination acting in concert with one another.
391 (18) "Personal identifying information" means the same as that term is defined in
392 Section 63A-12-100.5.
393 (19) "Privacy annotation" means the same as that term is defined in Section
394 63A-12-100.5.
395 [(18)] (20) "Private provider" means any person who contracts with a governmental
396 entity to provide services directly to the public.
397 [(19)] (21) "Private record" means a record containing data on individuals that is
398 private as provided by Section 63G-2-302.
399 [(20)] (22) "Protected record" means a record that is classified protected as provided by
400 Section 63G-2-305.
401 [(21)] (23) "Public record" means a record that is not private, controlled, or protected
402 and that is not exempt from disclosure as provided in Subsection 63G-2-201(3)(b).
403 [(22)] (24) (a) "Record" means a book, letter, document, paper, map, plan, photograph,
404 film, card, tape, recording, electronic data, or other documentary material regardless of physical
405 form or characteristics:
406 (i) that is prepared, owned, received, or retained by a governmental entity or political
407 subdivision; and
408 (ii) where all of the information in the original is reproducible by photocopy or other
409 mechanical or electronic means.
410 (b) "Record" does not mean:
411 (i) a personal note or personal communication prepared or received by an employee or
412 officer of a governmental entity:
413 (A) in a capacity other than the employee's or officer's governmental capacity; or
414 (B) that is unrelated to the conduct of the public's business;
415 (ii) a temporary draft or similar material prepared for the originator's personal use or
416 prepared by the originator for the personal use of an individual for whom the originator is
417 working;
418 (iii) material that is legally owned by an individual in the individual's private capacity;
419 (iv) material to which access is limited by the laws of copyright or patent unless the
420 copyright or patent is owned by a governmental entity or political subdivision;
421 (v) proprietary software;
422 (vi) junk mail or a commercial publication received by a governmental entity or an
423 official or employee of a governmental entity;
424 (vii) a book that is cataloged, indexed, or inventoried and contained in the collections
425 of a library open to the public;
426 (viii) material that is cataloged, indexed, or inventoried and contained in the collections
427 of a library open to the public, regardless of physical form or characteristics of the material;
428 (ix) a daily calendar or other personal note prepared by the originator for the
429 originator's personal use or for the personal use of an individual for whom the originator is
430 working;
431 (x) a computer program that is developed or purchased by or for any governmental
432 entity for its own use;
433 (xi) a note or internal memorandum prepared as part of the deliberative process by:
434 (A) a member of the judiciary;
435 (B) an administrative law judge;
436 (C) a member of the Board of Pardons and Parole; or
437 (D) a member of any other body, other than an association or appeals panel as defined
438 in Section 53G-7-1101, charged by law with performing a quasi-judicial function;
439 (xii) a telephone number or similar code used to access a mobile communication
440 device that is used by an employee or officer of a governmental entity, provided that the
441 employee or officer of the governmental entity has designated at least one business telephone
442 number that is a public record as provided in Section 63G-2-301;
443 (xiii) information provided by the Public Employees' Benefit and Insurance Program,
444 created in Section 49-20-103, to a county to enable the county to calculate the amount to be
445 paid to a health care provider under Subsection 17-50-319(2)(e)(ii);
446 (xiv) information that an owner of unimproved property provides to a local entity as
447 provided in Section 11-42-205;
448 (xv) a video or audio recording of an interview, or a transcript of the video or audio
449 recording, that is conducted at a Children's Justice Center established under Section 67-5b-102;
450 (xvi) child pornography, as defined by Section 76-5b-103;
451 (xvii) before final disposition of an ethics complaint occurs, a video or audio recording
452 of the closed portion of a meeting or hearing of:
453 (A) a Senate or House Ethics Committee;
454 (B) the Independent Legislative Ethics Commission;
455 (C) the Independent Executive Branch Ethics Commission, created in Section
456 63A-14-202; or
457 (D) the Political Subdivisions Ethics Review Commission established in Section
458 63A-15-201; or
459 (xviii) confidential communication described in Section 58-60-102, 58-61-102, or
460 58-61-702.
461 [(23)] (25) "Record series" means a group of records that may be treated as a unit for
462 purposes of designation, description, management, or disposition.
463 [(24)] (26) "Records officer" means the individual appointed by the chief
464 administrative officer of each governmental entity, or the political subdivision to work with
465 state archives in the care, maintenance, scheduling, designation, classification, disposal, and
466 preservation of records.
467 [(25)] (27) "Schedule," "scheduling," and their derivative forms mean the process of
468 specifying the length of time each record series should be retained by a governmental entity for
469 administrative, legal, fiscal, or historical purposes and when each record series should be
470 transferred to the state archives or destroyed.
471 [(26)] (28) "Sponsored research" means research, training, and other sponsored
472 activities as defined by the federal Executive Office of the President, Office of Management
473 and Budget:
474 (a) conducted:
475 (i) by an institution within the state system of higher education defined in Section
476 53B-1-102; and
477 (ii) through an office responsible for sponsored projects or programs; and
478 (b) funded or otherwise supported by an external:
479 (i) person that is not created or controlled by the institution within the state system of
480 higher education; or
481 (ii) federal, state, or local governmental entity.
482 [(27)] (29) "State archives" means the Division of Archives and Records Service
483 created in Section 63A-12-101.
484 [(28)] (30) "State archivist" means the director of the state archives.
485 [(29)] (31) "State Records Committee" means the State Records Committee created in
486 Section 63G-2-501.
487 [(30)] (32) "Summary data" means statistical records and compilations that contain
488 data derived from private, controlled, or protected information but that do not disclose private,
489 controlled, or protected information.
490 Section 9. Section 63G-2-107 is amended to read:
491 63G-2-107. Disclosure of records subject to federal law or other provisions of
492 state law.
493 (1) (a) The disclosure of a record to which access is governed or limited pursuant to
494 court rule, another state statute, federal statute, or federal regulation, including a record for
495 which access is governed or limited as a condition of participation in a state or federal program
496 or for receiving state or federal funds, is governed by the specific provisions of that statute,
497 rule, or regulation.
498 (b) Except as provided in Subsection (2), this chapter applies to records described in
499 Subsection (1)(a) to the extent that this chapter is not inconsistent with the statute, rule, or
500 regulation.
501 [(1)] (2) [Notwithstanding Subsection 63G-2-201(6), this] Except as provided in
502 Subsection (3), this chapter does not apply to a record containing protected health information
503 as defined in 45 C.F.R., Part 164, Standards for Privacy of Individually Identifiable Health
504 Information, if the record is:
505 (a) controlled or maintained by a governmental entity; and
506 (b) governed by 45 C.F.R., Parts 160 and 164, Standards for Privacy of Individually
507 Identifiable Health Information.
508 [(2)] (c) The disclosure of an education record as defined in the Family Educational
509 Rights and Privacy Act, 34 C.F.R. Part 99, that is controlled or maintained by a governmental
510 entity shall be governed by the Family Educational Rights and Privacy Act, 34 C.F.R. Part 99.
511 (3) This section does not exempt any record or record series from the provisions of
512 Subsection 63G-2-601(1).
513 Section 10. Section 63G-2-201 is amended to read:
514 63G-2-201. Provisions relating to records -- Public records -- Private, controlled,
515 protected, and other restricted records -- Disclosure and nondisclosure of records --
516 Certified copy of record -- Limits on obligation to respond to a record request.
517 (1) (a) Except as provided in Subsection (1)(b), a person has the right to inspect a
518 public record free of charge, and the right to take a copy of a public record during normal
519 working hours, subject to Sections 63G-2-203 and 63G-2-204.
520 (b) A right under Subsection (1)(a) does not apply with respect to a record:
521 (i) a copy of which the governmental entity has already provided to the person;
522 (ii) that is the subject of a records request that the governmental entity is not required
523 to fill under Subsection [(8)(e)] (7)(e); or
524 (iii) (A) that is accessible only by a computer or other electronic device owned or
525 controlled by the governmental entity;
526 (B) that is part of an electronic file that also contains a record that is private,
527 controlled, or protected; and
528 (C) that the governmental entity cannot readily segregate from the part of the electronic
529 file that contains a private, controlled, or protected record.
530 (2) A record is public unless otherwise expressly provided by statute.
531 (3) The following records are not public:
532 (a) a record that is private, controlled, or protected under Sections 63G-2-302,
533 63G-2-303, 63G-2-304, and 63G-2-305; and
534 (b) a record to which access is restricted pursuant to court rule, another state statute,
535 federal statute, or federal regulation, including records for which access is governed or
536 restricted as a condition of participation in a state or federal program or for receiving state or
537 federal funds.
538 (4) Only a record specified in Section 63G-2-302, 63G-2-303, 63G-2-304, or
539 63G-2-305 may be classified private, controlled, or protected.
540 (5) (a) A governmental entity may not disclose a record that is private, controlled, or
541 protected to any person except as provided in Subsection (5)(b), Subsection (5)(c), Section
542 63G-2-202, 63G-2-206, or 63G-2-303.
543 (b) A governmental entity may disclose a record that is private under Subsection
544 63G-2-302(2) or protected under Section 63G-2-305 to persons other than those specified in
545 Section 63G-2-202 or 63G-2-206 if the head of a governmental entity, or a designee,
546 determines that:
547 (i) there is no interest in restricting access to the record; or
548 (ii) the interests favoring access are greater than or equal to the interest favoring
549 restriction of access.
550 (c) In addition to the disclosure under Subsection (5)(b), a governmental entity may
551 disclose a record that is protected under Subsection 63G-2-305(51) if:
552 (i) the head of the governmental entity, or a designee, determines that the disclosure:
553 (A) is mutually beneficial to:
554 (I) the subject of the record;
555 (II) the governmental entity; and
556 (III) the public; and
557 (B) serves a public purpose related to:
558 (I) public safety; or
559 (II) consumer protection; and
560 (ii) the person who receives the record from the governmental entity agrees not to use
561 or allow the use of the record for advertising or solicitation purposes.
562 [(6) (a) The disclosure of a record to which access is governed or limited pursuant to
563 court rule, another state statute, federal statute, or federal regulation, including a record for
564 which access is governed or limited as a condition of participation in a state or federal program
565 or for receiving state or federal funds, is governed by the specific provisions of that statute,
566 rule, or regulation.]
567 [(b) This chapter applies to records described in Subsection (6)(a) insofar as this
568 chapter is not inconsistent with the statute, rule, or regulation.]
569 [(7)] (6) A governmental entity shall provide a person with a certified copy of a record
570 if:
571 (a) the person requesting the record has a right to inspect it;
572 (b) the person identifies the record with reasonable specificity; and
573 (c) the person pays the lawful fees.
574 [(8)] (7) In response to a request, a governmental entity is not required to:
575 (a) create a record;
576 (b) compile, format, manipulate, package, summarize, or tailor information;
577 (c) provide a record in a particular format, medium, or program not currently
578 maintained by the governmental entity;
579 (d) fulfill a person's records request if the request unreasonably duplicates prior records
580 requests from that person; or
581 (e) fill a person's records request if:
582 (i) the record requested is:
583 (A) publicly accessible online; or
584 (B) included in a public publication or product produced by the governmental entity
585 receiving the request; and
586 (ii) the governmental entity:
587 (A) specifies to the person requesting the record where the record is accessible online;
588 or
589 (B) provides the person requesting the record with the public publication or product
590 and specifies where the record can be found in the public publication or product.
591 [(9)] (8) (a) Although not required to do so, a governmental entity may, upon request
592 from the person who submitted the records request, compile, format, manipulate, package,
593 summarize, or tailor information or provide a record in a format, medium, or program not
594 currently maintained by the governmental entity.
595 (b) In determining whether to fulfill a request described in Subsection [(9)(a)] (8)(a), a
596 governmental entity may consider whether the governmental entity is able to fulfill the request
597 without unreasonably interfering with the governmental entity's duties and responsibilities.
598 (c) A governmental entity may require a person who makes a request under Subsection
599 [(9)(a)] (8)(a) to pay the governmental entity, in accordance with Section 63G-2-203, for
600 providing the information or record as requested.
601 [(10)] (9) (a) Notwithstanding any other provision of this chapter, and subject to
602 Subsection [(10)(b)] (9)(b), a governmental entity is not required to respond to, or provide a
603 record in response to, a record request if the request is submitted by or in behalf of an
604 individual who is confined in a jail or other correctional facility following the individual's
605 conviction.
606 (b) Subsection [(10)(a)] (9)(a) does not apply to:
607 (i) the first five record requests submitted to the governmental entity by or in behalf of
608 an individual described in Subsection [(10)(a)] (9)(a) during any calendar year requesting only
609 a record that contains a specific reference to the individual; or
610 (ii) a record request that is submitted by an attorney of an individual described in
611 Subsection [(10)(a)] (9)(a).
612 [(11)] (10) (a) A governmental entity may allow a person requesting more than 50
613 pages of records to copy the records if:
614 (i) the records are contained in files that do not contain records that are exempt from
615 disclosure, or the records may be segregated to remove private, protected, or controlled
616 information from disclosure; and
617 (ii) the governmental entity provides reasonable safeguards to protect the public from
618 the potential for loss of a public record.
619 (b) If the requirements of Subsection [(11)(a)] (10)(a) are met, the governmental entity
620 may:
621 (i) provide the requester with the facilities for copying the requested records and
622 require that the requester make the copies; or
623 (ii) allow the requester to provide the requester's own copying facilities and personnel
624 to make the copies at the governmental entity's offices and waive the fees for copying the
625 records.
626 [(12)] (11) (a) A governmental entity that owns an intellectual property right and that
627 offers the intellectual property right for sale or license may control by ordinance or policy the
628 duplication and distribution of the material based on terms the governmental entity considers to
629 be in the public interest.
630 (b) Nothing in this chapter shall be construed to limit or impair the rights or protections
631 granted to the governmental entity under federal copyright or patent law as a result of its
632 ownership of the intellectual property right.
633 [(13)] (12) A governmental entity may not use the physical form, electronic or
634 otherwise, in which a record is stored to deny, or unreasonably hinder the rights of a person to
635 inspect and receive a copy of a record under this chapter.
636 [(14)] (13) Subject to the requirements of Subsection [(8)] (7), a governmental entity
637 shall provide access to an electronic copy of a record in lieu of providing access to its paper
638 equivalent if:
639 (a) the person making the request requests or states a preference for an electronic copy;
640 (b) the governmental entity currently maintains the record in an electronic format that
641 is reproducible and may be provided without reformatting or conversion; and
642 (c) the electronic copy of the record:
643 (i) does not disclose other records that are exempt from disclosure; or
644 (ii) may be segregated to protect private, protected, or controlled information from
645 disclosure without the undue expenditure of public resources or funds.
646 [(15)] (14) In determining whether a record is properly classified as private under
647 Subsection 63G-2-302(2)(d), the governmental entity, State Records Committee, local appeals
648 board, or court shall consider and weigh:
649 (a) any personal privacy interests, including those in images, that would be affected by
650 disclosure of the records in question; and
651 (b) any public interests served by disclosure.
652 Section 11. Section 63G-2-204 is amended to read:
653 63G-2-204. Record request -- Response -- Time for responding.
654 (1) (a) A person making a request for a record shall submit to the governmental entity
655 that retains the record a written request containing:
656 (i) the person's:
657 (A) name;
658 (B) mailing address;
659 (C) email address, if the person has an email address and is willing to accept
660 communications by email relating to the person's records request; and
661 (D) daytime telephone number; and
662 (ii) a description of the record requested that identifies the record with reasonable
663 specificity.
664 (b) (i) A single record request may not be submitted to multiple governmental entities.
665 (ii) Subsection (1)(b)(i) may not be construed to prevent a person from submitting a
666 separate record request to each of multiple governmental entities, even if each of the separate
667 requests seeks access to the same record.
668 (2) (a) In response to a request for a record, a governmental entity may not provide a
669 record that it has received under Section 63G-2-206 as a shared record.
670 (b) If a governmental entity is prohibited from providing a record under Subsection
671 (2)(a), the governmental entity shall:
672 (i) deny the records request; and
673 (ii) inform the person making the request of the identity of the governmental entity
674 from which the shared record was received.
675 (3) A governmental entity may make rules in accordance with Title 63G, Chapter 3,
676 Utah Administrative Rulemaking Act, specifying where and to whom requests for access shall
677 be directed.
678 (4) After receiving a request for a record, a governmental entity shall:
679 (a) review each request that seeks an expedited response and notify, within five
680 business days after receiving the request, each requester that has not demonstrated that their
681 record request benefits the public rather than the person that their response will not be
682 expedited; and
683 (b) as soon as reasonably possible, but no later than 10 business days after receiving a
684 written request, or five business days after receiving a written request if the requester
685 demonstrates that expedited response to the record request benefits the public rather than the
686 person:
687 (i) approve the request and provide a copy of the record;
688 (ii) deny the request in accordance with the procedures and requirements of Section
689 63G-2-205;
690 (iii) notify the requester that it does not maintain the record requested and provide, if
691 known, the name and address of the governmental entity that does maintain the record; or
692 (iv) notify the requester that because of one of the extraordinary circumstances listed in
693 Subsection (6), it cannot immediately approve or deny the request, and include with the notice:
694 (A) a description of the circumstances that constitute the extraordinary circumstances;
695 and
696 (B) the date when the records will be available, consistent with the requirements of
697 Subsection (7).
698 (5) Any person who requests a record to obtain information for a story or report for
699 publication or broadcast to the general public is presumed to be acting to benefit the public
700 rather than a person.
701 (6) The following circumstances constitute "extraordinary circumstances" that allow a
702 governmental entity to delay approval or denial by an additional period of time as specified in
703 Subsection (7) if the governmental entity determines that due to the extraordinary
704 circumstances it cannot respond within the time limits provided in Subsection (4):
705 (a) another governmental entity is using the record, in which case the originating
706 governmental entity shall promptly request that the governmental entity currently in possession
707 return the record;
708 (b) another governmental entity is using the record as part of an audit, and returning the
709 record before the completion of the audit would impair the conduct of the audit;
710 (c) (i) the request is for a voluminous quantity of records or a record series containing a
711 substantial number of records; or
712 (ii) the requester seeks a substantial number of records or records series in requests
713 filed within five working days of each other;
714 (d) the governmental entity is currently processing a large number of records requests;
715 (e) the request requires the governmental entity to review a large number of records to
716 locate the records requested;
717 (f) the decision to release a record involves legal issues that require the governmental
718 entity to seek legal counsel for the analysis of statutes, rules, ordinances, regulations, or case
719 law;
720 (g) segregating information that the requester is entitled to inspect from information
721 that the requester is not entitled to inspect requires extensive editing; or
722 (h) segregating information that the requester is entitled to inspect from information
723 that the requester is not entitled to inspect requires computer programming.
724 (7) If one of the extraordinary circumstances listed in Subsection (6) precludes
725 approval or denial within the time specified in Subsection (4), the following time limits apply
726 to the extraordinary circumstances:
727 (a) for claims under Subsection (6)(a), the governmental entity currently in possession
728 of the record shall return the record to the originating entity within five business days of the
729 request for the return unless returning the record would impair the holder's work;
730 (b) for claims under Subsection (6)(b), the originating governmental entity shall notify
731 the requester when the record is available for inspection and copying;
732 (c) for claims under Subsections (6)(c), (d), and (e), the governmental entity shall:
733 (i) disclose the records that it has located which the requester is entitled to inspect;
734 (ii) provide the requester with an estimate of the amount of time it will take to finish
735 the work required to respond to the request;
736 (iii) complete the work and disclose those records that the requester is entitled to
737 inspect as soon as reasonably possible; and
738 (iv) for any person that does not establish a right to an expedited response as
739 authorized by Subsection (4), a governmental entity may choose to:
740 (A) require the person to provide for copying of the records as provided in Subsection
741 [63G-2-201(11)] 63G-2-201(10); or
742 (B) treat a request for multiple records as separate record requests, and respond
743 sequentially to each request;
744 (d) for claims under Subsection (6)(f), the governmental entity shall either approve or
745 deny the request within five business days after the response time specified for the original
746 request has expired;
747 (e) for claims under Subsection (6)(g), the governmental entity shall fulfill the request
748 within 15 business days from the date of the original request; or
749 (f) for claims under Subsection (6)(h), the governmental entity shall complete its
750 programming and disclose the requested records as soon as reasonably possible.
751 (8) (a) If a request for access is submitted to an office of a governmental entity other
752 than that specified by rule in accordance with Subsection (3), the office shall promptly forward
753 the request to the appropriate office.
754 (b) If the request is forwarded promptly, the time limit for response begins when the
755 request is received by the office specified by rule.
756 (9) If the governmental entity fails to provide the requested records or issue a denial
757 within the specified time period, that failure is considered the equivalent of a determination
758 denying access to the record.
759 Section 12. Section 63G-2-307 is amended to read:
760 63G-2-307. Duty to evaluate records and make designations, classifications, and
761 annotations.
762 (1) A governmental entity shall, for each record series that the governmental entity
763 keeps, uses, or creates:
764 (a) evaluate all record series [that it uses or creates];
765 (b) designate [those] each record series as provided by this chapter and Title 63A,
766 Chapter 12, Division of Archives and Records Service; and
767 (c) report [the designations of its record series] to the state archives:
768 (i) the designation described in Subsection (1)(b); and
769 (ii) if the governmental entity is an executive branch agency, as defined in Section
770 63A-12-100.5, the privacy annotation.
771 (2) A governmental entity may classify a particular record, record series, or
772 information within a record at any time, but is not required to classify a particular record,
773 record series, or information until access to the record is requested.
774 (3) A governmental entity may redesignate a record series or reclassify a record or
775 record series, or information within a record at any time.
776 Section 13. Section 63G-2-601 is amended to read:
777 63G-2-601. Rights of individuals on whom data is maintained -- Classification
778 and personal identifying information statement -- Notice to provider of information.
779 (1) (a) Each governmental entity shall file with the state archivist a statement
780 explaining, for each record series collected, maintained, or used by the governmental entity, the
781 purposes for which [a record series that is designated as private or controlled is collected and]
782 each private or controlled record in the record series is collected, maintained, or used by that
783 governmental entity.
784 (b) Each executive branch agency, as defined in Section 63A-12-100.5, shall file with
785 the state archivist a statement explaining, for each record series collected, maintained, or used
786 by the executive branch agency, the purposes for which the personal identifying information in
787 the record series is collected, maintained, or used by the executive branch agency.
788 [(b)] (c) The statement filed under Subsection (1)(a) or (b):
789 (i) shall, for each purpose described in Subsection (1)(a) or (b), identify the authority
790 under which the governmental entity or executive branch agency collects the records or
791 information included in the statement described in Subsection (1)(a) or (b); and
792 (ii) is a public record.
793 (2) (a) A governmental entity shall provide [notice of the following] the notice
794 described in this Subsection (2) to a person that is asked to furnish information that could be
795 classified as a private or controlled record[:].
796 (b) An executive branch agency, as defined in Section 63A-12-100.5, shall provide the
797 notice described in this Subsection (2) to a person that is asked to furnish personal identifying
798 information.
799 (c) The notice required under Subsection (2)(a) or (b) shall:
800 (i) identify the record series that includes the information described in Subsection
801 (2)(a) or (b);
802 [(i)] (ii) state the reasons the person is asked to furnish the information;
803 [(ii)] (iii) state the intended uses of the information;
804 [(iii)] (iv) state the consequences for refusing to provide the information; and
805 [(iv)] (v) disclose the classes of persons and the governmental entities that currently:
806 (A) share the information with the governmental entity; or
807 (B) receive the information from the governmental entity on a regular or contractual
808 basis.
809 [(b)] (d) The [notice shall be] governmental entity shall:
810 (i) [posted] post the notice required under this Subsection (2) in a prominent place at
811 all locations where the governmental entity collects the information; or
812 (ii) [included] include the notice required under this Subsection (2) as part of the
813 documents or forms that are used by the governmental entity to collect the information.
814 (3) Upon request, each governmental entity shall, in relation to the information
815 described in Subsection (2)(a) or (b), as applicable, explain to a person:
816 (a) the reasons the person is asked to furnish information [that could be classified as a
817 private or controlled record];
818 (b) the intended uses of the information [referred to in Subsection (3)(a)];
819 (c) the consequences for refusing to provide the information [referred to in Subsection
820 (3)(a)]; and
821 (d) the reasons and circumstances under which the information [referred to in
822 Subsection (3)(a)] may be shared with, or provided to, other persons or governmental entities.
823 (4) A governmental entity may use [private or controlled records] the information that
824 the governmental entity is required to disclose under Subsection (2)(a) or (b) only for those
825 purposes:
826 (a) given in the statement filed with the state archivist under Subsection (1); or
827 (b) for which another governmental entity may use the record under Section
828 63G-2-206.
829 Section 14. Section 63G-2-604 is amended to read:
830 63G-2-604. Retention and disposition of records.
831 (1) (a) Except for a governmental entity that is permitted to maintain the governmental
832 entity's own retention schedules under Part 7, Applicability to Political Subdivisions, the
833 Judiciary, and the Legislature, each governmental entity shall file with the Records
834 Management Committee created in Section 63A-12-112 a proposed schedule for the retention
835 and disposition of each type of material that is defined as a record under this chapter.
836 (b) After a retention schedule is reviewed and approved by the Records Management
837 Committee under Subsection 63A-12-113(1)(b), the governmental entity shall maintain and
838 destroy records in accordance with the retention schedule.
839 (c) If a governmental entity subject to the provisions of this section has not received an
840 approved retention schedule from the Records Management Committee for a specific type of
841 material that is [classified] defined as a record under this chapter, the [model] general retention
842 schedule maintained by the state archivist shall govern the retention and destruction of that type
843 of material.
844 (2) A retention schedule that is filed with or approved by the Records Management
845 Committee under the requirements of this section is a public record.
846 Section 15. Section 67-1-17 is amended to read:
847 67-1-17. Chief privacy officer.
848 (1) As used in this section:
849 (a) "Independent entity" means the same as that term is defined in Section 63E-1-102.
850 (b) (i) "Personal data" means any information relating to an identified or identifiable
851 individual.
852 (ii) "Personal data" includes personally identifying information.
853 (c) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
854 data.
855 (ii) "Privacy practice" includes:
856 (A) a technology use related to personal data; and
857 (B) policies related to the protection, storage, sharing, and retention of personal data.
858 (d) (i) "State agency" means the following entities that are under the direct supervision
859 and control of the governor or the lieutenant governor:
860 (A) a department;
861 (B) a commission;
862 (C) a board;
863 (D) a council;
864 (E) an institution;
865 (F) an officer;
866 (G) a corporation;
867 (H) a fund;
868 (I) a division;
869 (J) an office;
870 (K) a committee;
871 (L) an authority;
872 (M) a laboratory;
873 (N) a library;
874 (O) a bureau;
875 (P) a panel;
876 (Q) another administrative unit of the state; or
877 (R) an agent of an entity described in Subsections (A) through (Q).
878 (ii) "State agency" does not include:
879 (A) the legislative branch;
880 (B) the judicial branch;
881 (C) an executive branch agency within the Office of the Attorney General, the state
882 auditor, the state treasurer, or the State Board of Education; or
883 (D) an independent entity.
884 (2) The governor [may] shall, with the advice and consent of the Senate, appoint a
885 [government operations] chief privacy officer.
886 (3) The [government operations] chief privacy officer shall:
887 (a) compile information about the privacy practices of state agencies;
888 (b) make public and maintain information about the privacy practices of state agencies
889 on the governor's website;
890 (c) provide state agencies with educational and training materials developed by the
891 Personal Privacy Oversight Commission established in Section 63C-24-201 that include the
892 information described in Subsection 63C-24-202(1)(b);
893 (d) implement a process to analyze and respond to requests from individuals for the
894 [government operations] chief privacy officer to review a state agency's privacy practice;
895 (e) identify annually which state agencies' privacy practices pose the greatest risk to
896 individual privacy and prioritize those privacy practices for review;
897 (f) review each year, in as timely a manner as possible, the privacy practices that the
898 [government operations] chief privacy officer identifies under Subsection (3)(d) or (e) as
899 posing the greatest risk to individuals' privacy;
900 (g) when reviewing a state agency's privacy practice under Subsection (3)(f), analyze:
901 (i) details about the privacy practice;
902 (ii) information about the type of data being used;
903 (iii) information about how the data is obtained, shared, secured, stored, and disposed;
904 (iv) information about with which persons the state agency shares the information;
905 (v) information about whether an individual can or should be able to opt out of the
906 retention and sharing of the individual's data;
907 (vi) information about how the state agency de-identifies or anonymizes data;
908 (vii) a determination about the existence of alternative technology or improved
909 practices to protect privacy; and
910 (viii) a finding of whether the state agency's current privacy practice adequately
911 protects individual privacy; and
912 (h) after completing a review described in Subsections (3)(f) and (g), determine:
913 (i) each state agency's use of personal data, including the state agency's practices
914 regarding data:
915 (A) acquisition;
916 (B) storage;
917 (C) disposal;
918 (D) protection; and
919 (E) sharing;
920 (ii) the adequacy of the state agency's practices in each of the areas described in
921 Subsection (3)(h)(i); and
922 (iii) for each of the areas described in Subsection (3)(h)(i) that the [government
923 operations] chief privacy officer determines require reform, provide recommendations to the
924 state agency for reform.
925 (4) The [government operations] chief privacy officer shall:
926 (a) quarterly report, to the Personal Privacy Oversight Commission:
927 (i) recommendations for privacy practices for the commission to review; and
928 (ii) the information described in Subsection (3)(h); and
929 (b) annually, on or before October 1, report to the Judiciary Interim Committee:
930 (i) the results of any reviews described in Subsection (3)(g), if any reviews have been
931 completed;
932 (ii) reforms, to the extent that the [government operations] chief privacy officer is
933 aware of any reforms, that the state agency made in response to any reviews described in
934 Subsection (3)(g);
935 (iii) the information described in Subsection (3)(h); and
936 (iv) recommendations for legislation based on the results of any reviews described in
937 Subsection (3)(g).
938 (5) The chief privacy officer may make rules, in accordance with Title 63G, Chapter 3,
939 Utah Administrative Rulemaking Act, that establish requirements and standards for
940 determining whether a state agency's privacy practice, in relation to the areas described in
941 Subsection (3)(h)(i), is adequate or requires reform.
942 Section 16. Section 67-3-13 is amended to read:
943 67-3-13. State privacy officer.
944 (1) As used in this section:
945 (a) "Designated government entity" means a government entity that is not a state
946 agency.
947 (b) "Independent entity" means the same as that term is defined in Section 63E-1-102.
948 (c) (i) "Government entity" means the state, a county, a municipality, a higher
949 education institution, a local district, a special service district, a school district, an independent
950 entity, or any other political subdivision of the state or an administrative subunit of any
951 political subdivision, including a law enforcement entity.
952 (ii) "Government entity" includes an agent of an entity described in Subsection
953 (1)(c)(i).
954 (d) (i) "Personal data" means any information relating to an identified or identifiable
955 individual.
956 (ii) "Personal data" includes personally identifying information.
957 (e) (i) "Privacy practice" means the acquisition, use, storage, or disposal of personal
958 data.
959 (ii) "Privacy practice" includes:
960 (A) a technology use related to personal data; and
961 (B) policies related to the protection, storage, sharing, and retention of personal data.
962 (f) (i) "State agency" means the following entities that are under the direct supervision
963 and control of the governor or the lieutenant governor:
964 (A) a department;
965 (B) a commission;
966 (C) a board;
967 (D) a council;
968 (E) an institution;
969 (F) an officer;
970 (G) a corporation;
971 (H) a fund;
972 (I) a division;
973 (J) an office;
974 (K) a committee;
975 (L) an authority;
976 (M) a laboratory;
977 (N) a library;
978 (O) a bureau;
979 (P) a panel;
980 (Q) another administrative unit of the state; or
981 (R) an agent of an entity described in Subsections (A) through (Q).
982 (ii) "State agency" does not include:
983 (A) the legislative branch;
984 (B) the judicial branch;
985 (C) an executive branch agency within the Office of the Attorney General, the state
986 auditor, the state treasurer, or the State Board of Education; or
987 (D) an independent entity.
988 (2) The state privacy officer shall:
989 (a) when completing the duties of this Subsection (2), focus on the privacy practices of
990 designated government entities;
991 (b) compile information about government privacy practices of designated government
992 entities;
993 (c) make public and maintain information about government privacy practices on the
994 state auditor's website;
995 (d) provide designated government entities with educational and training materials
996 developed by the Personal Privacy Oversight Commission established in Section 63C-24-201
997 that include the information described in Subsection 63C-24-202(1)(b);
998 (e) implement a process to analyze and respond to requests from individuals for the
999 state privacy officer to review a designated government entity's privacy practice;
1000 (f) identify annually which designated government entities' privacy practices pose the
1001 greatest risk to individual privacy and prioritize those privacy practices for review;
1002 (g) review each year, in as timely a manner as possible, the privacy practices that the
1003 privacy officer identifies under Subsection (2)(e) or (2)(f) as posing the greatest risk to
1004 individuals' privacy;
1005 (h) when reviewing a designated government entity's privacy practice under Subsection
1006 (2)(g), analyze:
1007 (i) details about the technology or the policy and the technology's or the policy's
1008 application;
1009 (ii) information about the type of data being used;
1010 (iii) information about how the data is obtained, stored, shared, secured, and disposed;
1011 (iv) information about with which persons the designated government entity shares the
1012 information;
1013 (v) information about whether an individual can or should be able to opt out of the
1014 retention and sharing of the individual's data;
1015 (vi) information about how the designated government entity de-identifies or
1016 anonymizes data;
1017 (vii) a determination about the existence of alternative technology or improved
1018 practices to protect privacy; and
1019 (viii) a finding of whether the designated government entity's current privacy practice
1020 adequately protects individual privacy; and
1021 (i) after completing a review described in Subsections (2)(g) and (h), determine:
1022 (i) each designated government entity's use of personal data, including the designated
1023 government entity's practices regarding data:
1024 (A) acquisition;
1025 (B) storage;
1026 (C) disposal;
1027 (D) protection; and
1028 (E) sharing;
1029 (ii) the adequacy of the designated government entity's practices in each of the areas
1030 described in Subsection (2)(i)(i); and
1031 (iii) for each of the areas described in Subsection (2)(i)(i) that the state privacy officer
1032 determines to require reform, provide recommendations for reform to the designated
1033 government entity and the legislative body charged with regulating the designated government
1034 entity.
1035 (3) (a) The legislative body charged with regulating a designated government entity
1036 that receives a recommendation described in Subsection (2)(i)(iii) shall hold a public hearing
1037 on the proposed reforms:
1038 (i) with a quorum of the legislative body present; and
1039 (ii) within 90 days after the day on which the legislative body receives the
1040 recommendation.
1041 (b) (i) The legislative body shall provide notice of the hearing described in Subsection
1042 (3)(a).
1043 (ii) Notice of the public hearing and the recommendations to be discussed shall be
1044 posted on:
1045 (A) the Utah Public Notice Website created in Section 63A-16-601 for 30 days before
1046 the day on which the legislative body will hold the public hearing; and
1047 (B) the website of the designated government entity that received a recommendation, if
1048 the designated government entity has a website, for 30 days before the day on which the
1049 legislative body will hold the public hearing.
1050 (iii) Each notice required under Subsection (3)(b)(i) shall:
1051 (A) identify the recommendations to be discussed; and
1052 (B) state the date, time, and location of the public hearing.
1053 (c) During the hearing described in Subsection (3)(a), the legislative body shall:
1054 (i) provide the public the opportunity to ask questions and obtain further information
1055 about the recommendations; and
1056 (ii) provide any interested person an opportunity to address the legislative body with
1057 concerns about the recommendations.
1058 (d) At the conclusion of the hearing, the legislative body shall determine whether the
1059 legislative body shall adopt reforms to address the recommendations and any concerns raised
1060 during the public hearing.
1061 (4) (a) Except as provided in Subsection (4)(b), if the [government operations] chief
1062 privacy officer described in Section 67-1-17 is not conducting reviews of the privacy practices
1063 of state agencies, the state privacy officer may review the privacy practices of a state agency in
1064 accordance with the processes described in this section.
1065 (b) Subsection (3) does not apply to a state agency.
1066 (5) The state privacy officer shall:
1067 (a) quarterly report, to the Personal Privacy Oversight Commission:
1068 (i) recommendations for privacy practices for the commission to review; and
1069 (ii) the information provided in Subsection (2)(i); and
1070 (b) annually, on or before October 1, report to the Judiciary Interim Committee:
1071 (i) the results of any reviews described in Subsection (2)(g), if any reviews have been
1072 completed;
1073 (ii) reforms, to the extent that the state privacy officer is aware of any reforms, that the
1074 designated government entity made in response to any reviews described in Subsection (2)(g);
1075 (iii) the information described in Subsection (2)(i); and
1076 (iv) recommendations for legislation based on any results of a review described in
1077 Subsection (2)(g).
1078 Section 17. Section 77-27-5 is amended to read:
1079 77-27-5. Board of Pardons and Parole authority.
1080 (1) (a) Subject to this chapter and other laws of the state, and except for a conviction
1081 for treason or impeachment, the board shall determine by majority decision when and under
1082 what conditions an offender's conviction may be pardoned or commuted.
1083 (b) The Board of Pardons and Parole shall determine by majority decision when and
1084 under what conditions an offender committed to serve a sentence at a penal or correctional
1085 facility, which is under the jurisdiction of the department, may:
1086 (i) be released upon parole;
1087 (ii) have a fine or forfeiture remitted;
1088 (iii) have the offender's criminal accounts receivable remitted in accordance with
1089 Section 77-32b-105 or 77-32b-106;
1090 (iv) have the offender's payment schedule modified in accordance with Section
1091 77-32b-103; or
1092 (v) have the offender's sentence terminated.
1093 (c) (i) The board may sit together or in panels to conduct hearings.
1094 (ii) The chair shall appoint members to the panels in any combination and in
1095 accordance with rules made in accordance with Title 63G, Chapter 3, Utah Administrative
1096 Rulemaking Act, by the board.
1097 (iii) The chair may participate on any panel and when doing so is chair of the panel.
1098 (iv) The chair of the board may designate the chair for any other panel.
1099 (d) (i) Except after a hearing before the board, or the board's appointed examiner, in an
1100 open session, the board may not:
1101 (A) remit a fine or forfeiture for an offender or the offender's criminal accounts
1102 receivable;
1103 (B) release the offender on parole; or
1104 (C) commute, pardon, or terminate an offender's sentence.
1105 (ii) An action taken under this Subsection (1) other than by a majority of the board
1106 shall be affirmed by a majority of the board.
1107 (e) A commutation or pardon may be granted only after a full hearing before the board.
1108 (2) (a) In the case of any hearings, timely prior notice of the time and location of the
1109 hearing shall be given to the offender.
1110 (b) The county or district attorney's office responsible for prosecution of the case, the
1111 sentencing court, and law enforcement officials responsible for the defendant's arrest and
1112 conviction shall be notified of any board hearings through the board's website.
1113 (c) Whenever possible, the victim or the victim's representative, if designated, shall be
1114 notified of original hearings and any hearing after that if notification is requested and current
1115 contact information has been provided to the board.
1116 (d) (i) Notice to the victim or the victim's representative shall include information
1117 provided in Section 77-27-9.5, and any related rules made by the board under that section.
1118 (ii) The information under Subsection (2)(d)(i) shall be provided in terms that are
1119 reasonable for the lay person to understand.
1120 (3) (a) A decision by the board is final and not subject for judicial review if the
1121 decision is regarding:
1122 (i) a pardon, parole, commutation, or termination of an offender's sentence;
1123 (ii) the modification of an offender's payment schedule for restitution; or
1124 (iii) the remission of an offender's criminal accounts receivable or a fine or forfeiture.
1125 (b) Deliberative processes are not public and the board is exempt from Title 52,
1126 Chapter 4, Open and Public Meetings Act, when the board is engaged in the board's
1127 deliberative process.
1128 (c) Pursuant to Subsection [63G-2-103(22)(b)(xi)] 63G-2-103(24)(b)(xi), records of
1129 the deliberative process are exempt from Title 63G, Chapter 2, Government Records Access
1130 and Management Act.
1131 (d) Unless it will interfere with a constitutional right, deliberative processes are not
1132 subject to disclosure, including discovery.
1133 (e) Nothing in this section prevents the obtaining or enforcement of a civil judgment.
1134 (4) (a) This chapter may not be construed as a denial of or limitation of the governor's
1135 power to grant respite or reprieves in all cases of convictions for offenses against the state,
1136 except treason or conviction on impeachment.
1137 (b) Notwithstanding Subsection (4)(a), respites or reprieves may not extend beyond the
1138 next session of the Board of Pardons and Parole.
1139 (c) At the next session of the board, the board:
1140 (i) shall continue or terminate the respite or reprieve; or
1141 (ii) may commute the punishment or pardon the offense as provided.
1142 (d) In the case of conviction for treason, the governor may suspend execution of the
1143 sentence until the case is reported to the Legislature at the Legislature's next session.
1144 (e) The Legislature shall pardon or commute the sentence or direct the sentence's
1145 execution.
1146 (5) (a) In determining when, where, and under what conditions an offender serving a
1147 sentence may be paroled or pardoned, have a fine or forfeiture remitted, have the offender's
1148 criminal accounts receivable remitted, or have the offender's sentence commuted or terminated,
1149 the board shall:
1150 (i) consider whether the offender has made restitution ordered by the court under
1151 Section 77-38b-205, or is prepared to pay restitution as a condition of any parole, pardon,
1152 remission of a criminal accounts receivable or a fine or forfeiture, or a commutation or
1153 termination of the offender's sentence;
1154 (ii) except as provided in Subsection (5)(b), develop and use a list of criteria for
1155 making determinations under this Subsection (5);
1156 (iii) consider information provided by the Department of Corrections regarding an
1157 offender's individual case action plan; and
1158 (iv) review an offender's status within 60 days after the day on which the board
1159 receives notice from the Department of Corrections that the offender has completed all of the
1160 offender's case action plan components that relate to activities that can be accomplished while
1161 the offender is imprisoned.
1162 (b) The board shall determine whether to remit an offender's criminal accounts
1163 receivable under this Subsection (5) in accordance with Section 77-32b-105 or 77-32b-106.
1164 (6) In determining whether parole may be terminated, the board shall consider:
1165 (a) the offense committed by the parolee; and
1166 (b) the parole period under Section 76-3-202, and in accordance with Section
1167 77-27-13.
1168 (7) For an offender placed on parole after December 31, 2018, the board shall
1169 terminate parole in accordance with the supervision length guidelines established by the Utah
1170 Sentencing Commission under Section 63M-7-404, to the extent the guidelines are consistent
1171 with the requirements of the law.
1172 Section 18. Repealer.
1173 This bill repeals:
1174 Section 63A-12-100, Title.