63A-16 - Utah Technology Governance Act
General Provisions
63A-16-101 - Title.
This chapter is known as the “Utah Technology Governance Act.”
63A-16-102 - Definitions.
As used in this chapter: 63A-16-102(1) “Chief information officer” means the chief information officer appointed under Section 63A-16-201. 63A-16-102(2) “Data center” means a centralized repository for the storage, management, and dissemination of data. 63A-16-102(3) “Division” means the Division of Technology Services. 63A-16-102(4) “Enterprise architecture” means:
information technology assets and functions that can be applied across state government, including: mainframes, servers, desktop devices, peripherals, and other computing devices; networks; enterprise-wide applications; maintenance and help desk functions for common hardware and applications; standards for other computing devices, operating systems, common applications, and software; and master contracts that are available for use by agencies for various systems, including operating systems, databases, enterprise resource planning and customer relationship management software, application development services, and enterprise integration; and support for information technology that can be applied across state government, including: technical support; master software licenses; and hardware and software standards. 63A-16-102(5) “Executive branch agency” means an agency or administrative subunit of state government. “Executive branch agency” does not include: the legislative branch; the judicial branch; the State Board of Education; the Utah Board of Higher Education; institutions of higher education; independent entities as defined in Section 63E-1-102; or the following elective constitutional offices of the executive department:
the state auditor; the state treasurer; and the attorney general. 63A-16-102(6) “Executive branch strategic plan” means the executive branch strategic plan created under Section 63A-16-202. 63A-16-102(7) “Individual with a disability” means an individual with a condition that meets the definition of “disability” in 42 U.S.C. Sec. 12102. 63A-16-102(8) “Information technology” means all computerized and auxiliary automated information handling, including:
systems design and analysis; acquisition, storage, and conversion of data; computer programming; information storage and retrieval; voice, video, and data communications; requisite systems controls; simulation; and all related interactions between people and machines. 63A-16-102(9) “State information architecture” means a logically consistent set of principles, policies, and standards that guide the engineering of state government’s information technology and infrastructure in a way that ensures alignment with state government’s business and service needs.
63A-16-103 - Division of Technology Services.
63A-16-103(1) There is created within the department the Division of Technology Services. 63A-16-103(2) The division has authority to operate as an internal service fund agency as provided in Section 63J-1-410.
63A-16-104 - Duties of division.
The division shall:
63A-16-104(1) lead state executive branch agency efforts to establish and reengineer the state’s information technology architecture with the goal of coordinating central and individual agency information technology in a manner that: ensures compliance with the executive branch agency strategic plan; and ensures that cost-effective, efficient information and communication systems and resources are being used by agencies to: reduce data, hardware, and software redundancy; improve system interoperability and data accessibility between agencies; and meet the agency’s and user’s business and service needs;
63A-16-104(2) coordinate an executive branch strategic plan for all agencies;
63A-16-104(3) develop and implement processes to replicate information technology best practices and standards throughout the executive branch;
63A-16-104(4) once every three years: conduct an information technology security assessment via an independent third party: to evaluate the adequacy of the division’s and the executive branch agencies’ data and information technology system security standards; and that will be completed over a period that does not exceed two years; and communicate the results of the assessment described in Subsection (4)(a) to the appropriate executive branch agencies and to the president of the Senate and the speaker of the House of Representatives;
63A-16-104(5) subject to Subsection 63G-6a-109.5(9): advise executive branch agencies on project and contract management principles as they relate to information technology projects within the executive branch; and approve the acquisition of technology services and products by executive branch agencies as required under Section 63G-6a-109.5;
63A-16-104(6) work toward building stronger partnering relationships with providers;
63A-16-104(7) develop service level agreements with executive branch departments and agencies to ensure quality products and services are delivered on schedule and within budget;
63A-16-104(8) develop standards for application development including a standard methodology and cost-benefit analysis that all agencies shall utilize for application development activities;
63A-16-104(9) determine and implement statewide efforts to standardize data elements;
63A-16-104(10) coordinate with executive branch agencies to provide basic website standards for agencies that address common design standards and navigation standards, including: accessibility for individuals with disabilities in accordance with: the standards of 29 U.S.C. Sec. 794d; and Section 63A-16-209; consistency with standardized government security standards; designing around user needs with data-driven analysis influencing management and development decisions, using qualitative and quantitative data to determine user goals, needs, and behaviors, and continual testing of the website, web-based form, web-based application, or digital service to ensure that user needs are addressed; providing users of the website, web-based form, web-based application, or digital service with the option for a more customized digital experience that allows users to complete digital transactions in an efficient and accurate manner; and full functionality and usability on common mobile devices;
63A-16-104(11) consider, when making a purchase for an information system, cloud computing options, including any security benefits, privacy, data retention risks, and cost savings associated with cloud computing options;
63A-16-104(12) develop systems and methodologies to review, evaluate, and prioritize existing information technology projects within the executive branch and report to the governor and the Government Operations Interim Committee in accordance with Section 63A-16-201 on a semiannual basis regarding the status of information technology projects;
63A-16-104(13) assist the Governor’s Office of Planning and Budget with the development of information technology budgets for agencies;
63A-16-104(14) ensure that any training or certification required of a public official or public employee, as those terms are defined in Section 63G-22-102, complies with Title 63G, Chapter 22, State Training and Certification Requirements, if the training or certification is required: under this chapter; by the department; or by the division;
63A-16-104(15) provide support to executive branch agencies for the information technology assets and functions that are unique to the agency and are mission critical functions of the agency;
63A-16-104(16) provide in-house information technology staff support to executive branch agencies;
63A-16-104(17) establish a committee composed of agency user groups to coordinate division services with agency needs;
63A-16-104(18) assist executive branch agencies in complying with the requirements of any rule made by the chief information officer;
63A-16-104(19) develop and implement an effective enterprise architecture governance model for the executive branch;
63A-16-104(20) provide oversight of information technology projects that impact statewide information technology services, assets, or functions of state government to: control costs; ensure business value to a project; maximize resources; ensure the uniform application of best practices; and avoid duplication of resources;
63A-16-104(21) develop a method of accountability to agencies for services provided by the department through service agreements with the agencies;
63A-16-104(22) serve as a project manager for enterprise architecture, including management of applications, standards, and procurement of enterprise architecture;
63A-16-104(23) coordinate the development and implementation of advanced state telecommunication systems;
63A-16-104(24) provide services, including technical assistance: to executive branch agencies and subscribers to the services; and related to information technology or telecommunications;
63A-16-104(25) establish telecommunication system specifications and standards for use by: one or more executive branch agencies; or one or more entities that subscribe to the telecommunication systems in accordance with Section 63A-16-302;
63A-16-104(26) coordinate state telecommunication planning, in cooperation with: state telecommunication users; executive branch agencies; and other subscribers to the state’s telecommunication systems;
63A-16-104(27) cooperate with the federal government, other state entities, counties, and municipalities in the development, implementation, and maintenance of: governmental information technology; or governmental telecommunication systems; and as part of a cooperative organization; or through means other than a cooperative organization;
63A-16-104(28) establish, operate, manage, and maintain: one or more state data centers; and one or more regional computer centers;
63A-16-104(29) design, implement, and manage all state-owned, leased, or rented land, mobile, or radio telecommunication systems that are used in the delivery of services for state government or the state’s political subdivisions;
63A-16-104(30) in accordance with the executive branch strategic plan, implement minimum standards to be used by the division for purposes of compatibility of procedures, programming languages, codes, and media that facilitate the exchange of information within and among telecommunication systems;
63A-16-104(31) establish standards for the information technology needs of a collection of executive branch agencies or programs that share common characteristics relative to the types of stakeholders the agencies or programs serve, including: project management; application development; and subject to Subsections (5) and 63G-6a-109.5(9), procurement;
63A-16-104(32) provide oversight of information technology standards that impact multiple executive branch agency information technology services, assets, or functions to: control costs; ensure business value to a project; maximize resources; ensure the uniform application of best practices; and avoid duplication of resources;
63A-16-104(33) establish a system of accountability to user agencies through the use of service agreements; and
63A-16-104(34) provide the services described in Section 63A-16-109 for a state elected official or state employee who has been threatened.
63A-16-105 - Director — Authority.
63A-16-105(1) The executive director shall, with the approval of the governor, appoint the director. 63A-16-105(2) The director:
shall exercise all powers given to, and perform all duties imposed on, the division; has administrative jurisdiction over the division and each office within the division; may make changes in division personnel and service functions under the director’s administrative jurisdiction; and may authorize a designee to perform appropriate responsibilities. 63A-16-105(3) The director may, to facilitate division management, establish offices and bureaus to perform division functions. 63A-16-105(4) The director may hire employees in the division and offices of the division as permitted by division resources. Except as provided in Subsection (5), each employee of the division is exempt from career service or classified service status as provided in Section 63A-17-301. 63A-16-105(5) Unless the employee voluntarily converted to an exempt position described in Section 63A-17-301, an employee of an executive branch agency who was a career service employee as of July 1, 2005, who was transferred to the division at the time it was newly created as the Department of Technology Services continues in the employee’s career service status during the employee’s service to the division if the duties of the position in the division are substantially similar to those in the employee’s previous position. A career service employee transferred under the provisions of Subsection (5)(a), whose duties or responsibilities subsequently change, may not be converted to exempt status without the review process required by Subsection 63A-17-301(3).
63A-16-107 - Utah Open Data Portal Website.
63A-16-107(1) As used in this section:
“Governmental entity” means the same as that term is defined in Section 63G-2-103. “Public information” means: a record of a state governmental entity, a local governmental entity, or an independent entity that is classified as public under Title 63G, Chapter 2, Government Records Access and Management Act; or subject to any specific limitations and requirements regarding the provision of financial information from the entity under Section 67-3-12, for an entity that is exempt from Title 63G, Chapter 2, Government Records Access and Management Act, records that would normally be classified as public if the entity were not exempt from Title 63G, Chapter 2, Government Records Access and Management Act. “Private, controlled, or protected information” means information classified as private, controlled, or protected under Title 63G, Chapter 2, Government Records Access and Management Act. “Website” means the Utah Open Data Portal Website created in this section. 63A-16-107(2) There is created the Utah Open Data Portal Website to be administered by the division. 63A-16-107(3) The website shall serve as a point of access for public information. 63A-16-107(4) The division shall:
establish and maintain the website; provide equipment, resources, and personnel as needed to establish and maintain the website; provide a mechanism for a governmental entity to gain access to the website for the purpose of posting and modifying public information; and maintain an archive of all public information posted to the website. 63A-16-107(5) The timing for posting and the content of the public information posted to the website is the responsibility of the governmental entity posting the public information. 63A-16-107(6) A governmental entity may not post private, controlled, or protected information to the website. 63A-16-107(7) A person who negligently discloses private, controlled, or protected information is not criminally or civilly liable for improper disclosure of the information if the information is disclosed solely as a result of the preparation or publication of the website.
63A-16-108 - Digital verifiable credential and records.
63A-16-108(1) As used in this section:
“Blockchain” means a distributed ledger of ordered electronic records that: is distributed across a network of computers; utilizes technology to prevent the unauthorized alteration of electronic records; and is mathematically verified. “Digital record schema” means a description of the data fields and tamper-evident technologies required to create a digital verifiable credential or digital verifiable record that can be registered on a distributed ledger technology. “Digital signature” means a tamper-evident, immutable, electronic seal that is equivalent in function and status to a notary seal issued by a government entity. “Digital verifiable credential” means a digital document that: attests to a fact; is issued by a government entity; can be mathematically verified; and conveys rights, privileges, and legal enforceability equivalent to the possession of a physical credential of the same type. “Digital verifiable record” means a digital record that: is issued by a government entity or has been digitally signed by a government entity; has a digital signature; can be mathematically verified; and conveys rights, privileges, and legal enforceability equivalent to the possession of a physical record of the same type. “Distributed ledger” means a decentralized database that is maintained by the consensus of replicated, shared, and synchronized digital data. “Government entity” means: the state; a state agency; or a political subdivision of the state. “Government operations privacy officer” means the government operations privacy officer described in Section 67-1-17. “State archivist” means the state archivist appointed under Section 63A-12-102. “State privacy officer” means the state privacy officer described in Section 67-3-13. “State registrar” means the state registrar of vital records appointed under Section 26B-8-102. 63A-16-108(2) The Division of Technology Services shall:
provide recommendations to government entities regarding: appropriate digital record schemas that allow a government to issue a digital verifiable credential or record; policies and procedures to protect the privacy of personal identifying information maintained within distributed ledger programs; the manner and format in which an issuer may certify a document through blockchain; and processes and procedures for the preservation, auditability, integrity, security, and confidentiality of digital verifiable credentials and records; create a pilot program for the implementation of digital verifiable credentials by governmental entities; and report to Public Utilities, Energy, and Technology Interim Committee by October 31, 2023, on the duties described in Subsections (2)(a) and (b). 63A-16-108(3) In performing the duties described in Subsections (2)(a) and (b), the Division of Technology Services shall consult with:
the state archivist; the state privacy officer; the government operations privacy officer; the state registrar; private industry professionals with relevant expertise; the Utah League of Cities and Towns; and an association of counties in the state.
63A-16-109 - Removal of state elected official or employee personal identifying information.
63A-16-109(1) As used in this section: “Open web” means the Internet used for everyday activities like browsing, searching, reading media, online shopping, or other website or online applications. “Personal identifying information” means the following: physical home address and personal email address; home telephone number and personal mobile telephone number; driver license or other government-issued identification; or social security number. “State elected official” means a person who holds an office in state government that is required by law to be filled by an election, including the offices of governor, lieutenant governor, attorney general, state auditor, state treasurer, and legislator. “State elected official” does not include a judge. “State employee who has been threatened” means an individual: who is a cabinet level official or senior staff of the governor; or who is an employee of the state executive branch and meets selective criteria implemented by the division that are established by rule made under Subsection (4); and whose life or safety has been threatened in the course of performing the individual’s state duties through a text, phone call, email, postal delivery, face-to-face encounter, or website or online application.
63A-16-109(2) At the written request of a state elected official or a state employee who has been threatened, the division shall within 30 days of receipt of the request: search the open web for personal identifying information that is about the state elected official or state employee who has been threatened; when possible, remove the personal identifying information found under Subsection (2)(a) from the open web; and conduct continuous monthly removal when possible of personal identifying information from the open web.
63A-16-109(3) The chief information officer may contract, in accordance with Title 63G, Chapter 6a, Utah Procurement Code, with a third party to provide the services described in Subsection (2).
63A-16-109(4) The chief information officer may by rule made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, establish requirements related to: what information the state elected official or state employee who has been threatened shall provide the division as part of the request described in Subsection (2); procedures for submitting the written request to the division; and establishing the selective criteria used to determine whether a state employee may receive the services described in Subsection (2).
63A-16-109(5) The division may not charge a rate for the services provided under this section.
63A-16-109(6) In addition to the governmental immunity granted in Title 63G, Chapter 7, Governmental Immunity Act of Utah, the division is not liable for actions performed under this section except as a result of intentional misconduct or gross negligence including reckless, willful, or wanton misconduct. This section does not create a special duty of care.
63A-16-109(7) A federal, state, or local government record is not subject to this section, even if the government record contains personal identifying information.
63A-16-110 - Use of authorized domain extensions for government websites.
63A-16-110(1) As used in this section: “Authorized top-level domain” means any of the following suffixes that follow the domain name in a website address: gov; edu; and mil. “Governmental entity” means the same as that term is defined in Section 63G-2-103. “Government website” means the same as that term is defined in Section 63A-19-101. “Person” means the same as that term is defined in Section 63G-2-103. “School” means a public elementary or secondary school.
63A-16-110(2) Beginning July 1, 2025, a governmental entity shall use an authorized top-level domain for: the website address for the governmental entity’s government website; and the email addresses used by the governmental entity and the governmental entity’s employees.
63A-16-110(3) Notwithstanding Subsection (2), a governmental entity may operate a website that uses a top-level domain that is not an authorized top-level domain if: a reasonable person would not mistake the website as the governmental entity’s primary government website; and the government website is: solely for internal use and not intended for use by members of the public; temporary and in use by the governmental entity for a period of less than one year; or related to an event, program, or informational campaign operated by the governmental entity in partnership with another person that is not a governmental entity; or the governmental entity is a school district or a school that is not an institution of higher education and the use of an authorized top-level domain is otherwise prohibited, provided that once the use of an authorized top-level domain is not otherwise prohibited, the school district or school shall transition to an authorized top-level domain within 15 months.
63A-16-110(4) The chief information officer appointed under Section 63A-16-201 may authorize a waiver of the requirement in Subsection (2) if: there are extraordinary circumstances under which use of an authorized domain extension would cause demonstrable harm to citizens or businesses; and the executive director or chief executive of the governmental entity submits a written request to the chief information officer that includes a justification for the waiver.
Chief Information Officer
63A-16-201 - Chief information officer — Appointment — Powers — Reporting.
63A-16-201(1) The director of the division shall serve as the state’s chief information officer. 63A-16-201(2) The chief information officer shall:
advise the governor on information technology policy; and perform those duties given the chief information officer by statute. 63A-16-201(3) The chief information officer shall report annually to: the governor; and the Government Operations Interim Committee. The report required under Subsection (3)(a) shall: summarize the state’s current and projected use of information technology; summarize the executive branch strategic plan including a description of major changes in the executive branch strategic plan; provide a brief description of each state agency’s information technology plan; include the status of information technology projects described in Subsection 63A-16-104(10); include the performance report described in Section 63A-16-211; and include the expenditure of the funds provided for electronic technology, equipment, and hardware.
63A-16-202 - Executive branch information technology strategic plan.
63A-16-202(1) In accordance with this section, the chief information officer shall prepare an executive branch information technology strategic plan:
that complies with this chapter; and that includes: a strategic plan for the:
interchange of information related to information technology between executive branch agencies; coordination between executive branch agencies in the development and maintenance of information technology and information systems, including the coordination of agency information technology plans described in Section 63A-16-203; and protection of the privacy of individuals who use state information technology or information systems, including the implementation of industry best practices for data and system security; priorities for the development and implementation of information technology or information systems including priorities determined on the basis of:
the importance of the information technology or information system; and the time sequencing of the information technology or information system; and maximizing the use of existing state information technology resources. 63A-16-202(2) In the development of the executive branch strategic plan, the chief information officer shall consult with all cabinet level officials. 63A-16-202(3) Unless withdrawn by the chief information officer or the governor in accordance with Subsection (3)(b), the executive branch strategic plan takes effect 30 days after the day on which the executive branch strategic plan is submitted to: the governor; and the Government Operations Interim Committee. The chief information officer or the governor may withdraw the executive branch strategic plan submitted under Subsection (3)(a) if the governor or chief information officer determines that the executive branch strategic plan: should be modified; or for any other reason should not take effect. The Government Operations Interim Committee may make recommendations to the governor and to the chief information officer if the commission determines that the executive branch strategic plan should be modified or for any other reason should not take effect. Modifications adopted by the chief information officer shall be resubmitted to the governor and the Government Operations Interim Committee for their review or approval as provided in Subsections (3)(a) and (b). 63A-16-202(4) The chief information officer shall annually, on or before January 1, modify the executive branch information technology strategic plan to incorporate security standards that: are identified as industry best practices in accordance with Subsections 63A-16-104(3) and (4); and can be implemented within the budget of the department or the executive branch agencies. 
The chief information officer shall inform the speaker of the House of Representatives and the president of the Senate on or before January 1 of each year if best practices identified in Subsection (4)(a)(i) are not adopted due to budget issues considered under Subsection (4)(a)(ii). 63A-16-202(5) Each executive branch agency shall implement the executive branch strategic plan by adopting an agency information technology plan in accordance with Section 63A-16-203.
63A-16-203 - Agency information technology plans.
63A-16-203(1) On or before July 1 each year, each executive branch agency shall submit an agency information technology plan to the chief information officer at the department level, unless the governor or the chief information officer request an information technology plan be submitted by a subunit of a department, or by an executive branch agency other than a department. The information technology plans required by this section shall be in the form and level of detail required by the chief information officer, by administrative rule under Section 63A-16-205, and shall include, at least: the information technology objectives of the agency; any performance measures used by the agency for implementing the agency’s information technology objectives; any planned expenditures related to information technology; the agency’s need for appropriations for information technology; how the agency’s development of information technology coordinates with other state and local governmental entities; any efforts the agency has taken to develop public and private partnerships to accomplish the information technology objectives of the agency; the efforts the executive branch agency has taken to conduct transactions electronically in compliance with Section 46-4-503; and the executive branch agency’s plan for the timing and method of verifying the department’s security standards, if an agency intends to verify the department’s security standards for the data that the agency maintains or transmits through the department’s servers. 63A-16-203(2) Except as provided in Subsection (2)(b), an agency information technology plan described in Subsection (1) shall comply with the executive branch strategic plan established in accordance with Section 63A-16-202. 
If the executive branch agency submitting the agency information technology plan justifies the need to depart from the executive branch strategic plan, an agency information technology plan may depart from the executive branch strategic plan to the extent approved by the chief information officer. 63A-16-203(3) The chief information officer shall review each agency plan to determine:
whether the agency plan complies with the executive branch strategic plan and state information architecture; or to the extent that the agency plan does not comply with the executive branch strategic plan or state information architecture, whether the executive branch entity is justified in departing from the executive branch strategic plan, or state information architecture; and whether the agency plan meets the information technology and other needs of: the executive branch agency submitting the plan; and the state. 63A-16-203(4) After the chief information officer conducts the review described in Subsection (3) of an agency information technology plan, the chief information officer may:
approve the agency information technology plan; disapprove the agency information technology plan; or recommend modifications to the agency information technology plan. 63A-16-203(5) An executive branch agency or the department may not submit a request for appropriation related to information technology or an information technology system to the governor in accordance with Section 63J-1-201 until after the executive branch agency’s information technology plan is approved by the chief information officer.
63A-16-205 - Rulemaking — Policies.
63A-16-205(1) Except as provided in Subsection (2), the chief information officer shall, by rule made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act: establish standards that impose requirements on executive branch agencies related to the security of the statewide area network; establish standards for when an agency must obtain approval before obtaining items described in Subsection 63G-6a-109.5(2); specify the detail and format required in an agency information technology plan submitted in accordance with Section 63A-16-203; establish standards related to the privacy policies of websites operated by or on behalf of an executive branch agency; subject to Subsection 63G-6a-109.5(9), establish standards for the acquisition, licensing, and sale of computer software; specify the requirements for the project plan and business case analysis required under Section 63G-6a-109.5; provide for project oversight of agency technology projects when required under Section 63G-6a-109.5; establish, in accordance with Subsection 63G-6a-109.5(3), the implementation of the needs assessment for information technology purchases; establish telecommunications standards and specifications in accordance with Subsection 63G-6a-109.5(25); and establish standards for accessibility of information technology by individuals with disabilities in accordance with Section 63A-16-209. The rulemaking authority granted by Subsection (1)(a) is in addition to any other rulemaking authority granted under this chapter. 
63A-16-205(2) Notwithstanding Title 63G, Chapter 3, Utah Administrative Rulemaking Act, and subject to Subsection (2)(b), the chief information officer may adopt a policy that outlines procedures to be followed by the chief information officer in facilitating the implementation of this title by executive branch agencies if the policy: is consistent with the executive branch strategic plan; and is not required to be made by rule under Subsection (1) or Section 63G-3-201. A policy adopted by the chief information officer under Subsection (2)(a) may not take effect until 30 days after the day on which the chief information officer submits the policy to:
the governor; and all cabinet level officials. During the 30-day period described in Subsection (2)(b)(i), cabinet level officials may review and comment on a policy submitted under Subsection (2)(b)(i). 63A-16-205(3) Notwithstanding Subsection (1) or (2) or Title 63G, Chapter 3, Utah Administrative Rulemaking Act, without following the procedures of Subsection (1) or (2), the chief information officer may adopt a security procedure to be followed by executive branch agencies to protect the statewide area network if: broad communication of the security procedure would create a significant potential for increasing the vulnerability of the statewide area network to breach or attack; and after consultation with the chief information officer, the governor agrees that broad communication of the security procedure would create a significant potential increase in the vulnerability of the statewide area network to breach or attack. A security procedure described in Subsection (3)(a) is classified as a protected record under Title 63G, Chapter 2, Government Records Access and Management Act. The chief information officer shall provide a copy of the security procedure as a protected record to: the chief justice of the Utah Supreme Court for the judicial branch; the speaker of the House of Representatives and the president of the Senate for the legislative branch; the chair of the Utah Board of Higher Education; and the chair of the State Board of Education.
63A-16-206 - Coordination within the executive branch — Cooperation with other branches.
63A-16-206(1) In accordance with the executive branch strategic plan and the requirements of this title, the chief information officer shall coordinate the development of information technology systems between two or more executive branch agencies subject to:
the budget approved by the Legislature; and Title 63J, Chapter 1, Budgetary Procedures Act. 63A-16-206(2) In addition to the coordination described in Subsection (1), the chief information officer shall promote cooperation regarding information technology between branches of state government.
63A-16-207 - Delegation of division functions.
63A-16-207(1) If the conditions of Subsections (1)(b) and (2) are met and subject to the other provisions of this section, the chief information officer may delegate a function of the division to another executive branch agency or an institution of higher education by contract or other means authorized by law. The chief information officer may delegate a function of the division as provided in Subsection (1)(a) if in the judgment of the director of the executive branch agency and the chief information officer: the executive branch agency or institution of higher education has requested that the function be delegated; the executive branch agency or institution of higher education has the necessary resources and skills to perform or control the function to be delegated; and the function to be delegated is a unique or mission-critical function of the agency or institution of higher education. 63A-16-207(2) The chief information officer may delegate a function of the division only when the delegation results in net cost savings or improved service delivery to the state as a whole or to the unique mission critical function of the executive branch agency. 63A-16-207(3) The delegation of a function under this section shall:
be in writing; contain all of the following: a precise definition of each function to be delegated; a clear description of the standards to be met in performing each function delegated; a provision for periodic administrative audits by the division; a date on which the agreement shall terminate if the agreement has not been previously terminated or renewed; and any delegation of division staff to the agency to support the function in-house with the agency and rates to be charged for the delegated staff; and include a cost-benefit analysis justifying the delegation. 63A-16-207(4) An agreement to delegate functions to an executive branch agency or an institution of higher education may be terminated by the division if the results of an administrative audit conducted by the division reveals a lack of compliance with the terms of the agreement by the executive branch agency or institution of higher education.
63A-16-208 - Delegation of division staff to executive branch agencies — Prohibition against executive branch agency information technology staff.
63A-16-208(1) The chief information officer shall assign division staff to serve an agency in-house if the chief information officer and the executive branch agency director jointly determine it is appropriate to provide information technology services to: the agency’s unique mission-critical functions and applications; the agency’s participation in and use of statewide enterprise architecture; and the agency’s use of coordinated technology services with other agencies that share similar characteristics with the agency. An agency may request the chief information officer to assign in-house staff support from the division. The chief information officer shall respond to the agency’s request for in-house staff support in accordance with Subsection (1)(a). The division shall enter into service agreements with an agency when division staff is assigned in-house to the agency under the provisions of this section. An agency that receives in-house staff support assigned from the division under the provision of this section is responsible for paying the rates charged by the division for that staff as established under Section 63A-16-301. 63A-16-208(2) An executive branch agency may not create a full-time equivalent position or part-time position, or request an appropriation to fund a full-time equivalent position or part-time position under the provisions of Section 63J-1-201 for the purpose of providing information technology services to the agency unless: the chief information officer has approved a delegation under Section 63A-16-207; and the division conducts an audit in relation to Section 63A-16-102 and finds that the delegation of information technology services to the agency meets the requirements of Section 63A-16-207. The prohibition against a request for appropriation under Subsection (2)(a) does not apply to a request for appropriation needed to pay rates imposed under Subsection (1)(d).
63A-16-209 - Accessibility standards for executive branch agency information technology.
63A-16-209(1) The chief information officer shall establish, by rule made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act:
minimum standards for accessibility of executive branch agency information technology by an individual with a disability that: include accessibility criteria for:
agency websites; hardware and software procured by an executive branch agency; and information systems used by executive branch agency employees; include a protocol to evaluate the standards via testing by individuals with a variety of access limitations; and are, at minimum, consistent with the most recent Web Content Accessibility guidelines published by the World Wide Web Consortium; and grievance procedures for an individual with a disability who is unable to access executive branch agency information technology, including: a process for an individual with a disability to report the access issue to the chief information officer; and a mechanism through which the chief information officer can respond to the report. 63A-16-209(2) The chief information officer shall update the standards described in Subsection (1)(a) at least every three years to reflect advances in technology.
63A-16-210 - Chief information security officer.
63A-16-210(1) The chief information officer shall appoint a chief information security officer. 63A-16-210(2) The chief information security officer described in Subsection (1) shall:
assess cybersecurity risks; coordinate with executive branch agencies to assess the sensitivity of information; and manage cybersecurity support for the department and executive branch agencies.
63A-16-211 - Report to the Legislature.
The division shall, in accordance with Section 63A-16-201, before November 1 each year, report to the Government Operations Interim Committee on: 63A-16-211(1) performance measures that the division uses to assess the division’s effectiveness in performing the division’s duties under this part; and 63A-16-211(2) the division’s performance, evaluated in accordance with the performance measures described in Subsection (1).
63A-16-214 - Zero trust architectures — Implementation — Requirements — Reporting.
63A-16-214(1) As used in this section:
“Endpoint detection and response” means a cybersecurity solution that continuously monitors end-user devices to detect and respond to cyber threats. “Governmental entity” means: the state; a political subdivision of the state; and an entity created by the state or a political subdivision of the state, including an agency, board, bureau, commission, committee, department, division, institution, instrumentality, or office. “Multi-factor authentication” means using two or more different types of identification factors to authenticate a user’s identity for the purpose of accessing systems and data, which may include: knowledge-based factors, which require the user to provide information that only the user knows, such as a password or personal identification number; possession-based factors, which require the user to have a physical item that only the user possesses, such as a security token, key fob, subscriber identity module card, or smart phone application; or inherence-based credentials, which require the user to demonstrate specific known biological traits attributable only to the user, such as fingerprints or facial recognition. “Zero trust architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access controls, secure identity and access management practices, and system security automation techniques to address the cybersecurity risk from threats inside and outside traditional network boundaries. 63A-16-214(2) This section applies to:
all systems and data owned, managed, maintained, or utilized by or on behalf of an executive branch agency to access state systems or data; and all hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments. 63A-16-214(3) On or before November 1, 2023, the chief information officer shall develop uniform technology policies, standards, and procedures for use by executive branch agencies in implementing zero trust architecture and multi-factor authentication on all systems in accordance with this section. On or before July 1, 2024, the division shall consider adopting the enterprise security practices described in this section and consider implementing zero trust architecture and robust identity management practices, including: multi-factor authentication; cloud-based enterprise endpoint detection and response solutions to promote real-time detection, and rapid investigation and remediation capabilities; and robust logging practices to provide adequate data to support security investigations and proactive threat hunting. 63A-16-214(4) If implementing a zero trust architecture and multi-factor authentication, the division shall consider prioritizing the use of third-party cloud computing solutions that meet or exceed industry standards. The division shall consider giving preference to zero trust architecture solutions that comply with, are authorized by, or align to applicable federal guidelines, programs, and frameworks, including: the Federal Risk and Authorization Management Program; the Continuous Diagnostics and Mitigation Program; and guidance and frameworks from the National Institute of Standards and Technology. 63A-16-214(5) In procuring third-party cloud computing solutions, the division may utilize established purchasing vehicles, including cooperative purchasing contracts and federal supply contracts, to facilitate efficient purchasing. 
The chief information officer shall establish a list of approved vendors that are authorized to provide zero trust architecture to governmental entities in the state. If an executive branch agency determines that procurement of a third-party cloud computing solution is not feasible, the executive branch agency shall provide a written explanation to the division of the reasons that a cloud computing solution is not feasible, including: the reasons why the executive branch agency determined that a third-party cloud computing solution is not feasible; specific challenges or difficulties of migrating existing solutions to a cloud environment; and the total expected cost of ownership of existing or alternative solutions compared to a cloud computing solution. 63A-16-214(6) On or before November 30 of each year, the chief information officer shall report on the progress of implementing zero trust architecture and multi-factor authentication to: the Public Utilities, Energy, and Technology Interim Committee; and the Cybersecurity Commission created in Section 63C-25-201. The report described in Subsection (6)(a) may include information on: applicable guidance issued by the United States Cybersecurity and Infrastructure Security Agency; and the progress of the division, executive branch agencies, and governmental entities with respect to:
shifting away from a paradigm of trusted networks toward implementation of security controls based on a presumption of compromise; implementing principles of least privilege in administering information security programs; limiting the ability of entities that cause incidents to move laterally through or between agency systems; identifying incidents quickly; and isolating and removing unauthorized entities from agency systems as quickly as practicable, accounting for cyber threat intelligence or law enforcement purposes.
Information Technology Services and Rates
63A-16-301 - Cost based services — Rates — Submission to rate committee.
63A-16-301(1) The chief information officer shall:
at the lowest practical cost, manage the delivery of efficient and cost-effective information technology and telecommunication services for: all executive branch agencies; and entities that subscribe to the services in accordance with Section 63A-16-302; and provide priority service to public safety agencies. 63A-16-301(2) In accordance with this Subsection (2), the chief information officer shall prescribe a schedule of rates for all services rendered by the division to: an executive branch entity; or an entity that subscribes to services rendered by the division in accordance with Section 63A-16-302. Each rate included in the schedule of rates required by Subsection (2)(a): shall be equitable; should be based upon a zero based, full cost accounting of activities necessary to provide each service for which a rate is established; and for each service multiplied by the projected consumption of the service recovers no more or less than the full cost of each service. Before charging a rate for its services to an executive branch agency or to a subscriber of services other than an executive branch agency, the chief information officer shall: submit the proposed rates and cost analysis to the Rate Committee established in Section 63A-1-114; and obtain the approval of the Legislature as required by Section 63J-1-410. The chief information officer shall periodically conduct a market analysis of proposed rates, which analysis shall include a comparison of the division’s rates with the rates of other public or private sector providers where comparable services and rates are reasonably available.
63A-16-302 - Executive branch agencies — Subscription by institutions.
63A-16-302(1) An executive branch agency in accordance with its agency information technology plan approved by the chief information officer shall:
subscribe to the information technology services provided by the division; or contract with one or more alternate private providers of information technology services if the chief information officer determines that the purchase of the services from a private provider will: result in:
cost savings; increased efficiency; or improved quality of services; and not impair the interoperability of the state’s information technology services. 63A-16-302(2) An institution of higher education may subscribe to the services provided by the division if:
the president of the institution recommends that the institution subscribe to the services of the division; and the Utah Board of Higher Education determines that subscription to the services of the division will result in cost savings or increased efficiency to the institution. 63A-16-302(3) The following may subscribe to information technology services by requesting that the services be provided from the division:
the legislative branch; the judicial branch; the State Board of Education; a political subdivision of the state; an agency of the federal government; an independent entity as defined in Section 63E-1-102; and an elective constitutional officer of the executive department as defined in Subsection 63A-16-102(5)(b)(vii).
63A-16-302.1 - Reporting on consolidation of certain information technology services.
63A-16-302.1(1) The division shall, in collaboration with the Cybersecurity Commission created in Section 63C-27-201, identify opportunities, limitations, and barriers to enhancing the overall cybersecurity resilience of the state by consolidating: certain information technology services utilized by governmental entities; and to the extent feasible, the information technology networks that are operated or utilized by governmental entities. 63A-16-302.1(2) On or before November 15, 2023, the division shall report the information described in Subsection (1) to: the Government Operations Interim Committee; the General Government Appropriations Subcommittee; and the Cybersecurity Commission created in Section 63C-27-201.
Integrated Technology
63A-16-501 - Definitions.
As used in this part: 63A-16-501(1) “Center” means the Utah Geospatial Resource Center created in Section 63A-16-505. 63A-16-501(2) “Database” means the State Geographic Information Database created in Section 63A-16-506. 63A-16-501(3) “Geographic Information System” or “GIS” means a computer driven data integration and map production system that interrelates disparate layers of data to specific geographic locations. 63A-16-501(4) “State Geographic Information Database” means the database created in Section 63A-16-506. 63A-16-501(5) “Statewide Global Positioning Reference Network” or “network” means the network created in Section 63A-16-508.
63A-16-504 - Information technology plan.
63A-16-504(1) In accordance with this section, the division shall submit an information technology plan to the chief information officer. 63A-16-504(2) The information technology plan submitted by the division under this section shall include:
the information required by Section 63A-16-202; a list of the services the division offers or plans to offer; and a description of the performance measures used by the division to measure the quality of the services described in Subsection (2)(b). 63A-16-504(3) In submitting the information technology plan under this section, the division shall comply with Section 63A-16-203. The information technology plan submitted by the division under this section is subject to the approval of the chief information officer as provided in Section 63A-16-203.
63A-16-505 - Utah Geospatial Resource Center.
63A-16-505(1) There is created the Utah Geospatial Resource Center as part of the division. 63A-16-505(2) The center shall: provide geographic information system services to state agencies under rules made under Section 63A-16-104 and policies established by the office; provide geographic information system services to federal government, local political subdivisions, and private persons under rules and policies established by the office; manage the State Geographic Information Database; and establish standard format, lineage, and other requirements for the database. 63A-16-505(3) There is created a position of surveyor within the center. The surveyor under this Subsection (3) shall: be licensed as a professional land surveyor under Title 58, Chapter 22, Professional Engineers and Professional Land Surveyors Licensing Act; provide technical support to the office of lieutenant governor in the lieutenant governor’s evaluation under Section 67-1a-6.5 of a proposed boundary action, as defined in Section 17-73-101; as requested by a county surveyor, provide technical assistance to the county surveyor with respect to the county surveyor’s responsibilities under Section 17-73-507; fulfill the duties described in Section 17-61-102, if engaged to do so as provided in that section; assist the State Tax Commission in processing and quality assurance of boundary descriptions or maps into digital format for inclusion in the State Geographic Information Database; coordinate with county recorders and surveyors to create a statewide parcel layer in the State Geographic Information Database containing parcel boundary, parcel identifier, parcel address, owner type, and county recorder contact information; and facilitate and integrate the collection efforts of local government and federal agencies for data collection to densify and enhance the statewide Public Land Survey System reference network in the State Geographic Information Database.
63A-16-505(4) The office may: make rules and establish policies to govern the center and the center’s operations; and set fees for the services provided by the center. 63A-16-505(5) The state may not sell information obtained from counties under Subsection (3)(b)(v).
63A-16-506 - State Geographic Information Database.
63A-16-506(1) There is created a State Geographic Information Database to be managed by the center. 63A-16-506(2) The database shall:
serve as the central reference for all information contained in any GIS database by any state agency; serve as a clearing house and repository for all data layers required by multiple users; serve as a standard format for geographic information acquired, purchased, or produced by any state agency; include an accurate representation of all civil subdivision boundaries of the state; and for each public highway, as defined in Section 72-1-102, in the state, include an accurate representation of the highway’s centerline, physical characteristics, and associated street address ranges. 63A-16-506(3) The center shall, in coordination with municipalities, counties, emergency communications centers, and the Department of Transportation:
develop the information described in Subsection (2)(e); and update the information described in Subsection (2)(e) in a timely manner after a county recorder records a final plat. 63A-16-506(4) The center, in coordination with county assessors and metropolitan planning organizations:
shall inventory existing housing units and their general characteristics within each county of the first or second class to support infrastructure planning and economic development in each of those counties; and may inventory existing housing units and their general characteristics within one or more counties of the third, fourth, fifth, or sixth class to support infrastructure planning and economic development in one or more of those counties. 63A-16-506(5) The center shall, in coordination with the Governor’s Office of Planning and Budget and county assessors, annually compile a statewide GIS database of all government-owned property parcels in internet-accessible, searchable, and map format. The database described in Subsection (5)(a) shall include a parcel’s: number, if available; owner; location; and size. 63A-16-506(6) Each state agency that acquires, purchases, or produces digital geographic information data shall:
inform the center of the existence of the data layers and their geographic extent; allow the center access to all data classified public; and comply with any database requirements established by the center. 63A-16-506(7) At least annually, the State Tax Commission shall deliver to the center information the State Tax Commission receives under Section 67-1a-6.5 relating to the creation or modification of the boundaries of political subdivisions. 63A-16-506(8) The boundary of a political subdivision within the State Geographic Information Database is the official boundary of the political subdivision for purposes of meeting the needs of the United States Bureau of the Census in identifying the boundary of the political subdivision.
63A-16-508 - Statewide Global Positioning Reference Network created — Rulemaking authority.
63A-16-508(1) There is created the Statewide Global Positioning Reference Network to improve the quality of geographic information system data and the productivity, efficiency, and cost-effectiveness of government services. The network shall provide a system of permanently mounted, fully networked, global positioning system base stations that will provide real time radio navigation and establish a standard statewide coordinate reference system. The center shall administer the network. 63A-16-508(2) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the chief information officer shall make rules providing for operating policies and procedures for the network. When making rules under this section, the chief information officer shall consider: network development that serves a public purpose; increased productivity and efficiency for state agencies; and costs and longevity of the network.
63A-16-509 - Monument Replacement and Restoration Committee.
63A-16-509(1) As used in this section: “Committee” means the Monument Replacement and Restoration Committee created in this section. “Corner” means the same as that term is defined in Section 17-73-101. “Monument” means the same as that term is defined in Section 17-73-101. 63A-16-509(2) There is created the Monument Replacement and Restoration Committee composed of the following seven members: five members appointed by an organization or association that represents Utah counties: that have knowledge and understanding of the Public Land Survey System; and who each represents a different county; and two members, appointed by the center, who have a knowledge and understanding of the Public Land Survey System. Except as provided in Subsection (2)(b)(ii), a member appointed to the committee is appointed for a four-year term. The director of the center shall, at the time an entity appoints or reappoints an individual to serve on the committee, adjust the length of the appointed individual’s term, as necessary, to ensure that the terms of committee members are staggered so that approximately half of the committee members are appointed every two years. When a vacancy occurs on the committee for any reason, the replacement appointee shall serve on the committee for the unexpired term. The committee shall elect one committee member to serve as chair of the committee for a term of two years. A majority of the committee constitutes a quorum, and the action of a majority of a quorum constitutes the action of the committee. The center shall provide staff support to the committee. An individual who is a member of the committee may not serve as staff to the committee. A member of the committee may not receive compensation for the member’s service on the committee. The committee may adopt bylaws to govern the committee’s operation.
63A-16-509(3) The committee shall administer a grant program to assist counties in maintaining and protecting corners or monuments. A county wishing to receive a grant under the program described in Subsection (3)(a) shall submit to the committee an application that: identifies one or more monuments in the county that are in need of protection or rehabilitation; establishes a plan that is consistent with federal law or rule to protect or rehabilitate each monument identified under Subsection (3)(b)(i); and requests a specific amount of funding to complete the plan established under Subsection (3)(b)(ii). The committee shall: adopt criteria to: evaluate whether a monument identified by a county under Subsection (3)(b)(i) needs protection or rehabilitation; and identify which monuments identified by a county under Subsection (3)(b)(i) have the greatest need of protection or rehabilitation; evaluate each application submitted by a county under Subsection (3)(b) using the criteria adopted by the committee under Subsection (3)(c)(i); subject to sufficient funding and Subsection (3)(d), award grants to counties whose applications are most favorably evaluated under Subsection (3)(c)(ii); and establish a date by which a county awarded a grant under Subsection (3)(c)(iii) shall report back to the committee. The committee may not award a grant to a county under this section in an amount greater than $100,000. 63A-16-509(4) A county that is awarded a grant under this section shall: document the work performed by the county, pursuant to the plan established by the county under Subsection (3)(b)(ii), to protect or rehabilitate a monument; and before the date established under Subsection (3)(c)(iv), report to the committee on the work performed by the county.
63A-16-509(5) If the committee has not expended all of the funds appropriated to the committee by the Legislature for the fulfillment of the committee’s duties under this section before December 31, 2017, the committee shall disburse any remaining funds equally among all counties that have established a preservation fund by ordinance as provided in Section 17-63-710. A county to which the center has disbursed funds under Subsection (5)(a) shall: deposit the funds into the county’s preservation fund; and expend the funds, in consultation with the committee, for the maintenance and preservation of monuments in the county.
Utah Public Notice Website
63A-16-601 - Utah Public Notice Website — Establishment and administration.
63A-16-601(1) As used in this part:
“Executive board” means the same as that term is defined in Section 67-1-2.5. “Public body” means the same as that term is defined in Section 52-4-103. “Public information” means a public body’s public notices, minutes, audio recordings, and other materials that are required to be posted to the website under Title 52, Chapter 4, Open and Public Meetings Act, or other statute or state agency rule. “Website” means the Utah Public Notice Website created in this section. 63A-16-601(2) There is created the Utah Public Notice Website to be administered by the division. 63A-16-601(3) The website shall consist of an Internet website provided to assist the public to find posted public information. 63A-16-601(4) The Division of Archives and Records Service, with the technical assistance of the Division of Technology Services, shall create the website that shall:
allow a public body, or other certified entity, to easily post any public information, including the contact information required under Subsections 17B-1-303(9) and 17D-1-106(1)(b)(ii); allow the public to easily search the public information by: public body name; date of posting of the notice; date of any meeting or deadline included as part of the public information; and any other criteria approved by the Division of Archives and Records Service; allow the public to easily search and view past, archived public information; allow an individual to subscribe to receive updates and notices associated with a public body or a particular type of public information; have a unique and simplified website address; be directly accessible via a link from the main page of the official state website; and allow a newspaper to request and automatically receive a transmission of a posting to the website as the posting occurs; include other links, features, or functionality that will assist the public in obtaining and reviewing public information posted on the website, as may be approved by the division; and be guided by the principles described in Subsection 63A-16-202(2). 63A-16-601(5) Subject to Subsection (5)(b), the Division of Archives and Records Service and the governor’s office shall coordinate to ensure that the website, the database described in Section 67-1-2.5, and the website described in Section 67-1-2.5 automatically share appropriate information in order to ensure that: an individual who subscribes to receive information under Subsection (4)(d) for an executive board automatically receives notifications of vacancies on the executive board that will be publicly filled, including a link to information regarding how an individual may apply to fill the vacancy; and an individual who accesses an executive board’s information on the website has access to the following through the website:
the executive board’s information in the database, except an individual’s physical address, e-mail address, or phone number; and the portal described in Section 67-1-2.5 through which an individual may provide input on an appointee to, or member of, the executive board. The Division of Archives and Records Service and the governor’s office shall comply with Subsection (5)(a) as soon as reasonably possible within existing funds appropriated to the Division of Archives and Records Service and the governor’s office. 63A-16-601(6) Before August 1 of each year, the Division of Archives and Records Service shall:
identify each executive board that is a public body that did not submit to the website a notice of a public meeting during the previous fiscal year; and report the name of each identified executive board to the governor’s boards and commissions administrator. 63A-16-601(7) The Division of Archives and Records Service is responsible for:
establishing and maintaining the website, including the provision of equipment, resources, and personnel as is necessary; providing a mechanism for public bodies or other certified entities to have access to the website for the purpose of posting and modifying public information; and maintaining an archive of all public information posted to the website. 63A-16-601(8) A public body is responsible for the content the public body is required to post to the website and the timing of posting of that information.
63A-16-602 - Notice and training by the Division of Archives and Records Service.
63A-16-602(1) The Division of Archives and Records Service shall provide notice of the provisions and requirements of this chapter to all public bodies that are subject to the provision of Subsection 52-4-202(3)(a). 63A-16-602(2) The Division of Archives and Records Service shall, as necessary, provide periodic training on the use of the website to public bodies that are authorized to post notice on the website.
Single Sign-on Portal
63A-16-801 - Definitions.
As used in this part: 63A-16-801(1) “Business data” means data collected by the state about a person doing business in the state. 63A-16-801(2) “Single sign-on business portal” means the web portal described in Section 63A-16-802. 63A-16-801(3) “Single sign-on citizen portal” means the web portal described in Section 63A-16-803. 63A-16-801(4) “Web portal” means an Internet webpage that can be accessed by a person that enters the person’s unique user information in order to access secure information.
63A-16-802 - Single sign-on business portal — Creation.
63A-16-802(1) The division shall, in consultation with the entities described in Subsection (4), design and create a single sign-on business portal that is:
a web portal through which a person may access data described in Subsection (2), as agreed upon by the entities described in Subsection (4); and secure, centralized, and interconnected. 63A-16-802(2) The division shall ensure that the single sign-on business portal allows a person doing business in the state to access, at a single point of entry, all relevant state-collected business data about the person, including information related to:
business registration; workers’ compensation; beginning December 1, 2020, tax liability and payment; and other information collected by the state that the department determines is relevant to a person doing business in the state. 63A-16-802(3) The division shall develop the single sign-on business portal:
using an open platform that: facilitates participation in the web portal by a state entity; allows for optional participation by a political subdivision of the state; and contains a link to the State Tax Commission website; and in a manner that anticipates the creation of the single sign-on citizen portal described in Section 63A-16-803. 63A-16-802(4) In developing the single sign-on business portal, the division shall consult with:
the Department of Commerce; the State Tax Commission; the Labor Commission; the Department of Workforce Services; the Governor’s Office of Planning and Budget; the Utah League of Cities and Towns; the Utah Association of Counties; and the business community that is likely to use the single sign-on business portal. 63A-16-802(5) The division shall ensure that the single sign-on business portal is fully operational no later than May 1, 2021.
63A-16-803 - Single sign-on citizen portal — Creation.
63A-16-803(1) The division shall, in consultation with the entities described in Subsection (4), design and create a single sign-on citizen portal that is: a web portal through which an individual may access information and services described in Subsection (2), as agreed upon by the entities described in Subsection (4); and secure, centralized, and interconnected. 63A-16-803(2) The division shall ensure that the single sign-on citizen portal allows an individual, at a single point of entry, to: access and submit an application for: medical and support programs including: a medical assistance program administered under Title 26B, Chapter 3, Health Care - Administration and Assistance, including Medicaid; the Children’s Health Insurance Program under Title 26B, Chapter 3, Part 9, Utah Children’s Health Insurance Program; the Primary Care Network as defined in Section 26B-3-211; and the Women, Infants, and Children program administered under 42 U.S.C. Sec. 1786; unemployment insurance under Title 35A, Chapter 4, Employment Security Act; workers’ compensation under Title 34A, Chapter 2, Workers’ Compensation Act; employment with a state agency; a driver license or state identification card renewal under Title 53, Chapter 3, Uniform Driver License Act; a birth or death certificate under Title 26B, Chapter 8, Part 1, Vital Statistics; and a hunting or fishing license under Title 23A, Chapter 4, Licenses, Permits, Certificates of Registration, and Tags; access the individual’s: transcripts from an institution of higher education listed in Section 53H-1-102; and immunization records maintained by the Department of Health and Human Services; register the individual’s vehicle under Title 41, Chapter 1a, Part 2, Registration, with the Motor Vehicle Division of the State Tax Commission; file the individual’s state income taxes under Title 59, Chapter 10, Individual Income Tax Act, beginning December 1, 2020; access information about positions available for employment with the state; and access any other service or information the department determines is appropriate in consultation with the entities described in Subsection (4). 63A-16-803(3) The division shall develop the single sign-on citizen portal using an open platform that: facilitates participation in the portal by a state entity; allows for optional participation in the portal by a political subdivision of the state; and contains a link to the State Tax Commission website. 63A-16-803(4) In developing the single sign-on citizen portal, the department shall consult with: each state executive branch agency that administers a program, provides a service, or manages applicable information described in Subsection (2); the Utah League of Cities and Towns; the Utah Association of Counties; and other appropriate state executive branch agencies. 63A-16-803(5) The division shall ensure that the single sign-on citizen portal is fully operational no later than January 1, 2025. 63A-16-803(6) As used in this Subsection (6): “Digital verifiable credential” means the same as that term is defined in Section 63A-16-108. “Digital verifiable record” means the same as that term is defined in Section 63A-16-108. “Offender” means the same as that term is defined in Section 64-13-1. No later than January 1, 2027, the division shall ensure that a version of the single sign-on citizen portal is made available to an individual who: is a Utah resident; and is an offender; or previously was an offender resulting from a conviction that occurred on or after January 1, 2027. The portal described in Subsection (6)(b) shall include: if possible, an electronic copy of, or link to, the individual’s digital verifiable credentials and digital verifiable records; and if available: information on the individual’s debts such as restitution, court costs, fines, tax obligations, alimony, child support, other court-ordered payments, and similar debts; and links or another method to access more information concerning the debts listed in Subsection (6)(c)(ii)(A).
63A-16-804 - Report.
63A-16-804(1) The division shall report to the Government Operations Interim Committee before November 30 of each year regarding:
the progress the division has made in developing the single sign-on business portal and the single sign-on citizen portal and, once that development is complete, regarding the operation of the single sign-on business portal and the single sign-on citizen portal; the division’s goals and plan for each of the next five years to fulfill the division’s responsibilities described in this part; and whether the division recommends any change to the single sign-on fee being charged under Section 13-1-2. 63A-16-804(2) The Government Operations Interim Committee shall annually:
review the single sign-on fee being charged under Section 13-1-2; determine whether the revenue from the single sign-on fee is adequate for designing and developing and then, once developed, operating and maintaining the single sign-on web portal; and make any recommendation to the Legislature that the committee considers appropriate concerning: the single sign-on fee; and the development or operation of the single sign-on business portal and the single sign-on citizen portal.
Technology Innovation Act
63A-16-901 - Definitions.
As used in this part: 63A-16-901(1) “Executive branch agency” means a department, division, or other agency within the executive branch of state government. 63A-16-901(2) “Governor’s budget office” means the Governor’s Office of Planning and Budget, created in Section 63J-4-201. 63A-16-901(3) “Review board” means the Architecture Review Board established within the department. 63A-16-901(4) “Technology innovation” means a new information technology not previously in use or a substantial adaptation or modification of an existing information technology. 63A-16-901(5) “Technology proposal” means a proposal to implement a technology innovation designed to result in a greater efficiency in a government process or a cost saving in the delivery of a government service, or both.
63A-16-902 - Submitting a technology proposal — Review process.
63A-16-902(1) Multiple executive branch agencies may jointly submit to the chief information officer a technology proposal, on a form or in a format specified by the division. 63A-16-902(2) The chief information officer shall transmit to the review board each technology proposal the chief information officer determines meets the form or format requirements of the division. 63A-16-902(3) The review board shall:
conduct a technical review of a technology proposal transmitted by the chief information officer; determine whether the technology proposal merits further review and consideration by the chief information officer, based on the technology proposal’s likelihood to: be capable of being implemented effectively; and result in greater efficiency in a government process or a cost saving in the delivery of a government service, or both; and transmit a technology proposal to the chief information officer and to the governor’s budget office, if the review board determines that the technology proposal merits further review and consideration by the chief information officer.
63A-16-903 - Chief information officer review and approval of technology proposals.
63A-16-903(1) The chief information officer shall review and evaluate each technology proposal that the review board transmits to the chief information officer. 63A-16-903(2) The chief information officer may approve and recommend that the division provide funding from legislative appropriations for a technology proposal if, after the chief information officer’s review and evaluation of the technology proposal:
the chief information officer determines that there is a reasonably good likelihood that the technology proposal: is capable of being implemented effectively; and will result in greater efficiency in a government process or a cost saving in the delivery of a government service, or both; and the chief information officer receives approval from the governor’s budget office for the technology proposal. 63A-16-903(3) The chief information officer may:
prioritize multiple approved technology proposals based on their relative likelihood of achieving the goals described in Subsection (2); and recommend funding based on the chief information officer’s prioritization under Subsection (3)(a). 63A-16-903(4) The division shall:
track the implementation and success of a technology proposal approved by the chief information officer; evaluate the level of the technology proposal’s implementation effectiveness and whether the implementation results in greater efficiency in a government process or a cost saving in the delivery of a government service, or both; and report the results of the division’s tracking and evaluation: to the chief information officer, as frequently as the chief information officer requests; and at least annually to the Government Operations Interim Committee. 63A-16-903(5) The division may expend money appropriated by the Legislature to pay for expenses incurred by executive branch agencies in implementing a technology proposal that the chief information officer has approved.
Criminal and Juvenile Justice Database
63A-16-1001 - Definitions.
As used in this part: 63A-16-1001(1) “Commission” means the State Commission on Criminal and Juvenile Justice created in Section 63M-7-201. 63A-16-1001(2) “Criminal justice agency” means an agency or institution directly involved in the apprehension, prosecution, and incarceration of an individual involved in criminal activity, including law enforcement, correctional facilities, jails, courts, probation, and parole. 63A-16-1001(3) “Division” means the Division of Technology Services created in Section 63A-16-103. 63A-16-1001(4) “Grant” means a grant awarded under Section 63A-16-1003. 63A-16-1001(5) “Program” means the public safety portal grant program created in Section 63A-16-1003. 63A-16-1001(6) “Public safety portal” means the data portal created in Section 63A-16-1002. 63A-16-1001(7) “State board” means the State Board of Education.
63A-16-1002 - Public safety portal.
63A-16-1002(1) The commission shall oversee the creation and management of a public safety portal for information and data required to be reported to the commission and accessible to all criminal justice agencies in the state. 63A-16-1002(2) The division shall assist with the development and management of the public safety portal. 63A-16-1002(3) The division, in collaboration with the commission, shall create: master standards and formats for information submitted to the public safety portal; a gateway, bridge, website, or other method for reporting entities to provide the information; a master data management index or system to assist in the retrieval of information from the public safety portal; a protocol for accessing information in the public safety portal that complies with state privacy regulations; and a protocol for real-time audit capability of all data accessed from the public safety portal by participating data source, data use entities, and regulators. 63A-16-1002(4) The public safety portal shall be the repository for the statutorily required data described in: Section 13-53-111, Recidivism reporting requirements; Section 17-72-408, County jail reporting requirements; Section 17E-2-201, Criminal Justice Coordinating Councils reporting; Section 26B-1-427, Alcohol Abuse Tracking Committee; Section 41-6a-511, Courts to collect and maintain data; Section 53-10-118, Regarding driving under the influence data; Section 53-25-301, Reporting requirements for reverse-location warrants; Section 53-25-202, Sexual assault offense reporting requirements for law enforcement agencies; Section 53E-3-516, School disciplinary and law enforcement action report; Section 53-25-501, Reporting requirements for seized firearms; Section 53-25-502, Law enforcement agency reporting requirements for certain firearm data; Section 63M-7-214, Law enforcement agency grant reporting; Section 63M-7-216, Prosecutorial data collection; Section 63M-7-216.1, Prosecutorial data collection regarding certain prosecutions, dismissals, and declinations to prosecute; Section 63M-7-220, Domestic violence data collection; Section 64-14-204, Supervision of sentenced offenders placed in community; Section 64-13-25, Standards for programs; Section 64-13-45, Department reporting requirements; Section 64-13e-104, County correctional facility reimbursement program for state probationary inmates and state parole inmates; Section 77-7-8.5, Use of tactical groups; Section 77-11b-404, Forfeiture reporting requirements; Section 77-20-103, Release data requirements; Section 77-22-2.5, Court orders for criminal investigations; Section 78A-2-109.5, Court data collection on criminal cases; Section 80-6-104, Data collection on offenses committed by minors; and any other statutes that require the collection of specific data and the reporting of that data to the commission. 63A-16-1002(5) Before October 1, 2025, the commission shall report all data collected to the Law Enforcement and Criminal Justice Interim Committee. 63A-16-1002(6) The commission may: enter into contracts with private or governmental entities to assist entities in complying with the data reporting requirements of Subsection (4); and make, in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, rules to administer this section, including establishing requirements and procedures for collecting the data described in Subsection (4).
63A-16-1003 - Public safety portal grant program.
63A-16-1003(1) There is created within the commission the public safety portal grant program. The purpose of the program is to award grants to assist entities in complying with the data reporting requirements described in Subsection 63A-16-1002(4). The program is funded with existing appropriations previously designated for the purpose of facilitating data collection and any ongoing appropriations made by the Legislature for the program. 63A-16-1003(2) An entity that submits a proposal for a grant to the commission shall include details in the proposal regarding: how the entity plans to use the grant to fulfill the purpose described in Subsection (1)(b); any plan to use funding sources in addition to the grant for proposal; any existing or planned partnerships with another individual or entity to implement the proposal; and other information the commission determines is necessary to evaluate the proposal. 63A-16-1003(3) When evaluating a proposal for a grant, the commission shall consider: the likelihood that the proposal will accomplish the purpose described in Subsection (1)(b); the cost of the proposal; and the viability and sustainability of the proposal. 63A-16-1003(4) Subject to Subsection (2), the commission may make rules, in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, to establish: eligibility criteria for a grant; the form and process for submitting a proposal to the commission for a grant; the method and formula for determining a grant amount; and reporting requirements for a grant recipient.
63A-16-1004 - Software service required to be compatible with public safety portal.
63A-16-1004(1) A vendor that operates a software service described in Subsection (2) shall: establish an automated connection to the commission’s public safety portal; and ensure that the connection described in Subsection (1)(a) is operational within one year of the criminal justice agency’s system that uses the software service becoming active. 63A-16-1004(2) A software service is subject to Subsection (1) if the software service: is for use by a criminal justice agency within the state’s criminal justice system; and collects and stores data required by statute to be reported to the commission.
Utah Cyber Center
63A-16-1101 - Definitions.
As used in this part: 63A-16-1101(1) “Cyber Center” means the Utah Cyber Center created in Section 63A-16-1102. 63A-16-1101(2) “Data breach” means the unauthorized access, acquisition, disclosure, loss of access, or destruction of: personal data affecting 500 or more individuals; or data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity. 63A-16-1101(3) “Governmental entity” means the same as that term is defined in Section 63G-2-103. 63A-16-1101(4) “Personal data” means information that is linked or can be reasonably linked to an identified individual or an identifiable individual.
63A-16-1102 - Utah Cyber Center — Creation — Duties.
63A-16-1102(1) There is created within the division the Utah Cyber Center. The chief information security officer appointed under Section 63A-16-210 shall serve as the director of the Cyber Center. 63A-16-1102(2) The division shall operate the Cyber Center in partnership with the following entities within the Department of Public Safety created in Section 53-1-103: the Statewide Information and Analysis Center; the State Bureau of Investigation created in Section 53-10-301; and the Division of Emergency Management created in Section 53-2a-103. 63A-16-1102(3) In addition to the entities described in Subsection (3), the Cyber Center shall collaborate with: the Cybersecurity Commission created in Section 63C-27-201; the Office of the Attorney General; the Utah Education and Telehealth Network created in Section 53H-4-213.4; appropriate federal partners, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency; appropriate information sharing and analysis centers; information technology directors, cybersecurity professionals, or equivalent individuals representing political subdivisions in the state; and any other person the division believes is necessary to carry out the duties described in Subsection (4).
63A-16-1102(4) The Cyber Center shall, within legislative appropriations: by June 30, 2024, develop a statewide strategic cybersecurity plan for governmental entities; with respect to executive branch agencies: identify, analyze, and, when appropriate, mitigate cyber threats and vulnerabilities; coordinate cybersecurity resilience planning; provide cybersecurity incident response capabilities; and recommend to the division standards, policies, or procedures to increase the cyber resilience of executive branch agencies individually or collectively; at the request of a governmental entity, coordinate cybersecurity incident response for a data breach affecting the governmental entity in accordance with Section 63A-19-405; promote cybersecurity best practices; share cyber threat intelligence with governmental entities and, through the Statewide Information and Analysis Center, with other public and private sector organizations; serve as the state cybersecurity incident response repository to receive reports of breaches of system security, including notification or disclosure under Section 13-44-202 and data breaches under Section 63A-16-1103; develop incident response plans to coordinate federal, state, local, and private sector activities and manage the risks associated with an attack or malfunction of critical information technology systems within the state; coordinate, develop, and share best practices for cybersecurity resilience in the state; identify sources of funding to make cybersecurity improvements throughout the state; develop a sharing platform to provide resources based on information, recommendations, and best practices; and partner with institutions of higher education and other public and private sector organizations to increase the state’s cyber resilience.
63A-16-1103 - Assistance to governmental entities — Records.
63A-16-1103(1) The Cyber Center shall provide a governmental entity with assistance in responding to a data breach reported under Section 63A-19-405, which may include: conducting all or part of an internal investigation into the data breach; assisting law enforcement with the law enforcement investigation if needed; determining the scope of the data breach; assisting the governmental entity in restoring the reasonable integrity of the system; or providing any other assistance in response to the reported data breach. 63A-16-1103(2) A governmental entity that is required to submit information under Section 63A-19-405 shall provide records to the Cyber Center as a shared record in accordance with Section 63G-2-206. The following information may be deemed confidential and may only be shared as provided in Section 63G-2-206: the information provided to the Cyber Center by a governmental entity under Section 63A-19-405; and information produced by the Cyber Center in response to a report of a data breach under Subsection (1).
State-endorsed Digital Identity
63A-16-1201 - Definitions.
63A-16-1201(1) “Biometric data” means the same as that term is defined in Section 13-61-101. 63A-16-1201(2) “Chief privacy officer” means the chief privacy officer appointed in accordance with Section 63A-19-302. 63A-16-1201(3) “Digital identity” means an electronic record that an individual may use to assert the individual’s identity. 63A-16-1201(4) “Governmental entity” means the same as that term is described in Section 63G-2-103. 63A-16-1201(5) “Guardian” means an individual or entity authorized to act on behalf of an individual. “Guardian” includes: a representative designated by an individual; the parent or legal guardian of an unemancipated minor; or the legal guardian of a legally incapacitated individual. 63A-16-1201(6) “Identity” means any attribute used to identify or distinguish a specific individual. “Identity” includes an individual’s: personal data; biometric data; physical and non-physical characteristics; image or likeness; signature; and any other unique physical or digital identifier related to the individual. 63A-16-1201(7) “Individual” means the same as that term is described in Section 63G-2-103. 63A-16-1201(8) “Mobile communication device” means any wireless communication device with Internet capability capable of displaying or providing a state-endorsed digital identity. “Mobile communication device” includes a: cellular telephone; or wireless tablet. 63A-16-1201(9) “Office” means the Office of Data Privacy created in Section 63A-19-301. 63A-16-1201(10) “Person” means the same as that term is defined in Section 63G-2-103. 63A-16-1201(11) “Personal data” means the same as that term is defined in Section 63A-19-101. 63A-16-1201(12) “Physical identity” means a physical record that an individual may use to prove the individual’s identity issued by: a governmental entity; the equivalent of a governmental entity in another state; the federal government; or another country.
63A-16-1201(13) “State-endorsed digital identity” means an individual’s digital identity that: is controlled by the individual; and has been officially recognized by the state. 63A-16-1201(14) “State-endorsed digital identity program” means a state initiative which is designed to develop methods, policies, and procedures to endorse an individual’s digital identity. 63A-16-1201(15) “System” means the technological infrastructure, processes, and procedures used to create, store, manage, and validate a state-endorsed digital identity.
63A-16-1202 - State digital identity policy.
63A-16-1202(1) It is the policy of Utah that: each individual has a unique identity; the state does not establish an individual’s identity; the state may, in certain circumstances, recognize and endorse an individual’s identity; the state is obligated to respect an individual’s privacy interest associated with the individual’s identity; the state is the only governmental entity that may endorse an individual’s digital identity for the purpose of establishing a state-endorsed digital identity; the state may only endorse an individual’s digital identity if the state-endorsed digital identity program is expressly authorized by the Legislature; an individual whose digital identity has been endorsed by the state is entitled to: choose: how the individual discloses the individual’s state-endorsed digital identity; to whom the individual discloses the individual’s state-endorsed digital identity; which elements of the individual’s state-endorsed digital identity to disclose; where the individual’s state-endorsed digital identity is stored; and whether to use a state-endorsed digital identity or physical identity to prove the individual’s identity; allow a governmental entity or a person to use information related to the individual’s use of the individual’s state-endorsed digital identity for a purpose other than the primary purpose for which the governmental entity or person collected the information; and have a guardian obtain or use a state-endorsed digital identity on the individual’s behalf; a governmental entity or person that accepts a state-endorsed digital identity shall: collect, use, and retain an individual’s state-endorsed digital identity in a secure manner; and comply with the requirements of this part through technological means; a governmental entity may not: convey a material benefit upon an individual for using a state-endorsed digital identity instead of a physical identity; or withhold services or benefits from an individual if the individual uses a physical identity or is otherwise unable to use a state-endorsed digital identity; and a governmental entity or a person may not require an individual to surrender the individual’s mobile communication device to verify the individual’s identity. 63A-16-1202(2) The state may not endorse an individual’s digital identity unless: the state has verified an individual’s identity before endorsement; the state-endorsed digital identity: incorporates state-of-the-art safeguards for protecting the individual’s identity; includes methods to establish authenticity; is easy for an individual to adopt and use; and is compatible with a wide variety of technological systems without sacrificing privacy or security; the state provides clear information to an individual regarding how the individual may: maintain and control the individual’s state-endorsed digital identity; use the individual’s state-endorsed digital identity; limit access to: the individual’s state-endorsed digital identity; and any elements of the individual’s identity disclosed by the state-endorsed digital identity; and obtain a new state-endorsed digital identity if the individual’s state-endorsed digital identity is compromised; the state ensures that when an individual uses a state-endorsed digital identity: any record of the individual’s use: is only used for the primary purpose for which the individual disclosed the state-endorsed digital identity; and is not disclosed, shared, or compared by the governmental entity or person receiving the state-endorsed digital identity; and the use is free from surveillance, visibility, tracking, or monitoring by any other governmental entity or person; and the state-endorsed digital identity enables an individual to: selectively disclose elements of the individual’s identity; and verify that the individual’s age satisfies an age requirement without revealing the individual’s age or date of birth.
63A-16-1202(3) The state may only revoke or withdraw the state’s endorsement of an individual’s state-endorsed digital identity if: the state-endorsed digital identity has been compromised; the state’s endorsement was: issued in error; or based on fraudulent information; or the individual requests that the state revoke or withdraw the endorsement of the individual’s state-endorsed digital identity.
63A-16-1203 - Department duties.
63A-16-1203(1) The department shall: explore ways in which the state may implement a state-endorsed digital identity program consistent with the state policy expressed in Section 63A-16-1202; study and identify best practices regarding the use of a digital identity; propose policies, procedures, standards, and technology that should be incorporated in the state-endorsed digital identity program; examine how the state-endorsed digital identity program may be implemented in the most cost-effective manner possible using state resources that are already available; and evaluate and make recommendations regarding any changes to existing statutes, rules, or policies that may be necessary to facilitate the creation of a state-endorsed digital identity program. 63A-16-1203(2) In performing the duties described in Subsection (1), the department shall consult with: the chief information officer; the chief privacy officer; the Utah League of Cities and Towns; the Utah Association of Counties; and individuals who have relevant expertise, including representatives from: governmental entities; other states; and the private sector. 63A-16-1203(3) The department shall report to the Public Utilities, Energy, and Technology Interim Committee regarding the duties described in Subsection (1) and recommendations for the implementation of a state-endorsed digital identity program on or before October 31 of each year.