63A-19 - Government Data Privacy Act


General Provisions — State Data Privacy Policy

63A-19-101 - Definitions.

As used in this chapter:

63A-19-101(1) “Anonymized data” means information that has been irreversibly modified so that there is no possibility of using the information, alone or in combination with other information, to identify an individual.

63A-19-101(2) “At-risk government employee” means the same as that term is defined in Section 63G-2-303.

63A-19-101(3) “Automated decision making” means using personal data to make a decision about an individual through automated processing, without human review or intervention.

63A-19-101(4) “Biometric data” means the same as that term is defined in Section 13-61-101.

63A-19-101(5) “Chief administrative officer” means the same as that term is defined in Section 63A-12-100.5.

63A-19-101(6) “Chief privacy officer” means the individual appointed under Section 63A-19-302.

63A-19-101(7) “Commission” means the Utah Privacy Commission established in Section 63A-19-203.

63A-19-101(8) “Contract” means an agreement between a governmental entity and a person for goods or services that involve personal data.

63A-19-101(9) “Contractor” means a person who:
    has entered into a contract with a governmental entity; and
    may process personal data under the contract.
“Contractor” includes a contractor’s employees, agents, or subcontractors.

63A-19-101(10) “Cyber Center” means the Utah Cyber Center created in Section 63A-16-1102.

63A-19-101(11) “Data breach” means the unauthorized access, acquisition, disclosure, loss of access, or destruction of personal data held by a governmental entity, unless the governmental entity concludes, according to standards established by the Cyber Center, that there is a low probability that personal data has been compromised.

63A-19-101(12) “De-identified data” means information from which personal data has been removed or obscured so that the information is not readily identifiable to a specific individual, and which may not be re-identified.

63A-19-101(13) “Genetic data” means the same as that term is defined in Section 13-60-102.

63A-19-101(14) “Governing board” means the Utah Privacy Governing Board established in Section 63A-19-201.

63A-19-101(15) “Governmental entity” means the same as that term is defined in Section 63G-2-103.

63A-19-101(16) “Government website” means a set of related web pages that is operated by or on behalf of a governmental entity and is:
    located under a single domain name or web address; and
    accessible directly through the Internet or by the use of a software program.

63A-19-101(17) “High-risk processing activities” means a governmental entity’s processing of personal data that may have a significant impact on an individual’s privacy interests, based on factors that include:
    the sensitivity of the personal data processed;
    the amount of personal data being processed;
    the individual’s ability to consent to the processing of personal data; and
    risks of unauthorized access or use.
“High-risk processing activities” may include the use of:
    facial recognition technology;
    automated decision making;
    profiling;
    genetic data;
    biometric data; or
    geolocation data.

63A-19-101(18) “Independent entity” means the same as that term is defined in Section 63E-1-102.

63A-19-101(19) “Individual” means the same as that term is defined in Section 63G-2-103.

63A-19-101(20) “Legal guardian” means:
    the parent of a minor; or
    an individual appointed by a court to be the guardian of a minor or incapacitated individual and given legal authority to make decisions regarding the person or property of the minor or incapacitated individual.

63A-19-101(21) “Office” means the Utah Office of Data Privacy created in Section 63A-19-301.

63A-19-101(22) “Ombudsperson” means the data privacy ombudsperson appointed under Section 63A-19-501.

63A-19-101(23) “Person” means the same as that term is defined in Section 63G-2-103.

63A-19-101(24) “Personal data” means information that is linked or can be reasonably linked to an identified individual or an identifiable individual.

63A-19-101(25) “Privacy annotation” means a summary of personal data contained in a record series as described in Section 63A-19-401.1.

63A-19-101(26) “Privacy practice” means a governmental entity’s:
    organizational, technical, administrative, and physical safeguards designed to protect an individual’s personal data;
    policies and procedures related to the acquisition, use, storage, sharing, retention, and disposal of personal data; and
    practice of providing notice to an individual regarding the individual’s privacy rights.

63A-19-101(27) “Process,” “processing,” or “processing activity” means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, access, retrieval, consultation, use, disclosure by transmission, transfer, dissemination, alignment, combination, restriction, erasure, or destruction.

63A-19-101(28) “Profiling” means the processing of personal data to evaluate or predict an individual’s:
    economic situation;
    health;
    personal preferences;
    interests;
    reliability;
    behavior;
    location; or
    movements.

63A-19-101(29) “Purchase” or “purchasing” means the exchange of monetary consideration to obtain the personal data of an individual who is not a party to the transaction.

63A-19-101(30) “Record” means the same as that term is defined in Section 63G-2-103.

63A-19-101(31) “Record series” means the same as that term is defined in Section 63G-2-103.

63A-19-101(32) “Retention schedule” means a governmental entity’s schedule for the retention or disposal of records that has been approved by the Records Management Committee pursuant to Section 63A-12-113.

63A-19-101(33) “Sell” means an exchange of personal data for monetary consideration by a governmental entity to a third party. “Sell” does not include a fee:
    charged by a governmental entity for access to a record pursuant to Section 63G-2-203; or
    assessed in accordance with an approved fee schedule.

63A-19-101(34) “State agency” means the following entities that are under the direct supervision and control of the governor or the lieutenant governor:
    a department;
    a commission;
    a board;
    a council;
    an institution;
    an officer;
    a corporation;
    a fund;
    a division;
    an office;
    a committee;
    an authority;
    a laboratory;
    a library;
    a bureau;
    a panel;
    another administrative unit of the state; or
    an agent of an entity described in Subsections (34)(a)(i) through (xvii).
“State agency” does not include:
    the legislative branch;
    the judicial branch;
    an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or
    an independent entity.

63A-19-101(35) “State privacy auditor” means the same as that term is defined in Section 67-3-13.

63A-19-101(36) “Synthetic data” means artificial data that:
    is generated from personal data; and
    models the statistical properties of the original personal data.

63A-19-101(37) “User” means an individual who accesses a government website.

63A-19-101(38) “User data” means any information about a user that is automatically collected by a government website when a user accesses the government website. “User data” includes information that identifies:
    a user as having requested or obtained specific materials or services from a government website;
    Internet sites visited by a user;
    the contents of a user’s data-storage device;
    any identifying code linked to a user of a government website; and
    a user’s:
        IP or Mac address; or
        session ID.

63A-19-101(39) “Website tracking technology” means any tool used by a government website to:
    monitor a user’s behavior; or
    collect user data.

63A-19-102 - State data privacy policy.

It is the policy of Utah that:

63A-19-102(1) an individual has a fundamental interest in and inherent expectation of privacy regarding the individual’s personal data that the individual provides to a governmental entity;

63A-19-102(2) a governmental entity shall process personal data in a manner that is consistent with the interests and expectations described in Subsection (1);

63A-19-102(3) the state shall encourage innovation to enhance the ability of a governmental entity to:
    protect the privacy of an individual’s personal data;
    provide clear notice to an individual regarding the governmental entity’s processing of the individual’s personal data;
    process personal data only for specified, lawful purposes and only process the minimum amount of an individual’s personal data necessary to achieve those purposes;
    implement appropriate consent mechanisms regarding the uses of an individual’s personal data;
    provide an individual with the ability to access, control, and request corrections to the individual’s personal data held by a governmental entity;
    maintain appropriate safeguards to protect the confidentiality, integrity, and availability of personal data;
    account for compliance with privacy related laws, rules, and regulations that are specific to a particular governmental entity, program, or personal data; and
    meet a governmental entity’s and an individual’s business and service needs;

63A-19-102(4) the state shall promote training and education programs for employees of governmental entities focused on:
    data privacy best practices, obligations, and responsibilities; and
    the overlapping relationship with privacy, records management, and security; and

63A-19-102(5) the state shall promote consistent terminology in data privacy requirements across governmental entities.

Utah Privacy Governing Board

63A-19-201 - Utah Privacy Governing Board.

63A-19-201(1) There is created the Utah Privacy Governing Board.

63A-19-201(2) The governing board shall be composed of five members as follows:
    the governor, or the governor’s designee;
    the president of the Senate, or the president’s designee;
    the speaker of the House of Representatives, or the speaker’s designee;
    the attorney general, or the attorney general’s designee; and
    the state auditor, or the state auditor’s designee.

63A-19-201(3) A majority of the members of the governing board is a quorum. The action of a majority of a quorum constitutes an action of the governing board.

63A-19-201(4) The governor, or the governor’s designee, is chair of the governing board.

63A-19-201(5) The governing board shall meet at least two times a year.

63A-19-201(6) The governing board may recommend specific matters to the state auditor under Section 63A-19-601.

63A-19-201(7) The office shall provide staff and support to the governing board.

63A-19-202 - Governing board duties.

63A-19-202(1) The governing board shall:
    recommend changes to the state data privacy policy;
    by July 1 of each year, approve the data privacy agenda items for the commission and make recommendations for additional items for the data privacy agenda;
    hear issues raised by the ombudsperson regarding existing governmental entity privacy practices;
    evaluate and recommend the appropriate:
        structure and placement for the office within state government; and
        authority to be granted to the office, including any authority to make rules; and
    recommend funding mechanisms and strategies for governmental entities to enable compliance with data privacy responsibilities, including:
        appropriations;
        rates;
        grants; and
        internal service funds.

63A-19-202(2) In fulfilling the duties under this part, the governing board may receive and request input from:
    governmental entities;
    elected officials;
    subject matter experts; and
    other stakeholders.

63A-19-203 - Utah Privacy Commission created.

63A-19-203(1) There is created the Utah Privacy Commission.

63A-19-203(2) The commission shall be composed of 12 members.
The governor shall appoint:
    one member who, at the time of appointment, provides internet technology services for a county;
    one member with experience in cybersecurity;
    one member representing private industry in technology;
    one member representing law enforcement; and
    one member with experience in data privacy law.
The state auditor shall appoint:
    one member with experience in internet technology services;
    one member with experience in cybersecurity;
    one member representing private industry in technology;
    one member with experience in data privacy law; and
    one member representing municipalities who, at the time of appointment, has expertise in civil liberties law, the ethical use of data, or the impacts of the use of a technology on different populations.
The attorney general shall appoint:
    one member with experience as a prosecutor or appellate attorney and with experience in data privacy or civil liberties law; and
    one member representing law enforcement.

63A-19-203(3) Except as provided in Subsection (3)(b), a member is appointed for a term of four years. The initial appointments of members described in Subsections (2)(b)(i) through (b)(iii), (2)(c)(iv) through (c)(v), and (2)(d)(ii) shall be for two-year terms. When the term of a current member expires, a member shall be reappointed or a new member shall be appointed in accordance with Subsection (2).

63A-19-203(4) When a vacancy occurs in the membership for any reason, a replacement shall be appointed in accordance with Subsection (2) for the unexpired term. A member whose term has expired may continue to serve until a replacement is appointed.

63A-19-203(5) The commission shall select officers from the commission’s members as the commission finds necessary.

63A-19-203(6) A majority of the members of the commission is a quorum. The action of a majority of a quorum constitutes an action of the commission.

63A-19-203(7) A member may not receive compensation or benefits for the member’s service but may receive per diem and travel expenses incurred as a member of the commission at the rates established by the Division of Finance under:
    Sections 63A-3-106 and 63A-3-107; and
    rules made by the Division of Finance in accordance with Sections 63A-3-106 and 63A-3-107.

63A-19-203(8) A member shall refrain from participating in a review of:
    an entity of which the member is an employee; or
    a technology in which the member has a financial interest.

63A-19-203(9) The state auditor shall provide staff and support to the commission.

63A-19-203(10) The commission shall meet up to 12 times a year to accomplish the duties described in Section 63A-19-204.

63A-19-204 - Commission duties.

63A-19-204(1) The commission shall:
    annually develop a data privacy agenda that identifies for the upcoming year:
        governmental entity privacy practices to be reviewed by the commission;
        educational and training materials that the commission intends to develop;
        any other items related to data privacy the commission intends to study; and
        best practices and guiding principles that the commission plans to develop related to government privacy practices;
    develop guiding standards and best practices with respect to government privacy practices;
    develop educational and training materials that include information about:
        the privacy implications and civil liberties concerns of the privacy practices of government entities;
        best practices for government collection and retention policies regarding personal data; and
        best practices for government personal data security standards;
    review the privacy implications and civil liberties concerns of government privacy practices; and
    provide the data privacy agenda to the governing board by May 1 of each year.

63A-19-204(2) The commission may, in addition to the approved items in the data privacy agenda prepared under Subsection (1)(a):
    review specific government privacy practices as referred to the commission by the chief privacy officer described in Section 63A-19-302 or the state privacy auditor described in Section 67-3-13;
    review a privacy practice not accounted for in the data privacy agenda only upon referral by the chief privacy officer or the state privacy auditor in accordance with this section;
    review and provide recommendations regarding consent mechanisms used by governmental entities to collect personal information;
    develop and provide recommendations to the Legislature on how to balance transparency and public access of public records against an individual’s reasonable expectations of privacy and data protection; and
    develop recommendations for legislation regarding the guiding standards and best practices the commission has developed in accordance with Subsection (1)(a).

63A-19-204(3) At least annually, on or before October 1, the commission shall report to the Judiciary Interim Committee:
    the results of any reviews the commission has conducted;
    the guiding standards and best practices described in Subsection (1)(b); and
    any recommendations for legislation the commission has developed in accordance with Subsection (2)(e).

63A-19-204(4) At least annually, on or before June 1, the commission shall report to the governing board regarding:
    governmental entity privacy practices the commission plans to review in the next year;
    any educational and training programs the commission intends to develop in relation to government data privacy best practices;
    results of the commission’s data privacy practice reviews from the previous year; and
    recommendations from the commission related to data privacy legislation, standards, or best practices.

63A-19-204(5) The data privacy agenda detailed in Subsection (1)(a) does not add to or expand the authority of the commission.

Office of Data Privacy

63A-19-301 - Utah Office of Data Privacy.

63A-19-301(1) There is created within the department the Utah Office of Data Privacy.

63A-19-301(2) The office shall coordinate with the governing board and the commission to perform the duties in this section.

63A-19-301(3) The office shall:
    create and maintain a data privacy framework designed to:
        assist governmental entities to identify and implement effective and efficient data privacy practices, tools, and systems that:
            protect the privacy of personal data;
            comply with data privacy laws and regulations specific to the governmental entity, program, or data;
            empower individuals to protect and control their personal data; and
            enable information use and sharing among governmental entities, as allowed by law; and
        account for differences in a governmental entity’s resources, capabilities, populations served, data types, and maturity level regarding data privacy practices;
    review statutory provisions related to governmental data privacy and records management to:
        identify conflicts and gaps in data privacy law; and
        standardize language;
    work with governmental entities to study, research, and identify:
        additional data privacy practices that are feasible for governmental entities;
        potential remedies and accountability mechanisms for non-compliance of a governmental entity;
        ways to expand an individual’s control over the individual’s personal data processed by a governmental entity;
        resources needed to develop, implement, and improve data privacy programs; and
        best practices regarding:
            automated decision making;
            the creation and use of synthetic, de-identified, or anonymized data; and
            the use of website tracking technology;
    monitor high-risk data processing activities within governmental entities;
    coordinate with the Cyber Center to develop an incident response plan for data breaches affecting governmental entities;
    coordinate with the state archivist to:
        incorporate data privacy practices into records management; and
        include data privacy content in the trainings described in Section 63A-12-110; and
    create a data privacy training program for employees of governmental entities as described in Section 63A-19-401.3.

63A-19-301(4) The office may:
    provide expertise and assistance to governmental entities for high-risk data processing activities;
    create assessment tools and resources that a governmental entity may use to:
        review, evaluate, and mature the governmental entity’s privacy program, practices, and processing activities; and
        evaluate the privacy impact, privacy risk, and privacy compliance of the governmental entity’s privacy program, practices, and processing activities;
    charge a governmental entity a service fee, established in accordance with Section 63J-1-504, for providing services that enable a governmental entity to perform the governmental entity’s duties under Section 63A-19-401, if the governmental entity requests the office provide those services;
    bill a state agency, as provided in Section 63J-1-410, for any services the office provides to a state agency;
    provide funding to assist a governmental entity in complying with:
        this chapter; and
        Title 63G, Chapter 2, Part 3, Classification, and Title 63G, Chapter 2, Part 6, Collection of Information and Accuracy of Records; and
    make rules in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, to administer this part.

63A-19-301(5) Upon application by a governmental entity, the office may:
    grant, for a limited period of time, a governmental entity with an:
        extension of time to comply with certain requirements of Part 4, Duties of Governmental Entities; or
        exemption from complying with certain requirements of Part 4, Duties of Governmental Entities; or
    allow a governmental entity to establish a data privacy training program for the governmental entity’s employees to complete, instead of the data privacy training program established by the office under Section 63A-19-401.3, if the governmental entity’s data privacy training program contains the same information contained in the office’s data privacy training program.
An application for an extension or exemption submitted under Subsection (5)(a)(i) shall:
    identify the specific duty from which the governmental entity seeks an extension or exemption and the section that imposes that duty; and
    include a justification for the requested extension or exemption.
If the office grants an exemption under Subsection (5)(a), the office shall report at the next board meeting:
    the name of the governmental entity that received an exemption; and
    the nature of the exemption.
The office shall notify the state privacy auditor of any approved extensions or exemptions.

63A-19-302 - Chief privacy officer — Appointment — Powers — Reporting.

63A-19-302(1) The governor shall, with the advice and consent of the Senate, appoint a chief privacy officer.

63A-19-302(2) The chief privacy officer is the director of the office.

63A-19-302(3) The chief privacy officer:
    shall exercise all powers given to and perform all duties imposed on the office;
    has administrative authority over the office;
    may make changes in office personnel and service functions under the chief privacy officer’s administrative authority;
    may authorize a designee to assist with the chief privacy officer’s responsibilities; and
    shall report annually, on or before October 1, to the Judiciary Interim Committee regarding:
        recommendations for legislation to address data privacy concerns; and
        reports received from state agencies regarding the sale or sharing of personal data provided under Subsection 63A-19-401(2)(f)(ii).

Duties of Governmental Entities

63A-19-401 - Duties of governmental entities.

63A-19-401(1) Except as provided in Subsections (1)(b) and (c), a governmental entity shall comply with the requirements of this part. If any provision in this part conflicts with any other provisions of law, the more specific or more restrictive law shall control. A governmental entity that is exempt under Section 63G-2-702, 63G-2-703, or 63G-2-704 from complying with the requirements in Title 63G, Chapter 2, Part 6, Collection of Information and Accuracy of Records, is exempt from complying with the requirements in this chapter.

63A-19-401(2) A governmental entity shall:
    initiate a data privacy program before December 31, 2025;
    obtain and process only the minimum amount of personal data reasonably necessary to efficiently achieve a specified purpose;
    meet the requirements of this part for all new processing activities implemented by a governmental entity; and
    for any processing activity implemented before May 7, 2025, as soon as is reasonably practicable, but no later than July 1, 2027:
        identify any non-compliant processing activity;
        document the non-compliant processing activity;
        prepare a strategy for bringing the non-compliant processing activity into compliance with this part; and
        include the information described in Subsections (2)(a)(iv)(A) through (C) in the privacy program report described in Section 63A-19-401.3.
A governmental entity that fulfills the reporting requirement under Section 63A-19-401.3 satisfies the requirement to initiate a privacy program under Subsection (2)(a)(i).

63A-19-401(3) A governmental entity may not:
    establish, maintain, or use undisclosed or covert surveillance of individuals unless permitted by law;
    sell personal data unless expressly required by law; and
    share personal data unless permitted by law.

63A-19-401.1 - Privacy annotations.

63A-19-401.1(1) Beginning July 1, 2027, a state agency shall make a complete and accurate privacy annotation for each record series containing personal data that the state agency collects, maintains, or uses. After July 1, 2027, a state agency that has not created a privacy annotation for a record series containing personal data may not collect, maintain, or use the personal data.

63A-19-401.1(2) If a state agency determines that a record series:
    does not contain personal data, the privacy annotation shall be limited to a statement indicating that the record series does not include personal data; or
    contains personal data, the privacy annotation shall include:
        an inventory of all types of personal data included in the record series;
        a description of all purposes for which the state agency collects, keeps, or uses the personal data;
        a citation to the state agency’s legal authority for collecting, keeping, or using the personal data; and
        any other information required by the rules created by the office under Section 63A-19-301.

63A-19-401.2 - Training requirements.

63A-19-401.2(1) The data privacy training program created by the office under Section 63A-4-301 shall be:
    designed to provide instruction regarding:
        data privacy best practices, obligations, and responsibilities; and
        the relationship between privacy, records management, and security; and
    required for all employees of a governmental entity who:
        have access to personal data as part of the employee’s work duties; or
        supervise an employee who has access to personal data.

63A-19-401.2(2) The training described in Subsection (1) shall be completed:
    within 30 days after an employee of a governmental entity begins employment; and
    at least once in each calendar year.

63A-19-401.2(3) A governmental entity is responsible for:
    ensuring that each employee of the governmental entity completes the data privacy training as required by Subsection (2); and
    reporting the governmental entity’s compliance with the training requirements as described in Section 63A-19-401.3.

63A-19-401.3 - Privacy program report.

63A-19-401.3(1) On or before December 31 of each year, the chief administrative officer of each governmental entity shall prepare a report that includes:
    whether the governmental entity has initiated a privacy program;
    a description of:
        any privacy practices implemented by the governmental entity;
        strategies for improving the governmental entity’s privacy program and practices; and
        the governmental entity’s high-risk processing activities;
    a list of the types of personal data the governmental entity currently shares, sells, or purchases;
    the legal basis for sharing, selling, or purchasing personal data;
    the category of individuals or entities:
        with whom the governmental entity shares personal data;
        to whom the governmental entity sells personal data; or
        from whom the governmental entity purchases personal data;
    the percentage of the governmental entity’s employees that have fulfilled the data privacy training requirements described in Section 63A-19-401.2; and
    a description of any non-compliant processing activities identified under Subsection 63A-19-401(2)(a)(iv) and the governmental entity’s strategy for bringing those activities into compliance with this part.

63A-19-401.3(2) The report described in Subsection (1):
    shall be considered a protected record under Section 63G-2-305; and
    may be made available at the request of the office.

63A-19-401.4 - Requirements for contractors.

63A-19-401.4(1) Except as provided in Subsection (4), a contractor that processes or has access to personal data as a part of the contractor’s duties under a contract with a governmental entity is subject to the requirements of this chapter to the same extent as the governmental entity for any personal data the contractor processes or has access to under a contract with the governmental entity.

63A-19-401.4(2) A contract entered into or renewed between a contractor and a governmental entity after July 1, 2026, shall contain specific language that requires a contractor to comply with the requirements of this chapter with regard to the personal data processed or accessed by the contractor as a part of the contractor’s duties under a contract to the same extent as required of the governmental entity.

63A-19-401.4(3) The requirements under this section are in addition to and do not replace any other requirements or liability that may be imposed for the contractor’s violation of other laws protecting privacy rights or government records.

63A-19-401.4(4) A contractor is not subject to the data privacy training program requirements described in Section 63A-19-401.2.

63A-19-402 - Personal data collection — Privacy notice.

63A-19-402(1) A governmental entity shall provide a privacy notice to an individual, or the legal guardian of an individual, from whom the governmental entity requests or collects personal data.

63A-19-402(2) If the personal data collected by a governmental entity:
    would be classified as a public record under Section 63G-2-301, the privacy notice shall be limited to a statement indicating that the individual’s personal data may be available to the public as provided by Section 63G-2-201; and
    would not be classified as a public record under Section 63G-2-301, the privacy notice shall describe:
        all intended purposes and uses of the personal data;
        the consequences for refusing to provide the personal data;
        the classes of persons and governmental entities:
            with whom the governmental entity shares personal data; or
            to whom the governmental entity sells personal data; and
        the record series in which the personal data is included.

63A-19-402(3) The governmental entity shall provide the privacy notice by:
    posting the privacy notice in a prominent place where the governmental entity collects the personal data;
    including the privacy notice as part of any document or form used by the governmental entity to collect the personal data; or
    including as part of any document or form used by the governmental entity to collect personal data, a conspicuous link or QR code that links to an electronic version of the privacy notice.

63A-19-402(4) The privacy notice required by this section is in addition to, and does not supersede, any other notice requirement otherwise applicable to the governmental entity.

63A-19-402(5) Notwithstanding Subsections (1) through (4), a governmental entity may provide the privacy notice required under this section by posting the privacy notice on the governmental entity’s government website, or on the public notice website if the governmental entity does not have a government website, when the privacy notice relates to processing activities that:
    serve a public safety interest; and
    produce a public benefit that is greater than or equal to the potential impact on an individual’s privacy interest that the privacy notice protects.
The processing activities related to public safety described in Subsection (5)(a) may include:
    the provision of emergency services;
    law enforcement body or dash camera recordings;
    security camera monitoring;
    ambulance and emergency medical services; and
    911 emergency communications.

63A-19-402(6) The governmental entity shall, upon request, provide the privacy notice to an individual, or the legal guardian of an individual, regarding personal data previously furnished by that individual.

63A-19-402(7) The governmental entity may only use personal data furnished by an individual for the purposes identified in the privacy notice provided to that individual.

63A-19-402.5 - Website privacy notice.

63A-19-402.5(1) A governmental entity’s government website shall include notice to a user of:
  (a) the identity of the governmental entity responsible for the government website;
  (b) how to contact the governmental entity that is responsible for the government website;
  (c) the method by which a user may:
    (i) seek access to the user’s personal data or user data;
    (ii) request to correct or amend the user’s personal data or user data; and
    (iii) file a complaint with the data privacy ombudsperson; and
  (d) how an at-risk employee may request that the at-risk employee’s personal information be classified as a private record under Section 63G-2-302.

63A-19-402.5(2) In addition to the website privacy notice requirement described in Subsection (1)(a), a government website that collects user data shall include in the website privacy notice the following information:
  (a) any website tracking technology that is used to collect user data on the government website;
  (b) what user data is collected by the government website;
  (c) all intended purposes and uses of the user data;
  (d) the classes of persons and governmental entities:
    (i) with whom the governmental entity shares user data; or
    (ii) to whom the governmental entity sells user data; and
  (e) the record series in which the user data is included.

63A-19-402.5(3) A notice described in Subsection (1) or (2) shall be provided by prominently posting on the homepage of the government website:
  (a) the notice; or
  (b) a link to a separate webpage containing the notice.

63A-19-402.5(4) A governmental entity may not collect user data on a government website unless the governmental entity has complied with the requirements in this section.

63A-19-403 - Procedure to request amendment or correction of personal data.

63A-19-403(1) A governmental entity that collects personal data shall provide a procedure by which an individual or legal guardian of an individual may request an amendment or correction of personal data that has been furnished to the governmental entity. 63A-19-403(2) The procedure by which an individual or legal guardian of an individual may request an amendment or correction shall comply with all applicable laws and regulations to which the personal data at issue and to which the governmental entity is subject. 63A-19-403(3) The procedure to request an amendment or correction described in this section does not obligate the governmental entity to make the requested amendment or correction.

63A-19-404 - Retention and disposition of personal data.

63A-19-404(1) A governmental entity that collects personal data shall retain and dispose of the personal data in accordance with a documented record retention schedule. 63A-19-404(2) Compliance with Subsection (1) does not exempt a governmental entity from complying with other applicable laws or regulations related to retention or disposition of specific personal data held by that governmental entity.

63A-19-405 - Data breach notification to the Cyber Center and the Office of the Attorney General.

63A-19-405(1)
  (a) A governmental entity that identifies a data breach affecting 500 or more individuals shall notify the Cyber Center and the attorney general of the data breach.
  (b) In addition to the notification required by Subsection (1)(a), a governmental entity that identifies the unauthorized access, acquisition, disclosure, loss of access, or destruction of data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity shall notify the Cyber Center.

63A-19-405(2) The notification under Subsection (1) shall:
  (a) be made without unreasonable delay, but no later than five days from the discovery of the data breach; and
  (b) include the following information:
    (i) the date and time the data breach occurred;
    (ii) the date the data breach was discovered;
    (iii) a short description of the data breach that occurred;
    (iv) the means by which access was gained to the system, computer, or network;
    (v) the person who perpetrated the data breach;
    (vi) steps the governmental entity is or has taken to mitigate the impact of the data breach; and
    (vii) any other details requested by the Cyber Center.

63A-19-405(3) For a data breach under Subsection (1)(a), the governmental entity shall provide the following information to the Cyber Center and the attorney general in addition to the information required under Subsection (2)(b):
  (a) the total number of individuals affected by the data breach, including the total number of Utah residents affected; and
  (b) the type of personal data involved in the data breach.

63A-19-405(4) If the information required by Subsections (2)(b) and (3) is not available within five days of discovering the breach, the governmental entity shall provide as much of the information required under Subsections (2)(b) and (3) as is available and supplement the notification with additional information as soon as the information becomes available.

63A-19-405(5)
  (a) A governmental entity that experiences a data breach affecting fewer than 500 individuals shall create an internal incident report containing the information in Subsection (2)(b) as soon as practicable and shall provide additional information as the information becomes available.
  (b) A governmental entity shall provide to the Cyber Center:
    (i) an internal incident report described in Subsection (5)(a) upon request of the Cyber Center; and
    (ii) an annual report logging all of the governmental entity’s data breach incidents affecting fewer than 500 individuals.

63A-19-406 - Data breach notice to individuals affected by data breach.

63A-19-406(1)
  (a) Except as provided in Subsection (1)(b), a governmental entity shall provide a data breach notice to an individual or legal guardian of an individual affected by the data breach:
    (i) after determining the scope of the data breach;
    (ii) after restoring the reasonable integrity of the affected system, if necessary; and
    (iii) without unreasonable delay except as provided in Subsection (2).
  (b) A governmental entity is not required to provide a data breach notice to an affected individual as described in Subsection (1)(a) if the:
    (i) personal data involved in the data breach would be classified as a public record under Section 63G-2-301; and
    (ii) the governmental entity prominently posts notice of the data breach on the homepage of the governmental entity’s government website.

63A-19-406(2) A governmental entity shall delay providing notification under Subsection (1) at the request of a law enforcement agency that determines that notification may impede a criminal investigation, until such time as the law enforcement agency informs the governmental entity that notification will no longer impede the criminal investigation.

63A-19-406(3) The data breach notice to an affected individual shall include:
  (a) a description of the data breach;
  (b) the individual’s personal data that was accessed or may have been accessed;
  (c) steps the governmental entity is taking or has taken to mitigate the impact of the data breach;
  (d) recommendations to the individual on how to protect themselves from identity theft and other financial losses; and
  (e) any other language required by the Cyber Center.

63A-19-406(4) Unless the governmental entity reasonably believes that providing notification would pose a threat to the safety of an individual, or unless an individual has designated to the governmental entity a preferred method of communication, a governmental entity shall provide notice by:
  (a)
    (i) email, if reasonably available and allowed by law; or
    (ii) mail; and
  (b) one of the following methods, if the individual’s contact information is reasonably available and the method is allowed by law:
    (i) text message with a summary of the data breach notice and instructions for accessing the full notice; or
    (ii) telephone message with a summary of the data breach notice and instructions for accessing the full data breach notice.

63A-19-406(5) A governmental entity shall also provide a data breach notice in a manner that is reasonably calculated to have the best chance of being received by the affected individual or the legal guardian of an individual, such as through a press release, posting on appropriate social media accounts, or publishing notice in a newspaper of general circulation when:
  (a) a data breach affects more than 500 individuals; and
  (b) a governmental entity is unable to obtain an individual’s contact information to provide notice for any method listed in Subsection (4).

Data Privacy Ombudsperson

63A-19-501 - Data privacy ombudsperson.

63A-19-501(1) The governor shall appoint a data privacy ombudsperson with the advice of the governing board.

63A-19-501(2) The ombudsperson shall:
  (a) be familiar with the provisions of:
    (i) this chapter;
    (ii) Chapter 12, Division of Archives and Records Service and Management of Government Records; and
    (iii) Title 63G, Chapter 2, Government Records Access and Management Act; and
  (b) serve as a resource for:
    (i) an individual who is making or responding to a complaint about a governmental entity’s data privacy practice; and
    (ii) a governmental entity which is the subject of a data privacy complaint.

63A-19-501(3) The ombudsperson may, upon request by a governmental entity or individual, mediate data privacy disputes between individuals and governmental entities.

63A-19-501(4) After consultation with the chief privacy officer, the ombudsperson may raise issues and questions before the governing board regarding serious and repeated violations of data privacy from:
  (a) a specific governmental entity; or
  (b) widespread governmental entity data privacy practices.

63A-19-501(5) When a data privacy complaint has been resolved, the ombudsperson shall post on the office’s website a summary of the complaint and the resolution of the matter.

Remedies

63A-19-601 - Enforcement.

63A-19-601(1) Upon instruction by the board, the state auditor shall:
  (a) investigate alleged violations of this chapter by a governmental entity;
  (b) provide notice to the relevant governmental entity of an alleged violation of this chapter; and
  (c) for a violation that the state auditor substantiates, provide an opportunity for the governmental entity to cure the violation within 30 days.

63A-19-601(2) If a governmental entity fails to cure a violation as provided in Subsection (1)(c), the state auditor shall report the governmental entity’s failure:
  (a) for a governmental entity that is not a state agency, to the attorney general for enforcement under Subsection (3); and
  (b) for a state agency, to the Legislative Management Committee.

63A-19-601(3) After referral by the state auditor under Subsection (2)(a), the attorney general may file an action in district court to:
  (a) enjoin a governmental entity that is not a state agency from violating this chapter; or
  (b) require a governmental entity that is not a state agency to comply with this chapter.

63A-19-602 - Disciplinary action.