(1) There is created within the department the Utah Office of Data Privacy.
(2) The office shall coordinate with the governing board and the commission to perform the duties in this section.
(3) The office shall:
(3)(a) create and maintain a data privacy framework designed to:
(3)(a)(i) assist governmental entities to identify and implement effective and efficient data privacy practices, tools, and systems that:
(3)(a)(i)(A) protect the privacy of personal data;
(3)(a)(i)(B) comply with data privacy laws and regulations specific to the governmental entity, program, or data;
(3)(a)(i)(C) empower individuals to protect and control their personal data; and
(3)(a)(i)(D) enable information use and sharing among governmental entities, as allowed by law; and
(3)(a)(ii) account for differences in a governmental entity's resources, capabilities, populations served, data types, and maturity level regarding data privacy practices;
(3)(b) review statutory provisions related to governmental data privacy and records management to:
(3)(b)(i) identify conflicts and gaps in data privacy law; and
(3)(b)(ii) standardize language;
(3)(c) work with governmental entities to study, research, and identify:
(3)(c)(i) additional data privacy practices that are feasible for governmental entities;
(3)(c)(ii) potential remedies and accountability mechanisms for non-compliance of a governmental entity;
(3)(c)(iii) ways to expand an individual's control over the individual's personal data processed by a governmental entity;
(3)(c)(iv) resources needed to develop, implement, and improve data privacy programs; and
(3)(c)(v) best practices regarding:
(3)(c)(v)(A) automated decision making;
(3)(c)(v)(B) the creation and use of synthetic, de-identified, or anonymized data; and
(3)(c)(v)(C) the use of website tracking technology;
(3)(d) monitor high-risk data processing activities within governmental entities;
(3)(e) coordinate with the Cyber Center to develop an incident response plan for data breaches affecting governmental entities;
(3)(f) coordinate with the state archivist to:
(3)(f)(i) incorporate data privacy practices into records management; and
(3)(f)(ii) include data privacy content in the trainings described in Section 63A-12-110; and
(3)(g) create a data privacy training program for employees of governmental entities as described in Section 63A-19-401.3.
(4) The office may:
(4)(a) provide expertise and assistance to governmental entities for high-risk data processing activities;
(4)(b) create assessment tools and resources that a governmental entity may use to:
(4)(b)(i) review, evaluate, and mature the governmental entity's privacy program, practices, and processing activities; and
(4)(b)(ii) evaluate the privacy impact, privacy risk, and privacy compliance of the governmental entity's privacy program, practices, and processing activities;
(4)(c) charge a governmental entity a service fee, established in accordance with Section 63J-1-504, for providing services that enable a governmental entity to perform the governmental entity's duties under Section 63A-19-401, if the governmental entity requests the office provide those services;
(4)(d) bill a state agency, as provided in Section 63J-1-410, for any services the office provides to a state agency;
(4)(e) provide funding to assist a governmental entity in complying with:
(4)(e)(i) this chapter; and
(4)(e)(ii) Title 63G, Chapter 2, Part 3, Classification, and Title 63G, Chapter 2, Part 6, Collection of Information and Accuracy of Records; and
(4)(f) make rules in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, to administer this part.
(5)(a) Upon application by a governmental entity, the office may:
(5)(a)(i) grant, for a limited period of time, a governmental entity with an:
(5)(a)(i)(A) extension of time to comply with certain requirements of Part 4, Duties of Governmental Entities; or
(5)(a)(i)(B) exemption from complying with certain requirements of Part 4, Duties of Governmental Entities; or
(5)(a)(ii) allow a governmental entity to establish a data privacy training program for the governmental entity's employees to complete, instead of the data privacy training program established by the office under Section 63A-19-401.3, if the governmental entity's data privacy training program contains the same information contained in the office's data privacy training program.
(5)(b) An application for an extension or exemption submitted under Subsection (5)(a)(i) shall:
(5)(b)(i) identify the specific duty from which the governmental entity seeks an extension or exemption and the section that imposes that duty; and
(5)(b)(ii) include a justification for the requested extension or exemption.
(5)(c) If the office grants an exemption under Subsection (5)(a), the office shall report at the next board meeting:
(5)(c)(i) the name of the governmental entity that received an exemption; and
(5)(c)(ii) the nature of the exemption.
(5)(d) The office shall notify the state privacy auditor of any approved extensions or exemptions.