(1) As used in this section:
(1)(a) "Governmental entity" means the same as that term is defined in Section 63G-2-103.
(1)(b) "Personal data" means the same as that term is defined in Section 63A-19-101.
(1)(c) "Privacy practice" means the same as that term is defined in Section 63A-19-101.
(1)(d) "State agency" means the same as that term is defined in Section 63A-19-101.
(1)(e) "State privacy auditor" means the individual appointed as state privacy auditor by the state auditor under Section 67-3-1.
(2) The state privacy auditor shall:
(2)(a) compile information about the privacy practices of governmental entities;
(2)(b) make public and maintain information about the privacy practices of governmental entities on the state auditor's website;
(2)(c) provide governmental entities with guidance and training regarding the data privacy auditing standards developed by the state privacy auditor;
(2)(d) implement a process to analyze and respond to requests from individuals for the state privacy auditor to audit a governmental entity's privacy practice;
(2)(e) identify annually which governmental entities' privacy practices pose the greatest risk to individual privacy and prioritize those privacy practices to be audited;
(2)(f) audit each year, in as timely a manner as possible, the privacy practices that the state privacy auditor identifies under Subsection (2)(d) or (2)(e) as posing the greatest risk to individuals' privacy;
(2)(g) when auditing a governmental entity's privacy practice under Subsection (2)(f), analyze:
(2)(g)(i) details about the technology or the policy and the technology's or the policy's application;
(2)(g)(ii) information about the type of personal data being used;
(2)(g)(iii) information about how the personal data is obtained, stored, shared, secured, and disposed;
(2)(g)(iv) information about the governmental entity's sharing or selling of personal data;
(2)(g)(v) information about whether an individual can or should be able to opt out of the retention, selling, and sharing of the individual's personal data;
(2)(g)(vi) information about how the governmental entity de-identifies or anonymizes personal data;
(2)(g)(vii) a determination about the existence of alternative technology or improved practices to protect privacy; and
(2)(g)(viii) a finding of whether the governmental entity's current privacy practices adequately protect individual privacy; and
(2)(h) after completing an audit described in Subsections (2)(f) and (g), determine:
(2)(h)(i) each governmental entity's use of personal data, including the governmental entity's privacy practices regarding personal data:
(2)(h)(i)(A) acquisition;
(2)(h)(i)(B) storage;
(2)(h)(i)(C) disposal;
(2)(h)(i)(D) protection; and
(2)(h)(i)(E) sharing;
(2)(h)(ii) the adequacy of the governmental entity's practices in each of the areas described in Subsection (2)(h)(i); and
(2)(h)(iii) for each of the areas described in Subsection (2)(h)(i) that the state privacy auditor determines to require reform, provide recommendations for reform to the governmental entity and the legislative body charged with regulating the governmental entity.
(3)(a) The legislative body charged with regulating a governmental entity that receives a recommendation described in Subsection (2)(h)(iii) shall hold a public hearing on the proposed reforms:
(3)(a)(i) with a quorum of the legislative body present; and
(3)(a)(ii) within 90 days after the day on which the legislative body receives the recommendation.
(3)(b)(i) The legislative body shall provide notice of the hearing described in Subsection (3)(a).
(3)(b)(ii) Notice of the public hearing and the recommendations to be discussed shall be posted for the jurisdiction of the governmental entity, as a class A notice under Section 63G-30-102, for at least 30 days before the day on which the legislative body will hold the public hearing.
(3)(b)(iii) Each notice required under Subsection (3)(b)(i) shall:
(3)(b)(iii)(A) identify the recommendations to be discussed; and
(3)(b)(iii)(B) state the date, time, and location of the public hearing.
(3)(c) During the hearing described in Subsection (3)(a), the legislative body shall:
(3)(c)(i) provide the public the opportunity to ask questions and obtain further information about the recommendations; and
(3)(c)(ii) provide any interested person an opportunity to address the legislative body with concerns about the recommendations.
(3)(d) At the conclusion of the hearing, the legislative body shall determine whether the legislative body shall adopt reforms to address the recommendations and any concerns raised during the public hearing.
(4) Subsection (3) does not apply to:
(4)(a) a state agency;
(4)(b) the legislative branch;
(4)(c) the judicial branch;
(4)(d) an executive branch agency within the Office of the Attorney General, the state auditor, the state treasurer, or the State Board of Education; or
(4)(e) an independent entity.
(5) The state privacy auditor shall:
(5)(a) quarterly report, to the Utah Privacy Commission:
(5)(a)(i) recommendations for privacy practices for the commission to review; and
(5)(a)(ii) the information provided in Subsection (2)(h); and
(5)(b) annually, on or before October 1, report to the Judiciary Interim Committee:
(5)(b)(i) the results of any audits described in Subsection (2)(f), if any audits have been completed;
(5)(b)(ii) reforms, to the extent that the state privacy auditor is aware of any reforms, that the governmental entity made in response to any audits described in Subsection (2)(f);
(5)(b)(iii) the information described in Subsection (2)(h); and
(5)(b)(iv) recommendations for legislation based on any results of an audit described in Subsection (2)(f).