Division of Archives and Records Service

Privacy Bill FAQ

Kendra Yates / June 11, 2024

On March 19, House Bill 491 for the Government Data Privacy Act was signed by the Governor of Utah. The bill provides for the creation of a Utah Privacy Governing Board and the creation of the Office of Data Privacy, which is responsible for assisting state agencies in implementing privacy practices, including compliance with legislation, facilitating data subject rights and individuals’ control of their personal data, and enabling information sharing between state agencies.

Since this bill went into effect on May 1, 2024, as the Government Data Privacy Act (Utah Code 63A-19), we’d like to provide some additional guidance. Please review the Frequently Asked Questions page and reach out to your RIM Specialist with any questions.

Government Data Privacy Act FREQUENTLY ASKED QUESTIONS

NOTE: The information provided is intended as informational only and does not constitute legal advice. Last Updated: 06/05/2024

Does HB 491 supersede GRAMA – meaning all records are considered private unless otherwise specified?

No. GRAMA is more restrictive than HB 491, and in cases where that happens, the more specific or more restrictive provision applies. HB 491 is an enhancement of the privacy laws in GRAMA, not a replacement.

Are AROs expected to keep all PII redacted while it’s being created and used in their office – even from their own staff?

No!

Is the government allowed to collect PII?

Yes, a governmental entity that has a lawful basis and accepted legal requirements for collecting PII can do so. The expectation is that they will collect the minimum amount “reasonably necessary to efficiently achieve a specified purpose,” per Utah Code 63A-19-401(2)(c).

Is there an official date when local and state government agencies are expected to be compliant with privacy requirements?

By May 1, 2024, governmental entities are required to have any new systems or new processes (i.e., those adopted after May 1, 2024) in compliance with Utah Code 63A-19-4.

By May 1, 2025, governmental entities are expected to have documented privacy programs that include policies, practices, and procedures for the processing of personal data. 

By January 1, 2027, governmental entities need to be in full compliance with all statutes and regulations in Utah Code 63A-19-4. This includes (but is not limited to): verifying that a record series with an approved retention schedule is created that accounts for the PII being processed and disposed of appropriately; notifying individuals of the purposes and uses for which PII is collected and having processes in place for notifying individuals when a private data breach has occurred; working to obtain and process the minimum amount of data needed; and training employees regarding data privacy.

Subsection 63G-2-307(1) requires a governmental entity to evaluate their record series, designate their record series, and report the designation of their record series to State Archives. This is not a new requirement; however, last year language was added that requires executive branch agencies to also report the privacy annotation of their record series to State Archives. Similarly, Subsection 63G-2-601(1) requires a governmental entity to file with State Archives a statement explaining the purposes for which personal identifying information in a record series is collected, maintained, or used. I am wondering if Archives has a specific form or process for this? Can a governmental entity amend an already existing record retention schedule or do they submit a separate statement to Archives?

We at the State Archives have tried a few processes in the past for collecting the PII info about record series in our legacy system, but none of them displayed the information publicly on our website, which seemed to defeat the purpose, so we did not really use them. We are working with the Chief Privacy Officer and his team to develop a system where these purpose statements and annotations can be added by agencies and will be displayed online. 

In the meantime, agencies that want these showing on their record series are adding them to the record series descriptions. They can do this by contacting their RIM Specialist.

Can you provide some examples of privacy annotations on record series retention schedules?

Department of Transportation, Traffic Management: Trio of schedules for the use and management of Express Lanes