Utah Code § 63A-19-301

Utah Office of Data Privacy
(1) There is created within the department the Utah Office of Data Privacy.
(2) The office shall coordinate with the governing board and the commission to perform the duties
in this section.
(3) The office shall:
(a) create and maintain a data privacy framework designed to:
(i) assist governmental entities to identify and implement effective and efficient data privacy
practices, tools, and systems that:
(A) protect the privacy of personal data;
(B) comply with data privacy laws and regulations specific to the governmental entity,
program, or data;
(C) empower individuals to protect and control their personal data; and
(D) enable information use and sharing among governmental entities, as allowed by law; and
(ii) account for differences in a governmental entity's resources, capabilities, populations
served, data types, and maturity level regarding data privacy practices;
(b) review statutory provisions related to governmental data privacy and records management to:
(i) identify conflicts and gaps in data privacy law; and
(ii) standardize language;
(c) work with governmental entities to study, research, and identify:
(i) additional data privacy practices that are feasible for governmental entities;
(ii) potential remedies and accountability mechanisms for non-compliance of a governmental
entity;
(iii) ways to expand an individual's control over the individual's personal data processed by a
governmental entity;
(iv) resources needed to develop, implement, and improve data privacy programs; and
(v) best practices regarding:
(A) automated decision making;
(B) the creation and use of synthetic, de-identified, or anonymized data; and
(C) the use of website tracking technology;
(d) monitor high-risk data processing activities within governmental entities;
(e) coordinate with the Cyber Center to develop an incident response plan for data breaches
affecting governmental entities;
(f) coordinate with the state archivist to:
(i) incorporate data privacy practices into records management; and
(ii) include data privacy content in the trainings described in Section 63A-12-110; and
(g) develop, maintain, and make available data privacy training, education, and awareness
materials that meet the requirements of Section 63A-19-401.2.
(4) The office may:
(a) provide expertise and assistance to governmental entities for high-risk data processing
activities;
(b) create assessment tools and resources that a governmental entity may use to:
(i) review, evaluate, and mature the governmental entity's privacy program, practices, and
processing activities; and
(ii) evaluate the privacy impact, privacy risk, and privacy compliance of the governmental
entity's privacy program, practices, and processing activities;
(c) charge a governmental entity a service fee, established in accordance with Section
63J-1-504, for providing services that enable a governmental entity to perform the
governmental entity's duties under Section 63A-19-401, if the governmental entity requests
the office provide those services;
(d) bill a state agency, as provided in Section 63J-1-410, for any services the office provides to a
state agency;
(e) provide funding to assist a governmental entity in complying with:
(i) this chapter; and
(ii) Title 63G, Chapter 2, Part 3, Classification, and Title 63G, Chapter 2, Part 6, Collection of
Information and Accuracy of Records;
(f) advise the governing board about widespread or systemic data privacy matters or alleged
violations;
(g) work with the Division of Purchasing and General Services to develop cooperative contracts
that a governmental entity may choose to use to support the governmental entity's data
privacy compliance;
(h) make available to governmental entities privacy compliance assessment tools that may be
used by governmental entities to assess the governmental entity's reasonable compliance of
processing activities described in this chapter;
(i) upon request of a governmental entity or on the office's own initiative, issue guidance or
recommendations regarding:
(i) compliance with this chapter; and
(ii) best practices for data privacy and data governance;
(j) contract with an institute, component, or department at a state institution of higher education to
support the office in:
(i) conducting research and prepare reports regarding data privacy and data governance;
(ii) providing support to the commission;
(iii) holding data governance summits and educational programs;
(iv) developing systems and tools to support data privacy and data governance; and
(v) providing other services in support of the office's duties under this chapter;
(k) create data governance models that may be used by governmental entities; and
(l) make rules in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, to
administer this chapter.
(5)
(a) Upon application by a governmental entity, the office may grant, for a limited period of time, a
governmental entity with an:
(i) extension of time to comply with certain requirements of Part 4, Duties of Governmental
Entities; or
(ii) exemption from complying with certain requirements of Part 4, Duties of Governmental
Entities.
(b) On the office's own initiative, the office may issue a one-time extension to a category or
group of governmental entities to comply with certain requirements of Part 4, Duties of
Governmental Entities.
(c) An extension issued under Subsection (5)(b):
(i) shall:
(A) identify the specific duty for which the extension is granted and the section that imposes
the duty; and
(B) specify the category or group of governmental entities to which the extension applies; and
(ii) may not be longer than 12 months.
(d) An application for an extension or exemption submitted under Subsection (5)(a) shall:
(i) identify the specific duty from which the governmental entity seeks an extension or
exemption and the section that imposes that duty; and
(ii) include a justification for the requested extension or exemption.
(e) If the office grants an exemption under Subsection (5)(a), the office shall report at the next
board meeting:
(i) the name of the governmental entity that received an exemption; and
(ii) the nature of the exemption.
