(1) On or before December 31 of each year, the chief administrative officer of each governmental entity shall prepare a report that includes: (a) how the governmental entity has initiated the governmental entity's privacy program; (b) a description of: (i) the governmental entity's privacy program including privacy practices; (ii) strategies for improving and maturing the governmental entity's privacy program and practices; and (iii) the governmental entity's high-risk processing activities; (c) a list of the types of personal data the governmental entity currently shares, sells, or purchases; (d) the legal basis for sharing, selling, or purchasing personal data; (e) the category of individuals or entities: (i) with whom the governmental entity shares personal data; (ii) to whom the governmental entity sells personal data; or (iii) from whom the governmental entity purchases personal data; (f) the percentage of the governmental entity's employees required to complete the data privacy training under Section 63A-19-401.2 that have completed the training; and (g) a description of any non-compliant processing activities identified under Subsection 63A-19-401(2)(a)(iv) and the governmental entity's strategy for bringing those activities into compliance with this part. (2) The report described in Subsection (1) shall be: (a) considered a protected record under Section 63G-2-305; (b) shared with the office, in accordance with Section 63G-2-206, on or before December 31 each year; and (c) retained by the governmental entity for no less than five years.
‹ Prev All Utah sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.