Utah Government Data Privacy Act
Nora Kurzova, Asst. State Privacy Officer
May 22, 2024

This document is for educational purposes only; it is not legal advice.

Office of the State Auditor

Utah Government Data Privacy Act (GDPA) - Highlights
https://le.utah.gov/xcode/Title63A/Chapter19/63A-19.html

  • Requires all governmental entities to fulfill duties related to personal data privacy, including:
    • expanded breach notification;
    • limits on data collection and use; and
    • an enhanced ability to access, correct and delete (optional) data.

  • Requires an annual privacy training as well as on-boarding training - for all employees with access to personal data.
  • Prohibits the sale of personal data unless required by law or based on an approved fee schedule (example: a fee for access to data).
  • Prohibits the sharing of personal data unless permitted by law.
  • Prohibits covert surveillance unless permitted by law.
  • Creates the Utah Privacy Governing Board.
  • Establishes the Office of Data Privacy for state agencies.
  • Creates a Data Privacy Ombudsperson role.
  • Mandates entities to require contractors to comply with GDPA.
  • Supplements already existing federal or state legal requirements; where they differ, the stricter regulation applies.


GDPA Key Requirements and Timelines for Designated Governmental Entities

    • Log and report data breaches and provide appropriate notifications - as of May 2024
    • Provide notice on the purpose of the collection and use of data. Provide notice when the use of data changes - as of May 2024
    • Establish a process to correct personal data when inaccurate and facilitate correction requests - as of May 2024
    • Provide (and monitor completion of) annual privacy training as well as on-boarding training - as of May 2024
    • Report the sale of personal data. This law prohibits the sale of personal data unless required by law - annually, starting 2024
    • Report sharing practices of personal data. This law prohibits the sharing of personal data unless permitted by law - report to the State Privacy Officer annually, starting 2024
    • Create and implement a privacy program with corresponding privacy policies and standards by May 1, 2025
    • Map data and, for processing that began before May 2024, prepare a plan to bring it into compliance by 2027.


Data Processing Checklist: going forward, you need to:

  • Reasonably attempt to collect and process the minimum amount of personal data necessary.
  • Verify the activity does not constitute unauthorized surveillance.
  • Verify the activity is not an unauthorized selling or sharing of data.
  • Verify Notice of Purpose and Use is provided.
  • Verify agreements include required terms and conditions.
  • Verify capability to access, correct and delete (optional or inaccurate) data according to retention schedules.
  • Keep an inventory of the uses of personal data, the type of data, the basis for sharing, and the classes of persons and entities that receive it.
  • Annually report sharing practices to the State Privacy Officer.
  • If a data breach occurs and a compromise of personal data has not been ruled out, notify the impacted individuals (regardless of number); if the breach impacts over 500 people, also notify the Office of the Attorney General and the Utah Cyber Center without delay (within 5 days).
  • If a compromise of a computer system occurred, notify the Utah Cyber Center regardless of the severity of the impact.


“Data Breach” definition: “unauthorized access, acquisition, disclosure, loss of access, or destruction of personal data held by a governmental entity, unless the governmental entity concludes, according to standards established by the Cyber Center, that there is a low probability that personal data has been compromised.”

Computer system compromise: “unauthorized access, acquisition, disclosure, loss of access, or destruction of data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity”

How should I notify the Cyber Center, AG’s office or the individual?

  • Both the AG’s office and the Cyber Center are notified by filling out this interactive form: https://cybercenter.utah.gov/Report-a-Breach/

Notification to individuals in case of a personal data breach: unless the governmental entity reasonably believes that providing notification would pose a threat to the safety of an individual, or unless an individual has designated to the governmental entity a preferred method of communication, a governmental entity shall provide notice:

  • By email, if reasonably available and allowed by law;
  • By mail; and one of the following methods, if the individual's contact information is available and the method is allowed by law:
    • text message with a summary of the data breach notice and instructions for accessing the full notice; or
    • telephone message with a summary of the data breach notice and instructions for accessing the full data breach notice.
  • Without delay, once the scope of the breach has been established and reasonable integrity of the service or system has been restored.


What should be in a “personal data request notice” and how should I provide it to people?

  • the reasons the individual is asked to provide the data;
  • the purposes and uses of the personal data;
  • the consequences for refusing to provide the personal data;
  • the classes of persons and entities that share or receive the data; and
  • the record series in which the personal data will be included, if applicable.

The governmental entity shall provide the personal data request notice by

  1. posting the personal data request notice in a prominent place where the governmental entity collects the personal data;
  2. including the personal data request notice as part of any document or form used by the governmental entity to collect the personal data; or
  3. conspicuously linking to or displaying a QR code linked to an electronic version of the personal data request notice as part of any document or form used by the governmental entity to collect the personal data.


What resources do we have for you?

We have a “Privacy Toolkit” that includes:

  • Annual Report to SPO on Data Sharing Template
  • Bring Your Own Device Template
  • Generative AI Usage Policy for Governmental Entities Template
  • Governmental Entity Privacy Program Template
  • Information Lifecycle Policy Template
  • Personal Data (PII) Inventory Template
  • Personal Data Breach Notification to Impacted Individuals Template
  • Personal Data Collection Notice Template
  • Personal Data Processing Consent Template
  • PIA Assessment Template
  • Privacy Contract Clauses
  • Privacy Policy Simple Template
  • Privacy Policy Statement Template
  • Privacy Basics Training Video
  • Response Kit prepared by the Utah Cyber Center

Please note that all of these are starting points only; they need to be customized to fit your organization and should be reviewed with appropriate legal counsel and/or cyber security experts.


Questions?

Contact details:

  • State Privacy Officer: wphillips@utah.gov
  • Asst. State Privacy Officer: nkurzova@utah.gov
