Bill Summary – FastDemocracy

02-19-24 4:05 PM                                                      2nd Sub. (Gray) H.B. 491
  to a more restrictive or º a more » specific provision of law than found in this part, the
305a governmental
  entity º or contractor » shall comply with the more restrictive or º more » specific
306a provision of law.
             (ii) For purposes of Subsection (1)(b)(i), Title 63G, Chapter 2, Government Records
  Access and Management Act, is a more º [restrictive and] » specific provision of law º
308a and shall control over the provisions of this part » .
             (c) A governmental entity that is exempt under Section 63G-2-702, 63G-2-703, or
  63G-2-704 from complying with the requirements in Title 63G, Chapter 2, Part 6, Collection of
  Information and Accuracy of Records, is exempt from complying with the requirements in
  Sections 63A-19-402, 63A-19-403, and 63A-19-404.
             (2) A governmental entity:
             (a) shall implement and maintain a privacy program before May 1, 2025, that includes
  the governmental entity's policies, practices, and procedures for the process of personal data;
             (b) shall provide notice to an individual or the legal guardian of an individual, if the
  individual's personal data is affected by a data breach, in accordance with Section 63A-19-406;
             (c) shall obtain and process only the minimum amount of personal data reasonably
  necessary to efficiently achieve a specified purpose;
             (d) shall meet the requirements of this part for all processing activities implemented by
  a governmental entity after May 1, 2024;
             (e) shall for any processing activity implemented before May 1, 2024, as soon as is
  reasonably practicable, but no later than January 1, 2027:
             (i) identify any non-compliant processing activity:
             (ii) document the non-compliant processing activity; and
             (iii) prepare a strategy for bringing the non-compliant processing activity into
  compliance with this part;
             (f) may not establish, maintain, or use undisclosed or covert surveillance of individuals
  unless permitted by law;
             (g) may not sell personal data unless expressly required by law;
             (h) may not share personal data unless permitted by law;
             (i) (i) that is a designated governmental entity, shall annually report to the state privacy
  officer:
             (A) the types of personal data the designated governmental entity currently shares or
  sells;
                                                          - 11 -           House Floor Amendments 2-23-2024 ho/se1
         2nd Sub. (Gray) H.B. 491                                                        02-19-24 4:05 PM
            (B) the basis for sharing or selling the personal data; and
            (C) the classes of persons and the governmental entities that receive the personal data
  from the designated governmental entity; and
            (ii) that is a state agency, shall annually report to the chief privacy officer:
            (A) the types of personal data the state agency currently shares or sells;
            (B) the basis for sharing or selling the personal data; and
            (C) the classes of persons and the governmental entities that receive the personal data
  from the state agency; and
            (j) (i) except as provided in Subsection (3), an employee of a governmental entity shall
  complete a data privacy training program:
            (A) within 30 days after beginning employment; and
            (B) at least once in each calendar year; and
            (k) is responsible for monitoring completion of data privacy training by the
  governmental entity's employees.
            (3) An employee of a governmental entity that does not have access to personal data of
  individuals as part of the employee's work duties is not required to complete a data privacy
  training program described in Subsection (2)(j)(i).
            (4) (a) A contractor that enters into or renews an agreement with a governmental entity
  after May 1, 2024, and processes or has access to personal data as a part of the contractor's
  duties under the agreement, is subject to the requirements of this chapter with regard to the
  personal data processed or accessed by the contractor to the same extent as required of the
  governmental entity.
            (b) An agreement under Subsection (4)(a) shall require the contractor to comply with
  the requirements of this chapter º with regard to the personal data processed or accessed by
359a the contractor as a part of the contractor's duties under the agreement » to the same extent
359b as º required of » the governmental entity.
            (c) The requirements under Subsections (4)(a) and (b) are in addition to and do not
  replace any other requirements or liability that may be imposed for the contractor's violation of
  other laws protecting privacy rights or government records.
            Section 9. Section 63A-19-402 is enacted to read:
            63A-19-402. General governmental privacy requirements -- Personal data request
 notice.
           (1) A governmental entity shall provide a personal data request notice to an individual,
                                                          - 12 -            House Floor Amendments 2-23-2024 ho/se1
Statutes affected: 
H.B. 491 3rd Substitute (Not Adopted) Text: 63A-12-115, 63C-24-101, 63C-24-102, 63C-24-201, 63C-24-202, 67-3-13
Amended: 63A-12-115, 63C-24-101, 63C-24-102, 63C-24-201, 63C-24-202, 67-3-13
Enrolled: 63A-12-115, 63C-24-101, 63C-24-102, 63C-24-201, 63C-24-202, 67-3-13
H.B. 491 1st Substitute (Not Adopted) Text: 63A-12-115, 63C-24-101, 63C-24-102, 63C-24-201, 63C-24-202, 67-3-13
H.B. 491 2nd Substitute (Not Adopted) Text: 63A-12-115, 63C-24-101, 63C-24-102, 63C-24-201, 63C-24-202, 67-3-13
Introduced: 63A-12-115, 63C-24-101, 63C-24-102, 63C-24-201, 63C-24-202, 67-3-13