- (1) There is created within the department the Utah Office of Data Privacy.
- (2) The office shall coordinate with the governing board and the commission to perform the duties in this section.
(3) The office shall:
(a) create and maintain a data privacy framework designed to:
(i) assist governmental entities to identify and implement effective and efficient data privacy practices, tools, and systems that:
- (A) protect the privacy of personal data;
- (B) comply with data privacy laws and regulations specific to the governmental entity, program, or data;
- (C) empower individuals to protect and control their personal data; and
- (D) enable information use and sharing among governmental entities, as allowed by law; and
- (ii) account for differences in a governmental entity's resources, capabilities, populations served, data types, and maturity level regarding data privacy practices;
(b) review statutory provisions related to governmental data privacy and records management to:
- (i) identify conflicts and gaps in data privacy law; and
- (ii) standardize language;
(c) work with governmental entities to study, research, and identify:
- (i) additional data privacy practices that are feasible for governmental entities;
- (ii) potential remedies and accountability mechanisms for non-compliance of a governmental entity;
- (iii) ways to expand an individual's control over the individual's personal data processed by a governmental entity;
- (iv) resources needed to develop, implement, and improve data privacy programs; and
(v) best practices regarding:
- (A) automated decision making;
- (B) the creation and use of synthetic, de-identified, or anonymized data; and
- (C) the use of website tracking technology;
- (d) monitor high-risk data processing activities within governmental entities;
- (e) coordinate with the Cyber Center to develop an incident response plan for data breaches affecting governmental entities;
(f) coordinate with the state archivist to:
- (i) incorporate data privacy practices into records management; and
- (ii) include data privacy content in the trainings described in Section 63A-12-110; and
- (g) develop, maintain, and make available data privacy training, education, and awareness materials that meet the requirements of Section 63A-19-401.2.
(4) The office may:
- (a) provide expertise and assistance to governmental entities for high-risk data processing activities;
(b) create assessment tools and resources that a governmental entity may use to:
- (i) review, evaluate, and mature the governmental entity's privacy program, practices, and processing activities; and
- (ii) evaluate the privacy impact, privacy risk, and privacy compliance of the governmental entity's privacy program, practices, and processing activities;
- (c) charge a governmental entity a service fee, established in accordance with Section 63J-1-504, for providing services that enable a governmental entity to perform the governmental entity's duties under Section 63A-19-401, if the governmental entity requests the office provide those services;
- (d) bill a state agency, as provided in Section 63J-1-410, for any services the office provides to a state agency;
(e) provide funding to assist a governmental entity in complying with:
- (i) this chapter; and
- (ii) Title 63G, Chapter 2, Part 3, Classification, and Title 63G, Chapter 2, Part 6, Collection of Information and Accuracy of Records;
- (f) advise the governing board about widespread or systemic data privacy matters or alleged violations;
- (g) work with the Division of Purchasing and General Services to develop cooperative contracts that a governmental entity may choose to use to support the governmental entity's data privacy compliance;
- (h) make available to governmental entities privacy compliance assessment tools that may be used by governmental entities to assess the governmental entity's reasonable compliance of processing activities described in this chapter;
(i) upon request of a governmental entity or on the office's own initiative, issue guidance or recommendations regarding:
- (i) compliance with this chapter; and
- (ii) best practices for data privacy and data governance;
(j) contract with an institute, component, or department at a state institution of higher education to support the office in:
- (i) conducting research and prepare reports regarding data privacy and data governance;
- (ii) providing support to the commission;
- (iii) holding data governance summits and educational programs;
- (iv) developing systems and tools to support data privacy and data governance; and
- (v) providing other services in support of the office's duties under this chapter;
- (k) create data governance models that may be used by governmental entities; and
- (l) make rules in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, to administer this chapter.
(5)
(a) Upon application by a governmental entity, the office may grant, for a limited period of time, a governmental entity with an:
- (i) extension of time to comply with certain requirements of Part 4, Duties of Governmental Entities; or
- (ii) exemption from complying with certain requirements of Part 4, Duties of Governmental Entities.
- (b) On the office's own initiative, the office may issue a one-time extension to a category or group of governmental entities to comply with certain requirements of Part 4, Duties of Governmental Entities.
(c) An extension issued under Subsection (5)(b):
(i) shall:
- (A) identify the specific duty for which the extension is granted and the section that imposes the duty; and
- (B) specify the category or group of governmental entities to which the extension applies; and
- (ii) may not be longer than 12 months.
(d) An application for an extension or exemption submitted under Subsection (5)(a) shall:
- (i) identify the specific duty from which the governmental entity seeks an extension or exemption and the section that imposes that duty; and
- (ii) include a justification for the requested extension or exemption.
(e) If the office grants an exemption under Subsection (5)(a), the office shall report at the next board meeting:
- (i) the name of the governmental entity that received an exemption; and
- (ii) the nature of the exemption.
Amended by Chapter 202, 2026 General Session