(1) On or before December 31 of each year, the chief administrative officer of each governmental entity shall prepare a report that includes:
- (a) how the governmental entity has initiated the governmental entity's privacy program;
(b) a description of:
- (i) the governmental entity's privacy program including privacy practices;
- (ii) strategies for improving and maturing the governmental entity's privacy program and practices; and
- (iii) the governmental entity's high-risk processing activities;
- (c) a list of the types of personal data the governmental entity currently shares, sells, or purchases;
- (d) the legal basis for sharing, selling, or purchasing personal data;
(e) the category of individuals or entities:
- (i) with whom the governmental entity shares personal data;
- (ii) to whom the governmental entity sells personal data; or
- (iii) from whom the governmental entity purchases personal data;
- (f) the percentage of the governmental entity's employees required to complete the data privacy training under Section 63A-19-401.2 that have completed the training; and
- (g) a description of any non-compliant processing activities identified under Subsection 63A-19-401(2)(a)(iv) and the governmental entity's strategy for bringing those activities into compliance with this part.
(2) The report described in Subsection (1) shall be:
- (a) considered a protected record under Section 63G-2-305;
- (b) shared with the office, in accordance with Section 63G-2-206, on or before December 31 each year; and
- (c) retained by the governmental entity for no less than five years.
Amended by Chapter 202, 2026 General Session