- (1) There is created within the office the position of data privacy ombudsperson.
- (2) The governor shall appoint the ombudsperson with the advice of the governing board.
(3) The ombudsperson shall:
- (a) be an attorney in good standing and authorized to practice law in this state;
(b) be familiar with the provisions of:
- (i) this chapter;
- (ii) Chapter 12, Division of Archives and Records Service and Management of Government Records;
- (iii) Chapter 20, State-Endorsed Digital Identity; and
- (iv) Title 63G, Chapter 2, Government Records Access and Management Act; and
(c) serve as a resource for:
- (i) an individual who is making a data privacy complaint; and
- (ii) a governmental entity that is the subject of a data privacy complaint.
(4) The ombudsperson may:
(a)
- (i) upon request by a governmental entity or individual, mediate a dispute between the governmental entity and the individual regarding the individual's data privacy complaint; and
- (ii) upon resolution of a data privacy complaint described in Subsection (4)(a)(i), post on the office's website a brief summary of the data privacy complaint and the resolution of the matter; and
- (b) provide data privacy education and training in accordance with Subsection 63A-19-301(3)(g).
(5) The ombudsperson may not:
(a) mediate a dispute between a governmental entity and an individual if the individual's data privacy complaint is within the authority of:
- (i) the Government Records Office created in Section 63A-12-202; or
- (ii) the government records ombudsman established in Section 63A-12-204;
- (b) expand the scope of a mediation beyond the individual's data privacy complaint;
- (c) testify, or be compelled to testify, regarding a matter for which the ombudsperson provides services under this section; or
- (d) conduct an audit of a governmental entity's privacy practices.
- (6) After consultation with the chief privacy officer, the ombudsperson may raise matters and questions to the governing board.
- (7) The ombudsperson may receive and review complaints regarding alleged violations of Chapter 20, State-Endorsed Digital Identity, by private sector entities, and may refer such complaints to the attorney general for enforcement in accordance with Section 63A-20-801.
Amended by Chapter 202, 2026 General Session