SRC-TBR S.B. 866 77(R) BILL ANALYSIS Senate Research Center S.B. 866 77R7419 JRD-DBy: Nelson Business & Commerce 3/5/2001 As Filed DIGEST AND PURPOSE Currently, Texas is one of a number of states that do not have a clear privacy policy relating to personal information held by state and local governments. As proposed, S.B. 866 establishes a basic framework of privacy principles, including guidelines for the proper collection, use, retention, and disclosure of personal information by governmental entities. RULEMAKING AUTHORITY Rulemaking authority is expressly granted to the attorney general in SECTION 1 (Section 559.051 Government Code), the Department of Information Resources in SECTION 1 (Section 559.055 Government Code) of this bill. SECTION BY SECTION ANALYSIS SECTION 1. Amends, Title 5A, Government Code, by adding Chapter 559 as follows: CHAPTER 559. TEXAS PRIVACY ACT SUBCHAPTER A. GENERAL PROVISIONS Sec. 559.001. SHORT TITLE. Authorizes this chapter to be cited as the Texas Privacy Act. Sec. 559.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY PRINCIPLES. Sets forth legislative findings. Sec. 559.003. DEFINITIONS. Defines "personal information," and "governmental entity." Sec. 559.004. CONSTRUCTION WITH OTHER LAW. Provides that this chapter does not affect the ability of a state or local governmental entity to undertake a lawful investigation or to protect persons, property, or the environment in the manner authorized by law, or the duty of a state or local governmental entity to comply with applicable law. (Reserves Sections 559.005-559.050 reserved for expansion.) SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS Sec. 559.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a) Provides that this section applies only to the disclosure by government of information that reveals an individual's social security number, bank account number, credit card account number, or other financial account number; or computer password or computer network location or identity. (b) Prohibits a state or local governmental entity from disclosing information described by Subsection (a) under Chapter 552 (Public Information) or other law unless the attorney general authorizes the disclosure after determining certain factors. (c) Authorizes the attorney general to adopt rules to implement this section, including rules that describe appropriate and clearly defined circumstances under which a category of information described by Subsection (a) is presumed to satisfy a requirement of Subsection (b) and therefore may be disclosed without the necessity of obtaining specific authorization for the disclosure from the attorney general. Provides that a rule of the attorney general that describes circumstances under which information presumptively may be disclosed may limit disclosure to specific state, local, or federal authorities or may allow the information to be generally disclosed under Chapter 552, as appropriate. (d) Requires the attorney general to develop procedures under which the office of the attorney general will expedite a decision whether to authorize disclosure of information described by Subsection (a) when expedited consideration is warranted under the circumstances. (e) Provides that a decision of the attorney general under this section may be challenged in court in the same manner that a decision of the attorney general may be challenged under Subchapter G, Chapter 552. (f) Provides that if information described by Subsection (a) is requested under Chapter 552, Section 552.325 applies in relation to the individual who is the subject of the information in the same manner as if the individual were a requestor of the information, except that the attorney general shall notify the individual under Section 552.325(c) if the attorney general proposes to agree to the release of all or part of the information. Sec. 559.052. COLLECTION OF PERSONAL INFORMATION. Requires a state or local governmental entity to establish procedures to ensure that the governmental entity collects personal information only to the extent reasonably necessary to meet certain factors. Sec. 559.053. RECORDS RETENTION SCHEDULES. (a) Requires a state or local governmental entity, in adopting or amending its records retention schedule, to schedule the retention of personal information only for the period necessary to accomplish the purpose for which the information was collected or, if applicable, for the minimum period specifically prescribed by statute. (b) Provides that Subsection (a) does not apply to the retention of personal information that has demonstrable historical or archival value. Sec. 559.054. GENERAL PRIVACY POLICIES. (a) Requires a state or local governmental entity to develop a privacy policy that completely describes in plainly written language certain factors. (b) Requires the state or local governmental entity to promptly amend the privacy policy whenever information in the policy becomes incorrect or incomplete. (c) Requires the state or local governmental entity to prominently post its current privacy policy by certain methods. Sec. 559.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY. (a) Requires the Department of Information Resources (department) to adopt rules prescribing minimum privacy standards with which an Internet site or portal maintained by or for a state or local governmental entity must comply. Requires the rules to be designed to limit the collection of personal information about users of the government Internet site or portal to certain information. (b) Requires the department, in adopting its rules under this section, to consider policies adopted by other states and the federal government in this regard. (c) Requires a state or local governmental entity that maintains an Internet site or portal or for which an Internet site or portal is maintained to adopt a privacy policy regarding information collected through the site or portal and provide a prominent link to the policy for users of the site or portal. Requires the policy to be consistent with the rules adopted by the department under this section and be included as a prominent separate element of the general privacy policy that the entity is required to develop and to which it must provide an Internet link under Section 559.054. Sec. 559.056. STATE AUDITOR. (a) Requires the state auditor to establish auditing guidelines to ensure that state and local governmental entities that the state auditor has authority to audit under other law take certain actions. (b) Requires the state auditor, during an appropriate type of audit, to audit a state or local governmental entity for compliance with the guidelines established under Subsection (a). (Reserves Section 559.057 - 559.100 for expansion.) SUBCHAPTER C. GUIDELINES AND STUDIES Sec. 559.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING PRIVACY ISSUES. (a) Requires the attorney general to establish guidelines for state and local governmental entities to follow when considering privacy issues that arise in connection with requests for public information. Requires the guidelines to address procedural safeguards, legal issues, and other issues that in the opinion of the attorney general would help state and local governmental entities comply with applicable law and recommended information practices when handling personal information. (b) Provides that the guidelines do not create exceptions from required disclosure under Chapter 552. Sec. 559.102. OPEN RECORDS STEERING COMMITTEE; RECORDS MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) Requires the open records steering committee established under Section 552.009 to periodically study and determine the implications for the personal privacy of individuals of putting information held by government on the Internet, and include its findings and recommendations in reports the committee makes under Section 552.009. (b) Requires the records management interagency coordinating council established under Section 441.203 to provide guidance and policy direction to state and local governmental entities in appropriately incorporating developments in electronic management of information into their information management systems in ways that protect personal privacy and promote efficient public access to public information that is not excepted from required public disclosure. (c) Requires the records management interagency coordinating council to study and assess efficient and effective ways in which individuals can request and challenge certain information. (d) Requires a state or local governmental entity on request to assist the records management interagency coordinating council in performing its studies under Subsection (c) by responding to the council's requests for information or opinion. Requires the council to periodically report the results of its studies under Subsection (c) and any related recommendations to the governor and the legislature. Sec. 559.103. ATTORNEY GENERAL STUDIES. Requires the attorney general to study and periodically report recommendations to the governor and the legislature regarding certain items. Sec. 559.104. COMPTROLLER STUDY: MODIFYING INFORMATION MANAGEMENT SYSTEMS' USE OF PERSONAL IDENTIFIERS. (a) Requires the comptroller to study and make recommendations to the governor, the legislature, and affected state governmental entities regarding efficient and effective ways in which state governmental entities could modify their information management systems so that personal identifiers, such as social security numbers, are not used to track individuals in a manner contrary to commonly held privacy expectations. Requires the comptroller, in making recommendations under this section, to include an estimate of the cost of modifying an information management system in accordance with a recommendation. (b) Requires the department to assist the comptroller in making the study. Requires other state governmental entities to participate in the study at the invitation of the comptroller. SECTION 2. (a) Requires each state and local governmental entity to examine its records retention schedule and amend the schedule so that it complies with Section 559.053, Government Code, as added by this Act. (b) Requires the comptroller to make initial recommendations to the governor, the legislature, and any affected state governmental entities under Section 559.104, Government Code, as added by this Act, by November 1, 2002. (c) Requires the records management interagency coordinating council to make initial recommendations to the governor and the legislature under Section 559.102(d), Government Code, as added by this Act, by November 1, 2002. SECTION 3. Effective date: upon passage or September 1, 2001.