By: Nelson, et al. S.B. No. 866
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to the creation of a Texas Privacy Act and addressing the
1-3 ways in which the information practices of state and local
1-4 governmental entities affect personal privacy.
1-5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-6 SECTION 1. Subtitle A, Title 5, Government Code, is amended
1-7 by adding Chapter 559 to read as follows:
1-8 CHAPTER 559. TEXAS PRIVACY ACT
1-9 SUBCHAPTER A. GENERAL PROVISIONS
1-10 Sec. 559.001. SHORT TITLE. This chapter may be cited as the
1-11 Texas Privacy Act.
1-12 Sec. 559.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY
1-13 PRINCIPLES. (a) The legislature finds that:
1-14 (1) an increasing number of individuals in this state
1-15 are concerned that:
1-16 (A) personal information held by government may
1-17 be used inappropriately;
1-18 (B) unauthorized persons may have access to that
1-19 information; and
1-20 (C) some of the information may be inaccurate,
1-21 incomplete, or unnecessary for the effective functioning of
1-22 government; and
1-23 (2) in response to the findings stated by Subdivision
1-24 (1), each state and local governmental entity in this state must be
1-25 committed to strengthening privacy protections for personal
2-1 information held by government in a manner consistent with the
2-2 public's right to complete information about the affairs of
2-3 government and the official acts of public officials and employees.
2-4 (b) The legislature also finds that because inadvertent
2-5 release, careless storage, or improper disposal of information
2-6 could result in embarrassment or other harm to individuals, each
2-7 state and local governmental entity:
2-8 (1) has an obligation to protect personal information
2-9 in the manner required by law; and
2-10 (2) must exercise particular care in protecting
2-11 records containing sensitive and private personal information about
2-12 health or financial matters and in protecting personal identifiers,
2-13 such as a social security number.
2-14 (c) It is the policy of this state that an individual has a
2-15 right to know how personal information about the individual is
2-16 handled by government and the extent to which the information may
2-17 be disclosed or must be kept confidential under law.
2-18 Sec. 559.003. DEFINITIONS. In this chapter:
2-19 (1) "Personal information" means information about an
2-20 individual such as:
2-21 (A) the individual's home address, home
2-22 telephone number, social security number, date of birth, physical
2-23 characteristics, and similar information about the individual;
2-24 (B) information about an individual's marital
2-25 status or history, whether the individual has family members, and
2-26 information about the individual's family members; and
3-1 (C) personally identifiable information about
3-2 the individual's health or health history, finances or financial
3-3 history, and purchases made from government.
3-4 (2) "Governmental entity" does not include a court
3-5 other than a commissioners court.
3-6 Sec. 559.004. APPLICABILITY. This chapter does not apply to
3-7 information held by or for a court other than a commissioners
3-8 court.
3-9 Sec. 559.005. CONSTRUCTION WITH OTHER LAW. This chapter
3-10 does not affect:
3-11 (1) the ability of a state or local governmental
3-12 entity to undertake a lawful investigation or to protect persons,
3-13 property, or the environment in the manner authorized by law; or
3-14 (2) the duty of a state or local governmental entity
3-15 to comply with applicable law.
3-16 (Sections 559.006-559.050 reserved for expansion
3-17 SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
3-18 Sec. 559.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION;
3-19 COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT.
3-20 (a) This section applies only to the disclosure by a governmental
3-21 entity of information that reveals an individual's:
3-22 (1) social security number;
3-23 (2) bank account number, credit card account number,
3-24 or other financial account number; or
3-25 (3) computer password or computer network location or
3-26 identity.
4-1 (b) A state or local governmental entity may not disclose
4-2 information described by Subsection (a) under Chapter 552 or other
4-3 law unless the attorney general authorizes the disclosure after
4-4 determining that:
4-5 (1) there is a compelling governmental interest in
4-6 disclosing the information that cannot be effectively accomplished
4-7 without the disclosure; or
4-8 (2) due to extraordinary circumstances, the
4-9 information is especially relevant to a matter of intense public
4-10 concern.
4-11 (c) The requestor of the information or the state or local
4-12 governmental entity may request the attorney general to authorize
4-13 the disclosure of information described by Subsection (a).
4-14 (d) A state or local governmental entity is not required to
4-15 request a decision of the attorney general under Subchapter G,
4-16 Chapter 552, before refusing to disclose a social security number,
4-17 bank account number, credit card account number, other financial
4-18 account number, computer password, or computer network location or
4-19 identity in response to a request made under Chapter 552. The
4-20 state or local governmental entity shall inform the requestor that
4-21 the requested information is being withheld under this section and
4-22 that the requestor is entitled to request the attorney general to
4-23 authorize the disclosure.
4-24 (e) The attorney general may adopt rules to implement this
4-25 section, including rules that describe appropriate and clearly
4-26 defined circumstances under which a category of information
5-1 described by Subsection (a) is presumed to satisfy a requirement of
5-2 Subsection (b) and therefore may be disclosed without the necessity
5-3 of obtaining specific authorization for the disclosure from the
5-4 attorney general. A rule of the attorney general that describes
5-5 circumstances under which information presumptively may be
5-6 disclosed may limit disclosure to specific state, local, or federal
5-7 authorities or may allow the information to be generally disclosed
5-8 under Chapter 552, as appropriate.
5-9 (f) The attorney general shall develop procedures under
5-10 which the office of the attorney general will expedite a decision
5-11 whether to authorize disclosure of information described by
5-12 Subsection (a) when expedited consideration is warranted under the
5-13 circumstances.
5-14 (g) A decision of the attorney general under this section
5-15 may be challenged in court in the same manner that a decision of
5-16 the attorney general may be challenged under Subchapter G, Chapter
5-17 552.
5-18 (h) If information described by Subsection (a) is requested
5-19 under Chapter 552, Section 552.325 applies in relation to the
5-20 individual who is the subject of the information in the same manner
5-21 as if the individual were a requestor of the information, except
5-22 that the attorney general shall notify the individual under Section
5-23 552.325(c) if the attorney general proposes to agree to the release
5-24 of all or part of the information.
5-25 Sec. 559.052. COLLECTION OF PERSONAL INFORMATION. A state
5-26 or local governmental entity shall establish procedures to ensure
6-1 that the governmental entity collects personal information only to
6-2 the extent reasonably necessary to:
6-3 (1) implement a program;
6-4 (2) authenticate an individual's identity when
6-5 necessary;
6-6 (3) ensure security; or
6-7 (4) accomplish another legitimate governmental
6-8 purpose.
6-9 Sec. 559.053. RECORDS RETENTION SCHEDULES. (a) In adopting
6-10 or amending its records retention schedule, a state or local
6-11 governmental entity shall schedule the retention of personal
6-12 information only for the period necessary to accomplish the purpose
6-13 for which the information was collected or, if applicable, for the
6-14 minimum period specifically prescribed by statute.
6-15 (b) Subsection (a) does not apply to the retention of
6-16 personal information that has demonstrable historical or archival
6-17 value.
6-18 Sec. 559.054. GENERAL PRIVACY POLICIES. (a) A state or
6-19 local governmental entity shall develop a privacy policy that
6-20 completely describes in plainly written language:
6-21 (1) the reasons that the governmental entity requires
6-22 or collects each category of personal information about individuals
6-23 that the entity requires or collects;
6-24 (2) the procedures used to require or collect the
6-25 information;
6-26 (3) the persons to whom the information may be
7-1 disclosed;
7-2 (4) the manner in which the information may be
7-3 disclosed; and
7-4 (5) any current arrangement under which the
7-5 governmental entity sells personal information about individuals or
7-6 discloses the information under a contract or agreement or in bulk.
7-7 (b) The state or local governmental entity shall promptly
7-8 amend the privacy policy whenever information in the policy becomes
7-9 incorrect or incomplete.
7-10 (c) The state or local governmental entity shall prominently
7-11 post its current privacy policy:
7-12 (1) through a prominent link on the main Internet site
7-13 maintained by or for the governmental entity; and
7-14 (2) next to the sign that the governmental entity
7-15 posts under Section 552.205.
7-16 Sec. 559.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY.
7-17 (a) The Department of Information Resources shall adopt rules
7-18 prescribing minimum privacy standards with which an Internet site
7-19 or portal maintained by or for a state or local governmental entity
7-20 must comply. The rules must be designed to limit the collection of
7-21 personal information about users of the government Internet site or
7-22 portal to information:
7-23 (1) that the state or local governmental entity needs
7-24 in order to accomplish a legitimate government purpose;
7-25 (2) that the user of the site or portal knowingly and
7-26 intentionally transmits to the state or local governmental entity;
8-1 or
8-2 (3) regarding the collection of which the user of the
8-3 site or portal has actively given informed consent.
8-4 (b) In adopting its rules under this section, the Department
8-5 of Information Resources shall consider policies adopted by other
8-6 states and the federal government in this regard.
8-7 (c) A state or local governmental entity that maintains an
8-8 Internet site or portal or for which an Internet site or portal is
8-9 maintained shall adopt a privacy policy regarding information
8-10 collected through the site or portal and provide a prominent link
8-11 to the policy for users of the site or portal. The policy must be
8-12 consistent with the rules adopted by the Department of Information
8-13 Resources under this section and must be included as a prominent
8-14 separate element of the general privacy policy that the entity is
8-15 required to develop and to which it must provide an Internet link
8-16 under Section 559.054.
8-17 Sec. 559.056. STATE AUDITOR. (a) The state auditor shall
8-18 establish auditing guidelines to ensure that state and local
8-19 governmental entities that the state auditor has authority to audit
8-20 under other law:
8-21 (1) do not routinely collect or retain more personal
8-22 information than an entity needs to accomplish a legitimate
8-23 governmental purpose of the entity; and
8-24 (2) have established an information management system
8-25 that protects the privacy and security of information in accordance
8-26 with applicable state and federal law.
9-1 (b) During an appropriate type of audit, the state auditor
9-2 may audit a state or local governmental entity for compliance with
9-3 the guidelines established under Subsection (a).
9-4 (Sections 559.057-559.100 reserved for expansion
9-5 SUBCHAPTER C. GUIDELINES AND STUDIES
9-6 Sec. 559.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING
9-7 PRIVACY ISSUES. (a) The attorney general shall establish
9-8 guidelines for state and local governmental entities to follow when
9-9 considering privacy issues that arise in connection with requests
9-10 for public information. The guidelines shall address procedural
9-11 safeguards, legal issues, and other issues that in the opinion of
9-12 the attorney general would help state and local governmental
9-13 entities comply with applicable law and recommended information
9-14 practices when handling personal information.
9-15 (b) The guidelines do not create exceptions from required
9-16 disclosure under Chapter 552.
9-17 Sec. 559.102. OPEN RECORDS STEERING COMMITTEE; RECORDS
9-18 MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records
9-19 steering committee established under Section 552.009 shall
9-20 periodically study and determine the implications for the personal
9-21 privacy of individuals of putting information held by government on
9-22 the Internet and shall include its findings and recommendations in
9-23 reports the committee makes under Section 552.009.
9-24 (b) The Records Management Interagency Coordinating Council
9-25 established under Section 441.203 shall provide guidance and policy
9-26 direction to state and local governmental entities in appropriately
10-1 incorporating developments in electronic management of information
10-2 into their information management systems in ways that protect
10-3 personal privacy and promote efficient public access to public
10-4 information that is not excepted from required public disclosure.
10-5 (c) The Records Management Interagency Coordinating Council
10-6 shall study and assess efficient and effective ways in which:
10-7 (1) an individual could request and receive from a
10-8 state or local governmental entity information about the individual
10-9 that:
10-10 (A) the entity possesses or to which it has a
10-11 right of access; and
10-12 (B) the individual is entitled to receive under
10-13 Section 552.021 or 552.023;
10-14 (2) the individual could challenge the accuracy of the
10-15 information if the individual considers it to be incorrect; and
10-16 (3) the governmental entity can correct information
10-17 that is incorrect.
10-18 (d) A state or local governmental entity on request shall
10-19 assist the Records Management Interagency Coordinating Council in
10-20 performing its studies under Subsection (c) by responding to the
10-21 council's requests for information or opinion. The council shall
10-22 periodically report the results of its studies under Subsection (c)
10-23 and any related recommendations to the governor and the
10-24 legislature.
10-25 Sec. 559.103. ATTORNEY GENERAL STUDIES. The attorney
10-26 general shall study and periodically report recommendations to the
11-1 governor and the legislature regarding:
11-2 (1) ways in which laws could be enacted that would
11-3 balance the need for open government with the ability of
11-4 individuals to elect not to have personal information about the
11-5 individual released, especially when the release of that
11-6 information poses a significant danger to an individual; and
11-7 (2) circumstances under which, with respect to
11-8 personal information that a state or local governmental entity
11-9 possesses only because the individual who is the subject of the
11-10 information applied for or holds a license, permit, certificate, or
11-11 similar form of permission issued by the governmental entity that
11-12 the individual must obtain to engage in an activity, the
11-13 governmental entity should be allowed to release the personal
11-14 information to the public only with the prior informed consent of
11-15 the individual.
11-16 Sec. 559.104. COMPTROLLER STUDY: MODIFYING INFORMATION
11-17 MANAGEMENT SYSTEMS' USE OF PERSONAL IDENTIFIERS. (a) The
11-18 comptroller shall study and make recommendations to the governor,
11-19 the legislature, and affected state governmental entities regarding
11-20 efficient and effective ways in which state governmental entities
11-21 could modify their information management systems so that personal
11-22 identifiers, such as social security numbers, are not used to track
11-23 individuals in a manner contrary to commonly held privacy
11-24 expectations. In making its recommendations under this section,
11-25 the comptroller shall include an estimate of the cost of modifying
11-26 an information management system in accordance with a
12-1 recommendation.
12-2 (b) The Department of Information Resources shall assist the
12-3 comptroller in making the study. Other state governmental entities
12-4 shall participate in the study at the invitation of the
12-5 comptroller.
12-6 SECTION 2. (a) Subsection (f), Section 521.044,
12-7 Transportation Code, as added by Section 18, Chapter 1189, Acts of
12-8 the 76th Legislature, Regular Session, 1999, is reenacted to read
12-9 as follows:
12-10 (f) This section does not authorize the department to
12-11 require an applicant for a driver's license to provide the
12-12 applicant's social security number unless the provision of the
12-13 social security number is required under federal law.
12-14 (b) Subsection (g), Section 521.142, Transportation Code, as
12-15 added by Section 22, Chapter 1189, Acts of the 76th Legislature,
12-16 Regular Session, 1999, is reenacted to read as follows:
12-17 (g) The department may not require an applicant to provide
12-18 the applicant's social security number unless the provision of the
12-19 social security number is required under federal law.
12-20 SECTION 3. (a) Subsection (f), Section 521.044,
12-21 Transportation Code, as added by Section 77, Chapter 556, Acts of
12-22 the 76th Legislature, Regular Session, 1999, is repealed.
12-23 (b) Subsection (g), Section 521.142, Transportation Code, as
12-24 added by Section 78, Chapter 556, Acts of the 76th Legislature,
12-25 Regular Session, 1999, is repealed.
12-26 SECTION 4. (a) Each state and local governmental entity
13-1 shall examine its records retention schedule and amend the schedule
13-2 so that it complies with Section 559.053, Government Code, as added
13-3 by this Act.
13-4 (b) The comptroller of public accounts shall make initial
13-5 recommendations to the governor, the legislature, and any affected
13-6 state governmental entities under Section 559.104, Government Code,
13-7 as added by this Act, not later than November 1, 2002.
13-8 (c) The Records Management Interagency Coordinating Council
13-9 shall make initial recommendations to the governor and the
13-10 legislature under Subsection (d), Section 559.102, Government Code,
13-11 as added by this Act, not later than November 1, 2002.
13-12 SECTION 5. This Act takes effect immediately if it receives
13-13 a vote of two-thirds of all the members elected to each house, as
13-14 provided by Section 39, Article III, Texas Constitution. If this
13-15 Act does not receive the vote necessary for immediate effect, this
13-16 Act takes effect September 1, 2001.