By: Nelson, et al. S.B. No. 866 A BILL TO BE ENTITLED 1-1 AN ACT 1-2 relating to the creation of a Texas Privacy Act and addressing the 1-3 ways in which the information practices of state and local 1-4 governmental entities affect personal privacy. 1-5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: 1-6 SECTION 1. Subtitle A, Title 5, Government Code, is amended 1-7 by adding Chapter 559 to read as follows: 1-8 CHAPTER 559. TEXAS PRIVACY ACT 1-9 SUBCHAPTER A. GENERAL PROVISIONS 1-10 Sec. 559.001. SHORT TITLE. This chapter may be cited as the 1-11 Texas Privacy Act. 1-12 Sec. 559.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY 1-13 PRINCIPLES. (a) The legislature finds that: 1-14 (1) an increasing number of individuals in this state 1-15 are concerned that: 1-16 (A) personal information held by government may 1-17 be used inappropriately; 1-18 (B) unauthorized persons may have access to that 1-19 information; and 1-20 (C) some of the information may be inaccurate, 1-21 incomplete, or unnecessary for the effective functioning of 1-22 government; and 1-23 (2) in response to the findings stated by Subdivision 1-24 (1), each state and local governmental entity in this state must be 1-25 committed to strengthening privacy protections for personal 2-1 information held by government in a manner consistent with the 2-2 public's right to complete information about the affairs of 2-3 government and the official acts of public officials and employees. 2-4 (b) The legislature also finds that because inadvertent 2-5 release, careless storage, or improper disposal of information 2-6 could result in embarrassment or other harm to individuals, each 2-7 state and local governmental entity: 2-8 (1) has an obligation to protect personal information 2-9 in the manner required by law; and 2-10 (2) must exercise particular care in protecting 2-11 records containing sensitive and private personal information about 2-12 health or financial matters and in protecting personal identifiers, 2-13 such as a social security number. 2-14 (c) It is the policy of this state that an individual has a 2-15 right to know how personal information about the individual is 2-16 handled by government and the extent to which the information may 2-17 be disclosed or must be kept confidential under law. 2-18 Sec. 559.003. DEFINITIONS. In this chapter: 2-19 (1) "Personal information" means information about an 2-20 individual such as: 2-21 (A) the individual's home address, home 2-22 telephone number, social security number, date of birth, physical 2-23 characteristics, and similar information about the individual; 2-24 (B) information about an individual's marital 2-25 status or history, whether the individual has family members, and 2-26 information about the individual's family members; and 3-1 (C) personally identifiable information about 3-2 the individual's health or health history, finances or financial 3-3 history, and purchases made from government. 3-4 (2) "Governmental entity" does not include a court 3-5 other than a commissioners court. 3-6 Sec. 559.004. APPLICABILITY. This chapter does not apply to 3-7 information held by or for a court other than a commissioners 3-8 court. 3-9 Sec. 559.005. CONSTRUCTION WITH OTHER LAW. This chapter 3-10 does not affect: 3-11 (1) the ability of a state or local governmental 3-12 entity to undertake a lawful investigation or to protect persons, 3-13 property, or the environment in the manner authorized by law; or 3-14 (2) the duty of a state or local governmental entity 3-15 to comply with applicable law. 3-16 (Sections 559.006-559.050 reserved for expansion 3-17 SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS 3-18 Sec. 559.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; 3-19 COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. 3-20 (a) This section applies only to the disclosure by a governmental 3-21 entity of information that reveals an individual's: 3-22 (1) social security number; 3-23 (2) bank account number, credit card account number, 3-24 or other financial account number; or 3-25 (3) computer password or computer network location or 3-26 identity. 4-1 (b) A state or local governmental entity may not disclose 4-2 information described by Subsection (a) under Chapter 552 or other 4-3 law unless the attorney general authorizes the disclosure after 4-4 determining that: 4-5 (1) there is a compelling governmental interest in 4-6 disclosing the information that cannot be effectively accomplished 4-7 without the disclosure; or 4-8 (2) due to extraordinary circumstances, the 4-9 information is especially relevant to a matter of intense public 4-10 concern. 4-11 (c) The requestor of the information or the state or local 4-12 governmental entity may request the attorney general to authorize 4-13 the disclosure of information described by Subsection (a). 4-14 (d) A state or local governmental entity is not required to 4-15 request a decision of the attorney general under Subchapter G, 4-16 Chapter 552, before refusing to disclose a social security number, 4-17 bank account number, credit card account number, other financial 4-18 account number, computer password, or computer network location or 4-19 identity in response to a request made under Chapter 552. The 4-20 state or local governmental entity shall inform the requestor that 4-21 the requested information is being withheld under this section and 4-22 that the requestor is entitled to request the attorney general to 4-23 authorize the disclosure. 4-24 (e) The attorney general may adopt rules to implement this 4-25 section, including rules that describe appropriate and clearly 4-26 defined circumstances under which a category of information 5-1 described by Subsection (a) is presumed to satisfy a requirement of 5-2 Subsection (b) and therefore may be disclosed without the necessity 5-3 of obtaining specific authorization for the disclosure from the 5-4 attorney general. A rule of the attorney general that describes 5-5 circumstances under which information presumptively may be 5-6 disclosed may limit disclosure to specific state, local, or federal 5-7 authorities or may allow the information to be generally disclosed 5-8 under Chapter 552, as appropriate. 5-9 (f) The attorney general shall develop procedures under 5-10 which the office of the attorney general will expedite a decision 5-11 whether to authorize disclosure of information described by 5-12 Subsection (a) when expedited consideration is warranted under the 5-13 circumstances. 5-14 (g) A decision of the attorney general under this section 5-15 may be challenged in court in the same manner that a decision of 5-16 the attorney general may be challenged under Subchapter G, Chapter 5-17 552. 5-18 (h) If information described by Subsection (a) is requested 5-19 under Chapter 552, Section 552.325 applies in relation to the 5-20 individual who is the subject of the information in the same manner 5-21 as if the individual were a requestor of the information, except 5-22 that the attorney general shall notify the individual under Section 5-23 552.325(c) if the attorney general proposes to agree to the release 5-24 of all or part of the information. 5-25 Sec. 559.052. COLLECTION OF PERSONAL INFORMATION. A state 5-26 or local governmental entity shall establish procedures to ensure 6-1 that the governmental entity collects personal information only to 6-2 the extent reasonably necessary to: 6-3 (1) implement a program; 6-4 (2) authenticate an individual's identity when 6-5 necessary; 6-6 (3) ensure security; or 6-7 (4) accomplish another legitimate governmental 6-8 purpose. 6-9 Sec. 559.053. RECORDS RETENTION SCHEDULES. (a) In adopting 6-10 or amending its records retention schedule, a state or local 6-11 governmental entity shall schedule the retention of personal 6-12 information only for the period necessary to accomplish the purpose 6-13 for which the information was collected or, if applicable, for the 6-14 minimum period specifically prescribed by statute. 6-15 (b) Subsection (a) does not apply to the retention of 6-16 personal information that has demonstrable historical or archival 6-17 value. 6-18 Sec. 559.054. GENERAL PRIVACY POLICIES. (a) A state or 6-19 local governmental entity shall develop a privacy policy that 6-20 completely describes in plainly written language: 6-21 (1) the reasons that the governmental entity requires 6-22 or collects each category of personal information about individuals 6-23 that the entity requires or collects; 6-24 (2) the procedures used to require or collect the 6-25 information; 6-26 (3) the persons to whom the information may be 7-1 disclosed; 7-2 (4) the manner in which the information may be 7-3 disclosed; and 7-4 (5) any current arrangement under which the 7-5 governmental entity sells personal information about individuals or 7-6 discloses the information under a contract or agreement or in bulk. 7-7 (b) The state or local governmental entity shall promptly 7-8 amend the privacy policy whenever information in the policy becomes 7-9 incorrect or incomplete. 7-10 (c) The state or local governmental entity shall prominently 7-11 post its current privacy policy: 7-12 (1) through a prominent link on the main Internet site 7-13 maintained by or for the governmental entity; and 7-14 (2) next to the sign that the governmental entity 7-15 posts under Section 552.205. 7-16 Sec. 559.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY. 7-17 (a) The Department of Information Resources shall adopt rules 7-18 prescribing minimum privacy standards with which an Internet site 7-19 or portal maintained by or for a state or local governmental entity 7-20 must comply. The rules must be designed to limit the collection of 7-21 personal information about users of the government Internet site or 7-22 portal to information: 7-23 (1) that the state or local governmental entity needs 7-24 in order to accomplish a legitimate government purpose; 7-25 (2) that the user of the site or portal knowingly and 7-26 intentionally transmits to the state or local governmental entity; 8-1 or 8-2 (3) regarding the collection of which the user of the 8-3 site or portal has actively given informed consent. 8-4 (b) In adopting its rules under this section, the Department 8-5 of Information Resources shall consider policies adopted by other 8-6 states and the federal government in this regard. 8-7 (c) A state or local governmental entity that maintains an 8-8 Internet site or portal or for which an Internet site or portal is 8-9 maintained shall adopt a privacy policy regarding information 8-10 collected through the site or portal and provide a prominent link 8-11 to the policy for users of the site or portal. The policy must be 8-12 consistent with the rules adopted by the Department of Information 8-13 Resources under this section and must be included as a prominent 8-14 separate element of the general privacy policy that the entity is 8-15 required to develop and to which it must provide an Internet link 8-16 under Section 559.054. 8-17 Sec. 559.056. STATE AUDITOR. (a) The state auditor shall 8-18 establish auditing guidelines to ensure that state and local 8-19 governmental entities that the state auditor has authority to audit 8-20 under other law: 8-21 (1) do not routinely collect or retain more personal 8-22 information than an entity needs to accomplish a legitimate 8-23 governmental purpose of the entity; and 8-24 (2) have established an information management system 8-25 that protects the privacy and security of information in accordance 8-26 with applicable state and federal law. 9-1 (b) During an appropriate type of audit, the state auditor 9-2 may audit a state or local governmental entity for compliance with 9-3 the guidelines established under Subsection (a). 9-4 (Sections 559.057-559.100 reserved for expansion 9-5 SUBCHAPTER C. GUIDELINES AND STUDIES 9-6 Sec. 559.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING 9-7 PRIVACY ISSUES. (a) The attorney general shall establish 9-8 guidelines for state and local governmental entities to follow when 9-9 considering privacy issues that arise in connection with requests 9-10 for public information. The guidelines shall address procedural 9-11 safeguards, legal issues, and other issues that in the opinion of 9-12 the attorney general would help state and local governmental 9-13 entities comply with applicable law and recommended information 9-14 practices when handling personal information. 9-15 (b) The guidelines do not create exceptions from required 9-16 disclosure under Chapter 552. 9-17 Sec. 559.102. OPEN RECORDS STEERING COMMITTEE; RECORDS 9-18 MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records 9-19 steering committee established under Section 552.009 shall 9-20 periodically study and determine the implications for the personal 9-21 privacy of individuals of putting information held by government on 9-22 the Internet and shall include its findings and recommendations in 9-23 reports the committee makes under Section 552.009. 9-24 (b) The Records Management Interagency Coordinating Council 9-25 established under Section 441.203 shall provide guidance and policy 9-26 direction to state and local governmental entities in appropriately 10-1 incorporating developments in electronic management of information 10-2 into their information management systems in ways that protect 10-3 personal privacy and promote efficient public access to public 10-4 information that is not excepted from required public disclosure. 10-5 (c) The Records Management Interagency Coordinating Council 10-6 shall study and assess efficient and effective ways in which: 10-7 (1) an individual could request and receive from a 10-8 state or local governmental entity information about the individual 10-9 that: 10-10 (A) the entity possesses or to which it has a 10-11 right of access; and 10-12 (B) the individual is entitled to receive under 10-13 Section 552.021 or 552.023; 10-14 (2) the individual could challenge the accuracy of the 10-15 information if the individual considers it to be incorrect; and 10-16 (3) the governmental entity can correct information 10-17 that is incorrect. 10-18 (d) A state or local governmental entity on request shall 10-19 assist the Records Management Interagency Coordinating Council in 10-20 performing its studies under Subsection (c) by responding to the 10-21 council's requests for information or opinion. The council shall 10-22 periodically report the results of its studies under Subsection (c) 10-23 and any related recommendations to the governor and the 10-24 legislature. 10-25 Sec. 559.103. ATTORNEY GENERAL STUDIES. The attorney 10-26 general shall study and periodically report recommendations to the 11-1 governor and the legislature regarding: 11-2 (1) ways in which laws could be enacted that would 11-3 balance the need for open government with the ability of 11-4 individuals to elect not to have personal information about the 11-5 individual released, especially when the release of that 11-6 information poses a significant danger to an individual; and 11-7 (2) circumstances under which, with respect to 11-8 personal information that a state or local governmental entity 11-9 possesses only because the individual who is the subject of the 11-10 information applied for or holds a license, permit, certificate, or 11-11 similar form of permission issued by the governmental entity that 11-12 the individual must obtain to engage in an activity, the 11-13 governmental entity should be allowed to release the personal 11-14 information to the public only with the prior informed consent of 11-15 the individual. 11-16 Sec. 559.104. COMPTROLLER STUDY: MODIFYING INFORMATION 11-17 MANAGEMENT SYSTEMS' USE OF PERSONAL IDENTIFIERS. (a) The 11-18 comptroller shall study and make recommendations to the governor, 11-19 the legislature, and affected state governmental entities regarding 11-20 efficient and effective ways in which state governmental entities 11-21 could modify their information management systems so that personal 11-22 identifiers, such as social security numbers, are not used to track 11-23 individuals in a manner contrary to commonly held privacy 11-24 expectations. In making its recommendations under this section, 11-25 the comptroller shall include an estimate of the cost of modifying 11-26 an information management system in accordance with a 12-1 recommendation. 12-2 (b) The Department of Information Resources shall assist the 12-3 comptroller in making the study. Other state governmental entities 12-4 shall participate in the study at the invitation of the 12-5 comptroller. 12-6 SECTION 2. (a) Subsection (f), Section 521.044, 12-7 Transportation Code, as added by Section 18, Chapter 1189, Acts of 12-8 the 76th Legislature, Regular Session, 1999, is reenacted to read 12-9 as follows: 12-10 (f) This section does not authorize the department to 12-11 require an applicant for a driver's license to provide the 12-12 applicant's social security number unless the provision of the 12-13 social security number is required under federal law. 12-14 (b) Subsection (g), Section 521.142, Transportation Code, as 12-15 added by Section 22, Chapter 1189, Acts of the 76th Legislature, 12-16 Regular Session, 1999, is reenacted to read as follows: 12-17 (g) The department may not require an applicant to provide 12-18 the applicant's social security number unless the provision of the 12-19 social security number is required under federal law. 12-20 SECTION 3. (a) Subsection (f), Section 521.044, 12-21 Transportation Code, as added by Section 77, Chapter 556, Acts of 12-22 the 76th Legislature, Regular Session, 1999, is repealed. 12-23 (b) Subsection (g), Section 521.142, Transportation Code, as 12-24 added by Section 78, Chapter 556, Acts of the 76th Legislature, 12-25 Regular Session, 1999, is repealed. 12-26 SECTION 4. (a) Each state and local governmental entity 13-1 shall examine its records retention schedule and amend the schedule 13-2 so that it complies with Section 559.053, Government Code, as added 13-3 by this Act. 13-4 (b) The comptroller of public accounts shall make initial 13-5 recommendations to the governor, the legislature, and any affected 13-6 state governmental entities under Section 559.104, Government Code, 13-7 as added by this Act, not later than November 1, 2002. 13-8 (c) The Records Management Interagency Coordinating Council 13-9 shall make initial recommendations to the governor and the 13-10 legislature under Subsection (d), Section 559.102, Government Code, 13-11 as added by this Act, not later than November 1, 2002. 13-12 SECTION 5. This Act takes effect immediately if it receives 13-13 a vote of two-thirds of all the members elected to each house, as 13-14 provided by Section 39, Article III, Texas Constitution. If this 13-15 Act does not receive the vote necessary for immediate effect, this 13-16 Act takes effect September 1, 2001.