By Nelson, et al. S.B. No. 866
77R7419 JRD-D
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to the creation of a Texas Privacy Act to address the ways
1-3 in which the information practices of state and local governmental
1-4 entities affect personal privacy.
1-5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-6 SECTION 1. Subtitle A, Title 5, Government Code, is amended
1-7 by adding Chapter 559 to read as follows:
1-8 CHAPTER 559. TEXAS PRIVACY ACT
1-9 SUBCHAPTER A. GENERAL PROVISIONS
1-10 Sec. 559.001. SHORT TITLE. This chapter may be cited as the
1-11 Texas Privacy Act.
1-12 Sec. 559.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY
1-13 PRINCIPLES. (a) The legislature finds that:
1-14 (1) an increasing number of individuals in this state
1-15 are concerned that:
1-16 (A) personal information held by government may
1-17 be used inappropriately;
1-18 (B) unauthorized persons may have access to that
1-19 information; and
1-20 (C) some of the information may be inaccurate,
1-21 incomplete, or unnecessary for the effective functioning of
1-22 government; and
1-23 (2) in response to the findings stated by Subdivision
1-24 (1), each state and local governmental entity in this state must be
2-1 committed to strengthening privacy protections for personal
2-2 information held by government in a manner consistent with the
2-3 public's right to complete information about the affairs of
2-4 government and the official acts of public officials and employees.
2-5 (b) The legislature also finds that because inadvertent
2-6 release, careless storage, or improper disposal of information
2-7 could result in embarassment or other harm to individuals, each
2-8 state and local governmental entity:
2-9 (1) has an obligation to protect personal information
2-10 in the manner required by law; and
2-11 (2) must exercise particular care in protecting
2-12 records containing sensitive and private personal information about
2-13 health or financial matters and in protecting personal identifiers,
2-14 such as a social security number.
2-15 (c) It is the policy of this state that an individual has a
2-16 right to know how personal information about the individual is
2-17 handled by government and the extent to which the information may
2-18 be disclosed or must be kept confidential under law.
2-19 Sec. 559.003. DEFINITIONS. In this chapter:
2-20 (1) "Personal information" means information about an
2-21 individual such as:
2-22 (A) the individual's home address, home
2-23 telephone number, social security number, date of birth, physical
2-24 characteristics, and similar information about the individual;
2-25 (B) information about an individual's marital
2-26 status or history, whether the individual has family members, and
2-27 information about the individual's family members; and
3-1 (C) personally identifiable information about
3-2 the individual's health or health history, finances or financial
3-3 history, and consumer history.
3-4 (2) "Governmental entity" does not include a court
3-5 other than a commissioners court.
3-6 Sec. 559.004. CONSTRUCTION WITH OTHER LAW. This chapter
3-7 does not affect:
3-8 (1) the ability of a state or local governmental
3-9 entity to undertake a lawful investigation or to protect persons,
3-10 property, or the environment in the manner authorized by law; or
3-11 (2) the duty of a state or local governmental entity
3-12 to comply with applicable law.
3-13 (Sections 559.005-559.050 reserved for expansion
3-14 SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
3-15 Sec. 559.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION;
3-16 COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a)
3-17 This section applies only to the disclosure by government of
3-18 information that reveals an individual's:
3-19 (1) social security number;
3-20 (2) bank account number, credit card account number,
3-21 or other financial account number; or
3-22 (3) computer password or computer network location or
3-23 identity.
3-24 (b) A state or local governmental entity may not disclose
3-25 information described by Subsection (a) under Chapter 552 or other
3-26 law unless the attorney general authorizes the disclosure after
3-27 determining that:
4-1 (1) there is a compelling governmental interest in
4-2 disclosing the information that cannot be effectively accomplished
4-3 without the disclosure; or
4-4 (2) due to extraordinary circumstances, the
4-5 information is especially relevant to a matter of intense public
4-6 concern.
4-7 (c) The attorney general may adopt rules to implement this
4-8 section, including rules that describe appropriate and clearly
4-9 defined circumstances under which a category of information
4-10 described by Subsection (a) is presumed to satisfy a requirement
4-11 of Subsection (b) and therefore may be disclosed without the
4-12 necessity of obtaining specific authorization for the disclosure
4-13 from the attorney general. A rule of the attorney general that
4-14 describes circumstances under which information presumptively may
4-15 be disclosed may limit disclosure to specific state, local, or
4-16 federal authorities or may allow the information to be generally
4-17 disclosed under Chapter 552, as appropriate.
4-18 (d) The attorney general shall develop procedures under
4-19 which the office of the attorney general will expedite a decision
4-20 whether to authorize disclosure of information described by
4-21 Subsection (a) when expedited consideration is warranted under the
4-22 circumstances.
4-23 (e) A decision of the attorney general under this section
4-24 may be challenged in court in the same manner that a decision of
4-25 the attorney general may be challenged under Subchapter G, Chapter
4-26 552.
4-27 (f) If information described by Subsection (a) is requested
5-1 under Chapter 552, Section 552.325 applies in relation to the
5-2 individual who is the subject of the information in the same manner
5-3 as if the individual were a requestor of the information, except
5-4 that the attorney general shall notify the individual under Section
5-5 552.325(c) if the attorney general proposes to agree to the release
5-6 of all or part of the information.
5-7 Sec. 559.052. COLLECTION OF PERSONAL INFORMATION. A state
5-8 or local governmental entity shall establish procedures to ensure
5-9 that the governmental entity collects personal information only to
5-10 the extent reasonably necessary to:
5-11 (1) implement a program;
5-12 (2) authenticate an individual's identity when
5-13 necessary;
5-14 (3) ensure security; or
5-15 (4) accomplish another legitimate governmental
5-16 purpose.
5-17 Sec. 559.053. RECORDS RETENTION SCHEDULES. (a) In adopting
5-18 or amending its records retention schedule, a state or local
5-19 governmental entity shall schedule the retention of personal
5-20 information only for the period necessary to accomplish the purpose
5-21 for which the information was collected or, if applicable, for the
5-22 minimum period specifically prescribed by statute.
5-23 (b) Subsection (a) does not apply to the retention of
5-24 personal information that has demonstrable historical or archival
5-25 value.
5-26 Sec. 559.054. GENERAL PRIVACY POLICIES. (a) A state or
5-27 local governmental entity shall develop a privacy policy that
6-1 completely describes in plainly written language:
6-2 (1) the reasons that the governmental entity requires
6-3 or collects each category of personal information about individuals
6-4 that the entity requires or collects;
6-5 (2) the procedures used to require or collect the
6-6 information;
6-7 (3) the persons to whom the information may be
6-8 disclosed;
6-9 (4) the manner in which the information may be
6-10 disclosed; and
6-11 (5) any current arrangement under which the
6-12 governmental entity sells personal information about individuals or
6-13 discloses the information under a contract or agreement or in bulk.
6-14 (b) The state or local governmental entity shall promptly
6-15 amend the privacy policy whenever information in the policy becomes
6-16 incorrect or incomplete.
6-17 (c) The state or local governmental entity shall prominently
6-18 post its current privacy policy:
6-19 (1) through a prominent link on the main Internet site
6-20 maintained by or for the governmental entity; and
6-21 (2) next to the sign that the governmental entity
6-22 posts under Section 552.205.
6-23 Sec. 559.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY. (a)
6-24 The Department of Information Resources shall adopt rules
6-25 prescribing minimum privacy standards with which an Internet site
6-26 or portal maintained by or for a state or local governmental entity
6-27 must comply. The rules must be designed to limit the collection of
7-1 personal information about users of the government Internet site or
7-2 portal to information:
7-3 (1) that the state or local governmental entity needs
7-4 in order to accomplish a legitimate government purpose;
7-5 (2) that the user of the site or portal knowingly and
7-6 intentionally transmits to the state or local governmental entity;
7-7 or
7-8 (3) regarding the collection of which the user of the
7-9 site or portal has actively given informed consent.
7-10 (b) In adopting its rules under this section, the Department
7-11 of Information Resources shall consider policies adopted by other
7-12 states and the federal government in this regard.
7-13 (c) A state or local governmental entity that maintains an
7-14 Internet site or portal or for which an Internet site or portal is
7-15 maintained shall adopt a privacy policy regarding information
7-16 collected through the site or portal and provide a prominent link
7-17 to the policy for users of the site or portal. The policy must be
7-18 consistent with the rules adopted by the Department of Information
7-19 Resources under this section and must be included as a prominent
7-20 separate element of the general privacy policy that the entity is
7-21 required to develop and to which it must provide an Internet link
7-22 under Section 559.054.
7-23 Sec. 559.056. STATE AUDITOR. (a) The state auditor shall
7-24 establish auditing guidelines to ensure that state and local
7-25 governmental entities that the state auditor has authority to audit
7-26 under other law:
7-27 (1) do not routinely collect or retain more personal
8-1 information than an entity needs to accomplish a legitimate
8-2 governmental purpose of the entity; and
8-3 (2) have established an information management system
8-4 that protects the privacy and security of information in accordance
8-5 with applicable state and federal law.
8-6 (b) During an appropriate type of audit, the state auditor
8-7 shall audit a state or local governmental entity for compliance
8-8 with the guidelines established under Subsection (a).
8-9 (Sections 559.057-559.100 reserved for expansion
8-10 SUBCHAPTER C. GUIDELINES AND STUDIES
8-11 Sec. 559.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING
8-12 PRIVACY ISSUES. (a) The attorney general shall establish
8-13 guidelines for state and local governmental entities to follow when
8-14 considering privacy issues that arise in connection with requests
8-15 for public information. The guidelines shall address procedural
8-16 safeguards, legal issues, and other issues that in the opinion of
8-17 the attorney general would help state and local governmental
8-18 entities comply with applicable law and recommended information
8-19 practices when handling personal information.
8-20 (b) The guidelines do not create exceptions from required
8-21 disclosure under Chapter 552.
8-22 Sec. 559.102. OPEN RECORDS STEERING COMMITTEE; RECORDS
8-23 MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records
8-24 steering committee established under Section 552.009 shall
8-25 periodically study and determine the implications for the personal
8-26 privacy of individuals of putting information held by government on
8-27 the Internet, and shall include its findings and recommendations in
9-1 reports the committee makes under Section 552.009.
9-2 (b) The records management interagency coordinating council
9-3 established under Section 441.203 shall provide guidance and policy
9-4 direction to state and local governmental entities in appropriately
9-5 incorporating developments in electronic management of information
9-6 into their information management systems in ways that protect
9-7 personal privacy and promote efficient public access to public
9-8 information that is not excepted from required public disclosure.
9-9 (c) The records management interagency coordinating council
9-10 shall study and assess efficient and effective ways in which:
9-11 (1) an individual could request and receive from a
9-12 state or local governmental entity information about the individual
9-13 that:
9-14 (A) the entity possesses or to which it has a
9-15 right of access; and
9-16 (B) the individual is entitled to receive under
9-17 Section 552.021 or 552.023;
9-18 (2) the individual could challenge the accuracy of the
9-19 information if the individual considers it to be incorrect; and
9-20 (3) the governmental entity can correct information
9-21 that is incorrect.
9-22 (d) A state or local governmental entity on request shall
9-23 assist the records management interagency coordinating council in
9-24 performing its studies under Subsection (c) by responding to the
9-25 council's requests for information or opinion. The council shall
9-26 periodically report the results of its studies under Subsection (c)
9-27 and any related recommendations to the governor and the
10-1 legislature.
10-2 Sec. 559.103. ATTORNEY GENERAL STUDIES. The attorney general
10-3 shall study and periodically report recommendations to the governor
10-4 and the legislature regarding:
10-5 (1) ways in which laws could be enacted that would
10-6 balance the need for open government with the ability of
10-7 individuals to elect not to have personal information about the
10-8 individual released, especially when the release of that
10-9 information poses a significant danger to an individual; and
10-10 (2) circumstances under which, with respect to
10-11 personal information that a state or local governmental entity
10-12 possesses only because the individual who is the subject of the
10-13 information applied for or holds a license, permit, certificate, or
10-14 similar form of permission issued by the governmental entity that
10-15 the individual must obtain to engage in an activity, the
10-16 governmental entity should be allowed to release the personal
10-17 information to the public only with the prior informed consent of
10-18 the individual.
10-19 Sec. 559.104. COMPTROLLER STUDY: MODIFYING INFORMATION
10-20 MANAGEMENT SYSTEMS' USE OF PERSONAL IDENTIFIERS. (a) The
10-21 comptroller shall study and make recommendations to the governor,
10-22 the legislature, and affected state governmental entities regarding
10-23 efficient and effective ways in which state governmental entities
10-24 could modify their information management systems so that personal
10-25 identifiers, such as social security numbers, are not used to track
10-26 individuals in a manner contrary to commonly held privacy
10-27 expectations. In making its recommendations under this section,
11-1 the comptroller shall include an estimate of the cost of modifying
11-2 an information management system in accordance with a
11-3 recommendation.
11-4 (b) The Department of Information Resources shall assist the
11-5 comptroller in making the study. Other state governmental entities
11-6 shall participate in the study at the invitation of the
11-7 comptroller.
11-8 SECTION 2. (a) Each state and local governmental entity
11-9 shall examine its records retention schedule and amend the schedule
11-10 so that it complies with Section 559.053, Government Code, as added
11-11 by this Act.
11-12 (b) The comptroller shall make initial recommendations to
11-13 the governor, the legislature, and any affected state governmental
11-14 entities under Section 559.104, Government Code, as added by this
11-15 Act, not later than November 1, 2002.
11-16 (c) The records management interagency coordinating council
11-17 shall make initial recommendations to the governor and the
11-18 legislature under Section 559.102(d), Government Code, as added by
11-19 this Act, not later than November 1, 2002.
11-20 SECTION 3. This Act takes effect immediately if it receives
11-21 a vote of two-thirds of all the members elected to each house, as
11-22 provided by Section 39, Article III, Texas Constitution. If this
11-23 Act does not receive the vote necessary for immediate effect, this
11-24 Act takes effect September 1, 2001.