By Nelson, et al. S.B. No. 866 77R7419 JRD-D A BILL TO BE ENTITLED 1-1 AN ACT 1-2 relating to the creation of a Texas Privacy Act to address the ways 1-3 in which the information practices of state and local governmental 1-4 entities affect personal privacy. 1-5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: 1-6 SECTION 1. Subtitle A, Title 5, Government Code, is amended 1-7 by adding Chapter 559 to read as follows: 1-8 CHAPTER 559. TEXAS PRIVACY ACT 1-9 SUBCHAPTER A. GENERAL PROVISIONS 1-10 Sec. 559.001. SHORT TITLE. This chapter may be cited as the 1-11 Texas Privacy Act. 1-12 Sec. 559.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY 1-13 PRINCIPLES. (a) The legislature finds that: 1-14 (1) an increasing number of individuals in this state 1-15 are concerned that: 1-16 (A) personal information held by government may 1-17 be used inappropriately; 1-18 (B) unauthorized persons may have access to that 1-19 information; and 1-20 (C) some of the information may be inaccurate, 1-21 incomplete, or unnecessary for the effective functioning of 1-22 government; and 1-23 (2) in response to the findings stated by Subdivision 1-24 (1), each state and local governmental entity in this state must be 2-1 committed to strengthening privacy protections for personal 2-2 information held by government in a manner consistent with the 2-3 public's right to complete information about the affairs of 2-4 government and the official acts of public officials and employees. 2-5 (b) The legislature also finds that because inadvertent 2-6 release, careless storage, or improper disposal of information 2-7 could result in embarassment or other harm to individuals, each 2-8 state and local governmental entity: 2-9 (1) has an obligation to protect personal information 2-10 in the manner required by law; and 2-11 (2) must exercise particular care in protecting 2-12 records containing sensitive and private personal information about 2-13 health or financial matters and in protecting personal identifiers, 2-14 such as a social security number. 2-15 (c) It is the policy of this state that an individual has a 2-16 right to know how personal information about the individual is 2-17 handled by government and the extent to which the information may 2-18 be disclosed or must be kept confidential under law. 2-19 Sec. 559.003. DEFINITIONS. In this chapter: 2-20 (1) "Personal information" means information about an 2-21 individual such as: 2-22 (A) the individual's home address, home 2-23 telephone number, social security number, date of birth, physical 2-24 characteristics, and similar information about the individual; 2-25 (B) information about an individual's marital 2-26 status or history, whether the individual has family members, and 2-27 information about the individual's family members; and 3-1 (C) personally identifiable information about 3-2 the individual's health or health history, finances or financial 3-3 history, and consumer history. 3-4 (2) "Governmental entity" does not include a court 3-5 other than a commissioners court. 3-6 Sec. 559.004. CONSTRUCTION WITH OTHER LAW. This chapter 3-7 does not affect: 3-8 (1) the ability of a state or local governmental 3-9 entity to undertake a lawful investigation or to protect persons, 3-10 property, or the environment in the manner authorized by law; or 3-11 (2) the duty of a state or local governmental entity 3-12 to comply with applicable law. 3-13 (Sections 559.005-559.050 reserved for expansion 3-14 SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS 3-15 Sec. 559.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; 3-16 COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a) 3-17 This section applies only to the disclosure by government of 3-18 information that reveals an individual's: 3-19 (1) social security number; 3-20 (2) bank account number, credit card account number, 3-21 or other financial account number; or 3-22 (3) computer password or computer network location or 3-23 identity. 3-24 (b) A state or local governmental entity may not disclose 3-25 information described by Subsection (a) under Chapter 552 or other 3-26 law unless the attorney general authorizes the disclosure after 3-27 determining that: 4-1 (1) there is a compelling governmental interest in 4-2 disclosing the information that cannot be effectively accomplished 4-3 without the disclosure; or 4-4 (2) due to extraordinary circumstances, the 4-5 information is especially relevant to a matter of intense public 4-6 concern. 4-7 (c) The attorney general may adopt rules to implement this 4-8 section, including rules that describe appropriate and clearly 4-9 defined circumstances under which a category of information 4-10 described by Subsection (a) is presumed to satisfy a requirement 4-11 of Subsection (b) and therefore may be disclosed without the 4-12 necessity of obtaining specific authorization for the disclosure 4-13 from the attorney general. A rule of the attorney general that 4-14 describes circumstances under which information presumptively may 4-15 be disclosed may limit disclosure to specific state, local, or 4-16 federal authorities or may allow the information to be generally 4-17 disclosed under Chapter 552, as appropriate. 4-18 (d) The attorney general shall develop procedures under 4-19 which the office of the attorney general will expedite a decision 4-20 whether to authorize disclosure of information described by 4-21 Subsection (a) when expedited consideration is warranted under the 4-22 circumstances. 4-23 (e) A decision of the attorney general under this section 4-24 may be challenged in court in the same manner that a decision of 4-25 the attorney general may be challenged under Subchapter G, Chapter 4-26 552. 4-27 (f) If information described by Subsection (a) is requested 5-1 under Chapter 552, Section 552.325 applies in relation to the 5-2 individual who is the subject of the information in the same manner 5-3 as if the individual were a requestor of the information, except 5-4 that the attorney general shall notify the individual under Section 5-5 552.325(c) if the attorney general proposes to agree to the release 5-6 of all or part of the information. 5-7 Sec. 559.052. COLLECTION OF PERSONAL INFORMATION. A state 5-8 or local governmental entity shall establish procedures to ensure 5-9 that the governmental entity collects personal information only to 5-10 the extent reasonably necessary to: 5-11 (1) implement a program; 5-12 (2) authenticate an individual's identity when 5-13 necessary; 5-14 (3) ensure security; or 5-15 (4) accomplish another legitimate governmental 5-16 purpose. 5-17 Sec. 559.053. RECORDS RETENTION SCHEDULES. (a) In adopting 5-18 or amending its records retention schedule, a state or local 5-19 governmental entity shall schedule the retention of personal 5-20 information only for the period necessary to accomplish the purpose 5-21 for which the information was collected or, if applicable, for the 5-22 minimum period specifically prescribed by statute. 5-23 (b) Subsection (a) does not apply to the retention of 5-24 personal information that has demonstrable historical or archival 5-25 value. 5-26 Sec. 559.054. GENERAL PRIVACY POLICIES. (a) A state or 5-27 local governmental entity shall develop a privacy policy that 6-1 completely describes in plainly written language: 6-2 (1) the reasons that the governmental entity requires 6-3 or collects each category of personal information about individuals 6-4 that the entity requires or collects; 6-5 (2) the procedures used to require or collect the 6-6 information; 6-7 (3) the persons to whom the information may be 6-8 disclosed; 6-9 (4) the manner in which the information may be 6-10 disclosed; and 6-11 (5) any current arrangement under which the 6-12 governmental entity sells personal information about individuals or 6-13 discloses the information under a contract or agreement or in bulk. 6-14 (b) The state or local governmental entity shall promptly 6-15 amend the privacy policy whenever information in the policy becomes 6-16 incorrect or incomplete. 6-17 (c) The state or local governmental entity shall prominently 6-18 post its current privacy policy: 6-19 (1) through a prominent link on the main Internet site 6-20 maintained by or for the governmental entity; and 6-21 (2) next to the sign that the governmental entity 6-22 posts under Section 552.205. 6-23 Sec. 559.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY. (a) 6-24 The Department of Information Resources shall adopt rules 6-25 prescribing minimum privacy standards with which an Internet site 6-26 or portal maintained by or for a state or local governmental entity 6-27 must comply. The rules must be designed to limit the collection of 7-1 personal information about users of the government Internet site or 7-2 portal to information: 7-3 (1) that the state or local governmental entity needs 7-4 in order to accomplish a legitimate government purpose; 7-5 (2) that the user of the site or portal knowingly and 7-6 intentionally transmits to the state or local governmental entity; 7-7 or 7-8 (3) regarding the collection of which the user of the 7-9 site or portal has actively given informed consent. 7-10 (b) In adopting its rules under this section, the Department 7-11 of Information Resources shall consider policies adopted by other 7-12 states and the federal government in this regard. 7-13 (c) A state or local governmental entity that maintains an 7-14 Internet site or portal or for which an Internet site or portal is 7-15 maintained shall adopt a privacy policy regarding information 7-16 collected through the site or portal and provide a prominent link 7-17 to the policy for users of the site or portal. The policy must be 7-18 consistent with the rules adopted by the Department of Information 7-19 Resources under this section and must be included as a prominent 7-20 separate element of the general privacy policy that the entity is 7-21 required to develop and to which it must provide an Internet link 7-22 under Section 559.054. 7-23 Sec. 559.056. STATE AUDITOR. (a) The state auditor shall 7-24 establish auditing guidelines to ensure that state and local 7-25 governmental entities that the state auditor has authority to audit 7-26 under other law: 7-27 (1) do not routinely collect or retain more personal 8-1 information than an entity needs to accomplish a legitimate 8-2 governmental purpose of the entity; and 8-3 (2) have established an information management system 8-4 that protects the privacy and security of information in accordance 8-5 with applicable state and federal law. 8-6 (b) During an appropriate type of audit, the state auditor 8-7 shall audit a state or local governmental entity for compliance 8-8 with the guidelines established under Subsection (a). 8-9 (Sections 559.057-559.100 reserved for expansion 8-10 SUBCHAPTER C. GUIDELINES AND STUDIES 8-11 Sec. 559.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING 8-12 PRIVACY ISSUES. (a) The attorney general shall establish 8-13 guidelines for state and local governmental entities to follow when 8-14 considering privacy issues that arise in connection with requests 8-15 for public information. The guidelines shall address procedural 8-16 safeguards, legal issues, and other issues that in the opinion of 8-17 the attorney general would help state and local governmental 8-18 entities comply with applicable law and recommended information 8-19 practices when handling personal information. 8-20 (b) The guidelines do not create exceptions from required 8-21 disclosure under Chapter 552. 8-22 Sec. 559.102. OPEN RECORDS STEERING COMMITTEE; RECORDS 8-23 MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records 8-24 steering committee established under Section 552.009 shall 8-25 periodically study and determine the implications for the personal 8-26 privacy of individuals of putting information held by government on 8-27 the Internet, and shall include its findings and recommendations in 9-1 reports the committee makes under Section 552.009. 9-2 (b) The records management interagency coordinating council 9-3 established under Section 441.203 shall provide guidance and policy 9-4 direction to state and local governmental entities in appropriately 9-5 incorporating developments in electronic management of information 9-6 into their information management systems in ways that protect 9-7 personal privacy and promote efficient public access to public 9-8 information that is not excepted from required public disclosure. 9-9 (c) The records management interagency coordinating council 9-10 shall study and assess efficient and effective ways in which: 9-11 (1) an individual could request and receive from a 9-12 state or local governmental entity information about the individual 9-13 that: 9-14 (A) the entity possesses or to which it has a 9-15 right of access; and 9-16 (B) the individual is entitled to receive under 9-17 Section 552.021 or 552.023; 9-18 (2) the individual could challenge the accuracy of the 9-19 information if the individual considers it to be incorrect; and 9-20 (3) the governmental entity can correct information 9-21 that is incorrect. 9-22 (d) A state or local governmental entity on request shall 9-23 assist the records management interagency coordinating council in 9-24 performing its studies under Subsection (c) by responding to the 9-25 council's requests for information or opinion. The council shall 9-26 periodically report the results of its studies under Subsection (c) 9-27 and any related recommendations to the governor and the 10-1 legislature. 10-2 Sec. 559.103. ATTORNEY GENERAL STUDIES. The attorney general 10-3 shall study and periodically report recommendations to the governor 10-4 and the legislature regarding: 10-5 (1) ways in which laws could be enacted that would 10-6 balance the need for open government with the ability of 10-7 individuals to elect not to have personal information about the 10-8 individual released, especially when the release of that 10-9 information poses a significant danger to an individual; and 10-10 (2) circumstances under which, with respect to 10-11 personal information that a state or local governmental entity 10-12 possesses only because the individual who is the subject of the 10-13 information applied for or holds a license, permit, certificate, or 10-14 similar form of permission issued by the governmental entity that 10-15 the individual must obtain to engage in an activity, the 10-16 governmental entity should be allowed to release the personal 10-17 information to the public only with the prior informed consent of 10-18 the individual. 10-19 Sec. 559.104. COMPTROLLER STUDY: MODIFYING INFORMATION 10-20 MANAGEMENT SYSTEMS' USE OF PERSONAL IDENTIFIERS. (a) The 10-21 comptroller shall study and make recommendations to the governor, 10-22 the legislature, and affected state governmental entities regarding 10-23 efficient and effective ways in which state governmental entities 10-24 could modify their information management systems so that personal 10-25 identifiers, such as social security numbers, are not used to track 10-26 individuals in a manner contrary to commonly held privacy 10-27 expectations. In making its recommendations under this section, 11-1 the comptroller shall include an estimate of the cost of modifying 11-2 an information management system in accordance with a 11-3 recommendation. 11-4 (b) The Department of Information Resources shall assist the 11-5 comptroller in making the study. Other state governmental entities 11-6 shall participate in the study at the invitation of the 11-7 comptroller. 11-8 SECTION 2. (a) Each state and local governmental entity 11-9 shall examine its records retention schedule and amend the schedule 11-10 so that it complies with Section 559.053, Government Code, as added 11-11 by this Act. 11-12 (b) The comptroller shall make initial recommendations to 11-13 the governor, the legislature, and any affected state governmental 11-14 entities under Section 559.104, Government Code, as added by this 11-15 Act, not later than November 1, 2002. 11-16 (c) The records management interagency coordinating council 11-17 shall make initial recommendations to the governor and the 11-18 legislature under Section 559.102(d), Government Code, as added by 11-19 this Act, not later than November 1, 2002. 11-20 SECTION 3. This Act takes effect immediately if it receives 11-21 a vote of two-thirds of all the members elected to each house, as 11-22 provided by Section 39, Article III, Texas Constitution. If this 11-23 Act does not receive the vote necessary for immediate effect, this 11-24 Act takes effect September 1, 2001.