By: Nelson, Sibley    S.B. No. 866
(In the Senate - Filed February 22, 2001; February 26, 2001, read first time and referred to Committee on Business and Commerce; March 8, 2001, reported adversely, with favorable Committee Substitute by the following vote: Yeas 7, Nays 0; March 8, 2001, sent to printer.)

COMMITTEE SUBSTITUTE FOR S.B. No. 866    By: Carona

A BILL TO BE ENTITLED
AN ACT
relating to the creation of a Texas Privacy Act to address the ways in which the information practices of state and local governmental entities affect personal privacy.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subtitle A, Title 5, Government Code, is amended by adding Chapter 559 to read as follows:

CHAPTER 559. TEXAS PRIVACY ACT
SUBCHAPTER A. GENERAL PROVISIONS

Sec. 559.001. SHORT TITLE. This chapter may be cited as the Texas Privacy Act.

Sec. 559.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY PRINCIPLES. (a) The legislature finds that:
  (1) an increasing number of individuals in this state are concerned that:
    (A) personal information held by government may be used inappropriately;
    (B) unauthorized persons may have access to that information; and
    (C) some of the information may be inaccurate, incomplete, or unnecessary for the effective functioning of government; and
  (2) in response to the findings stated by Subdivision (1), each state and local governmental entity in this state must be committed to strengthening privacy protections for personal information held by government in a manner consistent with the public's right to complete information about the affairs of government and the official acts of public officials and employees.
(b) The legislature also finds that because inadvertent release, careless storage, or improper disposal of information could result in embarrassment or other harm to individuals, each state and local governmental entity:
  (1) has an obligation to protect personal information in the manner required by law; and
  (2) must exercise particular care in protecting records containing sensitive and private personal information about health or financial matters and in protecting personal identifiers, such as a social security number.
(c) It is the policy of this state that an individual has a right to know how personal information about the individual is handled by government and the extent to which the information may be disclosed or must be kept confidential under law.

Sec. 559.003. DEFINITIONS. In this chapter:
  (1) "Personal information" means information about an individual such as:
    (A) the individual's home address, home telephone number, social security number, date of birth, physical characteristics, and similar information about the individual;
    (B) information about an individual's marital status or history, whether the individual has family members, and information about the individual's family members; and
    (C) personally identifiable information about the individual's health or health history, finances or financial history, and purchases made from government.
  (2) "Governmental entity" does not include a court other than a commissioners court.

Sec. 559.004. CONSTRUCTION WITH OTHER LAW. This chapter does not affect:
  (1) the ability of a state or local governmental entity to undertake a lawful investigation or to protect persons, property, or the environment in the manner authorized by law; or
  (2) the duty of a state or local governmental entity to comply with applicable law.
(Sections 559.005-559.050 reserved for expansion)

SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS

Sec. 559.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a) This section applies only to the disclosure by a governmental entity of information that reveals an individual's:
  (1) social security number;
  (2) bank account number, credit card account number, or other financial account number; or
  (3) computer password or computer network location or identity.
(b) A state or local governmental entity may not disclose information described by Subsection (a) under Chapter 552 or other law unless the attorney general authorizes the disclosure after determining that:
  (1) there is a compelling governmental interest in disclosing the information that cannot be effectively accomplished without the disclosure; or
  (2) due to extraordinary circumstances, the information is especially relevant to a matter of intense public concern.
(c) The attorney general may adopt rules to implement this section, including rules that describe appropriate and clearly defined circumstances under which a category of information described by Subsection (a) is presumed to satisfy a requirement of Subsection (b) and therefore may be disclosed without the necessity of obtaining specific authorization for the disclosure from the attorney general. A rule of the attorney general that describes circumstances under which information presumptively may be disclosed may limit disclosure to specific state, local, or federal authorities or may allow the information to be generally disclosed under Chapter 552, as appropriate.
(d) The attorney general shall develop procedures under which the office of the attorney general will expedite a decision whether to authorize disclosure of information described by Subsection (a) when expedited consideration is warranted under the circumstances.
(e) A decision of the attorney general under this section may be challenged in court in the same manner that a decision of the attorney general may be challenged under Subchapter G, Chapter 552.
(f) If information described by Subsection (a) is requested under Chapter 552, Section 552.325 applies in relation to the individual who is the subject of the information in the same manner as if the individual were a requestor of the information, except that the attorney general shall notify the individual under Section 552.325(c) if the attorney general proposes to agree to the release of all or part of the information.

Sec. 559.052. COLLECTION OF PERSONAL INFORMATION. A state or local governmental entity shall establish procedures to ensure that the governmental entity collects personal information only to the extent reasonably necessary to:
  (1) implement a program;
  (2) authenticate an individual's identity when necessary;
  (3) ensure security; or
  (4) accomplish another legitimate governmental purpose.

Sec. 559.053. RECORDS RETENTION SCHEDULES. (a) In adopting or amending its records retention schedule, a state or local governmental entity shall schedule the retention of personal information only for the period necessary to accomplish the purpose for which the information was collected or, if applicable, for the minimum period specifically prescribed by statute.
(b) Subsection (a) does not apply to the retention of personal information that has demonstrable historical or archival value.

Sec. 559.054. GENERAL PRIVACY POLICIES.
(a) A state or local governmental entity shall develop a privacy policy that completely describes in plainly written language:
  (1) the reasons that the governmental entity requires or collects each category of personal information about individuals that the entity requires or collects;
  (2) the procedures used to require or collect the information;
  (3) the persons to whom the information may be disclosed;
  (4) the manner in which the information may be disclosed; and
  (5) any current arrangement under which the governmental entity sells personal information about individuals or discloses the information under a contract or agreement or in bulk.
(b) The state or local governmental entity shall promptly amend the privacy policy whenever information in the policy becomes incorrect or incomplete.
(c) The state or local governmental entity shall prominently post its current privacy policy:
  (1) through a prominent link on the main Internet site maintained by or for the governmental entity; and
  (2) next to the sign that the governmental entity posts under Section 552.205.

Sec. 559.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY. (a) The Department of Information Resources shall adopt rules prescribing minimum privacy standards with which an Internet site or portal maintained by or for a state or local governmental entity must comply.
The rules must be designed to limit the collection of personal information about users of the government Internet site or portal to information:
  (1) that the state or local governmental entity needs in order to accomplish a legitimate government purpose;
  (2) that the user of the site or portal knowingly and intentionally transmits to the state or local governmental entity; or
  (3) regarding the collection of which the user of the site or portal has actively given informed consent.
(b) In adopting its rules under this section, the Department of Information Resources shall consider policies adopted by other states and the federal government in this regard.
(c) A state or local governmental entity that maintains an Internet site or portal or for which an Internet site or portal is maintained shall adopt a privacy policy regarding information collected through the site or portal and provide a prominent link to the policy for users of the site or portal. The policy must be consistent with the rules adopted by the Department of Information Resources under this section and must be included as a prominent separate element of the general privacy policy that the entity is required to develop and to which it must provide an Internet link under Section 559.054.

Sec. 559.056. STATE AUDITOR. (a) The state auditor shall establish auditing guidelines to ensure that state and local governmental entities that the state auditor has authority to audit under other law:
  (1) do not routinely collect or retain more personal information than an entity needs to accomplish a legitimate governmental purpose of the entity; and
  (2) have established an information management system that protects the privacy and security of information in accordance with applicable state and federal law.
(b) During an appropriate type of audit, the state auditor may audit a state or local governmental entity for compliance with the guidelines established under Subsection (a).

(Sections 559.057-559.100 reserved for expansion)

SUBCHAPTER C. GUIDELINES AND STUDIES

Sec. 559.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING PRIVACY ISSUES. (a) The attorney general shall establish guidelines for state and local governmental entities to follow when considering privacy issues that arise in connection with requests for public information. The guidelines shall address procedural safeguards, legal issues, and other issues that in the opinion of the attorney general would help state and local governmental entities comply with applicable law and recommended information practices when handling personal information.
(b) The guidelines do not create exceptions from required disclosure under Chapter 552.

Sec. 559.102. OPEN RECORDS STEERING COMMITTEE; RECORDS MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records steering committee established under Section 552.009 shall periodically study and determine the implications for the personal privacy of individuals of putting information held by government on the Internet and shall include its findings and recommendations in reports the committee makes under Section 552.009.
(b) The Records Management Interagency Coordinating Council established under Section 441.203 shall provide guidance and policy direction to state and local governmental entities in appropriately incorporating developments in electronic management of information into their information management systems in ways that protect personal privacy and promote efficient public access to public information that is not excepted from required public disclosure.
(c) The Records Management Interagency Coordinating Council shall study and assess efficient and effective ways in which:
  (1) an individual could request and receive from a state or local governmental entity information about the individual that:
    (A) the entity possesses or to which it has a right of access; and
    (B) the individual is entitled to receive under Section 552.021 or 552.023;
  (2) the individual could challenge the accuracy of the information if the individual considers it to be incorrect; and
  (3) the governmental entity can correct information that is incorrect.
(d) A state or local governmental entity on request shall assist the Records Management Interagency Coordinating Council in performing its studies under Subsection (c) by responding to the council's requests for information or opinion. The council shall periodically report the results of its studies under Subsection (c) and any related recommendations to the governor and the legislature.

Sec. 559.103. ATTORNEY GENERAL STUDIES.
The attorney general shall study and periodically report recommendations to the governor and the legislature regarding:
  (1) ways in which laws could be enacted that would balance the need for open government with the ability of individuals to elect not to have personal information about the individual released, especially when the release of that information poses a significant danger to an individual; and
  (2) circumstances under which, with respect to personal information that a state or local governmental entity possesses only because the individual who is the subject of the information applied for or holds a license, permit, certificate, or similar form of permission issued by the governmental entity that the individual must obtain to engage in an activity, the governmental entity should be allowed to release the personal information to the public only with the prior informed consent of the individual.

Sec. 559.104. COMPTROLLER STUDY: MODIFYING INFORMATION MANAGEMENT SYSTEMS' USE OF PERSONAL IDENTIFIERS. (a) The comptroller shall study and make recommendations to the governor, the legislature, and affected state governmental entities regarding efficient and effective ways in which state governmental entities could modify their information management systems so that personal identifiers, such as social security numbers, are not used to track individuals in a manner contrary to commonly held privacy expectations. In making its recommendations under this section, the comptroller shall include an estimate of the cost of modifying an information management system in accordance with a recommendation.
(b) The Department of Information Resources shall assist the comptroller in making the study. Other state governmental entities shall participate in the study at the invitation of the comptroller.

SECTION 2.
(a) Each state and local governmental entity shall examine its records retention schedule and amend the schedule so that it complies with Section 559.053, Government Code, as added by this Act.
(b) The comptroller of public accounts shall make initial recommendations to the governor, the legislature, and any affected state governmental entities under Section 559.104, Government Code, as added by this Act, not later than November 1, 2002.
(c) The Records Management Interagency Coordinating Council shall make initial recommendations to the governor and the legislature under Subsection (d), Section 559.102, Government Code, as added by this Act, not later than November 1, 2002.

SECTION 3. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2001.

* * * * *