78R1003 JRD-D

By:  Hupp                                                         H.B. No. 2125


A BILL TO BE ENTITLED
AN ACT
relating to the creation of a Texas Privacy and Security Act and addressing the ways in which the information practices of state and local governmental entities affect personal privacy and the security of this state.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subtitle A, Title 5, Government Code, is amended by adding Chapter 561 to read as follows:
CHAPTER 561. TEXAS PRIVACY AND SECURITY ACT
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 561.001. SHORT TITLE. This chapter may be cited as the Texas Privacy and Security Act.
Sec. 561.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY AND SECURITY PRINCIPLES. (a) The legislature finds that: (1) an increasing number of individuals in this state are concerned that: (A) personal information held by government may be used inappropriately; (B) unauthorized persons may have access to that information; and (C) some of the information may be inaccurate, incomplete, or unnecessary for the effective functioning of government; and (2) in response to the findings stated by Subdivision (1), each state and local governmental entity in this state must be committed to strengthening privacy protections for personal information held by government in a manner consistent with the public's right to complete information about the affairs of government and the official acts of public officials and employees.
(b) The legislature also finds that: (1) because inadvertent release, careless storage, or improper disposal of information could result in embarrassment or other harm to individuals, each state and local governmental entity: (A) has an obligation to protect personal information in the manner required by law; and (B) must exercise particular care in protecting records containing sensitive and private personal information about health or financial matters and in protecting personal identifiers, such as a social security number; (2) each state and local governmental entity must strive to balance the need to collect or protect information that relates to the security needs of this state with the need for open government and with the need to protect personal privacy; and (3) each state and local governmental entity should take affirmative steps to make information about government activities fully and easily available to the public unless there is a demonstrated security risk in doing so.
(c) It is the policy of this state that: (1) an individual has a right to know how personal information about the individual is handled by government and the extent to which the information may be disclosed or must be kept confidential under law; and (2) state and local governmental entities should share information as necessary to ensure accountability in government programs or the security of this state while protecting personal information from inappropriate dissemination to the extent possible.
Sec. 561.003. DEFINITIONS. In this chapter: (1) "Personal information" means information about an individual such as: (A) the individual's home address, home telephone number, social security number, date of birth, physical characteristics, and similar information about the individual; (B) information about an individual's marital status or history, whether the individual has family members, and information about the individual's family members; and (C) personally identifiable information about the individual's health or health history, finances or financial history, and purchases made from government. (2) "Governmental entity" does not include a court other than a commissioners court.
Sec. 561.004. APPLICABILITY. This chapter does not apply to information held by or for a court other than a commissioners court.
Sec. 561.005. CONSTRUCTION WITH OTHER LAW. This chapter does not affect: (1) the ability of a state or local governmental entity to undertake a lawful investigation or to protect persons, property, or the environment in the manner authorized by law; or (2) the duty of a state or local governmental entity to comply with applicable law.
[Sections 561.006-561.050 reserved for expansion]
SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
Sec. 561.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a) This section applies only to the disclosure by a governmental entity of information that reveals an individual's: (1) social security number; (2) bank account number, credit card account number, or other financial account number; or (3) computer password or computer network location or identity.
(b) A state or local governmental entity may not disclose information described by Subsection (a) under Chapter 552 or other law unless the attorney general authorizes the disclosure after determining that: (1) there is a compelling governmental interest in disclosing the information that cannot be effectively accomplished without the disclosure; or (2) due to extraordinary circumstances, the information is especially relevant to a matter of intense public concern.
(c) The requestor of the information or the state or local governmental entity may request the attorney general to authorize the disclosure of information described by Subsection (a).
(d) A state or local governmental entity is not required to request a decision of the attorney general under Subchapter G, Chapter 552, before refusing to disclose a social security number, bank account number, credit card account number, other financial account number, computer password, or computer network location or identity in response to a request made under Chapter 552. The state or local governmental entity shall inform the requestor that the requested information is being withheld under this section and that the requestor is entitled to request the attorney general to authorize the disclosure.
(e) The attorney general may adopt rules to implement this section, including rules that describe appropriate and clearly defined circumstances under which a category of information described by Subsection (a) is presumed to satisfy a requirement of Subsection (b) and therefore may be disclosed without the necessity of obtaining specific authorization for the disclosure from the attorney general. A rule of the attorney general that describes circumstances under which information presumptively may be disclosed may limit disclosure to specific state, local, or federal authorities or may allow the information to be generally disclosed under Chapter 552, as appropriate.
(f) The attorney general shall develop procedures under which the office of the attorney general will expedite a decision whether to authorize disclosure of information described by Subsection (a) when expedited consideration is warranted under the circumstances.
(g) A decision of the attorney general under this section may be challenged in court in the same manner that a decision of the attorney general may be challenged under Subchapter G, Chapter 552.
(h) If information described by Subsection (a) is requested under Chapter 552, Section 552.325 applies in relation to the individual who is the subject of the information in the same manner as if the individual were a requestor of the information, except that the attorney general shall notify the individual under Section 552.325(c) if the attorney general proposes to agree to the release of all or part of the information.
Sec. 561.052. COLLECTION OF PERSONAL INFORMATION. A state or local governmental entity shall establish procedures to ensure that the governmental entity collects personal information only to the extent reasonably necessary to: (1) implement a program; (2) authenticate an individual's identity when necessary; (3) ensure security; or (4) accomplish another legitimate governmental purpose.
Sec. 561.053. RECORDS RETENTION SCHEDULES. (a) In adopting or amending its records retention schedule, a state or local governmental entity shall schedule the retention of personal information only for the period necessary to accomplish the purpose for which the information was collected or, if applicable, for the minimum period specifically prescribed by statute.
(b) Subsection (a) does not apply to the retention of personal information that has demonstrable historical or archival value.
Sec. 561.054. GENERAL PRIVACY POLICIES. (a) A state or local governmental entity shall develop a privacy policy that completely describes in plainly written language: (1) the reasons that the governmental entity requires or collects each category of personal information about individuals that the entity requires or collects; (2) the procedures used to require or collect the information; (3) the persons to whom the information may be disclosed; (4) the manner in which the information may be disclosed; and (5) any current arrangement under which the governmental entity sells personal information about individuals or discloses the information under a contract or agreement or in bulk.
(b) The state or local governmental entity shall promptly amend the privacy policy whenever information in the policy becomes incorrect or incomplete.
(c) The state or local governmental entity shall prominently post its current privacy policy: (1) through a prominent link on the main Internet site maintained by or for the governmental entity; and (2) next to the sign that the governmental entity posts under Section 552.205.
Sec. 561.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY. (a) The Department of Information Resources shall adopt rules prescribing minimum privacy standards with which an Internet site or portal maintained by or for a state or local governmental entity must comply. The rules must be designed to limit the collection of personal information about users of the government Internet site or portal to information: (1) that the state or local governmental entity needs in order to accomplish a legitimate government purpose; (2) that the user of the site or portal knowingly and intentionally transmits to the state or local governmental entity; or (3) regarding the collection of which the user of the site or portal has actively given informed consent.
(b) In adopting its rules under this section, the Department of Information Resources shall consider policies adopted by other states and the federal government in this regard.
(c) A state or local governmental entity that maintains an Internet site or portal or for which an Internet site or portal is maintained shall adopt a privacy policy regarding information collected through the site or portal and provide a prominent link to the policy for users of the site or portal. The policy must be consistent with the rules adopted by the Department of Information Resources under this section and must be included as a prominent separate element of the general privacy policy that the entity is required to develop and to which it must provide an Internet link under Section 561.054.
Sec. 561.056. STATE AUDITOR. (a) The state auditor shall establish auditing guidelines to ensure that state and local governmental entities that the state auditor has authority to audit under other law: (1) do not routinely collect or retain more personal information than an entity needs to accomplish a legitimate governmental purpose of the entity; and (2) have established an information management system that protects the privacy and security of information in accordance with applicable state and federal law.
(b) During an appropriate type of audit, the state auditor may audit a state or local governmental entity for compliance with the guidelines established under Subsection (a).
[Sections 561.057-561.100 reserved for expansion]
SUBCHAPTER C. GUIDELINES
Sec. 561.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING PRIVACY AND SECURITY ISSUES. (a) The attorney general shall establish guidelines for state and local governmental entities to follow when considering privacy and security issues that arise in connection with requests for public information. The guidelines shall address procedural safeguards, legal issues, and other issues that in the opinion of the attorney general would help state and local governmental entities comply with applicable law and recommended information practices when handling personal information or information related to security. The guidelines shall balance the need for open government with respect for personal privacy and with the security needs of this state.
(b) The attorney general shall establish guidelines for sharing information for security purposes among state, local, and federal governmental entities and with the private sector. The guidelines must ensure the protection of personal privacy to the extent feasible and must clarify and explain the legal consequences of sharing the information.
(c) The guidelines do not create exceptions from required disclosure under Chapter 552.
Sec. 561.102. OPEN RECORDS STEERING COMMITTEE; RECORDS MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records steering committee established under Section 552.009 shall periodically study and determine the implications for the personal privacy of individuals and for the security of this state of putting information held by government on the Internet and shall include its findings and recommendations in reports the committee makes under Section 552.009.
(b) The Records Management Interagency Coordinating Council established under Section 441.203 shall provide guidance and policy direction to state and local governmental entities in appropriately incorporating developments in electronic management of information into their information management systems in ways that protect personal privacy and the security of this state and promote appropriate public access to public information that is not excepted from required public disclosure.
SECTION 2. Each state and local governmental entity shall examine its records retention schedule and amend the schedule so that it complies with Section 561.053, Government Code, as added by this Act.
SECTION 3. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2003.