79R14342 ATP-D
By: Isett                                                H.B. No. 3278
Substitute the following for H.B. No. 3278:
By: Gattis                                           C.S.H.B. No. 3278
A BILL TO BE ENTITLED
AN ACT
relating to the management, security, and protection of personal
information and governmental records; providing a criminal
penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 35.50, Business & Commerce Code, is
amended by amending Subsections (b) and (c) and adding Subsection
(e) to read as follows:
(b) A person may not capture a biometric identifier of an
individual for a commercial purpose [unless the person:
[(1) informs the individual before capturing the
biometric identifier; and
[(2) receives the individual's consent to capture the
biometric identifier].
(c) A person may not store [who possesses] a biometric
identifier of an individual[:
[(1) may not sell, lease, or otherwise disclose the
biometric identifier to another person unless:
[(A) the individual consents to the disclosure;
[(B) the disclosure completes a financial
transaction requested or authorized by the individual;
[(C) the disclosure is required or permitted by a
federal statute or by a state statute other than Chapter 552,
Government Code; or
[(D) the disclosure is made by or to a law
enforcement agency for a law enforcement purpose; and
[(2) shall store, transmit, and protect from
disclosure the biometric identifier using reasonable care and in a
manner that is the same as or more protective than the manner in
which the person stores, transmits, and protects the person's other
confidential information].
(e) This section does not apply to:
(1) the capture or storage of a biometric identifier
of an individual arrested for or convicted of a crime, by a law
enforcement agency for law enforcement purposes or by the Texas
Department of Criminal Justice for criminal justice purposes;
(2) a program designed to reduce the administrative
costs of or fraud in a state-funded or federally funded program,
including a program developed under Section 531.1063, Government
Code, or Section 31.0325, Human Resources Code;
(3) a state or federal credit union that uses a
biometric identifier solely for providing security to the credit
union's members; or
(4) a program designed to secure high-security areas
within an independent organization established under Section
39.151, Utilities Code, to ensure the reliability of the regional
electrical network.
SECTION 2. Title 6, Civil Practice and Remedies Code, is
amended by adding Chapter 142 to read as follows:
CHAPTER 142. CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS
Sec. 142.001. PROHIBITED USES. (a) In this section,
"publicly display" means to intentionally communicate or otherwise
make available to the general public.
(b) A person, including a governmental body, as defined by
Section 552.003, Government Code, may not:
(1) publicly display in any manner an individual's
social security number;
(2) require an individual to transmit a social
security number over the Internet, unless the connection is secure
or the social security number is encrypted;
(3) require an individual to use a social security
number to access an Internet website;
(4) print an individual's social security number on
any card required for the individual to have access to products or
services provided by the person, unless required by a state or
federal law as it existed on September 1, 2005;
(5) print an individual's social security number on
any materials that are mailed to the individual, unless a state or
federal law as it existed on September 1, 2005, requires the social
security number to be printed on the document to be mailed; or
(6) require an individual's social security number to
allow the individual access to the products or services provided by
the person, unless required by a state or federal law as it existed
on September 1, 2005.
(c) Subsection (b)(5) does not apply to applications or
forms sent by mail, including a document sent:
(1) as part of an application or enrollment process;
(2) to establish, amend, or terminate an account,
contract, or policy; or
(3) to confirm the accuracy of a social security
number.
Sec. 142.002. PERMITTED USES. (a) A person may collect,
use, or release a social security number for internal verification
or administrative purposes.
(b) A person who, before January 1, 2007, has used an
individual's social security number in a manner prohibited by
Section 142.001 may continue using that individual's social
security number in the same manner if:
(1) the use of the social security number is
continuous; and
(2) the person provides the individual with an annual
disclosure, beginning January 1, 2008, informing the individual of
the right to stop the use of the social security number in the
manner prohibited by Section 142.001.
(c) This chapter does not apply to:
(1) a person who collects, uses, or releases a social
security number if the person is required to collect, use, or
release the social security number by a federal or state law as it
existed on September 1, 2005, including Chapter 552, Government
Code;
(2) an institution of higher education if the use of
the social security number by the institution is regulated under
the Education Code; or
(3) the collection, use, or release of the social
security number of an individual who has been convicted of a crime
by a law enforcement agency for law enforcement purposes or by the
Texas Department of Criminal Justice for criminal justice purposes.
Sec. 142.003. DISCONTINUANCE OF USE ON REQUEST. (a) If a
person receives a written request from an individual directing the
person to stop using the individual's social security number in a
manner prohibited by Section 142.001, the person shall comply with
the request not later than the 30th day after the date the request
is received.
(b) The person may not impose a fee or charge for complying
with the request.
Sec. 142.004. DENIAL OF SERVICES PROHIBITED. A person may
not deny products or services to an individual because the
individual makes a written request to discontinue use under Section
142.003.
Sec. 142.005. CONFLICTS WITH LAW. Except as otherwise
provided by this chapter or Chapter 561, Government Code, or
expressly provided by other law, this chapter controls to the
extent of a conflict between this chapter and another state or
federal law.
SECTION 3. Section 560.002, Government Code, is amended to
read as follows:
Sec. 560.002. DISCLOSURE OF BIOMETRIC IDENTIFIER. A
governmental body that possesses a biometric identifier of an
individual:
(1) may not sell, lease, or otherwise disclose the
biometric identifier to another person unless:
(A) the individual consents to the disclosure;
(B) the disclosure is required or permitted by a
federal [statute] or [by a] state statute as it existed on September
1, 2005, other than Chapter 552; or
(C) the disclosure is made by or to a law
enforcement agency for a law enforcement purpose; [and]
(2) shall store, transmit, and protect from disclosure
the biometric identifier using reasonable care and in a manner that
is the same as or more protective than the manner in which the
governmental body stores, transmits, and protects its other
confidential information; and
(3) may not store a biometric identifier in a database
unless:
(A) the individual has been arrested for or
convicted of a crime and the individual's information is stored by a
law enforcement agency for law enforcement purposes or by the Texas
Department of Criminal Justice for criminal justice purposes;
(B) the biometric identifier is stored for
purposes of a program designed to reduce the administrative costs
of or fraud in a state-funded or federally funded program,
including a program developed under Section 531.1063 of this code
or Section 31.0325, Human Resources Code; or
(C) the biometric identifier is stored for
purposes of a program designed to secure high-security areas within
an independent organization established under Section 39.151,
Utilities Code, to ensure the reliability of the regional
electrical network.
SECTION 4. Subtitle A, Title 5, Government Code, is amended
by adding Chapter 561 to read as follows:
CHAPTER 561. TEXAS PRIVACY AND SECURITY ACT
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 561.001. SHORT TITLE. This chapter may be cited as the
Texas Privacy and Security Act.
Sec. 561.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY AND
SECURITY PRINCIPLES. (a) The legislature finds that:
(1) an increasing number of individuals in this state
are concerned that:
(A) personal information held by government may
be used inappropriately;
(B) unauthorized persons may have access to that
information; and
(C) some of the information may be inaccurate,
incomplete, or unnecessary for the effective functioning of
government; and
(2) in response to the findings stated by Subdivision
(1), each state and local governmental entity in this state must be
committed to strengthening privacy protections for personal
information held by government in a manner consistent with the
public's right to complete information about the affairs of
government and the official acts of public officials and employees.
(b) The legislature also finds that:
(1) because inadvertent release, careless storage, or
improper disposal of information could result in embarrassment or
other harm to individuals, each state and local governmental
entity:
(A) has an obligation to protect personal
information in the manner required by law; and
(B) must exercise particular care in protecting
records containing sensitive and private personal information
about health or financial matters and in protecting personal
identifiers, such as a social security number;
(2) each state and local governmental entity must
strive to balance the need to collect or protect information that
relates to the security needs of this state with the need for open
government and with the need to protect personal privacy; and
(3) each state and local governmental entity should
take affirmative steps to make information about government
activities fully and easily available to the public unless there is
a demonstrated security risk in doing so.
(c) It is the policy of this state that:
(1) an individual has a right to know how personal
information about the individual is handled by government and the
extent to which the information may be disclosed or must be kept
confidential under law; and
(2) state and local governmental entities should share
information as necessary to ensure accountability in government
programs or the security of this state while protecting personal
information from inappropriate dissemination to the extent
possible.
Sec. 561.003. DEFINITIONS. In this chapter:
(1) "Personal information" means information about an
individual such as:
(A) the individual's home address, home
telephone number, social security number, date of birth, physical
characteristics, and similar information about the individual;
(B) information about an individual's marital
status or history, whether the individual has family members, and
information about the individual's family members; and
(C) personally identifiable information about
the individual's health or health history, finances or financial
history, and purchases made from government.
(2) "Governmental entity" does not include a court
other than a commissioners court.
(3) "Sell" does not include the charge of a reasonable
fee authorized or required by law for a copy of a document.
Sec. 561.004. APPLICABILITY; AUTHORIZED PERSONS. (a) This
chapter does not apply to information held by or for a court other
than a commissioners court or to information regarding an
individual who has been convicted of a crime held by a law
enforcement agency for law enforcement purposes or by the Texas
Department of Criminal Justice for criminal justice purposes.
(b) Nothing in this chapter restricts access to information
by:
(1) a law enforcement officer;
(2) a private investigator licensed under Chapter
1702, Occupations Code;
(3) an officer of the court or an employee under the
direct supervision of an officer of the court; and
(4) any person accessing the information under an
executive or legislative privilege.
(c) Nothing in this chapter prohibits a person or a person's
authorized representative from requesting and accessing
information relating to the person as provided by Section 552.023.
(d) Nothing in this chapter restricts access to information
by a person accessing the information as necessary to perform a
title search or prepare an abstract of title. This subsection
expires September 1, 2007.
Sec. 561.005. CONSTRUCTION WITH OTHER LAW. (a) This
chapter does not affect the ability of a state or local governmental
entity to undertake a lawful investigation or to protect persons,
property, or the environment in the manner authorized by law.
(b) Except as otherwise provided by this chapter or
expressly provided by other law, this chapter controls to the
extent of a conflict between this chapter and another state or
federal law.
[Sections 561.006-561.050 reserved for expansion]
SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
Sec. 561.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION;
COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a)
This section applies only to the disclosure by a governmental
entity of information that:
(1) reveals an individual's:
(A) social security number;
(B) bank account number, credit card account
number, or other financial account number; or
(C) computer password or computer network
location or identity; or
(2) contains an individual's signature or the seal of
office of a notary public.
(b) A state or local governmental entity may not disclose
information described by Subsection (a) under Chapter 552 or other
law unless the attorney general authorizes the disclosure after
determining that:
(1) there is a compelling governmental interest in
disclosing the information that cannot be effectively accomplished
without the disclosure; or
(2) due to extraordinary circumstances, the
information is especially relevant to a matter of intense public
concern.
(c) The requestor of the information or the state or local
governmental entity may request the attorney general to authorize
the disclosure of information described by Subsection (a).
(d) A state or local governmental entity is not required to
request a decision of the attorney general under Subchapter G,
Chapter 552, before refusing to disclose a social security number,
bank account number, credit card account number, other financial
account number, computer password, or computer network location or
identity or provide an individual's signature or the seal of office
of a notary public in response to a request made under Chapter 552.
The state or local governmental entity shall inform the requestor
that the requested information is being withheld under this section
and that the requestor is entitled to request the attorney general
to authorize the disclosure.
(e) If information described by Subsection (a) is requested
under Chapter 552, Section 552.325 applies in relation to the
individual who is the subject of the information in the same manner
as if the individual were a requestor of the information, except
that the attorney general shall notify the individual under Section
552.325(c) if the attorney general proposes to agree to the release
of all or part of the information.
(f) This section does not apply to information regarding a
deceased individual after the seventh anniversary of the
individual's death.
Sec. 561.052. COLLECTION OF PERSONAL INFORMATION. A state
or local governmental entity shall establish procedures to ensure
that the governmental entity collects personal information only to
the extent reasonably necessary to:
(1) implement a program;
(2) authenticate an individual's identity when
necessary;
(3) ensure security; or
(4) accomplish another legitimate governmental
purpose.
Sec. 561.053. RECORDS RETENTION SCHEDULES. (a) In
adopting or amending its records retention schedule, a state or
local governmental entity shall schedule the retention of personal
information only for the period necessary to accomplish the purpose
for which the information was collected or, if applicable, for the
minimum period specifically prescribed by statute.
(b) Subsection (a) does not apply to the retention of
personal information that has demonstrable historical or archival
value.
Sec. 561.054. GENERAL PRIVACY POLICIES. (a) A state or
local governmental entity shall develop a privacy policy that
completely describes in plainly written language:
(1) the reasons that the governmental entity requires
or collects each category of personal information about individuals
that the entity requires or collects;
(2) the procedures used to require or collect the
information;
(3) the persons to whom the information may be
disclosed;
(4) the manner in which the information may be
disclosed; and
(5) any current arrangement under which the
governmental entity sells personal information about individuals
or discloses the information under a contract or agreement or in
bulk.
(b) The state or local governmental entity shall promptly
amend the privacy policy whenever information in the policy becomes
incorrect or incomplete.
(c) The state or local governmental entity shall
prominently post its current privacy policy:
(1) through a prominent link on the main Internet site
maintained by or for the governmental entity; and
(2) next to the sign that the governmental entity
posts under Section 552.205.
Sec. 561.055. GOVERNMENT INTERNET SITES; PRIVACY POLICY.
(a) The Department of Information Resources shall adopt rules
prescribing minimum privacy standards with which an Internet site
or portal maintained by or for a state or local governmental entity
must comply. The rules must:
(1) be designed to limit the collection of personal
information about users of the government Internet site or portal
to information:
(A) that the state or local governmental entity
needs in order to accomplish a legitimate government purpose;
(B) that the user of the site or portal knowingly
and intentionally transmits to the state or local governmental
entity; or
(C) regarding the collection of which the user of
the site or portal has actively given informed consent;
(2) provide that personal information stored online
must be unavailable to unauthorized persons in accordance with
Subchapter D; and
(3) require that the Internet site or portal have
security measures to prevent an unauthorized person from
downloading personal information in bulk.
(b) In adopting its rules under this section, the Department
of Information Resources shall consider policies adopted by other
states and the federal government in this regard.
(c) A state or local governmental entity that maintains an
Internet site or portal or for which an Internet site or portal is
maintained shall adopt a privacy policy regarding information
collected through the site or portal and provide a prominent link to
the policy for users of the site or portal. The policy must be
consistent with the rules adopted by the Department of Information
Resources under this section and must be included as a prominent
separate element of the general privacy policy that the entity is
required to develop and to which it must provide an Internet link
under Section 561.054.
Sec. 561.056. STATE AUDITOR. (a) The state auditor shall
establish auditing guidelines to ensure that state and local
governmental entities that the state auditor has authority to audit
under other law:
(1) do not routinely collect or retain more personal
information than an entity needs to accomplish a legitimate
governmental purpose of the entity; and
(2) have established an information management system
that protects the privacy and security of information in accordance
with applicable state and federal law.
(b) During an appropriate type of audit, the state auditor
may audit a state or local governmental entity for compliance with
the guidelines established under Subsection (a).
[Sections 561.057-561.100 reserved for expansion]
SUBCHAPTER C. GUIDELINES
Sec. 561.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING
PRIVACY AND SECURITY ISSUES. (a) The attorney general may
establish guidelines for state and local governmental entities to
follow when considering privacy and security issues that arise in
connection with requests for public information. The guidelines
shall address procedural safeguards, legal issues, and other issues
that in the opinion of the attorney general would help state and
local governmental entities comply with applicable law and
recommended information practices when handling personal
information or information related to security. The guidelines
shall balance the need for open government with respect for
personal privacy and with the security needs of this state.
(b) The attorney general may establish guidelines for
sharing information for security purposes among state, local, and
federal governmental entities and with the private sector. The
guidelines must ensure the protection of personal privacy to the
extent feasible and must clarify and explain the legal consequences
of sharing the information.
(c) The guidelines do not create exceptions from required
disclosure under Chapter 552.
Sec. 561.102. OPEN RECORDS STEERING COMMITTEE; RECORDS
MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records
steering committee established under Section 552.009 shall
periodically study and determine the implications for the personal
privacy of individuals and for the security of this state of putting
information held by government on the Internet and shall include
its findings and recommendations in reports the committee makes
under Section 552.009.
(b) The Records Management Interagency Coordinating Council
established under Section 441.203 shall provide guidance and policy
direction to state and local governmental entities in appropriately
incorporating developments in electronic management of information
into their information management systems in ways that protect
personal privacy and the security of this state and promote
appropriate public access to public information that is not
excepted from required public disclosure.
[Sections 561.103-561.150 reserved for expansion]
SUBCHAPTER D. INFORMATION IN ELECTRONIC FORM
Sec. 561.151. DEFINITION. In this subchapter, "remote
access" means the ability of a person to search, inspect, or copy
information in a record through the Internet or other electronic
means without being physically present at the location of the
original record or a copy of the record.
Sec. 561.152. CERTAIN INFORMATION NOT REMOTELY ACCESSIBLE.
A state or local governmental entity may not permit remote access by
a member of the public to personal information contained in the
entity's records.
Sec. 561.153. RESTRICTIONS ON REMOTE ACCESS. (a) A
governmental entity may by rule impose reasonable conditions for
remote access to government records, including requiring the person
remotely accessing the record to:
(1) agree not to attempt unauthorized access;
(2) consent to monitoring of the access to the
records; and
(3) register with the governmental entity.
(b) A governmental entity may deny remote access to a person
who does not comply with the conditions imposed under this section.
Sec. 561.154. DISSEMINATION OF INFORMATION BY ELECTRONIC
MEANS. A governmental entity may not download or transfer personal
information in bulk by electronic means unless the entity adopts
rules to narrowly define the information that may be posted online
for an electronic download.
Sec. 561.155. CONTRACTS WITH OTHER PERSONS. A governmental
entity may not contract with a person for the gathering, storage, or
creation in electronic format of the governmental entity's records
unless the contract:
(1) states that the governmental entity retains all
rights to the information contained in the records and the
photographs or images of the information; and
(2) prohibits the person who gathers, stores, or
creates the records from distributing information contained in the
records.
SECTION 5. Section 118.0216(d), Local Government Code, is
amended to read as follows:
(d) The fee may be used only to provide funds for specific
records management and preservation, including for automation
purposes or for conforming with applicable laws regarding
confidential information.
SECTION 6. Section 32.51(c), Penal Code, is amended to read
as follows:
(c) An offense under this section is a third degree [state
jail] felony.
SECTION 7. (a) An institution of higher education that is
not exempt from Chapter 142, Civil Practice and Remedies Code, as
added by this Act, under Section 142.002(c)(2), Civil Practice and
Remedies Code, as added by this Act, must comply with Chapter 142 on
or before September 1, 2007.
(b) Each state and local governmental entity shall examine
its records retention schedule and amend the schedule so that it
complies with Section 561.053, Government Code, as added by this
Act.
SECTION 8. (a) The change in law made by this Act to Section
32.51, Penal Code, applies only to an offense committed on or after
the effective date of this Act. For purposes of this section, an
offense is committed before the effective date of this Act if any
element of the offense occurs before the effective date.
(b) An offense committed before the effective date of this
Act is covered by the law in effect when the offense was committed,
and the former law is continued in effect for that purpose.
SECTION 9. (a) Except as provided by Subsection (b) of this
section, this Act takes effect September 1, 2005.
(b) Section 2 of this Act takes effect January 1, 2006.