79R6472 ATP-F
By: Isett H.B. No. 3278
A BILL TO BE ENTITLED
AN ACT
relating to the management, security, and protection of personal
information and governmental records; providing a criminal
penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 35.50, Business & Commerce Code, is
amended by adding Subsection (b-1) and amending Subsection (c) to
read as follows:
(b-1) A business that is not owned by a governmental entity
may not require a biometric identifier of an individual for
membership or to identify the individual.
(c) A person who possesses a biometric identifier of an
individual:
(1) may not sell, lease, or otherwise disclose the
biometric identifier to another person unless:
(A) the person is not a business or is owned by a
governmental entity, and:
(i) the individual consents to the
disclosure;
(ii) [(B)] the disclosure completes a
financial transaction requested or authorized by the individual;
(iii) [(C)] the disclosure is required or
permitted by a federal statute or by a state statute other than
Chapter 552, Government Code; or
(iv) [(D)] the disclosure is made by or to a
law enforcement agency for a law enforcement purpose; or
(B) the person is a business that is not owned by
a governmental entity, and the disclosure is required by a warrant,
subpoena, or other order issued after due process; and
(2) shall store, transmit, and protect from disclosure
the biometric identifier using reasonable care and in a manner that
is the same as or more protective than the manner in which the
person stores, transmits, and protects the person's other
confidential information.
SECTION 2. Title 6, Civil Practice and Remedies Code, is
amended by adding Chapter 142 to read as follows:
CHAPTER 142. CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS
Sec. 142.001. APPLICABILITY. This chapter does not apply
to public records or court records.
Sec. 142.002. PROHIBITED USES. (a) In this section,
"publicly display" means to intentionally communicate or otherwise
make available to the general public.
(b) A person, including a governmental body, as defined by
Section 552.003, Government Code, may not:
(1) publicly display in any manner an individual's
social security number;
(2) require an individual to transmit a social
security number over the Internet, unless the connection is secure
or the social security number is encrypted;
(3) require an individual to use a social security
number to access an Internet website;
(4) print an individual's social security number on
any card required for the individual to have access to products or
services provided by the person, unless required by state or
federal law;
(5) print an individual's social security number on
any materials that are mailed to the individual, unless state or
federal law requires the social security number to be printed on the
document to be mailed; or
(6) require an individual's social security number to
allow the individual access to the products or services provided by
the person, unless required by state or federal law.
(c) Subsection (b)(5) does not apply to applications or
forms sent by mail, including a document sent:
(1) as part of an application or enrollment process;
(2) to establish, amend, or terminate an account,
contract, or policy; or
(3) to confirm the accuracy of a social security
number.
Sec. 142.003. PERMITTED USES. (a) A person may collect,
use, or release a social security number for internal verification
or administrative purposes.
(b) A person who, before January 1, 2007, has used an
individual's social security number in a manner prohibited by
Section 142.002 may continue using that individual's social
security number in the same manner if:
(1) the use of the social security number is
continuous; and
(2) the person provides the individual with an annual
disclosure, beginning January 1, 2008, informing the individual of
the right to stop the use of the social security number in the
manner prohibited by Section 142.002.
(c) This chapter does not apply to:
(1) a person who collects, uses, or releases a social
security number if the person is required to collect, use, or
release the social security number by federal or state law,
including Chapter 552, Government Code; or
(2) an institution of higher education if the use of
the social security number by the institution is regulated under
the Education Code.
Sec. 142.004. DISCONTINUANCE OF USE ON REQUEST. (a) If a
person receives a written request from an individual directing the
person to stop using the individual's social security number in a
manner prohibited by Section 142.002, the person shall comply with
the request not later than the 30th day after the date the request
is received.
(b) The person may not impose a fee or charge for complying
with the request.
Sec. 142.005. DENIAL OF SERVICES PROHIBITED. A person may
not deny products or services to an individual because the
individual makes a written request to discontinue use under Section
142.004.
SECTION 3. Section 560.002, Government Code, is amended to
read as follows:
Sec. 560.002. DISCLOSURE OF BIOMETRIC IDENTIFIER. A
governmental body that possesses a biometric identifier of an
individual:
(1) may not sell, lease, or otherwise disclose the
biometric identifier to another person unless:
(A) the individual consents to the disclosure;
(B) the disclosure is required or permitted by a
federal statute or by a state statute other than Chapter 552; or
(C) the disclosure is made by or to a law
enforcement agency for a law enforcement purpose; [and]
(2) shall store, transmit, and protect from disclosure
the biometric identifier using reasonable care and in a manner that
is the same as or more protective than the manner in which the
governmental body stores, transmits, and protects its other
confidential information; and
(3) may not store a biometric identifier in a
database.
SECTION 4. Subtitle A, Title 5, Government Code, is amended
by adding Chapter 561 to read as follows:
CHAPTER 561. TEXAS PRIVACY AND SECURITY ACT
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 561.001. SHORT TITLE. This chapter may be cited as the
Texas Privacy and Security Act.
Sec. 561.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY AND
SECURITY PRINCIPLES. (a) The legislature finds that:
(1) an increasing number of individuals in this state
are concerned that:
(A) personal information held by government may
be used inappropriately;
(B) unauthorized persons may have access to that
information; and
(C) some of the information may be inaccurate,
incomplete, or unnecessary for the effective functioning of
government; and
(2) in response to the findings stated by Subdivision
(1), each state and local governmental entity in this state must be
committed to strengthening privacy protections for personal
information held by government in a manner consistent with the
public's right to complete information about the affairs of
government and the official acts of public officials and employees.
(b) The legislature also finds that:
(1) because inadvertent release, careless storage, or
improper disposal of information could result in embarrassment or
other harm to individuals, each state and local governmental
entity:
(A) has an obligation to protect personal
information in the manner required by law; and
(B) must exercise particular care in protecting
records containing sensitive and private personal information
about health or financial matters and in protecting personal
identifiers, such as a social security number;
(2) each state and local governmental entity must
strive to balance the need to collect or protect information that
relates to the security needs of this state with the need for open
government and with the need to protect personal privacy; and
(3) each state and local governmental entity should
take affirmative steps to make information about government
activities fully and easily available to the public unless there is
a demonstrated security risk in doing so.
(c) It is the policy of this state that:
(1) an individual has a right to know how personal
information about the individual is handled by government and the
extent to which the information may be disclosed or must be kept
confidential under law; and
(2) state and local governmental entities should share
information as necessary to ensure accountability in government
programs or the security of this state while protecting personal
information from inappropriate dissemination to the extent
possible.
Sec. 561.003. DEFINITIONS. In this chapter:
(1) "Personal information" means information about an
individual such as:
(A) the individual's home address, home
telephone number, social security number, date of birth, physical
characteristics, and similar information about the individual;
(B) information about an individual's marital
status or history, whether the individual has family members, and
information about the individual's family members; and
(C) personally identifiable information about
the individual's health or health history, finances or financial
history, and purchases made from government.
(2) "Governmental entity" does not include a court
other than a commissioners court.
Sec. 561.004. APPLICABILITY. This chapter does not apply
to information held by or for a court other than a commissioners
court.
Sec. 561.005. CONSTRUCTION WITH OTHER LAW. This chapter
does not affect:
(1) the ability of a state or local governmental
entity to undertake a lawful investigation or to protect persons,
property, or the environment in the manner authorized by law; or
(2) the duty of a state or local governmental entity to
comply with applicable law.
[Sections 561.006-561.050 reserved for expansion]
SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
Sec. 561.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION;
COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a)
This section applies only to the disclosure by a governmental
entity of information that reveals an individual's:
(1) social security number;
(2) bank account number, credit card account number,
or other financial account number; or
(3) computer password or computer network location or
identity.
(b) A state or local governmental entity may not disclose
information described by Subsection (a) under Chapter 552 or other
law unless the attorney general authorizes the disclosure after
determining that:
(1) there is a compelling governmental interest in
disclosing the information that cannot be effectively accomplished
without the disclosure; or
(2) due to extraordinary circumstances, the
information is especially relevant to a matter of intense public
concern.
(c) The requestor of the information or the state or local
governmental entity may request the attorney general to authorize
the disclosure of information described by Subsection (a).
(d) A state or local governmental entity is not required to
request a decision of the attorney general under Subchapter G,
Chapter 552, before refusing to disclose a social security number,
bank account number, credit card account number, other financial
account number, computer password, or computer network location or
identity in response to a request made under Chapter 552. The state
or local governmental entity shall inform the requestor that the
requested information is being withheld under this section and that
the requestor is entitled to request the attorney general to
authorize the disclosure.
(e) The attorney general may adopt rules to implement this
section, including rules that describe appropriate and clearly
defined circumstances under which a category of information
described by Subsection (a) is presumed to satisfy a requirement of
Subsection (b) and therefore may be disclosed without the necessity
of obtaining specific authorization for the disclosure from the
attorney general. A rule of the attorney general that describes
circumstances under which information presumptively may be
disclosed may limit disclosure to specific state, local, or federal
authorities or may allow the information to be generally disclosed
under Chapter 552, as appropriate.
(f) The attorney general shall develop procedures under
which the office of the attorney general will expedite a decision
whether to authorize disclosure of information described by
Subsection (a) when expedited consideration is warranted under the
circumstances.
(g) A decision of the attorney general under this section
may be challenged in court in the same manner that a decision of the
attorney general may be challenged under Subchapter G, Chapter 552.
(h) If information described by Subsection (a) is requested
under Chapter 552, Section 552.325 applies in relation to the
individual who is the subject of the information in the same manner
as if the individual were a requestor of the information, except
that the attorney general shall notify the individual under Section
552.325(c) if the attorney general proposes to agree to the release
of all or part of the information.
Sec. 561.052. COLLECTION OF PERSONAL INFORMATION. A state
or local governmental entity shall establish procedures to ensure
that the governmental entity collects personal information only to
the extent reasonably necessary to:
(1) implement a program;
(2) authenticate an individual's identity when
necessary;
(3) ensure security; or
(4) accomplish another legitimate governmental
purpose.
Sec. 561.053. RECORDS RETENTION SCHEDULES. (a) In
adopting or amending its records retention schedule, a state or
local governmental entity shall schedule the retention of personal
information only for the period necessary to accomplish the purpose
for which the information was collected or, if applicable, for the
minimum period specifically prescribed by statute.
(b) Subsection (a) does not apply to the retention of
personal information that has demonstrable historical or archival
value.
Sec. 561.054. GENERAL PRIVACY POLICIES. (a) A state or
local governmental entity shall develop a privacy policy that
completely describes in plainly written language:
(1) the reasons that the governmental entity requires
or collects each category of personal information about individuals
that the entity requires or collects;
(2) the procedures used to require or collect the
information;
(3) the persons to whom the information may be
disclosed;
(4) the manner in which the information may be
disclosed; and
(5) any current arrangement under which the
governmental entity sells personal information about individuals
or discloses the information under a contract or agreement or in
bulk.
(b) The state or local governmental entity shall promptly
amend the privacy policy whenever information in the policy becomes
incorrect or incomplete.
(c) The state or local governmental entity shall
prominently post its current privacy policy:
(1) through a prominent link on the main Internet site
maintained by or for the governmental entity; and
(2) next to the sign that the governmental entity
posts under Section 552.205.
Sec. 561.055. GOVERNMENT INTERNET SITES; PRIVACY POLICY.
(a) The Department of Information Resources shall adopt rules
prescribing minimum privacy standards with which an Internet site
or portal maintained by or for a state or local governmental entity
must comply. The rules must be designed to limit the collection of
personal information about users of the government Internet site or
portal to information:
(1) that the state or local governmental entity needs
in order to accomplish a legitimate government purpose;
(2) that the user of the site or portal knowingly and
intentionally transmits to the state or local governmental entity;
or
(3) regarding the collection of which the user of the
site or portal has actively given informed consent.
(b) In adopting its rules under this section, the Department
of Information Resources shall consider policies adopted by other
states and the federal government in this regard.
(c) A state or local governmental entity that maintains an
Internet site or portal or for which an Internet site or portal is
maintained shall adopt a privacy policy regarding information
collected through the site or portal and provide a prominent link to
the policy for users of the site or portal. The policy must be
consistent with the rules adopted by the Department of Information
Resources under this section and must be included as a prominent
separate element of the general privacy policy that the entity is
required to develop and to which it must provide an Internet link
under Section 561.054.
Sec. 561.056. STATE AUDITOR. (a) The state auditor shall
establish auditing guidelines to ensure that state and local
governmental entities that the state auditor has authority to audit
under other law:
(1) do not routinely collect or retain more personal
information than an entity needs to accomplish a legitimate
governmental purpose of the entity; and
(2) have established an information management system
that protects the privacy and security of information in accordance
with applicable state and federal law.
(b) During an appropriate type of audit, the state auditor
may audit a state or local governmental entity for compliance with
the guidelines established under Subsection (a).
[Sections 561.057-561.100 reserved for expansion]
SUBCHAPTER C. GUIDELINES
Sec. 561.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING
PRIVACY AND SECURITY ISSUES. (a) The attorney general shall
establish guidelines for state and local governmental entities to
follow when considering privacy and security issues that arise in
connection with requests for public information. The guidelines
shall address procedural safeguards, legal issues, and other issues
that in the opinion of the attorney general would help state and
local governmental entities comply with applicable law and
recommended information practices when handling personal
information or information related to security. The guidelines
shall balance the need for open government with respect for
personal privacy and with the security needs of this state.
(b) The attorney general shall establish guidelines for
sharing information for security purposes among state, local, and
federal governmental entities and with the private sector. The
guidelines must ensure the protection of personal privacy to the
extent feasible and must clarify and explain the legal consequences
of sharing the information.
(c) The guidelines do not create exceptions from required
disclosure under Chapter 552.
Sec. 561.102. OPEN RECORDS STEERING COMMITTEE; RECORDS
MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records
steering committee established under Section 552.009 shall
periodically study and determine the implications for the personal
privacy of individuals and for the security of this state of putting
information held by government on the Internet and shall include
its findings and recommendations in reports the committee makes
under Section 552.009.
(b) The Records Management Interagency Coordinating Council
established under Section 441.203 shall provide guidance and policy
direction to state and local governmental entities in appropriately
incorporating developments in electronic management of information
into their information management systems in ways that protect
personal privacy and the security of this state and promote
appropriate public access to public information that is not
excepted from required public disclosure.
SECTION 5. Section 118.0216, Local Government Code, is
amended by amending Subsection (d) and adding Subsection (f) to
read as follows:
(d) Except as provided by Subsection (f), the [The] fee may
be used only to provide funds for specific records management and
preservation, including for automation purposes.
(f) The commissioners court of a county may use the fees
collected for "Records Management and Preservation" under Section
118.011 that are not needed for use as provided by Subsection (d)
for any county purpose.
SECTION 6. Section 118.025(j), Local Government Code, is
amended to read as follows:
(j) Any excess funds generated from the collection of a fee
under this section remaining after completion of a county records
archive preservation and restoration project may be expended [only]
for any county purpose [the purposes described by Section
118.0216]. The commissioners court of a county may not order the
collection of a fee authorized by this section after the county
records archive preservation and restoration is complete.
SECTION 7. Section 32.51(c), Penal Code, is amended to read
as follows:
(c) An offense under this section is a third degree [state
jail] felony.
SECTION 8. (a) An institution of higher education that is
not exempt from Chapter 142, Civil Practice and Remedies Code, as
added by this Act, under Section 142.003(c)(2), Civil Practice and
Remedies Code, as added by this Act, must comply with Chapter 142 on
or before September 1, 2007.
(b) Each state and local governmental entity shall examine
its records retention schedule and amend the schedule so that it
complies with Section 561.053, Government Code, as added by this
Act.
SECTION 9. (a) The change in law made by this Act to Section
32.51, Penal Code, applies only to an offense committed on or after
the effective date of this Act. For purposes of this section, an
offense is committed before the effective date of this Act if any
element of the offense occurs before the effective date.
(b) An offense committed before the effective date of this
Act is covered by the law in effect when the offense was committed,
and the former law is continued in effect for that purpose.
SECTION 10. (a) Except as provided by Subsection (b) of
this section, this Act takes effect September 1, 2005.
(b) Section 2 of this Act takes effect January 1, 2006.