79R6472 ATP-F

By:  Isett                                                        H.B. No. 3278


A BILL TO BE ENTITLED
AN ACT
relating to the management, security, and protection of personal information and governmental records; providing a criminal penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 35.50, Business & Commerce Code, is amended by adding Subsection (b-1) and amending Subsection (c) to read as follows:
(b-1) A business that is not owned by a governmental entity may not require a biometric identifier of an individual for membership or to identify the individual.
(c) A person who possesses a biometric identifier of an individual: (1) may not sell, lease, or otherwise disclose the biometric identifier to another person unless: (A) the person is not a business or is owned by a governmental entity, and: (i) the individual consents to the disclosure; (ii) [(B)] the disclosure completes a financial transaction requested or authorized by the individual; (iii) [(C)] the disclosure is required or permitted by a federal statute or by a state statute other than Chapter 552, Government Code; or (iv) [(D)] the disclosure is made by or to a law enforcement agency for a law enforcement purpose; or (B) the person is a business that is not owned by a governmental entity, and the disclosure is required by a warrant, subpoena, or other order issued after due process; and (2) shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects the person's other confidential information.
SECTION 2. Title 6, Civil Practice and Remedies Code, is amended by adding Chapter 142 to read as follows:
CHAPTER 142. CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS
Sec. 142.001. APPLICABILITY. This chapter does not apply to public records or court records.
Sec. 142.002. PROHIBITED USES. (a) In this section, "publicly display" means to intentionally communicate or otherwise make available to the general public.
(b) A person, including a governmental body, as defined by Section 552.003, Government Code, may not: (1) publicly display in any manner an individual's social security number; (2) require an individual to transmit a social security number over the Internet, unless the connection is secure or the social security number is encrypted; (3) require an individual to use a social security number to access an Internet website; (4) print an individual's social security number on any card required for the individual to have access to products or services provided by the person, unless required by state or federal law; (5) print an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be printed on the document to be mailed; or (6) require an individual's social security number to allow the individual access to the products or services provided by the person, unless required by state or federal law.
(c) Subsection (b)(5) does not apply to applications or forms sent by mail, including a document sent: (1) as part of an application or enrollment process; (2) to establish, amend, or terminate an account, contract, or policy; or (3) to confirm the accuracy of a social security number.
Sec. 142.003. PERMITTED USES. (a) A person may collect, use, or release a social security number for internal verification or administrative purposes.
(b) A person who, before January 1, 2007, has used an individual's social security number in a manner prohibited by Section 142.002 may continue using that individual's social security number in the same manner if: (1) the use of the social security number is continuous; and (2) the person provides the individual with an annual disclosure, beginning January 1, 2008, informing the individual of the right to stop the use of the social security number in the manner prohibited by Section 142.002.
(c) This chapter does not apply to: (1) a person who collects, uses, or releases a social security number if the person is required to collect, use, or release the social security number by federal or state law, including Chapter 552, Government Code; or (2) an institution of higher education if the use of the social security number by the institution is regulated under the Education Code.
Sec. 142.004. DISCONTINUANCE OF USE ON REQUEST. (a) If a person receives a written request from an individual directing the person to stop using the individual's social security number in a manner prohibited by Section 142.002, the person shall comply with the request not later than the 30th day after the date the request is received.
(b) The person may not impose a fee or charge for complying with the request.
Sec. 142.005. DENIAL OF SERVICES PROHIBITED. A person may not deny products or services to an individual because the individual makes a written request to discontinue use under Section 142.004.
SECTION 3. Section 560.002, Government Code, is amended to read as follows:
Sec. 560.002. DISCLOSURE OF BIOMETRIC IDENTIFIER.
A governmental body that possesses a biometric identifier of an individual: (1) may not sell, lease, or otherwise disclose the biometric identifier to another person unless: (A) the individual consents to the disclosure; (B) the disclosure is required or permitted by a federal statute or by a state statute other than Chapter 552; or (C) the disclosure is made by or to a law enforcement agency for a law enforcement purpose; [and] (2) shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the governmental body stores, transmits, and protects its other confidential information; and (3) may not store a biometric identifier in a database.
SECTION 4. Subtitle A, Title 5, Government Code, is amended by adding Chapter 561 to read as follows:
CHAPTER 561. TEXAS PRIVACY AND SECURITY ACT
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 561.001. SHORT TITLE. This chapter may be cited as the Texas Privacy and Security Act.
Sec. 561.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY AND SECURITY PRINCIPLES. (a) The legislature finds that: (1) an increasing number of individuals in this state are concerned that: (A) personal information held by government may be used inappropriately; (B) unauthorized persons may have access to that information; and (C) some of the information may be inaccurate, incomplete, or unnecessary for the effective functioning of government; and (2) in response to the findings stated by Subdivision (1), each state and local governmental entity in this state must be committed to strengthening privacy protections for personal information held by government in a manner consistent with the public's right to complete information about the affairs of government and the official acts of public officials and employees.
(b) The legislature also finds that: (1) because inadvertent release, careless storage, or improper disposal of information could result in embarrassment or other harm to individuals, each state and local governmental entity: (A) has an obligation to protect personal information in the manner required by law; and (B) must exercise particular care in protecting records containing sensitive and private personal information about health or financial matters and in protecting personal identifiers, such as a social security number; (2) each state and local governmental entity must strive to balance the need to collect or protect information that relates to the security needs of this state with the need for open government and with the need to protect personal privacy; and (3) each state and local governmental entity should take affirmative steps to make information about government activities fully and easily available to the public unless there is a demonstrated security risk in doing so.
(c) It is the policy of this state that: (1) an individual has a right to know how personal information about the individual is handled by government and the extent to which the information may be disclosed or must be kept confidential under law; and (2) state and local governmental entities should share information as necessary to ensure accountability in government programs or the security of this state while protecting personal information from inappropriate dissemination to the extent possible.
Sec. 561.003. DEFINITIONS. In this chapter: (1) "Personal information" means information about an individual such as: (A) the individual's home address, home telephone number, social security number, date of birth, physical characteristics, and similar information about the individual; (B) information about an individual's marital status or history, whether the individual has family members, and information about the individual's family members; and (C) personally identifiable information about the individual's health or health history, finances or financial history, and purchases made from government. (2) "Governmental entity" does not include a court other than a commissioners court.
Sec. 561.004. APPLICABILITY. This chapter does not apply to information held by or for a court other than a commissioners court.
Sec. 561.005. CONSTRUCTION WITH OTHER LAW. This chapter does not affect: (1) the ability of a state or local governmental entity to undertake a lawful investigation or to protect persons, property, or the environment in the manner authorized by law; or (2) the duty of a state or local governmental entity to comply with applicable law.
[Sections 561.006-561.050 reserved for expansion]
SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
Sec. 561.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a) This section applies only to the disclosure by a governmental entity of information that reveals an individual's: (1) social security number; (2) bank account number, credit card account number, or other financial account number; or (3) computer password or computer network location or identity.
(b) A state or local governmental entity may not disclose information described by Subsection (a) under Chapter 552 or other law unless the attorney general authorizes the disclosure after determining that: (1) there is a compelling governmental interest in disclosing the information that cannot be effectively accomplished without the disclosure; or (2) due to extraordinary circumstances, the information is especially relevant to a matter of intense public concern.
(c) The requestor of the information or the state or local governmental entity may request the attorney general to authorize the disclosure of information described by Subsection (a).
(d) A state or local governmental entity is not required to request a decision of the attorney general under Subchapter G, Chapter 552, before refusing to disclose a social security number, bank account number, credit card account number, other financial account number, computer password, or computer network location or identity in response to a request made under Chapter 552. The state or local governmental entity shall inform the requestor that the requested information is being withheld under this section and that the requestor is entitled to request the attorney general to authorize the disclosure.
(e) The attorney general may adopt rules to implement this section, including rules that describe appropriate and clearly defined circumstances under which a category of information described by Subsection (a) is presumed to satisfy a requirement of Subsection (b) and therefore may be disclosed without the necessity of obtaining specific authorization for the disclosure from the attorney general. A rule of the attorney general that describes circumstances under which information presumptively may be disclosed may limit disclosure to specific state, local, or federal authorities or may allow the information to be generally disclosed under Chapter 552, as appropriate.
(f) The attorney general shall develop procedures under which the office of the attorney general will expedite a decision whether to authorize disclosure of information described by Subsection (a) when expedited consideration is warranted under the circumstances.
(g) A decision of the attorney general under this section may be challenged in court in the same manner that a decision of the attorney general may be challenged under Subchapter G, Chapter 552.
(h) If information described by Subsection (a) is requested under Chapter 552, Section 552.325 applies in relation to the individual who is the subject of the information in the same manner as if the individual were a requestor of the information, except that the attorney general shall notify the individual under Section 552.325(c) if the attorney general proposes to agree to the release of all or part of the information.
Sec. 561.052. COLLECTION OF PERSONAL INFORMATION. A state or local governmental entity shall establish procedures to ensure that the governmental entity collects personal information only to the extent reasonably necessary to: (1) implement a program; (2) authenticate an individual's identity when necessary; (3) ensure security; or (4) accomplish another legitimate governmental purpose.
Sec. 561.053. RECORDS RETENTION SCHEDULES.
(a) In adopting or amending its records retention schedule, a state or local governmental entity shall schedule the retention of personal information only for the period necessary to accomplish the purpose for which the information was collected or, if applicable, for the minimum period specifically prescribed by statute.
(b) Subsection (a) does not apply to the retention of personal information that has demonstrable historical or archival value.
Sec. 561.054. GENERAL PRIVACY POLICIES. (a) A state or local governmental entity shall develop a privacy policy that completely describes in plainly written language: (1) the reasons that the governmental entity requires or collects each category of personal information about individuals that the entity requires or collects; (2) the procedures used to require or collect the information; (3) the persons to whom the information may be disclosed; (4) the manner in which the information may be disclosed; and (5) any current arrangement under which the governmental entity sells personal information about individuals or discloses the information under a contract or agreement or in bulk.
(b) The state or local governmental entity shall promptly amend the privacy policy whenever information in the policy becomes incorrect or incomplete.
(c) The state or local governmental entity shall prominently post its current privacy policy: (1) through a prominent link on the main Internet site maintained by or for the governmental entity; and (2) next to the sign that the governmental entity posts under Section 552.205.
Sec. 561.055. GOVERNMENT INTERNET SITES; PRIVACY POLICY. (a) The Department of Information Resources shall adopt rules prescribing minimum privacy standards with which an Internet site or portal maintained by or for a state or local governmental entity must comply.
The rules must be designed to limit the collection of personal information about users of the government Internet site or portal to information: (1) that the state or local governmental entity needs in order to accomplish a legitimate government purpose; (2) that the user of the site or portal knowingly and intentionally transmits to the state or local governmental entity; or (3) regarding the collection of which the user of the site or portal has actively given informed consent.
(b) In adopting its rules under this section, the Department of Information Resources shall consider policies adopted by other states and the federal government in this regard.
(c) A state or local governmental entity that maintains an Internet site or portal or for which an Internet site or portal is maintained shall adopt a privacy policy regarding information collected through the site or portal and provide a prominent link to the policy for users of the site or portal. The policy must be consistent with the rules adopted by the Department of Information Resources under this section and must be included as a prominent separate element of the general privacy policy that the entity is required to develop and to which it must provide an Internet link under Section 561.054.
Sec. 561.056. STATE AUDITOR. (a) The state auditor shall establish auditing guidelines to ensure that state and local governmental entities that the state auditor has authority to audit under other law: (1) do not routinely collect or retain more personal information than an entity needs to accomplish a legitimate governmental purpose of the entity; and (2) have established an information management system that protects the privacy and security of information in accordance with applicable state and federal law.
(b) During an appropriate type of audit, the state auditor may audit a state or local governmental entity for compliance with the guidelines established under Subsection (a).
[Sections 561.057-561.100 reserved for expansion]
SUBCHAPTER C. GUIDELINES
Sec. 561.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING PRIVACY AND SECURITY ISSUES. (a) The attorney general shall establish guidelines for state and local governmental entities to follow when considering privacy and security issues that arise in connection with requests for public information. The guidelines shall address procedural safeguards, legal issues, and other issues that in the opinion of the attorney general would help state and local governmental entities comply with applicable law and recommended information practices when handling personal information or information related to security. The guidelines shall balance the need for open government with respect for personal privacy and with the security needs of this state.
(b) The attorney general shall establish guidelines for sharing information for security purposes among state, local, and federal governmental entities and with the private sector. The guidelines must ensure the protection of personal privacy to the extent feasible and must clarify and explain the legal consequences of sharing the information.
(c) The guidelines do not create exceptions from required disclosure under Chapter 552.
Sec. 561.102. OPEN RECORDS STEERING COMMITTEE; RECORDS MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records steering committee established under Section 552.009 shall periodically study and determine the implications for the personal privacy of individuals and for the security of this state of putting information held by government on the Internet and shall include its findings and recommendations in reports the committee makes under Section 552.009.
(b) The Records Management Interagency Coordinating Council established under Section 441.203 shall provide guidance and policy direction to state and local governmental entities in appropriately incorporating developments in electronic management of information into their information management systems in ways that protect personal privacy and the security of this state and promote appropriate public access to public information that is not excepted from required public disclosure.
SECTION 5. Section 118.0216, Local Government Code, is amended by amending Subsection (d) and adding Subsection (f) to read as follows:
(d) Except as provided by Subsection (f), the [The] fee may be used only to provide funds for specific records management and preservation, including for automation purposes.
(f) The commissioners court of a county may use the fees collected for "Records Management and Preservation" under Section 118.011 that are not needed for use as provided by Subsection (d) for any county purpose.
SECTION 6. Section 118.025(j), Local Government Code, is amended to read as follows:
(j) Any excess funds generated from the collection of a fee under this section remaining after completion of a county records archive preservation and restoration project may be expended [only] for any county purpose [the purposes described by Section 118.0216]. The commissioners court of a county may not order the collection of a fee authorized by this section after the county records archive preservation and restoration is complete.
SECTION 7. Section 32.51(c), Penal Code, is amended to read as follows:
(c) An offense under this section is a third degree [state jail] felony.
SECTION 8. (a) An institution of higher education that is not exempt from Chapter 142, Civil Practice and Remedies Code, as added by this Act, under Section 142.003(c)(2), Civil Practice and Remedies Code, as added by this Act, must comply with Chapter 142 on or before September 1, 2007.
(b) Each state and local governmental entity shall examine its records retention schedule and amend the schedule so that it complies with Section 561.053, Government Code, as added by this Act.
SECTION 9. (a) The change in law made by this Act to Section 32.51, Penal Code, applies only to an offense committed on or after the effective date of this Act. For purposes of this section, an offense is committed before the effective date of this Act if any element of the offense occurs before the effective date.
(b) An offense committed before the effective date of this Act is covered by the law in effect when the offense was committed, and the former law is continued in effect for that purpose.
SECTION 10. (a) Except as provided by Subsection (b) of this section, this Act takes effect September 1, 2005.
(b) Section 2 of this Act takes effect January 1, 2006.