A BILL TO BE ENTITLED
AN ACT
relating to the management, security, and protection of personal information and governmental records; providing a criminal penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 35.50, Business & Commerce Code, is amended by adding Subsection (b-1) and amending Subsection (c) to read as follows:
(b-1) A business that is not owned by a governmental entity may not require a biometric identifier of an individual for membership or to identify the individual.
(c) A person who possesses a biometric identifier of an individual:
(1) may not sell, lease, or otherwise disclose the biometric identifier to another person unless:
(A) the person is not a business or is owned by a governmental entity, and:
(i) the individual consents to the disclosure;
(ii) [(B)] the disclosure completes a financial transaction requested or authorized by the individual;
(iii) [(C)] the disclosure is required or permitted by a federal statute or by a state statute other than Chapter 552, Government Code; or
(iv) [(D)] the disclosure is made by or to a law enforcement agency for a law enforcement purpose; or
(B) the person is a business that is not owned by a governmental entity, and the disclosure is required by a warrant, subpoena, or other order issued after due process; and
(2) shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects the person's other confidential information.
SECTION 2. Title 6, Civil Practice and Remedies Code, is amended by adding Chapter 142 to read as follows:
CHAPTER 142. CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS
Sec. 142.001. APPLICABILITY. This chapter does not apply to public records or court records.
Sec. 142.002. PROHIBITED USES. (a) In this section, "publicly display" means to intentionally communicate or otherwise make available to the general public.
(b) A person, including a governmental body as defined by Section 552.003, Government Code, may not:
(1) publicly display in any manner an individual's social security number;
(2) require an individual to transmit a social security number over the Internet, unless the connection is secure or the social security number is encrypted;
(3) require an individual to use a social security number to access an Internet website;
(4) print an individual's social security number on any card required for the individual to have access to products or services provided by the person, unless required by state or federal law;
(5) except as provided by Subsection (c), print an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be printed on the document to be mailed; or
(6) require an individual's social security number to allow the individual access to the products or services provided by the person, unless required by state or federal law.
(c) Subsection (b)(5) does not apply to an application or form sent by mail, including a document sent:
(1) as part of an application or enrollment process;
(2) to establish, amend, or terminate an account, contract, or policy; or
(3) to confirm the accuracy of a social security number.
Sec. 142.003. PERMITTED USES. (a) A person may collect, use, or release a social security number for internal verification or administrative purposes.
(b) A person who, before January 1, 2007, has used an individual's social security number in a manner prohibited by Section 142.002 may continue using that individual's social security number in the same manner if:
(1) the use of the social security number is continuous; and
(2) the person provides the individual with an annual disclosure, beginning January 1, 2008, informing the individual of the right to stop the use of the social security number in the manner prohibited by Section 142.002.
(c) This chapter does not apply to:
(1) a person who collects, uses, or releases a social security number if the person is required to collect, use, or release the social security number by federal or state law, including Chapter 552, Government Code; or
(2) an institution of higher education if the use of the social security number by the institution is regulated under the Education Code.
Sec. 142.004. DISCONTINUANCE OF USE ON REQUEST. (a) If a person receives a written request from an individual directing the person to stop using the individual's social security number in a manner prohibited by Section 142.002, the person shall comply with the request not later than the 30th day after the date the request is received.
(b) The person may not impose a fee or charge for complying with the request.
Sec. 142.005. DENIAL OF SERVICES PROHIBITED. A person may not deny products or services to an individual because the individual makes a written request to discontinue use under Section 142.004.
SECTION 3. Section 560.002, Government Code, is amended to read as follows:
Sec. 560.002. DISCLOSURE OF BIOMETRIC IDENTIFIER. A governmental body that possesses a biometric identifier of an individual:
(1) may not sell, lease, or otherwise disclose the biometric identifier to another person unless:
(A) the individual consents to the disclosure;
(B) the disclosure is required or permitted by a federal statute or by a state statute other than Chapter 552; or
(C) the disclosure is made by or to a law enforcement agency for a law enforcement purpose; [and]
(2) shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the governmental body stores, transmits, and protects its other confidential information; and
(3) may not store a biometric identifier in a database.
SECTION 4. Subtitle A, Title 5, Government Code, is amended by adding Chapter 561 to read as follows:
CHAPTER 561. TEXAS PRIVACY AND SECURITY ACT
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 561.001. SHORT TITLE. This chapter may be cited as the Texas Privacy and Security Act.
Sec. 561.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY AND SECURITY PRINCIPLES. (a) The legislature finds that:
(1) an increasing number of individuals in this state are concerned that:
(A) personal information held by government may be used inappropriately;
(B) unauthorized persons may have access to that information; and
(C) some of the information may be inaccurate, incomplete, or unnecessary for the effective functioning of government; and
(2) in response to the findings stated by Subdivision (1), each state and local governmental entity in this state must be committed to strengthening privacy protections for personal information held by government in a manner consistent with the public's right to complete information about the affairs of government and the official acts of public officials and employees.
(b) The legislature also finds that:
(1) because inadvertent release, careless storage, or improper disposal of information could result in embarrassment or other harm to individuals, each state and local governmental entity:
(A) has an obligation to protect personal information in the manner required by law; and
(B) must exercise particular care in protecting records containing sensitive and private personal information about health or financial matters and in protecting personal identifiers, such as a social security number;
(2) each state and local governmental entity must strive to balance the need to collect or protect information that relates to the security needs of this state with the need for open government and with the need to protect personal privacy; and
(3) each state and local governmental entity should take affirmative steps to make information about government activities fully and easily available to the public unless there is a demonstrated security risk in doing so.
(c) It is the policy of this state that:
(1) an individual has a right to know how personal information about the individual is handled by government and the extent to which the information may be disclosed or must be kept confidential under law; and
(2) state and local governmental entities should share information as necessary to ensure accountability in government programs or the security of this state while protecting personal information from inappropriate dissemination to the extent possible.
Sec. 561.003. DEFINITIONS. In this chapter:
(1) "Personal information" means information about an individual such as:
(A) the individual's home address, home telephone number, social security number, date of birth, physical characteristics, and similar information about the individual;
(B) information about an individual's marital status or history, whether the individual has family members, and information about the individual's family members; and
(C) personally identifiable information about the individual's health or health history, finances or financial history, and purchases made from government.
(2) "Governmental entity" does not include a court other than a commissioners court.
Sec. 561.004. APPLICABILITY. This chapter does not apply to information held by or for a court other than a commissioners court.
Sec. 561.005. CONSTRUCTION WITH OTHER LAW. This chapter does not affect:
(1) the ability of a state or local governmental entity to undertake a lawful investigation or to protect persons, property, or the environment in the manner authorized by law; or
(2) the duty of a state or local governmental entity to comply with applicable law.
[Sections 561.006-561.050 reserved for expansion]
SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
Sec. 561.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION; COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT. (a) This section applies only to the disclosure by a governmental entity of information that reveals an individual's:
(1) social security number;
(2) bank account number, credit card account number, or other financial account number; or
(3) computer password or computer network location or identity.
(b) A state or local governmental entity may not disclose information described by Subsection (a) under Chapter 552 or other law unless the attorney general authorizes the disclosure after determining that:
(1) there is a compelling governmental interest in disclosing the information that cannot be effectively accomplished without the disclosure; or
(2) due to extraordinary circumstances, the information is especially relevant to a matter of intense public concern.
(c) The requestor of the information or the state or local governmental entity may request the attorney general to authorize the disclosure of information described by Subsection (a).
(d) A state or local governmental entity is not required to request a decision of the attorney general under Subchapter G, Chapter 552, before refusing to disclose a social security number, bank account number, credit card account number, other financial account number, computer password, or computer network location or identity in response to a request made under Chapter 552. The state or local governmental entity shall inform the requestor that the requested information is being withheld under this section and that the requestor is entitled to request the attorney general to authorize the disclosure.
(e) The attorney general may adopt rules to implement this section, including rules that describe appropriate and clearly defined circumstances under which a category of information described by Subsection (a) is presumed to satisfy a requirement of Subsection (b) and therefore may be disclosed without the necessity of obtaining specific authorization for the disclosure from the attorney general. A rule of the attorney general that describes circumstances under which information presumptively may be disclosed may limit disclosure to specific state, local, or federal authorities or may allow the information to be generally disclosed under Chapter 552, as appropriate.
(f) The attorney general shall develop procedures under which the office of the attorney general will expedite a decision whether to authorize disclosure of information described by Subsection (a) when expedited consideration is warranted under the circumstances.
(g) A decision of the attorney general under this section may be challenged in court in the same manner that a decision of the attorney general may be challenged under Subchapter H, Chapter 552.
(h) If information described by Subsection (a) is requested under Chapter 552, Section 552.325 applies in relation to the individual who is the subject of the information in the same manner as if the individual were a requestor of the information, except that the attorney general shall notify the individual under Section 552.325(c) if the attorney general proposes to agree to the release of all or part of the information.
Sec. 561.052. COLLECTION OF PERSONAL INFORMATION. A state or local governmental entity shall establish procedures to ensure that the governmental entity collects personal information only to the extent reasonably necessary to:
(1) implement a program;
(2) authenticate an individual's identity when necessary;
(3) ensure security; or
(4) accomplish another legitimate governmental purpose.
Sec. 561.053. RECORDS RETENTION SCHEDULES. (a) In adopting or amending its records retention schedule, a state or local governmental entity shall schedule the retention of personal information only for the period necessary to accomplish the purpose for which the information was collected or, if applicable, for the minimum period specifically prescribed by statute.
(b) Subsection (a) does not apply to the retention of personal information that has demonstrable historical or archival value.
Sec. 561.054. GENERAL PRIVACY POLICIES. (a) A state or local governmental entity shall develop a privacy policy that completely describes in plainly written language:
(1) the reasons that the governmental entity requires or collects each category of personal information about individuals that the entity requires or collects;
(2) the procedures used to require or collect the information;
(3) the persons to whom the information may be disclosed;
(4) the manner in which the information may be disclosed; and
(5) any current arrangement under which the governmental entity sells personal information about individuals or discloses the information under a contract or agreement or in bulk.
(b) The state or local governmental entity shall promptly amend the privacy policy whenever information in the policy becomes incorrect or incomplete.
(c) The state or local governmental entity shall prominently post its current privacy policy:
(1) through a prominent link on the main Internet site maintained by or for the governmental entity; and
(2) next to the sign that the governmental entity posts under Section 552.205.
Sec. 561.055. GOVERNMENT INTERNET SITES; PRIVACY POLICY. (a) The Department of Information Resources shall adopt rules prescribing minimum privacy standards with which an Internet site or portal maintained by or for a state or local governmental entity must comply. The rules must be designed to limit the collection of personal information about users of the government Internet site or portal to information:
(1) that the state or local governmental entity needs in order to accomplish a legitimate government purpose;
(2) that the user of the site or portal knowingly and intentionally transmits to the state or local governmental entity; or
(3) regarding the collection of which the user of the site or portal has actively given informed consent.
(b) In adopting its rules under this section, the Department of Information Resources shall consider policies adopted by other states and the federal government in this regard.
(c) A state or local governmental entity that maintains an Internet site or portal or for which an Internet site or portal is maintained shall adopt a privacy policy regarding information collected through the site or portal and provide a prominent link to the policy for users of the site or portal. The policy must be consistent with the rules adopted by the Department of Information Resources under this section and must be included as a prominent separate element of the general privacy policy that the entity is required to develop and to which it must provide an Internet link under Section 561.054.
Sec. 561.056. STATE AUDITOR. (a) The state auditor shall establish auditing guidelines to ensure that state and local governmental entities that the state auditor has authority to audit under other law:
(1) do not routinely collect or retain more personal information than an entity needs to accomplish a legitimate governmental purpose of the entity; and
(2) have established an information management system that protects the privacy and security of information in accordance with applicable state and federal law.
(b) During an appropriate type of audit, the state auditor may audit a state or local governmental entity for compliance with the guidelines established under Subsection (a).
[Sections 561.057-561.100 reserved for expansion]
SUBCHAPTER C. GUIDELINES
Sec. 561.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING PRIVACY AND SECURITY ISSUES. (a) The attorney general shall establish guidelines for state and local governmental entities to follow when considering privacy and security issues that arise in connection with requests for public information. The guidelines shall address procedural safeguards, legal issues, and other issues that in the opinion of the attorney general would help state and local governmental entities comply with applicable law and recommended information practices when handling personal information or information related to security. The guidelines shall balance the need for open government with respect for personal privacy and with the security needs of this state.
(b) The attorney general shall establish guidelines for sharing information for security purposes among state, local, and federal governmental entities and with the private sector. The guidelines must ensure the protection of personal privacy to the extent feasible and must clarify and explain the legal consequences of sharing the information.
(c) The guidelines do not create exceptions from required disclosure under Chapter 552.
Sec. 561.102. OPEN RECORDS STEERING COMMITTEE; RECORDS MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records steering committee established under Section 552.009 shall periodically study and determine the implications for the personal privacy of individuals and for the security of this state of putting information held by government on the Internet and shall include its findings and recommendations in reports the committee makes under Section 552.009.
(b) The Records Management Interagency Coordinating Council established under Section 441.203 shall provide guidance and policy direction to state and local governmental entities in appropriately incorporating developments in electronic management of information into their information management systems in ways that protect personal privacy and the security of this state and promote appropriate public access to public information that is not excepted from required public disclosure.
SECTION 5. Section 118.0216, Local Government Code, is amended by amending Subsection (d) and adding Subsection (f) to read as follows:
(d) Except as provided by Subsection (f), the [The] fee may be used only to provide funds for specific records management and preservation, including for automation purposes.
(f) The commissioners court of a county may use the fees collected for "Records Management and Preservation" under Section 118.011 that are not needed for use as provided by Subsection (d) for any county purpose.
SECTION 6. Section 118.025(j), Local Government Code, is amended to read as follows:
(j) Any excess funds generated from the collection of a fee under this section remaining after completion of a county records archive preservation and restoration project may be expended [only] for any county purpose [the purposes described by Section 118.0216]. The commissioners court of a county may not order the collection of a fee authorized by this section after the county records archive preservation and restoration is complete.
SECTION 7. Section 32.51(c), Penal Code, is amended to read as follows:
(c) An offense under this section is a third degree [state jail] felony.
SECTION 8. (a) An institution of higher education that is not exempt from Chapter 142, Civil Practice and Remedies Code, as added by this Act, under Section 142.003(c)(2), Civil Practice and Remedies Code, as added by this Act, must comply with Chapter 142 on or before September 1, 2009.
(b) Each state and local governmental entity shall examine its records retention schedule and amend the schedule so that it complies with Section 561.053, Government Code, as added by this Act.
SECTION 9. (a) The change in law made by this Act to Section 32.51, Penal Code, applies only to an offense committed on or after the effective date of this Act. For purposes of this section, an offense is committed before the effective date of this Act if any element of the offense occurs before the effective date.
(b) An offense committed before the effective date of this Act is covered by the law in effect when the offense was committed, and the former law is continued in effect for that purpose.
SECTION 10. (a) Except as provided by Subsection (b) of this section, this Act takes effect September 1, 2007.
(b) Section 2 of this Act takes effect January 1, 2008.