A BILL TO BE ENTITLED

AN ACT

relating to personal confidential information accessed by an employee of a state governmental body; imposing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 552.023, Government Code, is amended by adding Subsection (a-1) to read as follows:

(a-1) A person or a person's authorized representative that has a special right of access to information under Subsection (a) must provide evidence satisfactory to the officer for public information of the governmental body that the person has the special right of access to that information.

SECTION 2. Chapter 559, Government Code, is amended by designating Sections 559.001, 559.002, 559.003, 559.004, and 559.005 as Subchapter A and adding a heading for Subchapter A to read as follows:

SUBCHAPTER A. REQUIRED NOTICES REGARDING INFORMATION COLLECTED BY A STATE GOVERNMENTAL BODY

SECTION 3. Section 559.001, Government Code, is amended to read as follows:

Sec. 559.001. DEFINITIONS [DEFINITION]. In this chapter:

(1) "Personal confidential information" includes a person's:
(A) photograph or computerized image;
(B) social security number;
(C) driver's license number;
(D) home address;
(E) home, work, and cellular telephone number;
(F) electronic mail address;
(G) bank account and other financial information;
(H) medical or disability information; and
(I) similar information.

(2) "State[, "state] governmental body" means a governmental body as defined by Section 552.003 that is part of state government.

SECTION 4. Section 559.005(b), Government Code, is amended to read as follows:

(b) To the extent of a conflict between this subchapter [chapter] and the public information law, Chapter 552, Chapter 552 controls.

SECTION 5. Chapter 559, Government Code, is amended by adding Subchapter B to read as follows:

SUBCHAPTER B. ACCESS BY A STATE GOVERNMENTAL BODY TO PERSONAL CONFIDENTIAL INFORMATION

Sec. 559.011. UNAUTHORIZED ACCESS TO PERSONAL CONFIDENTIAL INFORMATION. The attorney general shall adopt rules for use by each state governmental body to control access to personal confidential information collected or maintained by that state governmental body. The rules must prescribe guidelines that assist each state governmental body in:

(1) identifying each employee of the state governmental body who may access personal confidential information;
(2) establishing procedures to authorize an employee of the state governmental body to access personal confidential information;
(3) maintaining a list of reasons that an employee of the state governmental body may access personal confidential information;
(4) maintaining a list of each employee of the state governmental body who accesses personal confidential information; and
(5) making available to each employee of the state governmental body copies of the laws of this state and federal law that regulate the dissemination of personal confidential information.

Sec. 559.012. DIRECTOR OF PRIVACY. (a) Each state governmental body shall designate an employee as the director of privacy.

(b) The director of privacy shall develop and publish an evaluation of the risks and effects of collecting and maintaining personal confidential information by the state governmental body.

(c) The director of privacy shall work with the attorney general to prevent unauthorized access to personal confidential information collected or maintained by the state governmental body.

Sec. 559.013. PERSONAL CONFIDENTIAL INFORMATION POLICY. (a) A state employee who engages in conduct constituting an offense under Section 559.017 or a policy adopted under Subsection (c) is subject to termination of the employee's state employment or another employment-related sanction.

(b) Each state governmental body shall:

(1) adopt a written personal confidential information policy for the state governmental body's employees consistent with the standards prescribed by provisions of this subchapter;
(2) distribute a copy of the personal confidential information policy and this subchapter to:
(A) each new employee not later than the third business day after the date the person begins employment with the state governmental body; and
(B) each new officer not later than the third business day after the date the person qualifies for office;
(3) provide appropriate training concerning the personal confidential information policy, in accordance with rules adopted by the attorney general, to employees and officers;
(4) post a copy of the personal confidential information policy next to the sign that the state governmental body posts under Section 552.205; and
(5) make available on the state governmental body's Internet website a copy of the personal confidential information policy.

(c) The office of the attorney general shall develop and distribute a model policy that a state governmental body may use in adopting a state governmental body personal confidential information policy under Subsection (b). A state governmental body is not required to adopt the model policy developed under this subsection.

(d) Not later than November 1, 2009, the office of the attorney general shall:

(1) develop a model personal confidential information policy as required by Subsection (c); and
(2) distribute the policy to each state governmental body required to adopt a policy under Subsection (b).

(e) Not later than January 1, 2010, each state governmental body shall:

(1) adopt a policy as required by Subsection (b); and
(2) distribute a copy of that policy and this subchapter to each employee of the state governmental body.

(f) Subsections (d) and (e) and this subsection expire September 1, 2011.

Sec. 559.014. PROTECTION OF INFORMATION. (a) Each state governmental body shall require passwords to access personal confidential information that is maintained in an electronic format.

(b) Each state agency shall secure personal confidential information that is maintained as a paper record.

Sec. 559.015. NOTIFICATION REQUIRED FOLLOWING UNAUTHORIZED ACCESS TO CONFIDENTIAL PERSONAL INFORMATION. A state governmental body shall promptly disclose any unauthorized access to personal confidential information to any individual whose personal confidential information was accessed.

Sec. 559.016. CIVIL REMEDY. A person who knowingly accesses personal confidential information collected or maintained by a state governmental body and is not authorized to access that information under the policies of the state governmental body is liable to a person injured or damaged by the access to the information or a resulting disclosure of the information for:

(1) actual damages, including damages for personal injury or damage, lost wages, defamation, or mental or other emotional distress;
(2) reasonable attorney's fees and court costs; and
(3) exemplary damages as provided by Chapter 41, Civil Practice and Remedies Code.

Sec. 559.017. CRIMINAL PENALTY. (a) A person commits an offense if the person knowingly accesses personal confidential information collected or maintained by a state governmental body that the person is not authorized to access under the policies of the state governmental body.

(b) An officer or employee of a state governmental body commits an offense if the officer or employee knowingly:

(1) accesses personal confidential information collected or maintained by a state governmental body for a purpose other than the purpose for which the information was collected and for a purpose unrelated to the law that permitted the officer or employee to obtain authorization to access the information;
(2) permits inspection of the personal confidential information by a person who is not authorized to inspect the information; or
(3) discloses the personal confidential information to a person who is not authorized to receive the information.

(c) For purposes of Subsection (b), a member of an advisory committee to a state governmental body who obtains access to confidential information in that capacity is considered to be an officer or employee of the state governmental body.

(d) An offense under this section is a Class A misdemeanor.

(e) A violation under this section constitutes official misconduct.

Sec. 559.018. CERTAIN INFORMATION MAINTAINED BY THE COMPTROLLER. (a) The comptroller by rule shall develop and implement a system that records each time an employee accesses any database system that is created or for which the comptroller contracts that relates to taxes collected by the comptroller.

(b) The comptroller shall use the information collected under Subsection (a) to determine if an employee of the comptroller accesses a database which the employee does not have authorization to access.

Sec. 559.019. ROLE OF ATTORNEY GENERAL. (a) The attorney general shall:

(1) review each state governmental body's policies regarding confidential personal information; and
(2) enforce this subchapter.

(b) The attorney general may submit a report to the legislature that contains recommendations regarding the personal confidential information that state governmental bodies collect and maintain.

SECTION 6. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2009.