Primary Office

2183 W Main St, #A102

Lehi, Utah 84043

(801) 901-0310

Privacy Protection Act

Creating confidence in government use of private data

The Problem

We produce an inordinate amount of data — on our computers, using our phones, or with our “smart”
home devices like Alexa, Ring doorbells, security cameras, and more. Even our own DNA reveals
profound information about us.

This information is frequently used in ways that individuals did not intend nor authorize. Government
uses our driver license data for facial recognition and cancer research; our movements and social
media posts for “live time” surveillance; our blood for health analysis; our DNA for identifying
relatives in criminal investigations; our face or fingerprint to access the entire contents of our mobile
devices; our private health information to monitor potential drug abuse; and more.

This intrusion into privacy changes the relationship between government and citizen, and happened
without oversight or public buy-in, let alone explicit consent by those whose information it is.

A Solution

We propose a two-part reform to holistically address this privacy problem.

Part one

This first phase entails setting up a process whereby information can be gathered, use of private
information can be scrutinized, and recommendations made regarding policy reforms for phase two.

1. The Legislature should create and fund the State Privacy Officer, within the State Auditor’s
office. The position would be appointed by the Auditor. 
2. The Auditor will assemble a Personal Privacy Oversight Committee, composed of 7-8 volunteer
tech/privacy experts/advocates, along with 1-2 law enforcement representatives. This will be
done on an ad-hoc basis for the short term by the Auditor. This should be formalized in statute
later, to give the committee oversight authority and legitimacy to ensure government agencies/
entities respond.
3. The responsibilities of the State Privacy Officer shall include:
a) Develop guiding standards, for use by the Officer and the Personal Privacy Oversight
Committee, regarding privacy law, technology, and data security.
i) Provide information to private citizens, civic groups, government entities, and other
interested parties about government use of technology, privacy concerns, and data
security standards.
 ii) Provide relevant information on the State Auditor’s website in a form that is easily
accessible.
iii) Provide education and training to government agencies regarding:
1) the implication of using certain technologies and civil liberties concerns
2) standards for collecting and storing PII
3) data security standards and best practices
4) the purpose and process of the Personal Privacy Oversight Committee
b) Field requests from individuals to review a government agency/entity’s use of technology/
software/process that implicates privacy. If a request merits review, produce an analysis
regarding: 
i) details of the technology/software/process
ii) what data is being used
iii) how the data is secured/stored
iv) who it is shared with
v) whether a person can (or, in the Officer’s determination given the circumstances,
should be able to) opt in or out, and have informed consent
vi) how such information is de-identified or anonymized, and whether better processes
are needed
vii) comparable or related technology/software/processes that could possibly be used to
better protect privacy
viii)an initial finding regarding whether the present technology/software/process
adequately protects individual privacy
1) The Officer shall make the finding pursuant to “the right of the people to be
secure in their persons, houses, papers and effects against unreasonable
searches and seizures” as described in Article I, Section 14 of the Utah
Constitution, and any relevant case law.
c) If the finding in (3)(b)(viii) is against the use of the technology/software/process, refer it to
the Personal Privacy Oversight Committee for further review and recommendations.
d) Require government agencies/entities, including local governments, to provide an analysis
of any PII (personally identifying information) they collect/store, and with that
information perform an analysis to determine if the agency/entity is adequately protecting
information. 
i) If not, issue recommendations to the local legislative body for needed reforms.
ii) Each year the Officer shall do this for at least 10 agencies/entities or local
governments.
4. The responsibilities of the Personal Privacy Oversight Committee shall include:
a) Review proposed uses of technology/software/processes that the State Privacy Officer has
flagged for committee review and analysis.
 b) Provide any reports/analyses each year to the Legislative Management Committee for
referral to the Judiciary Interim Committee, which should hold a hearing each fall to
review such reports and take any action as it may deem necessary.
c) For 2021 only, the committee shall review the following uses of technology and provide any
recommendations for legislative reforms regarding their use in their first annual report to
the Legislature:
i) Providing public data feeds (911 calls, traffic cameras, etc.) to private companies for
synthesis/analysis to facilitate surveillance (past or present) by law enforcement.
ii) Use of video surveillance, both private/public (CCTV, drone, body camera, etc.) for
synthesis/analysis to facilitate surveillance (past or present) by law enforcement.
iii) Bulk analysis of social media feeds to recommend action/intervention by law
enforcement.
iv) Use of biometrics by law enforcement 
1) Compelling a person to provide access to their entire digital life via a facial
or fingerprint scan.
2) Facial recognition technology, both using government databases and social
media photos of people.
3) Using public/private DNA databases to search for the identity of unknown
people. 
v) Review data-sharing agreements among state agencies with third party
participants, including but not limited to: federal agencies, private entities,
nonprofit organizations, and public colleges and universities. 
5. A government agency/entity may not use a technology/software/process that the Personal
Privacy Oversight Committee has recommended against using unless the relevant legislative
body enacts a law specifically authorizing its use.
a) For state agencies/entities, the use must terminate by May 1 unless specifically authorized
by the Utah Legislature.
b) For local governments, the use must terminate within 60 days unless specifically
authorized by the county or city council.
6. Each favorable recommendation of a technology/software/process by the Committee shall
sunset within two years, at which point the State Privacy Officer shall perform a review to
determine if anything has changed about the use of the technology/software/process
(additional data being used, more expansive use, etc.). If so, the Committee shall flag it for
committee review and analysis.
Part two

Have the Judiciary Interim committee hold 1-2 interim meetings in fall 2021 regarding the Personal
Privacy Oversight Committee’s recommendations.

In the 2022 session, have an omnibus privacy reform bill that enacts necessary reforms, restricting
government use of private information to better protect privacy and ensure information is used
consistent with the purposes for which it was created (so as to prevent “scope creep” and surveillance
where it was never expected or authorized).