Utah Administrative Code
The Utah Administrative Code is the body of all effective administrative rules as compiled and organized by the Division of Administrative Rules (see Subsection 63G-3-102(5); see also Sections 63G-3-701 and 702).
NOTE: For a list of rules that have been made effective since July 1, 2019, please see the codification segue page.
NOTE TO RULEFILING AGENCIES: Use the RTF version for submitting rule changes.
R895. Technology Services, Administration.
As in effect on July 1, 2019
Table of Contents
- R895-8-1. Purpose.
- R895-8-2. Application.
- R895-8-3. Authority.
- R895-8-4. Definitions.
- R895-8-5. Agency Privacy Policies.
- R895-8-6. Use of Personally Identifiable Information.
- R895-8-7. Notification and Posting Requirements.
- R895-8-8. Privacy Risk Assessment for Online Applications.
- R895-8-9. Periodic Audits.
- R895-8-10. Statutes that may affect this Rule.
- Date of Enactment or Last Substantive Amendment
- Notice of Continuation
- Authorizing, Implemented, or Interpreted Law
The purpose of this rule is to:
(1) establish a statewide policy for informing the public how personally identifiable information is collected and used by the State of Utah (State) websites;
(3) establish notification and posting requirements for State websites.
This rule is issued by the Chief Information Officer (CIO) under the authority of Section 63F-1-206 of the Technology Governance Act, and in accordance with Section 63G-3-201 of the Utah Rulemaking Act, Utah Code Annotated.
As used in this rule:
(1) "Conspicuous" means any material displayed, for example, in a manner that a reasonable person should notice it.
(2) "Link" means a connection marker on a Web page that permits an Internet user to gain access to one web page from another.
(3) "Home page" means the main, or first page retrieved when accessing an Internet Web site. It serves as a table of contents to the rest of the pages on the site or to other Web sites. This may refer to either a department home page or to other state agency pages such as those of an office or division.
(4) "Personally identifiable information" means any information collected online that could serve to identify an individual, including:
(a) first and last name;
(b) physical address;
(c) e-mail address;
(d) telephone number;
(e) Social Security number;
(f) credit card information;
(g) bank account information; and
(h) any combination of personal information that could be used to determine identity.
(6) "State agency" means any agency or administrative sub-unit of the executive branch of the State government, except:
(a) the State Board of Education; and
(b) the Board of Regents and institutions of higher education.
(7) "State function" means an activity explicitly, or implicitly assigned by the legislature, as having a specific role in the operation of the state's government.
(9) "Privacy Risk Assessment" means a series of questions approved by the Chief Information Officer that are designed to:
(a) assist agencies in identifying and reducing potential levels of risk to the privacy of individuals using an online government service through state of Utah Websites;
(b) provide information to assist in determining different levels of security;
(10) "Website" means a set of documents or pages located on the World Wide Web.
(1) Any personally identifiable information an individual provides to a State website shall be used solely by the State, its entities, and third party agents with whom it has contracted to perform a state function on its behalf, unless:
(a) this rule is superceded by a federal statute, federal regulation, or State statute in which case the personally identifiable information shall be used by other parties only to the extent required by the superseding federal statute, federal regulation or State Statute, or
(b) the information is designated as public record by an individual State agency as authorized under Title 63G, Chapter 2 of the Utah Code, Government Records Access and Management Act.
(a) a notice that such personally identifiable information is subject to public access, if such information is public record;
(b) a notice and a summary or link to the citation of any State statute, federal statute, or federal regulation that supercedes part or all of this rule;
(d) a link from the agency's website to this rule and
(e) a link from the agency's website to the State Policy.
(a) the name of the issuing agency;
(c) a statement about what personally identifiable information the policy specifically applies to; and
(3) The effective date for this subsection shall be four months from the effective date of this rule for information collected through existing online applications. If requested in writing by the agency, an additional extension for up to 30-days may be given by the chief information officer. For all new online applications the conditions of this subsection must be met prior to the application going "live."
Each state agency shall complete a "Privacy Risk Assessment" that is authorized by the CIO, for all online applications. The agency shall maintain a copy of each completed assessment for a period of four years for the purpose of providing audit documentation.
The CIO may measure compliance of a State agency and its employees with this rule by conducting periodic audits in accordance with Section 63F-1-206, Utah Code Annotated. In performing audits, the CIO may utilize external auditors, an agency's internal auditor(s) or both.
Included among the federal and State statutes that may supersede portions of this rule are the Driver's Privacy Protection Act of 1994, Title 18, Section 2721, United States Code; and Sections 41-1a-116, 53-1-104, 53-1-109, and 59-1-403, Utah Code Annotated.
privacy, website, CIO
December 20, 2001
December 1, 2015
63F-1-206; 63G-3-201; 63G-2-101 et seq.
For questions regarding the content or application of rules under Title R895, please contact the promulgating agency (Technology Services, Administration). A list of agencies with links to their homepages is available at http://www.utah.gov/government/agencylist.html or from http://www.rules.utah.gov/contact/agencycontacts.htm.