Utah Code § 63A-19-401

Current through the 2024 Fourth Special Session
Section 63A-19-401 - Duties of governmental entities
(1)
(a) Except as provided in Subsections (1)(b) and (c), a governmental entity shall comply with the requirements of this part.
(b)
(i) If a governmental entity or a contractor described in Subsection (4)(a) is subject to a more restrictive or a more specific provision of law than found in this part, the governmental entity or contractor shall comply with the more restrictive or more specific provision of law.
(ii) For purposes of Subsection (1)(b)(i), Title 63G, Chapter 2, Government Records Access and Management Act, is a more specific provision of law and shall control over the provisions of this part.
(c) A governmental entity that is exempt under Section 63G-2-702, 63G-2-703, or 63G-2-704 from complying with the requirements in Title 63G, Chapter 2, Part 6, Collection of Information and Accuracy of Records, is exempt from complying with the requirements in Sections 63A-19-402, 63A-19-403, and 63A-19-404.
(2) A governmental entity:
(a) shall implement and maintain a privacy program before May 1, 2025, that includes the governmental entity's policies, practices, and procedures for the process of personal data;
(b) shall provide notice to an individual or the legal guardian of an individual, if the individual's personal data is affected by a data breach, in accordance with Section 63A-19-406;
(c) shall obtain and process only the minimum amount of personal data reasonably necessary to efficiently achieve a specified purpose;
(d) shall meet the requirements of this part for all processing activities implemented by a governmental entity after May 1, 2024;
(e) shall for any processing activity implemented before May 1, 2024, as soon as is reasonably practicable, but no later than January 1, 2027:
(i) identify any non-compliant processing activity;
(ii) document the non-compliant processing activity; and
(iii) prepare a strategy for bringing the non-compliant processing activity into compliance with this part;
(f) may not establish, maintain, or use undisclosed or covert surveillance of individuals unless permitted by law;
(g) may not sell personal data unless expressly required by law;
(h) may not share personal data unless permitted by law;
(i)
(i) that is a designated governmental entity, shall annually report to the state privacy officer:
(A) the types of personal data the designated governmental entity currently shares or sells;
(B) the basis for sharing or selling the personal data; and
(C) the classes of persons and the governmental entities that receive the personal data from the designated governmental entity; and
(ii) that is a state agency, shall annually report to the chief privacy officer:
(A) the types of personal data the state agency currently shares or sells;
(B) the basis for sharing or selling the personal data; and
(C) the classes of persons and the governmental entities that receive the personal data from the state agency; and
(j)
(i) except as provided in Subsection (3), an employee of a governmental entity shall complete a data privacy training program:
(A) within 30 days after beginning employment; and
(B) at least once in each calendar year; and
(k) is responsible for monitoring completion of data privacy training by the governmental entity's employees.
(3) An employee of a governmental entity that does not have access to personal data of individuals as part of the employee's work duties is not required to complete a data privacy training program described in Subsection (2)(j)(i).
(4)
(a) A contractor that enters into or renews an agreement with a governmental entity after May 1, 2024, and processes or has access to personal data as a part of the contractor's duties under the agreement, is subject to the requirements of this chapter with regard to the personal data processed or accessed by the contractor to the same extent as required of the governmental entity.
(b) An agreement under Subsection (4)(a) shall require the contractor to comply with the requirements of this chapter with regard to the personal data processed or accessed by the contractor as a part of the contractor's duties under the agreement to the same extent as required of the governmental entity.
(c) The requirements under Subsections (4)(a) and (b) are in addition to and do not replace any other requirements or liability that may be imposed for the contractor's violation of other laws protecting privacy rights or government records.

Added by Chapter 417, 2024 General Session, § 8, eff. 5/1/2024.