BILL NUMBER: AB 2922	ENROLLED
	BILL TEXT

	PASSED THE ASSEMBLY  AUGUST 29, 2002
	PASSED THE SENATE  AUGUST 27, 2002
	AMENDED IN SENATE  JUNE 26, 2002
	AMENDED IN ASSEMBLY  MAY 6, 2002
	AMENDED IN ASSEMBLY  APRIL 18, 2002
	AMENDED IN ASSEMBLY  APRIL 11, 2002

INTRODUCED BY   Assembly Member Simitian

                        FEBRUARY 25, 2002

   An act to add Section 353 to the Business and Professions Code,
and to add Section 11019.10 to the Government Code, relating to
personal information.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 2922, Simitian.  Personal information:  state agency records.
   Existing law establishes the Office of Privacy Protection in the
Department of Consumer Affairs, the purpose of which is to protect
the privacy of individuals' personal information, as specified.
   Existing law requires each state department and state agency to
enact and maintain a permanent privacy policy and is required to
include in that policy various provisions related to its collection,
retention, and disclosure of personally identifiable information.
   This bill would require each state agency, no later than January
1, 2004, to provide to the Office of Privacy Protection in the
Department of Consumer Affairs a description of the general
categories or classes of records containing personal information
contained in its system of records, as prescribed.  The bill would
require the office, no later than July 1, 2003, to develop the
process and format for the reporting by state agencies of categories
of records containing personal information to the office to be
included in the State Personal Information Inventory, which the
office would be required to create.  The bill would require that each
state agency provide annual updates no later than January 1 to the
office specifying any changes in the information contained in its
records, and would require the office to make the inventory available
to the public no later than March 1, 2004.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  Section 353 is added to the Business and Professions
Code, to read:
   353.  (a) It is the intent of the Legislature to create a central
catalog that will allow the public to observe the general categories
of personal information that are collected by the state, how the
state uses that information, and the process by which individuals may
access specific records in which they are identified.  This
inventory is also intended to help the state assess the
appropriateness of the regulatory and statutory privacy protection
measures currently in place.
   It is the intent of the Legislature that information in the
catalog be easily accessible by the general public.
   It is the intent of the Legislature that regulations resulting
from this section have as minimal impact as possible on the resources
of state agencies and of the California Office of Privacy
Protection.
   It is the intent of the Legislature to require state agencies to
update information that shall be provided to the Office of Privacy
Protection, as specified by this section, at least annually.
   (b) The California Office of Privacy Protection shall create the
State Personal Information Inventory.  The office, no later than July
1, 2003, shall develop the process and format for the reporting of
categories of records containing personal information by state
agencies, pursuant to Section 11019.10 of the Government Code, to the
office for inclusion in the inventory.
   (c) No later than March 1, 2004, the office shall make the State
Personal Information Inventory available to the general public.
  SEC. 2.  Section 11019.10 is added to the Government Code, to read:

   11019.10.  (a) For purposes of this section, the following words
have the following meanings:
   (1) "Personal information" means any information about an
individual in any record, including, but not limited to, all of the
following:
   (A) Name, address, telephone number, social security number, or
other identifying information.
   (B) Education, financial, medical, or employment history.
   (C) Payroll and attendance records, retirement account
information, disciplinary information, and other employment data.
   (D) Insurance information.
   (E) Real estate records.
   (F) Business, professional, or driver's license information.
   (G) Tax information.
   (H) Criminal history.
   (2) "Record" means any file or collection of information about an
individual that contains the individual's name, identifying number,
symbol, fingerprint, or other identification assigned to the
individual, and is maintained by a state agency with reference to a
means of identification.
   (3) "System of records" means one or more records under the
control of a state agency from which information is retrieved by the
name of an individual or by an identifying number, symbol, or other
identifying designation assigned to the individual.
   (b) Each state agency, no later than January 1, 2004, shall
provide to the Office of Privacy Protection in the Department of
Consumer Affairs a description of general categories of records
containing personal information contained in its system of records,
pursuant to Section 353 of the Business and Professions Code.  That
description shall include, but is not limited to, all of the
following:
   (1) The name and location of the system.
   (2) The categories of individuals on whom records are maintained
in the system, including, for example, agency employees, taxpayers,
and holders of driver's licenses.
   (3) The categories of records maintained in the system, including,
for example, payroll records, tax forms, and histories of vehicle
code violations.
   (4) Each routine use of the records contained in the system,
including the categories of users and the purpose of each use.
   (5) The title and business address of the agency official who is
responsible for the system of records.
   (6) The categories of sources of records in the system, including,
for example, employee time cards, taxpayers records, and law
enforcement records.
   (7) Whether the records contained in the system are open to public
access or restricted, and the nature of any restrictions.
   (8) Known or foreseeable disclosures of the records contained in
the system.
   (c) Each state agency shall provide annual updates, no later than
January 1, to the Office of Privacy Protection specifying any changes
to the information in subdivision (b), or indicating that there have
been no changes.