BILL NUMBER: AB 2922 ENROLLED
BILL TEXT

PASSED THE ASSEMBLY AUGUST 29, 2002
PASSED THE SENATE AUGUST 27, 2002
AMENDED IN SENATE JUNE 26, 2002
AMENDED IN ASSEMBLY MAY 6, 2002
AMENDED IN ASSEMBLY APRIL 18, 2002
AMENDED IN ASSEMBLY APRIL 11, 2002

INTRODUCED BY Assembly Member Simitian

FEBRUARY 25, 2002

An act to add Section 353 to the Business and Professions Code, and to add Section 11019.10 to the Government Code, relating to personal information.

LEGISLATIVE COUNSEL'S DIGEST

AB 2922, Simitian. Personal information: state agency records.

Existing law establishes the Office of Privacy Protection in the Department of Consumer Affairs, the purpose of which is to protect the privacy of individuals' personal information, as specified.

Existing law requires each state department and state agency to enact and maintain a permanent privacy policy and is required to include in that policy various provisions related to its collection, retention, and disclosure of personally identifiable information.

This bill would require each state agency, no later than January 1, 2004, to provide to the Office of Privacy Protection in the Department of Consumer Affairs a description of the general categories or classes of records containing personal information contained in its system of records, as prescribed. The bill would require the office, no later than July 1, 2003, to develop the process and format for the reporting by state agencies of categories of records containing personal information to the office to be included in the State Personal Information Inventory, which the office would be required to create. The bill would require that each state agency provide annual updates no later than January 1 to the office specifying any changes in the information contained in its records, and would require the office to make the inventory available to the public no later than March 1, 2004.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 353 is added to the Business and Professions Code, to read:

353. (a) It is the intent of the Legislature to create a central catalog that will allow the public to observe the general categories of personal information that are collected by the state, how the state uses that information, and the process by which individuals may access specific records in which they are identified. This inventory is also intended to help the state assess the appropriateness of the regulatory and statutory privacy protection measures currently in place. It is the intent of the Legislature that information in the catalog be easily accessible by the general public. It is the intent of the Legislature that regulations resulting from this section have as minimal impact as possible on the resources of state agencies and of the California Office of Privacy Protection. It is the intent of the Legislature to require state agencies to update information that shall be provided to the Office of Privacy Protection, as specified by this section, at least annually.

(b) The California Office of Privacy Protection shall create the State Personal Information Inventory. The office, no later than July 1, 2003, shall develop the process and format for the reporting of categories of records containing personal information by state agencies, pursuant to Section 11019.10 of the Government Code, to the office for inclusion in the inventory.

(c) No later than March 1, 2004, the office shall make the State Personal Information Inventory available to the general public.

SEC. 2. Section 11019.10 is added to the Government Code, to read:

11019.10. (a) For purposes of this section, the following words have the following meanings:

  (1) "Personal information" means any information about an individual in any record, including, but not limited to, all of the following:
    (A) Name, address, telephone number, social security number, or other identifying information.
    (B) Education, financial, medical, or employment history.
    (C) Payroll and attendance records, retirement account information, disciplinary information, and other employment data.
    (D) Insurance information.
    (E) Real estate records.
    (F) Business, professional, or driver's license information.
    (G) Tax information.
    (H) Criminal history.

  (2) "Record" means any file or collection of information about an individual that contains the individual's name, identifying number, symbol, fingerprint, or other identification assigned to the individual, and is maintained by a state agency with reference to a means of identification.

  (3) "System of records" means one or more records under the control of a state agency from which information is retrieved by the name of an individual or by an identifying number, symbol, or other identifying designation assigned to the individual.

(b) Each state agency, no later than January 1, 2004, shall provide to the Office of Privacy Protection in the Department of Consumer Affairs a description of general categories of records containing personal information contained in its system of records, pursuant to Section 353 of the Business and Professions Code. That description shall include, but is not limited to, all of the following:

  (1) The name and location of the system.
  (2) The categories of individuals on whom records are maintained in the system, including, for example, agency employees, taxpayers, and holders of driver's licenses.
  (3) The categories of records maintained in the system, including, for example, payroll records, tax forms, and histories of vehicle code violations.
  (4) Each routine use of the records contained in the system, including the categories of users and the purpose of each use.
  (5) The title and business address of the agency official who is responsible for the system of records.
  (6) The categories of sources of records in the system, including, for example, employee time cards, taxpayers records, and law enforcement records.
  (7) Whether the records contained in the system are open to public access or restricted, and the nature of any restrictions.
  (8) Known or foreseeable disclosures of the records contained in the system.

(c) Each state agency shall provide annual updates, no later than January 1, to the Office of Privacy Protection specifying any changes to the information in subdivision (b), or indicating that there have been no changes.