BILL ANALYSIS �
SENATE JUDICIARY COMMITTEE
Martha M. Escutia, Chair
2001-2002 Regular Session
AB 2922 A
Assembly Member Simitian B
As Amended May 6, 2002
Hearing Date: June 18, 2002 2
Business and Professions Code 9
CJW 2
2
SUBJECT
Personal Information: State Agency Records
DESCRIPTION
This bill would require the Office of Privacy Protection
(OPP) to create a State Personal Information Inventory for
access by the public, indicating the types of personal
information contained in each state agency's records, how
the state uses the information, and how individuals may
gain access to specific records in which they are
identified.
The bill would require the OPP to provide state agencies
with a format for reporting on the categories of personal
information in their possession, and would require each
agency to provide that information to the OPP by a
specified date, and to provide annual updates regarding any
changes in the information.
BACKGROUND
In 1977, the Legislature enacted the Information Practices
Act, declaring that the individual right to privacy was
threatened by "the indiscriminate collection, maintenance,
and dissemination of personal information." The Act set
standards for government collection, retention, and
disclosure of information pertaining to individuals, and
established an Office of Information Practices, with which
state agencies were required to file annual notices
describing the types of records kept, and their
(more)
�
AB 2922 (Simitian)
Page 2
collection, retention, disclosure, and protection policies
for records containing personal information.
Although other provisions of the Act still control agency
practices regarding personal information, the provisions
establishing the Office of Information Practices and
requiring annual filings by state agencies were repealed in
1992.
(The 1992 statute repealed scores of laws in various state
codes without comment or explanation, which might imply a
budgetary rationale for the repeals, or at least a reason
unrelated to the merits of the laws themselves.)
This bill would establish a central repository for general
information regarding state government record retention,
including an annual state agency filing requirement similar
to the one that existed from 1977-92 under the Information
Practices Act. The bill is modeled on a similar federal
statute, as well as on the former California law.
CHANGES TO EXISTING LAW
Existing law , the Information Practices Act of 1977,
establishes standards for state agency collection,
retention, protection, and disclosure of records containing
personal information relating to individuals. [Civ. Code
Sec. 1798.14 et seq .]
Existing federal law requires federal agencies to file
annual notices regarding their records containing personal
information (including categories of individuals on whom
records are kept, routine uses of the information,
retention, retrieval, and safeguarding policies, disclosure
policies, and access procedures), which are published in
the Federal Register. [5 U.S.C. Sec. 552(a)].
This bill would declare the intent of the Legislature:
to create a central catalogue that will allow the
public to observe the categories of personal
information that are collected by the state, how the
state uses that information, and the process by which
individuals may access specific records in which they
are identified. This inventory is also intended to
help the state assess the appropriateness of the
�
AB 2922 (Simitian)
Page 3
regulatory and statutory privacy protection measures
currently in place.
This bill would require the OPP to create the State
Personal Information Inventory, and to develop the format
for state agency filings for inclusion in the Inventory by
July 1, 2003.
This bill would require each state agency, using the format
provided by the OPP, to file with the OPP by January 1,
2004, a description of general categories or classes of
personal information contained in its system of records,
including but not limited to the system's name and
location; how to contact its record keeper; the categories
of individuals on whom records are kept; the sources of the
information in the records; the routine uses of the
records; and the circumstances under which the information
is disclosed to people outside the agency.
This bill would require the OPP to make the Inventory
available to the general public by March 1, 2004.
This bill further would require each agency to provide
annual updates to the OPP regarding changes to the
information provided in their initial filings.
COMMENT
1. Stated need for legislation
The author states:
Given the public's increased concern about privacy and
identity theft, the California Legislature has begun
to ask questions about how personal information is
used, stored and shared. Because the State itself is
a repository of personal information, it makes sense
to look at what information is collected by various
State agencies, whether that information is shared,
and if it is shared, under what conditions.
2. Compliance with similar inventories does not appear
unduly burdensome
�
AB 2922 (Simitian)
Page 4
This bill would require the OPP to develop a "process and
format" for state agencies to use to describe the sorts
of records they keep, how they are used, stored,
protected, and disclosed, and how individuals might gain
access to records containing their personal information.
The information provided by the agencies would be
compiled in a "central catalogue" and made available to
the general public by March 1, 2004.
The author has supplied an example of the format federal
agencies use to comply with the federal record inventory
law. The example lists six "record systems" stored by
the federal Court Services and Offender Supervision
Agency, dealing with bail, drug testing, treatment,
probation/parole, employee payroll, and employee
attendance, respectively. Each system inventory
describes the sorts of records kept, routine uses,
safeguarding and disclosure policies, and instructions on
how to gain access to one's personal records, in a manner
similar to that proposed by this bill. Each of the six
inventories takes up less than one page of the Federal
Register.
In addition, the author has provided a copy of a
privately published state record inventory for the State
of Wisconsin. Produced by the ACLU, the publication is
titled "Data Surveillance: A Citizens' Guide to
Government Registries and Reporting Systems," and
contains a summary of state record retention and
disclosure practices, followed by a table of agencies and
their record categories. The entire document (which
concludes that Wisconsin "has not become Big Brother in
the Orwellian sense") is 27 pages long.
3. Bill would seek information readily provided by state
agencies
The types of information agencies would have to provide
under this bill's provisions should be easily prepared -
particularly as agencies complied with a similar mandate
from 1977 to 1992. Other than summary descriptions of
"categories" of individuals on whom records are kept,
"routine use" of records, etc., the bill would require
agencies to state the sources of the information in their
records, which is information they already are required
�
AB 2922 (Simitian)
Page 5
to maintain pursuant to the Information Practices Act.
[Civ. Code Sec. 1798.16.]
Accordingly, the high cost projections for compliance
that have been made in some agency reviews of this bill
may represent misunderstandings of the bill's intent that
could be corrected with clarifying amendments. The
Secretary of State's Office, for example, estimates that
it would require "660 staff years" to locate and index
every personal reference in its archives, although the
bill seems to require only general descriptions of
categories of records maintained on individuals - not the
cataloguing of every incidental personal reference made
in any document.
Similarly, the Department of Finance estimates a
preliminary implementation cost of "$48,000 and .6
personnel years." While this estimate is considerably
less hysterical than that of the Secretary of State's
Office, it seems to anticipate a level of effort that
would not appear intended by the bill.
4. Suggested amendments
To clarify that the information required to be provided
to the OPP would be general and categorical, rather than
specific or detailed, the author may wish to amend the
bill as follows:
(1) On page 2, lines 21-24:
The office, no later than July 1, 2003, shall
develop the process and format for the reporting of
personal information categories of records maintained
on individuals by state agencies, (etc.)
(2) On page 3, lines 10-22:
(2) The categories of individuals on whom records are
maintained in the system (for example, "agency
employees," "taxpayers," "holders of driver's
licenses," etc.) .
(3) The categories of records maintained in the
system (for example, "payroll records," "tax forms,"
�
AB 2922 (Simitian)
Page 6
"vehicle code violation histories," etc.) .
. . . .
(6) The categories of sources of records in the
system (for example, "employee time cards,"
"taxpayers," "law enforcement records," etc.) .
(7) Whether the categories of information contained
records in the system are personal information or
public information open to public access or
restricted, and the nature of any restrictions .
The bill also would benefit from additional and clarified
definitions. The term "personal information," which
under the 1977 law specifically excluded addresses and
telephone numbers as information that "could not, in any
reasonable way, be used to an individual's detriment,"
obviously needs an updated and expanded definition here.
Similarly, a definition of "record" would help agencies
exclude files and documents not specifically maintained
with reference to individuals. The definitions suggested
below are updated versions of the definitions in the 1977
statute:
(3) On page 3, line 24, after "in the system." insert:
(b) "Personal information" means any information
about an individual in any record, as defined,
including but not limited to identifying information
(such as name, address, telephone number, social
security number, or other identifying number or code);
education, financial, medical or employment history;
other employment data (such as payroll and attendance
records, retirement account information, or
disciplinary information); insurance information; real
estate records; business, professional, or driver's
license information; tax information; or criminal
history.
(c) "Record" means any file or grouping of
information about an individual that is maintained by
an agency and that contains the individual's name,
identifying number, symbol, fingerprint, or other
means of identification assigned to the individual,
�
AB 2922 (Simitian)
Page 7
and is maintained by reference to such a means of
identification.
(d) As used in this section, a "S ystem of records "
means a group of any one or more records, as defined,
under the control of an agency from which information
is retrieved by the name of an individual, by some
identifying number, symbol, or other identifying
designation assigned to an individual.
Finally, the author may wish to clarify whether an annual
filing would be required only if the agency had changes
to report, or if a "no changes" notice would be required,
as follows:
(4) On page 3, line 35:
(b) (e) Each state agency shall provide annual
updates, no later than January 1, to the Office of
Privacy Protection regarding specifying any changes to
the information in subdivision (a ), or indicating that
there have been no changes .
Support: ACLU; California Public Interest Research Group
(CalPIRG); Privacy Rights Clearinghouse
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation: SB 170 (Roberti), Ch. 709, Stats. of
1977, established the Office of Information
Practices within the State Personnel Board,
which required state agencies to file annual
notices describing the categories and uses of
their records pertaining to individuals (the
�
AB 2922 (Simitian)
Page 8
office was dissolved in 1992)
Prior Vote: Assembly Jobs, Economic Development, and
Economy Committee 6-5
Assembly Appropriations Committee 16-5
Assembly Floor 50-25
**************