BILL NUMBER: SB 13 CHAPTERED 09/22/05

CHAPTER 241
FILED WITH SECRETARY OF STATE SEPTEMBER 22, 2005
APPROVED BY GOVERNOR SEPTEMBER 22, 2005
PASSED THE SENATE AUGUST 29, 2005
PASSED THE ASSEMBLY AUGUST 22, 2005
AMENDED IN ASSEMBLY JUNE 22, 2005
AMENDED IN ASSEMBLY JUNE 9, 2005
AMENDED IN SENATE APRIL 21, 2005
AMENDED IN SENATE APRIL 13, 2005

INTRODUCED BY Senator Bowen

DECEMBER 6, 2004

An act to amend Section 1798.24 of the Civil Code, and Section 10850 of the Welfare and Institutions Code, relating to personal information.

LEGISLATIVE COUNSEL'S DIGEST

SB 13, Bowen Personal information.

The existing Information Practices Act of 1977 generally prohibits a state agency from disclosing any personal information in a manner that would link the information to the individual to whom it pertains unless the disclosure of the information is, among other things, to the University of California or a nonprofit educational institution conducting scientific research if specified confidentiality requirements are met.

This bill would revise the provision authorizing a state agency to disclose personal information to those institutions by permitting that disclosure only if the request is approved by the Committee for the Protection of Human Subjects for the California Health and Human Services Agency. The bill would also establish criteria for the review and approval of the request, as specified.

Existing law prohibits the disclosure of confidential information regarding applicants and recipients of public assistance benefits, with certain exceptions that include allowing the State Department of Social Services to make case records available for research purposes provided that the research will not result in the disclosure of the identity of applicants for or recipients of public social services.
This bill would allow the department to make these case records available provided that making them available will not result in disclosure of the identity of applicants for or recipients of public social services and will not disclose personal information in a manner that would link the information to the individual to whom it pertains, except as specified. The bill would also make a statement of legislative intent regarding the protection of personal information.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. (a) It is the intent of the Legislature to protect personal information held in agency databases from being accessed for the purpose of committing identity theft and other crimes.

(b) The Legislature recognizes the research community has legitimate needs to access personal information to carry out research in certain cases, and the provisions of this bill are not intended to impede research but rather to require and set minimum standards for careful review and approval of requests for access to personal information held in agency databases and to require personal information to be removed before data is shared whenever possible.

SEC. 2. Section 1798.24 of the Civil Code is amended to read:

1798.24. No agency may disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:

(a) To the individual to whom the information pertains.

(b) With the prior written voluntary consent of the individual to whom the record pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents or correspondence that this person is the authorized representative of the individual to whom the information pertains.

(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired.

(e) To a person, or to another agency where the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is accounted for in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.

(f) To a governmental entity when required by state or federal law.

(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).

(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that will not identify any individual.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at his or her last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.

(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or his or her designee to determine whether the record has further administrative, legal, or fiscal value.

(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.

(l) To any person pursuant to a search warrant.

(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.

(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.

(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.

(p) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization as necessary for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(q) To an adopted person and is limited to general background information pertaining to the adopted person's natural parents, provided that the information does not include or reveal the identity of the natural parents.

(r) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person's natural parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the natural parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision by July 1, 1985. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.

(s) To a committee of the Legislature or to a Member of the Legislature, or his or her staff when authorized in writing by the member, where the member has permission to obtain the information from the individual to whom it pertains or where the member provides reasonable assurance that he or she is acting on behalf of the individual.

(t) (1) To the University of California or a nonprofit educational institution conducting scientific research, provided the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA). The CPHS approval required under this subdivision shall include a review and determination that all the following criteria have been satisfied:

(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.

(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.

(2) The CPHS shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:

(A) Determine whether the requested personal information is needed to conduct the research.

(B) Permit access to personal information only if it is needed for the research project.

(C) Permit access only to the minimum necessary personal information needed for the research project.

(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.

(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.

(3) Reasonable costs to the agency associated with the agency's process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency's costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(4) This subdivision does not prohibit the CPHS from using its existing authority to enter into written agreements to enable other institutional review boards to approve projects or classes of projects for the CPHS, provided the data security requirements set forth in this subdivision are satisfied.

(u) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.

(v) Pursuant to Section 1909, 8009, or 18396 of the Financial Code.

This article shall not be construed to require the disclosure of personal information to the individual to whom the information pertains when that information may otherwise be withheld as set forth in Section 1798.40.

SEC. 3. Section 10850 of the Welfare and Institutions Code is amended to read:

10850. (a) Except as otherwise provided in this section, all applications and records concerning any individual made or kept by any public officer or agency in connection with the administration of any provision of this code relating to any form of public social services for which grants-in-aid are received by this state from the United States government shall be confidential, and shall not be open to examination for any purpose not directly connected with the administration of that program, or any investigation, prosecution, or criminal or civil proceeding conducted in connection with the administration of any such program. The disclosure of any information that identifies by name or address any applicant for or recipient of these grants-in-aid to any committee or legislative body is prohibited, except as provided in subdivision (b).

(b) Except as otherwise provided in this section, no person shall publish or disclose or permit or cause to be published or disclosed any list of persons receiving public social services.
Any county welfare department in this state may release lists of applicants for, or recipients of, public social services, to any other county welfare department or the State Department of Social Services, and these lists or any other records shall be released when requested by any county welfare department or the State Department of Social Services. These lists or other records shall only be used for purposes directly connected with the administration of public social services. Except for those purposes, no person shall publish, disclose, or use or permit or cause to be published, disclosed, or used any confidential information pertaining to an applicant or recipient. Any county welfare department and the State Department of Social Services shall provide any governmental entity that is authorized by law to conduct an audit or similar activity in connection with the administration of public social services, including any committee or legislative body so authorized, with access to any public social service applications and records described in subdivision (a) to the extent of the authorization. Those committees, legislative bodies and other entities may only request or use these records for the purpose of investigating the administration of public social services, and shall not disclose the identity of any applicant or recipient except in the case of a criminal or civil proceeding conducted in connection with the administration of public social services. However, this section shall not prohibit the furnishing of this information to other public agencies to the extent required for verifying eligibility or for other purposes directly connected with the administration of public social services, or to county superintendents of schools or superintendents of school districts only as necessary for the administration of federally assisted programs providing assistance in cash or in-kind or services directly to individuals on the basis of need. 
Any person knowingly and intentionally violating this subdivision is guilty of a misdemeanor. Further, in the context of a petition for the appointment of a conservator for a person who is receiving or has received aid from a public agency, as indicated above, or in the context of a criminal prosecution for a violation of Section 368 of the Penal Code both of the following shall apply:

(1) An Adult Protective Services employee or Ombudsman may answer truthfully at any proceeding related to the petition or prosecution, when asked if he or she is aware of information that he or she believes is related to the legal mental capacity of that aid recipient or the need for a conservatorship for that aid recipient. If the Adult Protective Services employee or Ombudsman states that he or she is aware of such information, the court may order the Adult Protective Services employee or Ombudsman to testify about his or her observations and to disclose all relevant agency records.

(2) The court may order the Adult Protective Services employee or Ombudsman to testify about his or her observations and to disclose any relevant agency records if the court has other independent reason to believe that the Adult Protective Services employee or Ombudsman has information that would facilitate the resolution of the matter.

(c) The State Department of Social Services may make rules and regulations governing the custody, use, and preservation of all records, papers, files, and communications pertaining to the administration of the laws relating to public social services under their jurisdiction.
The rules and regulations shall be binding on all departments, officials and employees of the state, or of any political subdivision of the state and may provide for giving information to or exchanging information with agencies, public or political subdivisions of the state, and may provide for giving information to or exchanging information with agencies, public or private, that are engaged in planning, providing, or securing social services for or in behalf of recipients or applicants; and for making case records available for research purposes, provided that making these case records available will not result in the disclosure of the identity of applicants for or recipients of public social services and will not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains, unless the department has complied with subdivision (t) of Section 1798.24 of the Civil Code.

(d) Any person, including every public officer and employee, who knowingly secures or possesses, other than in the course of official duty, an official list or a list compiled from official sources, published or disclosed in violation of this section, of persons who have applied for or who have been granted any form of public social services for which state or federal funds are made available to the counties is guilty of a misdemeanor.

(e) This section shall not be construed to prohibit an employee of a county welfare department from disclosing confidential information concerning a public social services applicant or recipient to a state or local law enforcement agency investigating or gathering information regarding a criminal act committed in a welfare department office, a criminal act against any county or state welfare worker, or any criminal act witnessed by any county or state welfare worker while involved in the administration of public social services at any location.
Further, this section shall not be construed to prohibit an employee of a county welfare department from disclosing confidential information concerning a public social services applicant or recipient to a state or local law enforcement agency investigating or gathering information regarding a criminal act intentionally committed by the applicant or recipient against any off-duty county or state welfare worker in retaliation for an act performed in the course of the welfare worker's duty when the person committing the offense knows or reasonably should know that the victim is a state or county welfare worker. These criminal acts shall include only those that are in violation of state or local law. Disclosure of confidential information pursuant to this subdivision shall be limited to the applicant's or recipient's name, physical description, and address.

(f) The provisions of this section shall be operative only to the extent permitted by federal law and shall not apply to, but exclude, Chapter 7 (commencing with Section 14000) of this division, entitled "Basic Health Care", and for which a grant-in-aid is received by the state under Title XIX of the Social Security Act.