BILL NUMBER: AB 2147 INTRODUCED
BILL TEXT
INTRODUCED BY Assembly Member Melendez
FEBRUARY 20, 2014
An act to amend Section 1798.24 of the Civil Code, relating to the
right to privacy.
LEGISLATIVE COUNSEL'S DIGEST
AB 2147, as introduced, Melendez. Privacy: personal information:
agency disclosure.
Existing law outlines the procedures for agencies to follow in the
collection, maintenance, and dissemination of personal information,
as defined, in order to protect the privacy of individuals. Existing
law prohibits an agency from disclosing any personal information in a
manner that would link the information disclosed to the individual
to whom it pertains, with specified exceptions.
This bill would, with regard to specified disclosures of personal
information, require agencies to obtain prior written voluntary
consent of the individual before releasing the personal information
to an independent contractor or other worker who is not an agency
employee or to a natural person or corporation, partnership, limited
liability company, firm, association, or other nongovernment entity.
Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 1798.24 of the Civil Code is amended to read:
1798.24. No agency may disclose any personal information in a
manner that would link the information disclosed to the individual to
whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to
whom the record pertains, but only if that consent has been obtained
not more than 30 days before the disclosure, or in the time limit
agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the
individual or a person representing the individual if it can be
proven with reasonable certainty through the possession of agency
forms, documents or correspondence that this person is the authorized
representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers
of the agency that has custody of the information if the disclosure
is relevant and necessary in the ordinary course of the performance
of their official duties and is related to the purpose for which the
information was acquired , except personal information may be
disclosed to an independent contractor or other worker who is not an
agency employee only with prior written voluntary consent of the
individual pursuant to subdivision (b).
(e) To a person, or to another agency where the transfer is
necessary for the transferee agency to perform its constitutional or
statutory duties, and the use is compatible with a purpose for which
the information was collected and the use or transfer is accounted
for in accordance with Section 1798.25. With
For information transferred pursuant to this subdivision the
following shall apply:
(1) With respect to information
transferred from a law enforcement or regulatory agency, or
information transferred to another law enforcement or regulatory
agency, a use is compatible if the use of the information requested
is needed in an investigation of unlawful activity under the
jurisdiction of the requesting agency or for licensing,
certification, or regulatory purposes by that agency.
(2) With respect to information transferred to a natural person or
a person that is a corporation, partnership, limited liability
company, firm, association, or other nongovernment entity, personal
information may be disclosed only with prior written voluntary
consent of the individual pursuant to subdivision (b).
(f) To a governmental entity when required by state or federal
law.
(g) Pursuant to the California Public Records Act (Chapter 3.5
(commencing with Section 6250) of Division 7 of Title 1 of the
Government Code).
(h) To a person who has provided the agency with advance, adequate
written assurance that the information will be used solely for
statistical research or reporting purposes, but only if the
information to be disclosed is in a form that will not identify any
individual.
(i) Pursuant to a determination by the agency that maintains
information that compelling circumstances exist that affect the
health or safety of an individual, if upon the disclosure
notification is transmitted to the individual to whom the information
pertains at his or her last known address. Disclosure shall not be
made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient
historical or other value to warrant its continued preservation by
the California state government, or for evaluation by the Director of
General Services or his or her designee to determine whether the
record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other
compulsory legal process if, before the disclosure, the agency
reasonably attempts to notify the individual to whom the record
pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of
Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health
care service claims made pursuant to Division 9 (commencing with
Section 10000) of the Welfare and Institutions Code.
(o) To a law enforcement or regulatory agency when required for an
investigation of unlawful activity or for licensing, certification,
or regulatory purposes, unless the disclosure is otherwise prohibited
by law.
(p) To another person or governmental organization to the extent
necessary to obtain information from the person or governmental
organization as necessary for an investigation by the agency of a
failure to comply with a specific state law that the agency is
responsible for enforcing.
(q) To an adopted person and is limited to general background
information pertaining to the adopted person's natural parents,
provided that the information does not include or reveal the identity
of the natural parents.
(r) To a child or a grandchild of an adopted person and disclosure
is limited to medically necessary information pertaining to the
adopted person's natural parents. However, the information, or the
process for obtaining the information, shall not include or reveal
the identity of the natural parents. The State Department of Social
Services shall adopt regulations governing the release of information
pursuant to this subdivision by July 1, 1985. The regulations shall
require licensed adoption agencies to provide the same services
provided by the department as established by this subdivision.
(s) To a committee of the Legislature or to a Member of the
Legislature, or his or her staff when authorized in writing by the
member, where the member has permission to obtain the information
from the individual to whom it pertains or where the member provides
reasonable assurance that he or she is acting on behalf of the
individual.
(t) (1) To the University of California, a nonprofit educational
institution, or, in the case of education-related data, another
nonprofit entity, conducting scientific research, provided the
request for information is approved by the Committee for the
Protection of Human Subjects (CPHS) for the California Health and
Human Services Agency (CHHSA) or an institutional review board, as
authorized in paragraphs (4) and (5). The approval required under
this subdivision shall include a review and determination that all
the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect
personal information from improper use and disclosures, including
sufficient administrative, physical, and technical safeguards to
protect personal information from reasonable anticipated threats to
the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or
return all personal information as soon as it is no longer needed for
the research project, unless the researcher has demonstrated an
ongoing need for the personal information for the research project
and has provided a long-term plan sufficient to protect the
confidentiality of that information.
(C) The researcher has provided sufficient written assurances that
the personal information will not be reused or disclosed to any
other person or entity, or used in any manner, not approved in the
research protocol, except as required by law or for authorized
oversight of the research project.
(2) The CPHS or institutional review board shall, at a minimum,
accomplish all of the following as part of its review and approval of
the research project for the purpose of protecting personal
information held in agency databases:
(A) Determine whether the requested personal information is needed
to conduct the research.
(B) Permit access to personal information only if it is needed for
the research project.
(C) Permit access only to the minimum necessary personal
information needed for the research project.
(D) Require the assignment of unique subject codes that are not
derived from personal information in lieu of social security numbers
if the research can still be conducted without social security
numbers.
(E) If feasible, and if cost, time, and technical expertise
permit, require the agency to conduct a portion of the data
processing for the researcher to minimize the release of personal
information.
(3) Reasonable costs to the agency associated with the agency's
process of protecting personal information under the conditions of
CPHS approval may be billed to the researcher, including, but not
limited to, the agency's costs for conducting a portion of the data
processing for the researcher, removing personal information,
encrypting or otherwise securing personal information, or assigning
subject codes.
(4) The CPHS may enter into written agreements to enable other
institutional review boards to provide the data security approvals
required by this subdivision, provided the data security requirements
set forth in this subdivision are satisfied.
(5) Pursuant to paragraph (4), the CPHS shall enter into a written
agreement with the institutional review board established pursuant
to Section 49079.5 of the Education Code. The agreement shall
authorize, commencing July 1, 2010, or the date upon which the
written agreement is executed, whichever is later, that board to
provide the data security approvals required by this subdivision,
provided the data security requirements set forth in this subdivision
and the act specified in paragraph (1) of subdivision (a) of Section
49079.5 are satisfied.
(u) To an insurer if authorized by Chapter 5 (commencing with
Section 10900) of Division 4 of the Vehicle Code.
(v) Pursuant to Section 280, 282, 8009, or 18396 of the Financial
Code.
This article shall not be construed to require the disclosure of
personal information to the individual to whom the information
pertains when that information may otherwise be withheld as set forth
in Section 1798.40.