BILL ANALYSIS Ó AB 2399 Page 1 ASSEMBLY THIRD READING AB 2399 (John A. Pérez) As Amended April 24, 2014 Majority vote JUDICIARY 10-0 APPROPRIATIONS 17-0 ----------------------------------------------------------------- |Ayes:|Wieckowski, Wagner, |Ayes:|Gatto, Bigelow, | | |Alejo, Chau, Dickinson, | |Bocanegra, Bradford, Ian | | |Garcia, Gorell, | |Calderon, Campos, | | |Maienschein, Muratsuchi, | |Donnelly, Eggman, Gomez, | | |Stone | |Holden, Jones, Linder, | | | | |Pan, Quirk, | | | | |Ridley-Thomas, Wagner, | | | | |Weber | |-----+--------------------------+-----+--------------------------| | | | | | ----------------------------------------------------------------- SUMMARY : Authorizes an organ procurement organization to swipe a driver's license or identification card to transmit a donor's personal information to the organ and tissue donor register, as specified. Specifically, this bill : 1)Provides that an organ procurement organization may swipe a driver's license or identification card issued by the Department of Motor Vehicles (DMV) in an electronic device to transmit information to the Donate Life California Organ and Tissue Donor Registry for the purposes of allowing an individual to identify himself or herself as a registered organ donor. 2)Requires that information gathered or transmitted by the procurement organization comply with the DMV Information Security Agreement. 3)Prohibits an organ procurement organization from retaining or using any of the information obtained by electronic means for any purpose other than operating the organ and donor registry. 4)Defines "organ procurement organization" to mean a person designated by the Secretary of the United States Department of Health and Human Services as an organ procurement AB 2399 Page 2 organization. 5)Revises existing reference to "general characteristics" of donors to instead refer to "aggregated data" of donors amend annual report requirements accordingly. FISCAL EFFECT : According to the Assembly Appropriations Committee, negligible fiscal impact to the DMV. COMMENTS : The Uniform Anatomical Gift Act allows a person to make a gift of his or her body (or any part, organ, or tissue) for the purpose of performing transplants or for medical research or education purposes. Since the Uniform Anatomical Gift Act was first enacted in 1988, most donor registrations have occurred through the DMV when someone applies for, or renews, a driver's license or identification card. In 2003, SB 112 (Speier), Chapter 405, authorized four non-profit "organ procurement organizations" to establish and maintain the Donate Life California (DLC) Organ and Tissue Donor Registry (Registry). As in the past, most donor registrations occur at the time of license application or renewal. Online registration is also available, but apparently seldom used. Donor procurement organizations also proactively register donors through outreach at a variety of community events, often by setting up informational tables, collecting information from voluntary donors, and recording information on paper forms. Information collected is then subsequently entered into the Registry. These outreach events give the organizations the opportunity to reach people during the five years before a license or identification card must be renewed. However, this existing paper-form system has its drawbacks. To begin with, paper forms take more time to complete, and the information may be recorded illegibly or inaccurately. Paper forms must then be transported to a place where the information on the form can be entered into the Registry (which is not only time-consuming but also presents another opportunity for error). Allowing the use of electronic swiping and transmission, DLC believes, will be faster and more accurate, and it will avoid the need to transport paper forms. Information scanned from the magnetic stripe - the same information that is on the front of the license - can be encrypted and sent to the Registry in real time. The device that swipes information from the magnetic stripe can be easily attached to a smart phone, making AB 2399 Page 3 collection and transmission all the easier. Pursuant to the legislation creating the donor registry, DLC became an official state partner of DMV. As such, it must adhere to the DMV Information Security Agreement, which incorporates information security standards promulgated by the National Institute of Standards and Technology (NIST). NIST standards represent current "best practices" in information system management and technical safeguards that are designed to protect the confidentiality, integrity, and availability of the system and its information. These standards cover everything from training and access authentication to technical safeguards such as encryption. (NIST, Special Publication (SP) 800-53.) Under existing law, the NIST standards already protect the integrity and security of the Registry itself. This bill will require that the DMV Information Security Agreement and the NIST standards also apply to the gathering and transmission of the information to the Registry. In particular, information collected by electronic devices - most likely attached to smart phones - will be encrypted. Once submitted to the Registry, the sponsor states, any information remaining on the device will be deleted. Indeed the bill prohibits the organ procurement organizations from maintaining or using the information for any purpose beyond those authorized by the bill - that is, to submit the information to the Registry, and nothing else. There is, of course, no perfectly secure means of collecting and transmitting digitized data, just as there is no perfectly secure means of handling paper forms containing the same information. Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334 FN: 0003499