BILL ANALYSIS Ó AB 2399 Page 1 CONCURRENCE IN SENATE AMENDMENTS AB 2399 (John A. Pérez) As Amended August 21, 2014 Majority vote ----------------------------------------------------------------- |ASSEMBLY: |76-0 |(May 19, 2014) |SENATE: |33-0 |(August 25, | | | | | | |2014) | ----------------------------------------------------------------- Original Committee Reference: JUD. SUMMARY : Authorizes an organ procurement organization to swipe a driver's license or identification card to transmit a donor's personal information to the organ and tissue donor register, as specified. Specifically, this bill : 1)Provides that an organ procurement organization may swipe a driver's license or identification card issued by the Department of Motor Vehicles (DMV) in an electronic device to transmit information to the Donate Life California Organ and Tissue Donor Registry for the purposes of allowing an individual to identify himself or herself as a registered organ donor. 2)Requires that information gathered or transmitted by the procurement organization comply with the DMV Information Security Agreement. 3)Requires the organ procurement organization to provide specified notice to the donor applicant prior to swiping the driver's license or identification card and specifies the procedure by which information shall be submitted. 4)Prohibits an organ procurement organization from retaining or using any of the information obtained by electronic means for any purpose other than operating the organ and donor registry. 5)Defines "organ procurement organization" to mean a person designated by the Secretary of the United States Department of Health and Human Services as an organ procurement organization. The Senate amendments : AB 2399 Page 2 1)Require the organ procurement organization to provide specified notice to the donor applicant prior to swiping the driver's license or identification card and specifies the procedure by which information shall be submitted. 2)Change the term "aggregated data" to "nonidentifiable information" to clarify the meaning and be consistent with other provisions of the Vehicle Code. FISCAL EFFECT : According to the Senate Appropriations Committee, pursuant to Senate Rule 28.8, negligible state costs. COMMENTS : The Uniform Anatomical Gift Act allows a person to make a gift of his or her body (or any part, organ, or tissue) for the purpose of performing transplants or for medical research or education purposes. Since the Uniform Anatomical Gift Act was first enacted in 1988, most donor registrations have occurred through the DMV when someone applies for, or renews, a driver's license or identification card. In 2003, SB 112 (Speier), Chapter 405, authorized four non-profit "organ procurement organizations" to establish and maintain the Donate Life California (DLC) Organ and Tissue Donor Registry (Registry). As in the past, most donor registrations occur at the time of license application or renewal. Online registration is also available, but apparently seldom used. Donor procurement organizations also proactively register donors through outreach at a variety of community events, often by setting up informational tables, collecting information from voluntary donors, and recording information on paper forms. Information collected is then subsequently entered into the Registry. These outreach events give the organizations the opportunity to reach people during the five years before a license or identification card must be renewed. However, this existing paper-form system has its drawbacks. To begin with, paper forms take more time to complete, and the information may be recorded illegibly or inaccurately. Paper forms must then be transported to a place where the information on the form can be entered into the Registry (which is not only time-consuming but also presents another opportunity for error). Allowing the use of electronic swiping and transmission, DLC believes, will be faster and more accurate, and it will avoid the need to transport paper forms. Information scanned from the magnetic stripe - the same information that is on the front of AB 2399 Page 3 the license - can be encrypted and sent to the Registry in real time. The device that swipes information from the magnetic stripe can be easily attached to a smart phone, making collection and transmission all the easier. DLC, as an official state partner of DMV, must adhere to the DMV Information Security Agreement, which incorporates information security standards promulgated by the National Institute of Standards and Technology (NIST). NIST standards represent current "best practices" in information system management and technical safeguards that are designed to protect the confidentiality, integrity, and availability of the system and its information. These standards cover everything from training and access authentication to technical safeguards such as encryption. Under existing law, the NIST standards already protect the integrity and security of the Registry itself. This bill will require that the DMV Information Security Agreement and the NIST standards also apply to the gathering and transmission of the information to the Registry. In particular, information collected by electronic devices - most likely attached to smart phones - will be encrypted. Once submitted to the Registry, the sponsor states, any information remaining on the device will be deleted. Indeed the bill prohibits the organ procurement organizations from maintaining or using the information for any purpose beyond those authorized by this bill - that is, to submit the information to the Registry, and nothing else. There is, of course, no perfectly secure means of collecting and transmitting digitized data, just as there is no perfectly secure means of handling paper forms containing the same information. Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334 FN: 0005359