BILL NUMBER: AB 1686 CHAPTERED 10/10/99
CHAPTER 873
FILED WITH SECRETARY OF STATE OCTOBER 10, 1999
APPROVED BY GOVERNOR OCTOBER 8, 1999
PASSED THE ASSEMBLY SEPTEMBER 10, 1999
PASSED THE SENATE SEPTEMBER 9, 1999
AMENDED IN SENATE SEPTEMBER 8, 1999
AMENDED IN ASSEMBLY APRIL 22, 1999
INTRODUCED BY Committee on Information Technology (Dutra (Chair), Bates (Vice Chair), Alquist, Briggs, and Ducheny)
MARCH 18, 1999

An act to repeal, add, and repeal Chapter 7 (commencing with Section 11700) of Division 3 of Title 2 of the Government Code, relating to information technology, and making an appropriation therefor.

LEGISLATIVE COUNSEL'S DIGEST

AB 1686, Committee on Information Technology. Department of Information Technology.

(1) Existing law provides for the development and coordination of information technology activities in the state, and for these purposes establishes the Department of Information Technology, the Hawkins Data Center, the Stephen P. Teale Data Center, which is funded by the continuously appropriated Stephen P. Teale Data Center Revolving Fund, and the Health and Welfare Agency Data Center, which is funded by the continuously appropriated Health and Welfare Agency Data Center Revolving Fund. These provisions become inoperative on July 1, 2000, and are repealed as of January 1, 2001. This bill would extend the dates on which these provisions are to become inoperative to July 1, 2002, and are to be repealed to January 1, 2003. By continuing the existence of continuously appropriated funds, this bill would make an appropriation.

(2) Existing law renames the Health and Welfare Agency as the California Health and Human Services Agency. This bill would correct obsolete references to the Health and Welfare Agency, rename the Health and Welfare Agency Data Center as the California Health and Human Services Agency Data Center, and rename the Health and Welfare Agency Data Center Revolving Fund as the California Health and Human Services Data Center Revolving Fund.
Appropriation: yes.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. It is the intent of the Legislature in enacting this act to reaffirm the role and duties of the Department of Information Technology as established by existing law in the strongest possible manner.

SEC. 2. Chapter 7 (commencing with Section 11700) of Division 3 of Title 2 of the Government Code is repealed.

SEC. 3. Chapter 7 (commencing with Section 11700) is added to Division 3 of Title 2 of the Government Code, to read:

CHAPTER 7. INFORMATION TECHNOLOGY

Article 1. Intent and Definitions

11700. (a) The Legislature finds that information technology is an indispensable tool of modern government for the rapid and efficient handling of data, records, communication, and transactions, and for assisting decisionmakers in carrying out their tasks and responsibilities at all levels of government.
(b) The Legislature finds that advances in information technology, such as automated office systems, personal computers, electronic mail, and others, have the potential to increase the productivity, efficiency, and responsiveness of the state's operations. The Legislature finds that a need exists to facilitate the productive application of information technology to state programs, and to do so in a manner that significantly improves the return on the state's investment in this technology. Therefore, the Legislature intends that the Department of Information Technology created by this chapter, shall improve the state's ability to apply information technology effectively, and provide guidance and leadership to state agencies in identifying, designing, and implementing these applications, and where feasible, promote phased implementation and funding of large and complex projects.

11701.
It is the intent of the Legislature to create the Department of Information Technology that shall do all of the following:
(a) Provide statewide guidance to state agencies regarding acquisition, management, and appropriate use of information technology to improve operational productivity, reduce the cost of government, enhance service to customers, lower the cost and risk to taxpayers when implementing information technology, and expand the use of information technology to make government more accessible to the public.
(b) Develop specific statewide strategies, policies, and processes, including oversight, to improve the state's overall management of information technology; improve the state's overall management of information technology projects; improve the development and contract management of information technology acquisitions; guide state agencies in the acquisition, management, and use of information technology; and provide guidance to all state agencies to ensure that the agency's information technology direction is consistent with the agency's mission, business plan, and a results-oriented management policy.
(c) Develop statewide policies and plans for information technology that recognize the interrelationships and impact of state activities on local governments, including local school systems, private companies that supply needed goods and services to agencies and the federal government, and require individual state agency plans be aligned with statewide policies and plans.
(d) Develop appropriate policies and requirements for risk management and for sharing risk and benefits with the private sector in the acquisition of information technology products and services.
(e) Develop policies, goals, and objectives for one-time collection of data, allowing its use by all appropriate agencies without jeopardizing the security or confidentiality of information as provided by statute or the constitutional protection of individual rights to privacy.
(f) Establish and maintain criteria to be followed by state government in participating with private industry, and federal, state, and local government in demonstrating or developing advanced information technologies.
(g) Update continuously policies developed in carrying out the intent of this chapter for inclusion in the State Administrative Manual to reflect changing state needs related to information technology.
(h) Develop policies and standards to improve the acquisition and management of information technology projects in consultation with the Department of General Services, Office of Procurement.

11702. The following definitions apply for the purposes of this chapter, unless the context requires otherwise:
(a) "Advanced information technologies" includes, but is not limited to, technologies of a nature providing opportunities of value to the state, and technologies to which the state has limited access because of the lack of previous application to government processes and that limit the competitiveness of the acquisition due to the advanced nature of the technology.
(b) "Agency" means agency, department, board, commission, data center, or any other state entity.
(c) "Department" means the Department of Information Technology.
(d) "Director" means the state chief information officer and the Director of Information Technology, and may be used interchangeably.
(e) "Information technology" includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications which include voice, video, and data communications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(f) "Infrastructure" consists of information technology equipment, software, communications networks, facilities, and staff.
Specifically included in statewide infrastructure are data centers and wide-area networks with their associated management and support capabilities.

Article 2. Department of Information Technology

11710. (a) There is hereby created in the executive branch the Department of Information Technology, that shall be managed by the Director of Information Technology, who shall be appointed by the Governor, with the consent of the Senate, and who shall serve at the pleasure of the Governor.
(b) The department, among other duties, shall perform the statutory duties and responsibilities of the former Office of Information Technology. Any reference in any law to the Office of Information Technology or the director of that office shall be considered a reference to the Department of Information Technology and the Director of Information Technology, as the case may be, unless the context otherwise requires.
(c) The Governor, upon recommendation of the director, shall appoint two officers exempt from civil service who are necessary for the administration of the department. The exempt officers appointed pursuant to this subdivision shall have both knowledge and expertise in the area of information technology. Subject to the State Civil Service Act (Part 2 (commencing with Section 18500) of Division 5 of Title 2 of the Government Code), the director shall appoint any other assistants and other employees as are necessary for the administration of the department and shall prescribe their duties.
(d) The department shall provide leadership, guidance, and oversight of information technology in state government, including, but not limited to, all of the following:
(1) Development of statewide vision, strategies, plans, policies, requirements, standards, and infrastructure.
(2) Implementation of efficient, effective, and timely information technology acquisition and project management processes.
(3) Identification of available information technology resources from both public and private sectors.
(4) Development and implementation of an information technology equipment and software acquisition strategy that moves the state steadily to an architecture to provide maximum practical compatibility to facilitate information sharing among all computing systems in state government.
(5) Promotion of reforms in information technology personnel classifications and in systems and procedures that reward skill in meeting business needs and facilitation of change with effective application of information technology.
(e) The Department of Information Technology shall have possession and control of all relevant records and papers held for the benefit or use of the former Office of Information Technology in the performance of its statutory duties, powers, purposes, and responsibilities.

11711. The director shall be responsible for all of the following:
(a) Developing plans and policies to support and promote the effective application of information technology within state government as a means of saving money, increasing employee productivity, and improving state services to the public, including public electronic access to state information.
(b) Overseeing the management of information technology in state agencies, the development and management of information technology projects, and acquisition of information technology to ensure compliance with statewide strategies, policies, and standards.
(c) Preparing annual reports to the Governor and the Legislature as to the status and result of the state's specific information technology plans.
(d) Developing and maintaining a computer based file, for use by the department and the Legislature, of all information technology projects for which a feasibility study report has been approved.
(e) Recommending to the Governor and Legislature changes needed in state policies and laws to accomplish the purposes of this chapter.
(f) Identifying which applications of information technology should be statewide in scope, and ensure that these applications are not developed independently or duplicated by individual state agencies.
(g) Establishing policies and procedures, where appropriate, to ensure that major projects are scheduled and funded in phases and that authority to proceed to the next phase of a project will be contingent upon successful completion of the prior phase. The policies and procedures to be developed by the director shall include the identification of one or more specific results deliverable for each phase that will provide the basis for assessing the extent to which a phase has been completed successfully.

11712. The director is vested with the authority to do the following:
(a) Review proposed agency information technology projects for compliance with statewide strategies, policies, and standards, including project management methods and standards.
(b) Grant or withhold approval to initiate agency information technology projects based upon the review performed in accordance with subdivision (a). The director shall consult with the affected agencies and the involved control and service agencies, as appropriate, when granting or withholding approval on information technology projects. The director shall make the final decision to initiate, suspend, or terminate an information technology project.
(c) Monitor agency information technology projects to ensure continued compliance with statewide strategies, policies, and standards, and project management methods and standards.
(d) Make recommendations for remedial measures to be applied to agency information technology projects in order to achieve compliance with statewide strategies, policies, and standards, and proper project management methods and standards.
Remedial measures include, but are not limited to, use of independent validation and verification methodologies based on engineering principles, conducted on an independent basis, by practitioners with recognized expertise and experience.
(e) Suspend, reinstate, or terminate projects after consultation with the affected agencies, and the involved control and service agencies.
(f) Develop policies and requirements for carrying out the responsibilities of this article for publication in the State Administrative Manual, or distribution by management memo.

11713. The director shall continue to develop plans and policies in a coordinated fashion regarding all of the following:
(a) The state data centers, including the optimum size and degree of centralization of the data centers.
(b) Information technology management personnel, including the training and qualifications of those personnel.
(c) Telecommunications networks, including both wide and local area networks.
(d) Public access, via telecommunications, to public records, indexes, and data bases maintained in computer accessible files in conformance with applicable laws relating to confidentiality and privacy of information.

11714. The role of the Department of Finance regarding the approval of information technology projects shall be limited to the approval of expenditure of funds on information technology projects.

Article 3. State Agency Responsibilities

11720.
Subject to the authority of the office as set forth in this chapter, the head of each agency is responsible for the management of information technology in the agency that he or she heads, including, but not limited to, (a) the designation of an individual as the person responsible for information technology application and management within the agency; (b) the establishment of information technology strategies that support the accomplishment of the agency mission, business strategies, and objectives; (c) the justification of proposed information technology projects in terms of costs and benefits, as well as consistency with agency mission and statewide strategies, policies, requirements, and standards; (d) the management of information technology development and acquisition projects and the qualifications of project staff; and (e) the management of all agency information processing and communications activities. The head of each agency has responsibility over all information collected, processed, stored, or used by the agency that he or she heads.

Article 4. Reporting Requirements

11725. (a) It is the intent of the Legislature that the reorganization and specific requirements specified in this chapter be implemented as quickly as possible. However, the Legislature recognizes that in order for compliance to be most effective, careful planning and execution are essential.
(b) The director shall provide to the Joint Legislative Budget Committee and the appropriate policy and fiscal committees of the Assembly and Senate, on or before July 1, 1996, a written progress report of compliance to date and a plan and schedule for obtaining compliance for all other requirements of this chapter. Thereafter, the director shall report in writing annually by December 1 to those legislative committees of the progress in implementing this plan. This annual report shall include a statewide plan for information technology and support of state programs.

11726.
Feasibility study reports, special project reports, and postimplementation evaluation reviews for information technology projects, if and when required, shall include in the front of the document a summary disclosing the following information:
(a) For feasibility study reports, the estimated project cost and benefits for the selected solution, the estimated start and completion dates, and the estimated number of months required to implement the project.
(b) For special project reports, the original estimates of cost, benefits, and schedule, the new estimates of cost, benefits and schedule, and where applicable, the estimated cost, benefits and schedule reflected in the most recent special project report.
(c) For postimplementation evaluation reports, an analysis of the original estimated versus actual costs, benefits, and schedule.

11730. It is the intent of the Legislature that the director shall be the state's advocate in the exploitation of information technology to increase the effectiveness and efficiency of government information technology services in program and support areas. The department shall adopt policies and procedures to carry out its advocacy role and shall publish and maintain them in the State Administrative Manual.

Article 6. User Committee

11735. The director shall form an information technology advisory committee or committees consisting of representatives of state agencies. These committees shall advise the director with respect to the management of information technology, including critical success factors for successful use and management of information technology and recommend changes in policy, both legislative and administrative, necessary to achieve successful information technology management.

11736. The advisory committee or committees shall prepare a written agenda for each of its meetings, and the advisory committees' finding and recommendation shall be in writing.
These written documents shall be available to interested parties upon request.

11737. The representatives appointed to the user committee or committees shall be selected from individuals designated by the agency in accordance with Section 11720, or the most senior manager responsible for information technology in the agency. Additional appointments may be made at the discretion of the director.

11738. The director shall form an information technology advisory commission to provide advice to the director on information technology issues. Commission advice shall include, but is not limited to, long-term information technology trends and strategies, key information technology policy issues, strategic technologies that should be pursued, and practices in both public and private organizations.

11739. Appointments to the advisory commission shall be made by the director. Commission members shall utilize their knowledge, experience, and expertise in all matters of information technology, including new development and trends, acquisition, planning, implementation, and management. Members are to be selected from the private sector, academic sector, nonprofit organizations, and other governmental sectors. Members of the commission shall serve without compensation but may be reimbursed for actual and necessary travel expenses.

Article 7. Data Centers

11751. There is in the Department of Justice the Hawkins Data Center. The Hawkins Data Center shall be under the supervision of a data center director who shall be appointed by the Attorney General, in consultation with the Director of Information Technology, pursuant to civil service. The data center shall be subject to consolidation with other information technology centers in accordance with this chapter, if the Director of Information Technology deems it in the best interest of the state. The data center director shall be responsible for the efficient and effective management and operation of the data center.

11752.
There is in the Business, Transportation and Housing Agency the Stephen P. Teale Data Center. The Stephen P. Teale Data Center shall be under the supervision of a data center director who shall be appointed by the Governor, in consultation with the Director of Information Technology, subject to confirmation by the Senate and serve at the pleasure of the Governor. The Stephen P. Teale Data Center shall be subject to consolidation with other information technology centers in accordance with this chapter, if the Director of Information Technology deems it in the best interest of the state. The Director of the Stephen P. Teale Data Center shall receive a salary approved by the Department of Personnel Administration. The data center director shall be responsible for the efficient and effective management and operation of the data center. The data center director shall continue to communicate regularly with the Director of Information Technology regarding future needs of the center and the likely impact of emerging technologies.

11753. There is in the California Health and Human Services Agency the California Health and Human Services Agency Data Center. The California Health and Human Services Agency Data Center shall be under the supervision of a data center director who shall be appointed by the Secretary of the California Health and Human Services Agency, in consultation with the Director of Information Technology pursuant to civil service. The California Health and Human Services Agency Data Center shall be subject to consolidation with other information technology centers in accordance with this chapter, if the Director of Information Technology deems it in the best interest of the state. The data center director shall be responsible for the efficient and effective management and operation of the data center.

11754. There is in the State Treasury, the Stephen P.
Teale Data Center Revolving Fund, hereafter referred to as the "TDC Fund," which fund is continuously appropriated for the purposes of this chapter, and the fund shall be continuously utilized without regard to fiscal years for the payment of expenses incurred by the Stephen P. Teale Data Center. Moneys available in the TDC Fund, not to exceed a total of 1 percent of the Stephen P. Teale Data Center's current fiscal year budget, may be allocated by the director to projects that demonstrate or develop advanced information technologies as solutions to information processing problems. The expenditures for these allocations shall be provided for out of the unencumbered surplus of the TDC Fund. There shall be no expenditure in the event that there is no unencumbered surplus in any particular fiscal year. The TDC Fund shall consist of the following:
(a) All moneys appropriated by the Legislature for the fund in accordance with law.
(b) All moneys received into the State Treasury from any source whatever in payment of electronic data processing services rendered by the Stephen P. Teale Data Center or for other services rendered by the Stephen P. Teale Data Center.
(c) All moneys from outstanding balances of prior fiscal years which have not reverted to the General Fund.
(d) The balance remaining in the TDC Fund at the end of any fiscal year whether the moneys received are from an appropriation or from payments for services rendered. If the balance remaining in the TDC Fund at the end of any fiscal year exceeds 25 percent of the Stephen P. Teale Data Center's current fiscal year budget, the billing rates for services rendered shall be adjusted downward for the following fiscal year. If the Stephen P. Teale Data Center is consolidated with other state information technology centers, the TDC Fund shall cease to exist and any remaining funds shall be distributed in accordance with Section 16304.9.

11754.1. (a) The Stephen P.
Teale Data Center may establish rates and collect payments from state agencies for providing services to those agencies. The methodology for computing costs and billing rates shall be subject to the approval of the Director of Finance.
(b) All money received by the Stephen P. Teale Data Center pursuant to this section shall be deposited in the Stephen P. Teale Data Center Revolving Fund. In order to assure that there is adequate cash in the fund, the Stephen P. Teale Data Center may require monthly payments in advance by client agencies, based on estimated billings. By mutual agreement between the Stephen P. Teale Data Center and the applicable state agency, a state agency may make monthly, quarterly, or annual payments in advance or arrears.
(c) Consistent with subdivision (b), and pursuant to Section 11255, the Controller shall transfer any amounts so authorized by the Stephen P. Teale Data Center. The Stephen P. Teale Data Center shall notify each affected state agency upon requesting the Controller to make the transfer.

11755. There is in the State Treasury, the California Health and Human Services Agency Data Center Revolving Fund, hereafter referred to as the "CHHSDC Fund," which fund is continuously appropriated for the purposes of this chapter. Moneys in the fund shall be continuously utilized without regard to fiscal years for the payment of expenses incurred by the California Health and Human Services Agency Data Center. Moneys available in the CHHSDC Fund, not to exceed a total of 1 percent of the California Health and Human Services Agency Data Center's current fiscal year budget, may be allocated by the director to projects that demonstrate or develop advanced information technologies as solutions to information processing problems. The expenditures for these allocations shall be provided for out of the unencumbered surplus of the CHHSDC Fund.
There shall be no expenditure in the event that there is no unencumbered surplus in any particular fiscal year. The CHHSDC Fund shall consist of the following:
(a) All moneys appropriated by the Legislature for the fund in accordance with law.
(b) All moneys received into the State Treasury from any source whatever in payment of electronic data processing services rendered by the California Health and Human Services Agency Data Center or for other services rendered by the California Health and Human Services Agency Data Center.
(c) All moneys from outstanding balances of prior fiscal years which have not reverted to the General Fund.
(d) The balance remaining in the CHHSDC Fund at the end of any fiscal year whether the moneys received are from an appropriation or from payments for services rendered. If the balance remaining in the CHHSDC Fund at the end of any fiscal year exceeds 25 percent of the California Health and Human Services Agency Data Center's current fiscal year budget, the excess amount shall be used to reduce the billing rates for services rendered during the following fiscal year. If the California Health and Human Services Agency Data Center is consolidated with other state information technology centers, the CHHSDC Fund shall cease to exist and any remaining funds shall be distributed in accordance with Section 16304.9.

Article 8. Data Security and Confidentiality

11770. (a) The Department of Information Technology shall do all of the following:
(1) Develop the policies and standards to be followed in providing for the confidentiality of information.
(2) Develop policies necessary to provide for the security of the state's informational and physical assets.
(3) Develop policies to provide for the preservation of the state's information processing capability.
(4) Coordinate research and identify solutions to problems affecting information security.
(5) Review and approve personal services contracts for information security consulting services.
(6) Represent the state to the federal government, other agencies of state government, local government entities, and private industry on issues that have statewide impact on information security.
(7) Develop policies and monitor state agencies to ensure that agency business operations will continue to function in the event of a disaster.
(8) Review and advise on security plans concerning the location and construction of information processing facilities for state agencies.
(9) Prepare policies and procedures for inclusion in the State Administrative Manual for use by state agencies regarding the applicable law relating to confidentiality and privacy of, and public access to, information.
(b) State agencies shall notify the department of all incidents involving the unauthorized intentional damage to, or modification or destruction of, electronic information, and the damage to, or destruction or theft of, data processing equipment, or the intentional damage to, or destruction of, information processing facilities. The department shall investigate any incident it deems necessary.
(c) This section shall not apply to the California State Lottery.

11771. The chief executive officer of each state agency that uses, receives, or provides information technology services shall designate an information security officer who shall be responsible for implementing state policies and standards regarding the confidentiality and security of information pertaining to his or her respective agency. The policies and standards shall include, but are not limited to, strict controls to prevent unauthorized access to data maintained in computer files, program documentation, data processing systems, data files, and data processing equipment physically located in the agency.

11772.
Any contract entered into by any state agency that includes provisions for information technology systems design, programming, documentation, conversion, equipment maintenance, and similar aspects of information technology services shall contain a provision requiring the contractor and all of his or her staff working under the contract to maintain all confidential information obtained as a result of the contract as confidential and to not divulge that information to any other person or entity.

Article 9. Disaster Recovery Planning

11773. Each state agency shall develop and continually update a disaster recovery plan with respect to information technology. Each agency shall establish a disaster recovery planning team to develop the disaster recovery plan and to administer the plan's implementation. In developing the plan, the disaster recovery planning team shall do all of the following:
(a) Consider the organizational, managerial, and technical environments in which the disaster recovery plan must be implemented.
(b) Assess the types and likely parameters of disasters most likely to occur and the resultant impacts on the agency's ability to perform its mission.
(c) List protective measures to be implemented in anticipation of a disaster, natural or manmade. Protective measures listed shall be:
(1) Those protective measures determined to be most cost-effective; and
(2) Identified through the risk management process for information technology referred to in the State Administrative Manual.

11774. Each state agency shall file a copy of its disaster recovery plan with the Department of Information Technology by January 31 of each year. The Department of Information Technology shall review and coordinate disaster planning with respect to information technology for all state agencies. If a state agency employs the services of a state data center, the agency must also provide the data center with a copy of its disaster recovery plan.

11775.
For purposes of this article, "disaster recovery planning" includes, but is not limited to, the documentation, plans, policies, and procedures that are required to restore normal operation to a state agency impacted by manmade or natural disaster.

Article 10. Applicability

11780. The provisions of this chapter shall not apply to the University of California, the California State University, the State Compensation Insurance Fund, the community college districts, agencies provided for by Article VI of the California Constitution, or the Legislature.

Article 11. Repeal of Chapter

11785. This chapter shall become inoperative on July 1, 2002, and as of January 1, 2003, is repealed, unless a later enacted statute that is enacted before January 1, 2003, deletes or extends the dates on which it becomes inoperative and is repealed.