AB 2147, as introduced, Melendez. Privacy: personal information: agency disclosure.
Existing law outlines the procedures for agencies to follow in the collection, maintenance, and dissemination of personal information, as defined, in order to protect the privacy of individuals. Existing law prohibits an agency from disclosing any personal information in a manner that would link the information disclosed to the individual to whom it pertains, with specified exceptions.
This bill would, with regard to specified disclosures of personal information, require agencies to obtain prior written voluntary consent of the individual before releasing the personal information to an independent contractor or other worker who is not an agency employee or to a natural person or corporation, partnership, limited liability company, firm, association, or other nongovernment entity.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1798.24 of the Civil Code is amended to read:
No agency may disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the record pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired [begin insert], except personal information may be disclosed to an independent contractor or other worker who is not an agency employee only with prior written voluntary consent of the individual pursuant to subdivision (b). [end insert]
(e) To a person, or to another agency where the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is accounted for in accordance with Section 1798.25. [begin delete]With[end delete] [begin insert]For information transferred pursuant to this subdivision the following shall apply:[end insert]
[begin insert](1) With[end insert] respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(2) With respect to information transferred to a natural person or a person that is a corporation, partnership, limited liability company, firm, association, or other nongovernment entity, personal information may be disclosed only with prior written voluntary consent of the individual pursuant to subdivision (b).
(f) To a governmental entity when required by state or federal law.
(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that will not identify any individual.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at his or her last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or his or her designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
(p) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization as necessary for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(q) To an adopted person and is limited to general background information pertaining to the adopted person’s natural parents, provided that the information does not include or reveal the identity of the natural parents.
(r) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person’s natural parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the natural parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision by July 1, 1985. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.
(s) To a committee of the Legislature or to a Member of the Legislature, or his or her staff when authorized in writing by the member, where the member has permission to obtain the information from the individual to whom it pertains or where the member provides reasonable assurance that he or she is acting on behalf of the individual.
(t) (1) To the University of California, a nonprofit educational institution, or, in the case of education-related data, another nonprofit entity, conducting scientific research, provided the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (4) and (5). The approval required under this subdivision shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(3) Reasonable costs to the agency associated with the agency’s process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency’s costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(4) The CPHS may enter into written agreements to enable other institutional review boards to provide the data security approvals required by this subdivision, provided the data security requirements set forth in this subdivision are satisfied.
(5) Pursuant to paragraph (4), the CPHS shall enter into a written agreement with the institutional review board established pursuant to Section 49079.5 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, provided the data security requirements set forth in this subdivision and the act specified in paragraph (1) of subdivision (a) of Section 49079.5 are satisfied.
(u) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.
(v) Pursuant to Section 280, 282, 8009, or 18396 of the Financial Code.
This article shall not be construed to require the disclosure of personal information to the individual to whom the information pertains when that information may otherwise be withheld as set forth in Section 1798.40.