AB 2147, as amended, Melendez. begin delete Privacy: personal information: agency disclosure. end delete begin insert State government Web sites: information practices. end insert
Existing law begin delete outlines end delete begin insert prescribes end insert the procedures for begin insert state end insert agencies to follow in the collection, maintenance, and dissemination of personal information, as defined, in order to protect the privacy of individuals. Existing law prohibits an agency from disclosing begin delete any end delete personal information in a manner that would link the information disclosed to the individual to whom it pertains, with specified exceptions.
begin insert This bill would require a state entity, as defined, that uses an Internet Web site to obtain information by means of an electronic form to include a specified disclosure notice clearly displayed in direct proximity above the button used to submit the form. The disclosure would acknowledge that the information is being collected and may be shared. The bill would also prohibit a state entity using an electronic form, as described above, to utilize or share any information provided until the person entering information into the form specifically acts to submit the form. end insert
begin delete This bill would, with regard to specified disclosures of personal information, require agencies to obtain prior written voluntary consent of the individual before releasing the personal information to an independent contractor or other worker who is not an agency employee or to a natural person or corporation, partnership, limited liability company, firm, association, or other nongovernment entity. end delete
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
begin insert Section 8310.9 is added to the Government Code, to read: end insert
(a) For purposes of this section, “state entity” means any agency, department, bureau, board, or commission of any kind.
(b) A state entity that uses an Internet Web site to obtain information by means of an electronic form shall include the following disclosure notice clearly displayed in a minimum of 12-point boldface type, in direct proximity above the button used to submit the form:
By submitting this form, I acknowledge that this information is being collected by the state and may be shared with another state agency or a private party in accordance with Section 1798.24 of the Civil Code and the Information Practices Act of 1977 generally.
(c) A state entity that uses an Internet Web site to obtain information by means of an electronic form shall not utilize or share any information provided until the person entering information into the form specifically acts to submit the form. Information in partially completed forms that have not been formally submitted shall not be utilized or otherwise shared.
Section 1798.24 of the Civil Code is amended to read:
No agency may disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the record pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired, except personal information may be disclosed to an independent contractor or other worker who is not an agency employee only with prior written voluntary consent of the individual pursuant to subdivision (b).
(e) To a person, or to another agency where the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is accounted for in accordance with Section 1798.25. For information transferred pursuant to this subdivision the following shall apply:
(1) With respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(2) With respect to information transferred to a natural person or a person that is a corporation, partnership, limited liability company, firm, association, or other nongovernment entity, personal information may be disclosed only with prior written voluntary consent of the individual pursuant to subdivision (b).
(f) To a governmental entity when required by state or federal law.
(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that will not identify any individual.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at his or her last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or his or her designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
(p) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization as necessary for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(q) To an adopted person and is limited to general background information pertaining to the adopted person’s natural parents, provided that the information does not include or reveal the identity of the natural parents.
(r) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person’s natural parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the natural parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision by July 1, 1985. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.
(s) To a committee of the Legislature or to a Member of the Legislature, or his or her staff when authorized in writing by the member, where the member has permission to obtain the information from the individual to whom it pertains or where the member provides reasonable assurance that he or she is acting on behalf of the individual.
(t) (1) To the University of California, a nonprofit educational institution, or, in the case of education-related data, another nonprofit entity, conducting scientific research, provided the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (4) and (5). The approval required under this subdivision shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(3) Reasonable costs to the agency associated with the agency’s process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency’s costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(4) The CPHS may enter into written agreements to enable other institutional review boards to provide the data security approvals required by this subdivision, provided the data security requirements set forth in this subdivision are satisfied.
(5) Pursuant to paragraph (4), the CPHS shall enter into a written agreement with the institutional review board established pursuant to Section 49079.5 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, provided the data security requirements set forth in this subdivision and the act specified in paragraph (1) of subdivision (a) of Section 49079.5 are satisfied.
(u) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.
(v) Pursuant to Section 280, 282, 8009, or 18396 of the Financial Code.
This article shall not be construed to require the disclosure of personal information to the individual to whom the information pertains when that information may otherwise be withheld as set forth in Section 1798.40.