Code · Utah · Title 63A — Utah Government Operations Code · Chapter 19

63A-19-301. Utah Office of Data Privacy.

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Effective 5/6/2026
63A-19-301. Utah Office of Data Privacy.
(1)There is created within the department the Utah Office of Data Privacy.
(2)The office shall coordinate with the governing board and the commission to perform the duties in this section.
(3)The office shall:
(a)create and maintain a data privacy framework designed to:
(i)assist governmental entities to identify and implement effective and efficient data privacy practices, tools, and systems that:
(A)protect the privacy of personal data;
(B)comply with data privacy laws and regulations specific to the governmental entity, program, or data;
(C)empower individuals to protect and control their personal data; and
(D)enable information use and sharing among governmental entities, as allowed by law; and
(ii)account for differences in a governmental entity's resources, capabilities, populations served, data types, and maturity level regarding data privacy practices;
(b)review statutory provisions related to governmental data privacy and records management to:
(i)identify conflicts and gaps in data privacy law; and
(ii)standardize language;
(c)work with governmental entities to study, research, and identify:
(i)additional data privacy practices that are feasible for governmental entities;
(ii)potential remedies and accountability mechanisms for non-compliance of a governmental entity;
(iii)ways to expand an individual's control over the individual's personal data processed by a governmental entity;
(iv)resources needed to develop, implement, and improve data privacy programs; and
(v)best practices regarding:
(A)automated decision making;
(B)the creation and use of synthetic, de-identified, or anonymized data; and
(C)the use of website tracking technology;
(d)monitor high-risk data processing activities within governmental entities;
(e)coordinate with the Cyber Center to develop an incident response plan for data breaches affecting governmental entities;
(f)coordinate with the state archivist to:
(i)incorporate data privacy practices into records management; and
(ii)include data privacy content in the trainings described in Section 63A-12-110; and
(g)develop, maintain, and make available data privacy training, education, and awareness materials that meet the requirements of Section 63A-19-401.2.
(4)The office may:
(a)provide expertise and assistance to governmental entities for high-risk data processing activities;
(b)create assessment tools and resources that a governmental entity may use to:
(i)review, evaluate, and mature the governmental entity's privacy program, practices, and processing activities; and
(ii)evaluate the privacy impact, privacy risk, and privacy compliance of the governmental entity's privacy program, practices, and processing activities;
(c)charge a governmental entity a service fee, established in accordance with Section 63J-1-504, for providing services that enable a governmental entity to perform the governmental entity's duties under Section 63A-19-401, if the governmental entity requests the office provide those services;
(d)bill a state agency, as provided in Section 63J-1-410, for any services the office provides to a state agency;
(e)provide funding to assist a governmental entity in complying with:
(i)this chapter; and
(ii)Title 63G, Chapter 2, Part 3, Classification, and Title 63G, Chapter 2, Part 6, Collection of Information and Accuracy of Records;
(f)advise the governing board about widespread or systemic data privacy matters or alleged violations;
(g)work with the Division of Purchasing and General Services to develop cooperative contracts that a governmental entity may choose to use to support the governmental entity's data privacy compliance;
(h)make available to governmental entities privacy compliance assessment tools that may be used by governmental entities to assess the governmental entity's reasonable compliance of processing activities described in this chapter;
(i)upon request of a governmental entity or on the office's own initiative, issue guidance or recommendations regarding:
(i)compliance with this chapter; and
(ii)best practices for data privacy and data governance;
(j)contract with an institute, component, or department at a state institution of higher education to support the office in:
(i)conducting research and prepare reports regarding data privacy and data governance;
(ii)providing support to the commission;
(iii)holding data governance summits and educational programs;
(iv)developing systems and tools to support data privacy and data governance; and
(v)providing other services in support of the office's duties under this chapter;
(k)create data governance models that may be used by governmental entities; and
(l)make rules in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, to administer this chapter.
(5)(a)Upon application by a governmental entity, the office may grant, for a limited period of time, a governmental entity with an:
(i)extension of time to comply with certain requirements of Part 4, Duties of Governmental Entities; or
(ii)exemption from complying with certain requirements of Part 4, Duties of Governmental Entities.
(b)On the office's own initiative, the office may issue a one-time extension to a category or group of governmental entities to comply with certain requirements of Part 4, Duties of Governmental Entities.
(c)An extension issued under Subsection (5)(b):
(i)shall:
(A)identify the specific duty for which the extension is granted and the section that imposes the duty; and
(B)specify the category or group of governmental entities to which the extension applies; and
(ii)may not be longer than 12 months.
(d)An application for an extension or exemption submitted under Subsection (5)(a) shall:
(i)identify the specific duty from which the governmental entity seeks an extension or exemption and the section that imposes that duty; and
(ii)include a justification for the requested extension or exemption.
(e)If the office grants an exemption under Subsection (5)(a), the office shall report at the next board meeting:
(i)the name of the governmental entity that received an exemption; and
(ii)the nature of the exemption.
Amended by Chapter 202, 2026 General Session