63A-19-401.3. Privacy program report.
245 words·~1 min read·
/ut/title-63a/chapter-19/63a-19-401-3A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Effective 5/6/2026
63A-19-401.3. Privacy program report.
(1)On or before December 31 of each year, the chief administrative officer of each governmental entity shall prepare a report that includes:
(a)how the governmental entity has initiated the governmental entity's privacy program;
(b)a description of:
(i)the governmental entity's privacy program including privacy practices;
(ii)strategies for improving and maturing the governmental entity's privacy program and practices; and
(iii)the governmental entity's high-risk processing activities;
(c)a list of the types of personal data the governmental entity currently shares, sells, or purchases;
(d)the legal basis for sharing, selling, or purchasing personal data;
(e)the category of individuals or entities:
(i)with whom the governmental entity shares personal data;
(ii)to whom the governmental entity sells personal data; or
(iii)from whom the governmental entity purchases personal data;
(f)the percentage of the governmental entity's employees required to complete the data privacy training under Section 63A-19-401.2 that have completed the training; and
(g)a description of any non-compliant processing activities identified under Subsection 63A-19-401(2)(a)(iv) and the governmental entity's strategy for bringing those activities into compliance with this part.
(2)The report described in Subsection
(1)shall be:
(a)considered a protected record under Section 63G-2-305 ;
(b)shared with the office, in accordance with Section 63G-2-206 , on or before December 31 each year; and
(c)retained by the governmental entity for no less than five years.
Amended by Chapter 202 , 2026 General Session