| 1 | 1 | | 81R5250 ACP-D |
|---|
| 2 | 2 | | By: Paxton H.B. No. 3904 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to personal confidential information accessed by an |
|---|
| 8 | 8 | | employee of a state governmental body; imposing penalties. |
|---|
| 9 | 9 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 10 | 10 | | SECTION 1. Section 552.023, Government Code, is amended by |
|---|
| 11 | 11 | | adding Subsection (a-1) to read as follows: |
|---|
| 12 | 12 | | (a-1) A person or a person's authorized representative that |
|---|
| 13 | 13 | | has a special right of access to information under Subsection (a) |
|---|
| 14 | 14 | | must provide evidence satisfactory to the officer for public |
|---|
| 15 | 15 | | information of the governmental body that the person has the |
|---|
| 16 | 16 | | special right of access to that information. |
|---|
| 17 | 17 | | SECTION 2. Chapter 559, Government Code, is amended by |
|---|
| 18 | 18 | | designating Sections 559.001, 559.002, 559.003, 559.004, and |
|---|
| 19 | 19 | | 559.005 as Subchapter A and adding a heading for Subchapter A to |
|---|
| 20 | 20 | | read as follows: |
|---|
| 21 | 21 | | SUBCHAPTER A. REQUIRED NOTICES REGARDING INFORMATION COLLECTED BY A |
|---|
| 22 | 22 | | STATE GOVERNMENTAL BODY |
|---|
| 23 | 23 | | SECTION 3. Section 559.001, Government Code, is amended to |
|---|
| 24 | 24 | | read as follows: |
|---|
| 25 | 25 | | Sec. 559.001. DEFINITIONS [DEFINITION]. In this chapter: |
|---|
| 26 | 26 | | (1) "Personal confidential information" includes a |
|---|
| 27 | 27 | | person's: |
|---|
| 28 | 28 | | (A) photograph or computerized image; |
|---|
| 29 | 29 | | (B) social security number; |
|---|
| 30 | 30 | | (C) driver's license number; |
|---|
| 31 | 31 | | (D) home address; |
|---|
| 32 | 32 | | (E) home, work, and cellular telephone number; |
|---|
| 33 | 33 | | (F) electronic mail address; |
|---|
| 34 | 34 | | (G) bank account and other financial |
|---|
| 35 | 35 | | information; |
|---|
| 36 | 36 | | (H) medical or disability information; and |
|---|
| 37 | 37 | | (I) similar information. |
|---|
| 38 | 38 | | (2) "State[, "state] governmental body" means a |
|---|
| 39 | 39 | | governmental body as defined by Section 552.003 that is part of |
|---|
| 40 | 40 | | state government. |
|---|
| 41 | 41 | | SECTION 4. Section 559.005(b), Government Code, is amended |
|---|
| 42 | 42 | | to read as follows: |
|---|
| 43 | 43 | | (b) To the extent of a conflict between this subchapter |
|---|
| 44 | 44 | | [chapter] and the public information law, Chapter 552, Chapter 552 |
|---|
| 45 | 45 | | controls. |
|---|
| 46 | 46 | | SECTION 5. Chapter 559, Government Code, is amended by |
|---|
| 47 | 47 | | adding Subchapter B to read as follows: |
|---|
| 48 | 48 | | SUBCHAPTER B. ACCESS BY A STATE GOVERNMENTAL BODY TO PERSONAL |
|---|
| 49 | 49 | | CONFIDENTIAL INFORMATION |
|---|
| 50 | 50 | | Sec. 559.011. UNAUTHORIZED ACCESS TO PERSONAL CONFIDENTIAL |
|---|
| 51 | 51 | | INFORMATION. The attorney general shall adopt rules for use by each |
|---|
| 52 | 52 | | state governmental body to control access to personal confidential |
|---|
| 53 | 53 | | information collected or maintained by that state governmental |
|---|
| 54 | 54 | | body. The rules must prescribe guidelines that assist each state |
|---|
| 55 | 55 | | governmental body in: |
|---|
| 56 | 56 | | (1) identifying each employee of the state |
|---|
| 57 | 57 | | governmental body who may access personal confidential |
|---|
| 58 | 58 | | information; |
|---|
| 59 | 59 | | (2) establishing procedures to authorize an employee |
|---|
| 60 | 60 | | of the state governmental body to access personal confidential |
|---|
| 61 | 61 | | information; |
|---|
| 62 | 62 | | (3) maintaining a list of reasons that an employee of |
|---|
| 63 | 63 | | the state governmental body may access personal confidential |
|---|
| 64 | 64 | | information; |
|---|
| 65 | 65 | | (4) maintaining a list of each employee of the state |
|---|
| 66 | 66 | | governmental body who accesses personal confidential information; |
|---|
| 67 | 67 | | and |
|---|
| 68 | 68 | | (5) making available to each employee of the state |
|---|
| 69 | 69 | | governmental body copies of the laws of this state and federal law |
|---|
| 70 | 70 | | that regulate the dissemination of personal confidential |
|---|
| 71 | 71 | | information. |
|---|
| 72 | 72 | | Sec. 559.012. DIRECTOR OF PRIVACY. (a) Each state |
|---|
| 73 | 73 | | governmental body shall designate an employee as the director of |
|---|
| 74 | 74 | | privacy. |
|---|
| 75 | 75 | | (b) The director of privacy shall develop and publish an |
|---|
| 76 | 76 | | evaluation of the risks and effects of collecting and maintaining |
|---|
| 77 | 77 | | personal confidential information by the state governmental body. |
|---|
| 78 | 78 | | (c) The director of privacy shall work with the attorney |
|---|
| 79 | 79 | | general to prevent unauthorized access to personal confidential |
|---|
| 80 | 80 | | information collected or maintained by the state governmental body. |
|---|
| 81 | 81 | | Sec. 559.013. PERSONAL CONFIDENTIAL INFORMATION POLICY. |
|---|
| 82 | 82 | | (a) A state employee who engages in conduct constituting an offense |
|---|
| 83 | 83 | | under Section 559.017 or a policy adopted under Subsection (c) is |
|---|
| 84 | 84 | | subject to termination of the employee's state employment or |
|---|
| 85 | 85 | | another employment-related sanction. |
|---|
| 86 | 86 | | (b) Each state governmental body shall: |
|---|
| 87 | 87 | | (1) adopt a written personal confidential information |
|---|
| 88 | 88 | | policy for the state governmental body's employees consistent with |
|---|
| 89 | 89 | | the standards prescribed by provisions of this subchapter; |
|---|
| 90 | 90 | | (2) distribute a copy of the personal confidential |
|---|
| 91 | 91 | | information policy and this subchapter to: |
|---|
| 92 | 92 | | (A) each new employee not later than the third |
|---|
| 93 | 93 | | business day after the date the person begins employment with the |
|---|
| 94 | 94 | | state governmental body; and |
|---|
| 95 | 95 | | (B) each new officer not later than the third |
|---|
| 96 | 96 | | business day after the date the person qualifies for office; |
|---|
| 97 | 97 | | (3) provide appropriate training concerning the |
|---|
| 98 | 98 | | personal confidential information policy, in accordance with rules |
|---|
| 99 | 99 | | adopted by the attorney general, to employees and officers; |
|---|
| 100 | 100 | | (4) post a copy of the personal confidential |
|---|
| 101 | 101 | | information policy next to the sign that the state governmental |
|---|
| 102 | 102 | | body posts under Section 552.205; and |
|---|
| 103 | 103 | | (5) make available on the state governmental body's |
|---|
| 104 | 104 | | Internet website a copy of the personal confidential information |
|---|
| 105 | 105 | | policy. |
|---|
| 106 | 106 | | (c) The office of the attorney general shall develop and |
|---|
| 107 | 107 | | distribute a model policy that a state governmental body may use in |
|---|
| 108 | 108 | | adopting a state governmental body personal confidential |
|---|
| 109 | 109 | | information policy under Subsection (b). A state governmental |
|---|
| 110 | 110 | | body is not required to adopt the model policy developed under this |
|---|
| 111 | 111 | | subsection. |
|---|
| 112 | 112 | | (d) Not later than November 1, 2009, the office of the |
|---|
| 113 | 113 | | attorney general shall: |
|---|
| 114 | 114 | | (1) develop a model personal confidential information |
|---|
| 115 | 115 | | policy as required by Subsection (c); and |
|---|
| 116 | 116 | | (2) distribute the policy to each state governmental |
|---|
| 117 | 117 | | body required to adopt a policy under Subsection (b). |
|---|
| 118 | 118 | | (e) Not later than January 1, 2010, each state governmental |
|---|
| 119 | 119 | | body shall: |
|---|
| 120 | 120 | | (1) adopt a policy as required by Subsection (b); and |
|---|
| 121 | 121 | | (2) distribute a copy of that policy and this |
|---|
| 122 | 122 | | subchapter to each employee of the state governmental body. |
|---|
| 123 | 123 | | (f) Subsections (d) and (e) and this subsection expire |
|---|
| 124 | 124 | | September 1, 2011. |
|---|
| 125 | 125 | | Sec. 559.014. PROTECTION OF INFORMATION. (a) Each state |
|---|
| 126 | 126 | | governmental body shall require passwords to access personal |
|---|
| 127 | 127 | | confidential information that is maintained in an electronic |
|---|
| 128 | 128 | | format. |
|---|
| 129 | 129 | | (b) Each state agency shall secure personal confidential |
|---|
| 130 | 130 | | information that is maintained as a paper record. |
|---|
| 131 | 131 | | Sec. 559.015. NOTIFICATION REQUIRED FOLLOWING UNAUTHORIZED |
|---|
| 132 | 132 | | ACCESS TO CONFIDENTIAL PERSONAL INFORMATION. A state governmental |
|---|
| 133 | 133 | | body shall promptly disclose any unauthorized access to personal |
|---|
| 134 | 134 | | confidential information to any individual whose personal |
|---|
| 135 | 135 | | confidential information was accessed. |
|---|
| 136 | 136 | | Sec. 559.016. CIVIL REMEDY. A person who knowingly |
|---|
| 137 | 137 | | accesses personal confidential information collected or maintained |
|---|
| 138 | 138 | | by a state governmental body and is not authorized to access that |
|---|
| 139 | 139 | | information under the policies of the state governmental body is |
|---|
| 140 | 140 | | liable to a person injured or damaged by the access to the |
|---|
| 141 | 141 | | information or a resulting disclosure of the information for: |
|---|
| 142 | 142 | | (1) actual damages, including damages for personal |
|---|
| 143 | 143 | | injury or damage, lost wages, defamation, or mental or other |
|---|
| 144 | 144 | | emotional distress; |
|---|
| 145 | 145 | | (2) reasonable attorney's fees and court costs; and |
|---|
| 146 | 146 | | (3) exemplary damages as provided by Chapter 41, Civil |
|---|
| 147 | 147 | | Practice and Remedies Code. |
|---|
| 148 | 148 | | Sec. 559.017. CRIMINAL PENALTY. (a) A person commits an |
|---|
| 149 | 149 | | offense if the person knowingly accesses personal confidential |
|---|
| 150 | 150 | | information collected or maintained by a state governmental body |
|---|
| 151 | 151 | | that the person is not authorized to access under the policies of |
|---|
| 152 | 152 | | the state governmental body. |
|---|
| 153 | 153 | | (b) An officer or employee of a state governmental body |
|---|
| 154 | 154 | | commits an offense if the officer or employee knowingly: |
|---|
| 155 | 155 | | (1) accesses personal confidential information |
|---|
| 156 | 156 | | collected or maintained by a state governmental body for a purpose |
|---|
| 157 | 157 | | other than the purpose for which the information was collected and |
|---|
| 158 | 158 | | for a purpose unrelated to the law that permitted the officer or |
|---|
| 159 | 159 | | employee to obtain authorization to access the information; |
|---|
| 160 | 160 | | (2) permits inspection of the personal confidential |
|---|
| 161 | 161 | | information by a person who is not authorized to inspect the |
|---|
| 162 | 162 | | information; or |
|---|
| 163 | 163 | | (3) discloses the personal confidential information |
|---|
| 164 | 164 | | to a person who is not authorized to receive the information. |
|---|
| 165 | 165 | | (c) For purposes of Subsection (b), a member of an advisory |
|---|
| 166 | 166 | | committee to a state governmental body who obtains access to |
|---|
| 167 | 167 | | confidential information in that capacity is considered to be an |
|---|
| 168 | 168 | | officer or employee of the state governmental body. |
|---|
| 169 | 169 | | (d) An offense under this section is a Class A misdemeanor. |
|---|
| 170 | 170 | | (e) A violation under this section constitutes official |
|---|
| 171 | 171 | | misconduct. |
|---|
| 172 | 172 | | Sec. 559.018. CERTAIN INFORMATION MAINTAINED BY THE |
|---|
| 173 | 173 | | COMPTROLLER. (a) The comptroller by rule shall develop and |
|---|
| 174 | 174 | | implement a system that records each time an employee accesses any |
|---|
| 175 | 175 | | database system that is created or for which the comptroller |
|---|
| 176 | 176 | | contracts that relates to taxes collected by the comptroller. |
|---|
| 177 | 177 | | (b) The comptroller shall use the information collected |
|---|
| 178 | 178 | | under Subsection (a) to determine if an employee of the comptroller |
|---|
| 179 | 179 | | accesses a database which the employee does not have authorization |
|---|
| 180 | 180 | | to access. |
|---|
| 181 | 181 | | Sec. 559.019. ROLE OF ATTORNEY GENERAL. (a) The attorney |
|---|
| 182 | 182 | | general shall: |
|---|
| 183 | 183 | | (1) review each state governmental body's policies |
|---|
| 184 | 184 | | regarding confidential personal information; and |
|---|
| 185 | 185 | | (2) enforce this subchapter. |
|---|
| 186 | 186 | | (b) The attorney general may submit a report to the |
|---|
| 187 | 187 | | legislature that contains recommendations regarding the personal |
|---|
| 188 | 188 | | confidential information that state governmental bodies collect |
|---|
| 189 | 189 | | and maintain. |
|---|
| 190 | 190 | | SECTION 6. This Act takes effect immediately if it receives |
|---|
| 191 | 191 | | a vote of two-thirds of all the members elected to each house, as |
|---|
| 192 | 192 | | provided by Section 39, Article III, Texas Constitution. If this |
|---|
| 193 | 193 | | Act does not receive the vote necessary for immediate effect, this |
|---|
| 194 | 194 | | Act takes effect September 1, 2009. |
|---|