81R5250 ACP-D

By: Paxton
H.B. No. 3904

A BILL TO BE ENTITLED
AN ACT
relating to personal confidential information accessed by an employee of a state governmental body; imposing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 552.023, Government Code, is amended by adding Subsection (a-1) to read as follows:

(a-1) A person or a person's authorized representative that has a special right of access to information under Subsection (a) must provide evidence satisfactory to the officer for public information of the governmental body that the person has the special right of access to that information.

SECTION 2. Chapter 559, Government Code, is amended by designating Sections 559.001, 559.002, 559.003, 559.004, and 559.005 as Subchapter A and adding a heading for Subchapter A to read as follows:

SUBCHAPTER A. REQUIRED NOTICES REGARDING INFORMATION COLLECTED BY A STATE GOVERNMENTAL BODY

SECTION 3. Section 559.001, Government Code, is amended to read as follows:

Sec. 559.001. DEFINITIONS [DEFINITION]. In this chapter:
(1) "Personal confidential information" includes a person's:
(A) photograph or computerized image;
(B) social security number;
(C) driver's license number;
(D) home address;
(E) home, work, and cellular telephone number;
(F) electronic mail address;
(G) bank account and other financial information;
(H) medical or disability information; and
(I) similar information.
(2) "State[, "state] governmental body" means a governmental body as defined by Section 552.003 that is part of state government.

SECTION 4. Section 559.005(b), Government Code, is amended to read as follows:

(b) To the extent of a conflict between this subchapter [chapter] and the public information law, Chapter 552, Chapter 552 controls.

SECTION 5. Chapter 559, Government Code, is amended by adding Subchapter B to read as follows:

SUBCHAPTER B. ACCESS BY A STATE GOVERNMENTAL BODY TO PERSONAL CONFIDENTIAL INFORMATION

Sec. 559.011. UNAUTHORIZED ACCESS TO PERSONAL CONFIDENTIAL INFORMATION. The attorney general shall adopt rules for use by each state governmental body to control access to personal confidential information collected or maintained by that state governmental body. The rules must prescribe guidelines that assist each state governmental body in:
(1) identifying each employee of the state governmental body who may access personal confidential information;
(2) establishing procedures to authorize an employee of the state governmental body to access personal confidential information;
(3) maintaining a list of reasons that an employee of the state governmental body may access personal confidential information;
(4) maintaining a list of each employee of the state governmental body who accesses personal confidential information; and
(5) making available to each employee of the state governmental body copies of the laws of this state and federal law that regulate the dissemination of personal confidential information.

Sec. 559.012. DIRECTOR OF PRIVACY.
(a) Each state governmental body shall designate an employee as the director of privacy.
(b) The director of privacy shall develop and publish an evaluation of the risks and effects of collecting and maintaining personal confidential information by the state governmental body.
(c) The director of privacy shall work with the attorney general to prevent unauthorized access to personal confidential information collected or maintained by the state governmental body.

Sec. 559.013. PERSONAL CONFIDENTIAL INFORMATION POLICY.
(a) A state employee who engages in conduct constituting an offense under Section 559.017 or a policy adopted under Subsection (c) is subject to termination of the employee's state employment or another employment-related sanction.
(b) Each state governmental body shall:
(1) adopt a written personal confidential information policy for the state governmental body's employees consistent with the standards prescribed by provisions of this subchapter;
(2) distribute a copy of the personal confidential information policy and this subchapter to:
(A) each new employee not later than the third business day after the date the person begins employment with the state governmental body; and
(B) each new officer not later than the third business day after the date the person qualifies for office;
(3) provide appropriate training concerning the personal confidential information policy, in accordance with rules adopted by the attorney general, to employees and officers;
(4) post a copy of the personal confidential information policy next to the sign that the state governmental body posts under Section 552.205; and
(5) make available on the state governmental body's Internet website a copy of the personal confidential information policy.
(c) The office of the attorney general shall develop and distribute a model policy that a state governmental body may use in adopting a state governmental body personal confidential information policy under Subsection (b). A state governmental body is not required to adopt the model policy developed under this subsection.
(d) Not later than November 1, 2009, the office of the attorney general shall:
(1) develop a model personal confidential information policy as required by Subsection (c); and
(2) distribute the policy to each state governmental body required to adopt a policy under Subsection (b).
(e) Not later than January 1, 2010, each state governmental body shall:
(1) adopt a policy as required by Subsection (b); and
(2) distribute a copy of that policy and this subchapter to each employee of the state governmental body.
(f) Subsections (d) and (e) and this subsection expire September 1, 2011.

Sec. 559.014. PROTECTION OF INFORMATION.
(a) Each state governmental body shall require passwords to access personal confidential information that is maintained in an electronic format.
(b) Each state agency shall secure personal confidential information that is maintained as a paper record.

Sec. 559.015. NOTIFICATION REQUIRED FOLLOWING UNAUTHORIZED ACCESS TO CONFIDENTIAL PERSONAL INFORMATION. A state governmental body shall promptly disclose any unauthorized access to personal confidential information to any individual whose personal confidential information was accessed.

Sec. 559.016. CIVIL REMEDY. A person who knowingly accesses personal confidential information collected or maintained by a state governmental body and is not authorized to access that information under the policies of the state governmental body is liable to a person injured or damaged by the access to the information or a resulting disclosure of the information for:
(1) actual damages, including damages for personal injury or damage, lost wages, defamation, or mental or other emotional distress;
(2) reasonable attorney's fees and court costs; and
(3) exemplary damages as provided by Chapter 41, Civil Practice and Remedies Code.

Sec. 559.017. CRIMINAL PENALTY.
(a) A person commits an offense if the person knowingly accesses personal confidential information collected or maintained by a state governmental body that the person is not authorized to access under the policies of the state governmental body.
(b) An officer or employee of a state governmental body commits an offense if the officer or employee knowingly:
(1) accesses personal confidential information collected or maintained by a state governmental body for a purpose other than the purpose for which the information was collected and for a purpose unrelated to the law that permitted the officer or employee to obtain authorization to access the information;
(2) permits inspection of the personal confidential information by a person who is not authorized to inspect the information; or
(3) discloses the personal confidential information to a person who is not authorized to receive the information.
(c) For purposes of Subsection (b), a member of an advisory committee to a state governmental body who obtains access to confidential information in that capacity is considered to be an officer or employee of the state governmental body.
(d) An offense under this section is a Class A misdemeanor.
(e) A violation under this section constitutes official misconduct.

Sec. 559.018. CERTAIN INFORMATION MAINTAINED BY THE COMPTROLLER.
(a) The comptroller by rule shall develop and implement a system that records each time an employee accesses any database system that is created or for which the comptroller contracts that relates to taxes collected by the comptroller.
(b) The comptroller shall use the information collected under Subsection (a) to determine if an employee of the comptroller accesses a database which the employee does not have authorization to access.

Sec. 559.019. ROLE OF ATTORNEY GENERAL.
(a) The attorney general shall:
(1) review each state governmental body's policies regarding confidential personal information; and
(2) enforce this subchapter.
(b) The attorney general may submit a report to the legislature that contains recommendations regarding the personal confidential information that state governmental bodies collect and maintain.

SECTION 6. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2009.