Bill Text: WV HB4718 | 2022 | Regular Session | Introduced


Bill Title: Establishing criteria for the government’s adoption of new and emerging surveillance technologies while ensuring privacy protections for individuals

Spectrum: Moderate Partisan Bill (Republican 6-1)

Status: (Introduced - Dead) 2022-02-15 - To House Judiciary


West Virginia Legislature

2022 Regular Session

Introduced

House Bill 4718

By Delegates Kimble, McGeehan, G. Ward, Sypolt, Mazzocchi, and Linville

[Introduced February 15, 2022; Referred to the Committee on the Judiciary then Finance]

A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article, designated §4-2D-1, §4-2D-2, §4-2D-3, and §4-2D-4, all relating to the creation of the Privacy Protection Act; establishing definitions; defining the role of the State Auditor’s Office in collaboration with the State Privacy Officer; creating the State Privacy Officer; and creating the Personal Privacy Oversight Committee.

Be it enacted by the Legislature of West Virginia:


ARTICLE 2D. PRIVACY PROTECTION ACT.

§4-2D-1. Definitions.


“Commission” means the Personal Privacy Oversight Committee created in this article.

“Government entity” means the state, a county, a municipality, a higher education institute, a local district, a special service district, a school district, an independent entity, or any other political subdivision of the state or an administrative subunit of any political subdivision, including a law-enforcement entity. “Government entity” includes an agent of an entity described above.

“Independent entity” is that entity which is separate and distinct from any other entity.

“Personal data” means any information relating to an identified or identifiable individual and includes personally identifying information.

“Privacy practice” means the acquisition, use, storage, or disposal of personal data and includes:

(1) A technology use related to personal data; and

(2) Policies related to the protection, storage, sharing, and retention of personal data.

§4-2D-2. Role of State Auditor.


(a) The State Auditor shall:

(1) With the advice and consent of the Legislature, appoint the State Privacy Officer described in §4-2D-4 of this code;

(2) Appoint the members of the Personal Privacy Oversight Committee described in §4-2D-4 of this code;

(3) Publish the reviews and recommendations made by the State Privacy Officer and the Personal Privacy Oversight Committee; and

(4) Determine, upon notification from the Personal Privacy Oversight Committee that a government entity is using a technology or privacy policy that fails to meet minimum acceptable standards, whether to require the government entity using the technology or policy to:

(A) If the government entity is a state entity, terminate the use of that technology or policy on or before June 1 of the year following the notification, unless the Legislature authorizes the continued use of that technology or policy by statute; or

(B) If the government entity is a local government entity, terminate the use of that technology or policy within 180 days after the day on which the local government entity receives notice of the determination, unless the local government authorizes the continued use of that technology or policy.

(b) The State Auditor shall coordinate with the State Privacy Officer as set forth in §4-2D-4 of this code.

§4-2D-3. Creation of State Privacy Officer.


(a) The State Privacy Officer shall:

(1) Based on recommendations from the Personal Privacy Oversight Committee, develop guiding standards for best practices with respect to government privacy policy, technology uses related to personal privacy, and data security;

(2) Based on recommendations from the Personal Privacy Oversight Committee, develop minimum acceptable standards for government privacy policies and technology uses related to personal privacy;

(3) Compile information about government privacy policy, technology uses related to personal privacy, and data security;

(4) Make public and maintain information about government privacy policy, technology uses related to personal privacy, and data security on the State Auditor’s website; and

(5) Provide government entities with educational and training materials developed with the input of the Personal Privacy Oversight Committee that include the following information:

(A) The privacy implications and civil liberties concerns of the government use of certain technologies;

(B) Best practices for government collection and retention policies regarding personally identifiable information;

(C) Best practices for government data security standards; and

(D) The purpose and the process of the State Privacy Officer and the Personal Privacy Oversight Committee;

(6) Implement a process to analyze and respond to requests from individuals for the State Privacy Officer to review a government entity’s use of technology that implicates the privacy of individuals’ data;

(7) Identify annually which government entity’s use of technology that implicates the privacy of individuals’ data;

(8) Review each year, in as timely a manner as possible and with the assistance of the Personal Privacy Oversight Committee, the technology uses and privacy policies that the Privacy Officer identifies under this article as posing the greatest risk to individuals’ privacy;

(9) When reviewing a government entity’s use of technology or privacy policy under this article, include in the review:

(A) Details about the technology or the policy and the technology’s or the policy’s application;

(B) Information about the type of data being used;

(C) Information about how the data is obtained, stored, kept secure, and disposed;

(D) Information about with whom the government entity shares the information;

(E) Information about whether an individual can or should be able to opt out of the retention and sharing of the individual’s data;

(F) Information about how the government entity de-identifies or anonymizes data;

(G) A determination about the existence of alternative technology or improved practices to protect privacy; and

(H) A finding of whether the current government entity’s use of technology or policy adequately protects individual privacy;

(10) After completing a review described in this article, determine:

(A) Each entity’s use of personally identifying information, including the entity’s practices regarding data:

(i) Retention;

(ii) Storage;

(iii) Protection; and

(iv) Sharing;

(B) The adequacy of the entity’s practices in each of the areas described in this article; and for each of the areas described in this article that require reform, provide recommendations to the government entity for reform; and

(11) Annually report, on or before October 1, to the Joint Committee on Government and Finance by electronic transmission:

(A) The results of the reviews described in this article, if any reviews have been completed;

(B) The information otherwise described in this article; and

(C) Recommendations for legislation based on the guiding standards and minimum standards described in this section.

(b) The State Privacy Officer shall relay to the Personal Privacy Oversight Committee the minimum standards described in this section.

§4-2D-4. Personal Privacy Oversight Committee.


(a) There is created, within the Office of the State Auditor, the Personal Privacy Oversight Committee.

(b) The committee shall be composed of the following members appointed by the State Auditor:

(1) Two members with experience in internet technology services, one of whom shall, at the time of appointment, provide internet technology services for a county or municipality;

(2) Two members with experience in cybersecurity;

(3) Two members representing private industry in technology;

(4) Two members representing law enforcement, one of whom shall, at the time of appointment, serve in local law enforcement;

(5) Two members with experience in data privacy law;

(6) One member with experience in data privacy policy; and

(7) One member with experience in civil liberties law or policy and with specific experience in identifying whether the use of a technology or policy may result in disparate impacts on different populations.

(c) The committee shall be composed of one member with experience in civil liberties law who is appointed by the West Virginia Attorney General and, at the time of appointment, is an assistant Attorney General.

(d) Except as otherwise provided in this article, the auditor shall appoint a member for a term of four years.

(e) The State Auditor shall, at the time of appointment or reappointment, adjust the lengths of the terms to ensure that the terms of committee members are staggered so that approximately half of the committee is appointed every two years.

(f) When the term of a committee member expires, the State Auditor shall reappoint the member or appoint a new member in accordance with this article.

(g) When a vacancy occurs in the membership for any reason, the State Auditor shall appoint a replacement in accordance with this article for the unexpired term.

(h) A member whose term has expired may continue to serve until a replacement is appointed.

(i) The State Privacy Officer shall serve as chair of the committee.

(j) The committee shall select officers from the committee’s members as the committee finds necessary.

(k) A majority of the members of the committee is a quorum.

(l) A member may not receive compensation or benefits for the member’s service but may receive per diem and travel expenses incurred as a member of the committee.

(m) A member shall refrain from participating in a review of:

(1) An entity of which the member is an employee; or

(2) A technology in which the member has a financial interest.

(n) The committee shall meet as required by the State Privacy Officer to accomplish the duties described in this article.

(o) At the request of the State Privacy Officer, the committee shall review the proposed and current uses of technology described in this article.

(p) The committee shall notify the State Auditor if the committee finds that a government entity’s use of technology or privacy policy does not comply with the minimum acceptable standards of privacy protection described in section 3 of this article.

(q) If the committee finds that a use of technology or a policy reviewed under this article does meet the minimum acceptable standards of privacy protection, the committee shall review the technology use or policy again two years following the date of the initial review to determine if the use still meets acceptable privacy standards.

NOTE: The purpose of this bill is to create the Privacy Protection Act. The bill establishes certain definitions. The bill defines the role of the State Auditor’s office in collaboration with the State Privacy Officer. The bill creates the position of State Privacy Officer. Finally, the bill creates the personal privacy oversight committee.

Strike-throughs indicate language that would be stricken from a heading or the present law and underscoring indicates new language that would be added.

 
