Record and Data Sharing or Selling

Summary

Governmental entities must have appropriate legal authority to share or disclose personal data. Entities may not sell personal data unless expressly required by law. Entities may share records that contain personal data under specific record management provisions of GRAMA–this is distinct from access requests for public records or access requests of a data subject which are each discussed elsewhere in this Framework. Such sharing may be to a distinct component or program within an entity, or may be to another governmental entity, contractor, private provider, or researcher. GRAMA details requirements and restrictions that are applicable depending on the parties, purposes, and the records (data) involved. However, sharing provisions of GRAMA may not apply to all records as GRAMA contemplates that other specific laws may pre-empt the data sharing provisions of GRAMA. There are many aspects that must be accounted for by an agency and its legal counsel whenever data sharing is being analyzed.

Legal Basis for Records Sharing with Other Government Entities

Utah Code § 63G-2-206(1), (2), and (3)opens in a new tab contain three separate legal bases that a governmental entity may use when sharing records with other governmental entities.

Legal Basis for Sharing Records for Research Purposes

Utah Code § 63G-2-202(8)opens in a new tab provides requirements and restrictions under which an entity may disclose private or controlled records for research purposes.

Legal Basis for Sharing Records with Contractors and Private Providers

Utah Code § 63G-2-206(6)opens in a new tab provides requirements and restrictions under which an entity may disclose records that contain personal data with contractors and private providers. Utah Code § 63A-19-401(4) adds new requirements to contractors that enter into or renew an agreement with a governmental entity that deals with processing or access to personal data after May 1, 2024.

Other Legal Bases for Sharing Records

Governmental entities are responsible for knowing the legal bases, e.g., state and federal law, which they may use to share non-public records that may contain personal data.

Contracts that Involve Personal Data

Governmental entities must ensure that appropriate privacy protection terms and conditions are included in contracts that involve personal data. It is best practice to consult with legal counsel to ensure compliance with the many different state and federal laws and regulations, policies, and contractual obligations that may apply to particular data, agencies, or programs. Such requirements may include those mandated by the Division of Purchasing and General Servicesopens in a new tab or by the Department of Technology Services (DTS) with respect to IT related agreements.

Reporting Data Sharing or Selling

Governmental entities must annually report to the Chief Privacy Officer the types of personal data the agency currently shares or sells, the basis for sharing or selling, and the classes of persons and governmental entities that receive the personal data from the entity.

Agreements for Data Sharing

Although there is not always a requirement that sharing of personal data be addressed in a written agreement, it is best practice to do so. Legal counsel will need to verify when a written agreement is needed as well as that data sharing provisions involving privacy and personal data are adequately addressed.

It is important to remember that government records are statutorily established as property that is owned by the state. Misuse by government employees can trigger both criminal and civil penalties. Thus, it is imperative that governmental entities work closely with legal counsel to ensure that personal data contained in government records is shared in compliance with applicable laws, rules, and other privacy requirements.