Privacy for Governmental Entities


Next Steps: Ready, Set, Go!

By December 31, 2025, all governmental entities in Utah must initiate their privacy program. The Office recommends that governmental entities that are initiating a new program or those that are maturing an existing program use a simple model of “ready, set, go” phases that have been adapted from the NIST Privacy Framework. To assist entities in implementing and maturing their programs, the Office will create and maintain tools, training, and other resources that align with this model.


Ready: Preparation Phase

1. Designate a Chief Administrative Officer (CAO)

  • Designate a Chief Administrative Officer (CAO) at the executive level who will be responsible for implementing the governmental entity's privacy program and completing the annual privacy program report.
  • The CAO must also appoint one or more records officers, or other specified employees, who will be responsible for implementing and maintaining the entity's privacy program and associated practices.

Set: Planning and Assessment Phase

2. Define Program Scope

  • Outline the governmental entity's specific privacy practices to ensure alignment with both generally applicable and entity-specific privacy requirements.
  • Formalize the privacy program through an adopted policy, rule, or other documentation that explicitly defines the adopted privacy practices. These practices should be documented in the entity's privacy program report.

3. Conduct Maturity Assessment

  • Use the privacy maturity model to perform an initial self-assessment to measure the current maturity level of the governmental entity's privacy practices.

4. Identify and Prioritize Strategies

  • Based on the maturity assessment, determine and prioritize strategies that the governmental entity plans to effectuate to increase the maturity of specific privacy practices. This should include setting a target maturity level for one or more practices that the governmental entity aims to achieve if a specific strategy is implemented successfully.

Go: Execution and Monitoring Phase

5. Implement Prioritized Strategies

  • Execute the prioritized strategies identified in the previous section to mature the governmental entity's privacy practices.
  • Following each strategy's implementation, update the maturity assessment to reflect the new status of the governmental entity's privacy practices. Continuously create and prioritize new strategies to further advance privacy practice maturity.

6. Utilize Privacy Impact Assessments (PIA)

  • Use the Privacy Impact Assessment the Office provides to evaluate new processing activities before implementation to ensure compliance with the GDPA and any other applicable privacy requirements.

Privacy Program Framework

The Office of Data Privacy is developing an interoperable framework designed to assist governmental entities in building, implementing, and maturing their privacy programs. This framework will initially target state agencies and will expand over time to include resources for counties, cities, special service districts, K-12 schools, and higher education institutions.


Key Components


Privacy Practices: The framework initially includes 21 privacy practices identified by the Office as generally applicable to state agencies. These practices provide a foundational approach to data privacy management that agencies can build upon as they mature.

Maturity Models for Practices: A structured model allowing entities to measure the maturity level of each privacy practice.

Strategies: Strategies for continual improvement and maturing of data privacy practices.

Privacy Program Links

Privacy Program Framework


Policy Template 


Privacy Impact Assessment


Tools and Resources

The Office of Data Privacy will continually develop tools and resources to assist governmental entities in establishing and maturing their privacy programs. Available resources will include privacy program templates, self-assessment tools, training resources, and Privacy Impact Assessment guidelines, all designed to support entities in meeting their privacy obligations.


Contact Us

Share your feedback here or contact us at [email protected]

Contact our privacy team