Privacy for Individuals
Learn about your privacy interests

Your Data Privacy Interests
Your personal data may be protected by various privacy laws and regulations depending on the government agency and the type of personal data. Some of these include:
- Government Data Privacy Act (GDPA)
- Government Records Access and Management Act (GRAMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Student Privacy and Data Protection Act
- Higher Education Student Data Protection Act
- Payment Card Industry Data Security Standards (PCI DSS)
- Freedom of Information Act (FOIA)
- Privacy Act of 1974
- Drivers Privacy Protection Act (DPPA)
Individuals in the State of Utah have a fundamental interest in and inherent expectation of privacy regarding the personal data that the individual provides to a governmental entity. Personal data includes any information that is linked to an individual or can be reasonably linked to an individual.
Accessing Your Personal Data
GRAMA allows individuals to request access to their personal data that is in the possession of a governmental entity by:
- submitting a formal request using a form provided by Archives or the governmental entity; or
- emailing the governmental entity directly with the individual’s name, mailing address, daytime telephone number, and a description of the requested record that identifies the record with reasonable specificity.
Upon receipt, the governmental entity must review the request for records and either provide the records or deny the request. If the request for records is denied, the governmental entity must provide a written explanation of the reason for the denial. The individual then has a right to appeal the denial to the chief administrative officer (CAO) of the governmental entity. If the CAO upholds the denial of the request for access, the individual has additional options to appeal the CAO’s decision as described in Part 4 of GRAMA.
Amending or Correcting Your Personal Data
An individual may request that their personal data be amended or corrected by a governmental entity under the GDPA and GRAMA by contacting the governmental entity directly. If this request is approved, the governmental entity will update the records. If the request is denied, an individual may submit a written statement describing the information in dispute. That statement will then be attached to the records.
Receiving a Privacy Notice
An individual is entitled to receive a privacy notice under the GDPA and GRAMA when a governmental entity requests or collects personal data from the individual. This privacy notice must describe:
- all intended purposes and uses of the personal data;
- the consequences of not providing the personal data;
- the classes of persons and governmental entities:
  - with whom the governmental entity shares personal data; or
  - to whom the governmental entity sells personal data; and
- the record series in which the personal data is included.
The GDPA also allows an individual to contact a governmental entity and request a privacy notice for any personal data the individual previously provided to the governmental entity.
Receiving an Explanation about your Personal Data
An individual may contact a governmental entity and request that the governmental entity explain the information described in the privacy notice as provided in GRAMA.
Restricting Access for At-Risk Employees
An at-risk employee may submit a request to a governmental entity to have their personal information classified as a private record under GRAMA. An at-risk employee includes:
- peace officers;
- judges;
- prosecutors;
- members of the Board of Pardons;
- state or local government employees who, because of the unique nature of the employee's regular work assignments or because of one or more recent credible threats directed to or against the employee, would be at immediate and substantial risk of physical harm; and
- family members of at-risk employees who live with the at-risk employee.
Obligations of Governmental Entities
Governmental entities in the State of Utah are required to process an individual’s personal data in a manner that is consistent with the individual’s interests in and expectations of privacy in their personal data. For example:
HB 444 (2025) requires governmental entities to prominently post, on the main page of their government website, a website privacy notice that describes the identity of the governmental entity and how to contact the governmental entity. This website privacy notice must also contain information about how:
- a user may seek access to the user's personal data or user data;
- a user may request to correct or amend the user's personal data or user data;
- a user may file a complaint with the data privacy ombudsperson; and
- an at-risk employee may request that their personal information be classified as a private record.
If the government website automatically collects information about a user when the user accesses the website, the website privacy notice must also describe:
- any website tracking technology used to collect user data;
- what user data is collected by the government website;
- all intended purposes and uses of the user data;
- the classes of persons and governmental entities:
  - with whom the governmental entity shares user data; or
  - to whom the governmental entity sells user data; and
- the record series in which the user data is included.
A governmental entity may only:
- obtain and process the minimum amount of personal data reasonably necessary to efficiently achieve a specified purpose (Subsection 63A-19-401(2)(a)(ii)); and
- use personal data provided by an individual for the purposes described in the privacy notice that was provided to the individual (Subsection 63A-19-402(7)).
A governmental entity must:
- retain and dispose of an individual’s personal data in accordance with a documented record retention schedule (Section 63A-19-404); and
- notify an individual when there is a data breach involving the individual’s personal data (Section 63A-19-406).
A governmental entity may not:
- use covert surveillance unless permitted by law (Subsection 63A-19-401(3)(a));
- sell personal data unless expressly required by law (Subsection 63A-19-401(3)(b)); and
- share personal data unless permitted by law (Subsection 63A-19-401(3)(c)).
A summary of these data privacy interests and data privacy obligations of a governmental entity can be found here.