Privacy for Individuals

Access Your Personal Data

GRAMA allows individuals to request access to their personal data that is in the possession of a governmental entity by:

• submitting a formal request using a form provided by the Division of Archives or the governmental entity; or
• emailing the governmental entity directly with the individual’s name, mailing address, daytime telephone number, and a description of the requested record that identifies the record with reasonable specificity.

Upon receipt, the governmental entity must review the request for records and either provide the records or deny the request. If the request for records is denied, the governmental entity must provide a written explanation of the reason for the denial. The individual then has a right to appeal the denial to the chief administrative officer (CAO) of the governmental entity. If the CAO upholds the denial of the request for access, the individual has additional options to appeal the CAO’s decision.

Amend or Correct Your Personal Data

An individual may request that their personal data be amended or corrected by a governmental entity under the GDPA and GRAMA by contacting the governmental entity directly. If this request is approved, the governmental entity will update the records. If the request is denied, an individual may submit a written statement describing the information in dispute. That statement will then be attached to the records.

Receive a Privacy Notice

An individual is entitled to receive a privacy notice under the GDPA when a governmental entity requests or collects personal data from the individual. This privacy notice must describe:

• all intended purposes and uses of the personal data;
• the consequences of not providing the personal data;
• the classes of persons and governmental entities:
• with whom the governmental entity shares personal data; or
• to whom the governmental entity sells personal data; and
• the record series in which the personal data is included.

The GDPA also allows an individual to request a privacy notice for any personal data the individual previously provided to the governmental entity.

Restrict Access to the Personal Information of an At-Risk Employee

An at-risk employee may submit a request to a governmental entity to have their personal information classified as a private record under the GDPA. An at-risk employee includes a current or former:

• peace officer;
• judge;
• prosecutor;
• member of the Board of Pardons;
• state, federal, or local government employee who, because of the unique nature of the employee's regular work assignments or because of one or more recent credible threats directed to or against the employee, would be at immediate and substantial risk of physical harm; and
• family members of an at-risk-employee who lives with the at-risk employee.

File a Data Privacy Complaint

Under the GDPA an individual who has a complaint or concern regarding an alleged infringement on the individual’s data privacy interests or a governmental entity's data privacy practices may submit a complaint directly to the CAO of the governmental entity. If the CAO is unable to resolve the individual’s data privacy complaint, the individual or the governmental entity may request that the Data Privacy Ombud mediate the dispute. You can contact the Data Privacy Ombuds at: [email protected]. 

You can read about complaints previously resolved here. 

If you believe a private entity may have violated your consumer privacy rights under the Utah Consumer Privacy Act (UCPA), you may file a complaint with the Division of Consumer Protection.