Privacy Program Report

Summary

The CAO of each governmental entity must, by December 31st annually, submit an annual privacy program report (report), in accordance with the specific requirements detailed in Utah Code § 63A-19-401.3. This report should detail whether a privacy program has been initiated and describe any implemented privacy practices, strategies for improvement, and high-risk data processing activities. It needs to list the types of personal data shared, sold, or purchased, along with the legal justification for such activities, and identify the categories of individuals or entities involved.

The report must also state the percentage of employees who have completed data privacy training and outline any non-compliant processing activities found and the plan to address them.

This report is considered a protected record under Utah Code § 63G-2-305 and may be requested by the Office.

Fulfilling the reporting requirement can satisfy the requirement for a governmental entity to initiate a privacy program by December 31, 2025.

The Office has created a privacy program report draft template that a governmental entity may use as a starting point for its particular report. This can be found on the website of the Office at privacy.utah.gov.

Template