Inventory of Processing Activities

Practice #9

Summary

Inventory of Processing Systems.

Under the Division of Technology Services (DTS) Information Security Policy 5000-0002 section 2.4.2.1, state agencies are required to maintain an inventory of all IT systems that may process state or federal data which the State owns or is responsible for, consistent with National Institute of Standards and Technology, Special Publications 800-53 Rev5, using the standard process that DTS provides. An inventory of all systems that may process state data is necessary to ensure that all systems are reasonably accounted for. Agencies may then also use this inventory to ensure that systems only process personal data for authorized purposes and that the processing is still necessary for the authorized purposes.

Inventory of Records Series and Personal Data.

As noted in Privacy Practice #6, state agencies are required to perform “privacy annotations” for each record series that contains personal data pursuant. One of the requirements for performing a privacy annotation is the inclusion of an inventory of the personal data that is included in the particular record series.

Inventory of Non-Compliant Processing Activities.

State agencies must comply with the requirements in Utah Code § 63A-19-401, which includes a requirement to identify and document any non-compliant processing activity that was implemented prior to May 1, 2024, and prepare a strategy for bringing the non-compliant processing activity into compliance no later than January 1, 2027. All processing activities implemented after May 1, 2024, must be compliant as of implementation. This documentation requirement implies, and thus it is recommended, that agencies keep an inventory of all processing activities, not only those that are non-compliant.

Maturity Model
