Record and Personal Data Sharing, Selling, or Purchasing
Practice 2.8

Summary
The Governmental Records Access and Management Act (GRAMA) not only describes how government records are classified but also how those records may be disclosed or shared. There are other state and federal laws that may apply to the sharing of government records.
Authority
Utah Code §§ 63A-19-401, 63G-2-202, 63A-19-401.4, and 63G-2-206
Legal Basis for Sharing Records with Other Governmental Entities
Utah Code § 63G-2-206(1), (2), and (3) provide three separate legal bases for sharing records with other governmental entities.
Legal Basis for Sharing Records for Research Purposes
Utah Code § 63G-2-202(8) provides requirements and restrictions for disclosing private or controlled records for research. Entities must analyze the governing law for appropriate applicability, as numerous code sections specifically address data disclosure for research.
Legal Basis for Sharing Records with Contractors and Private Providers
GRAMA, at Subsection 63G-2-206(6), provides the requirements and restrictions for disclosing records containing personal data to contractors and private providers. The GDPA adds new requirements for these relationships:
- A contractor that processes or has access to personal data is subject to the GDPA to the same extent as the governmental entity.
- A contract entered into or renewed after July 1, 2026, must include specific language requiring the contractor to comply with GDPA requirements.
- These GDPA requirements for contractors are in addition to any other applicable law or liability.
- Contractors are not subject to the GDPA’s privacy training requirements.
Other Legal Bases for Sharing Records
Entities are responsible for knowing the legal bases (e.g., state and federal law) they may use to share non-public records that may contain personal data.
Contracts that Involve Personal Data
Governmental entities must ensure contracts that involve personal data include appropriate privacy protection terms and conditions. It is best practice to consult with legal counsel to ensure compliance with the many different state and federal laws, regulations, policies, and contractual obligations that may apply to particular data, entities, or programs. Such requirements may include those mandated by the Division of Purchasing and General Services or by DTS with respect to IT-related agreements. Examples of privacy-protecting terms and conditions can be found at privacy.utah.gov or by contacting the Office.
Reporting Data Sharing, Selling, or Purchasing
As noted in Privacy Practice 1.5, the annual privacy program report must include the following information as required by Utah Code § 63A-19-401:
- A list of the types of personal data shared, sold, or purchased.
- The legal basis for these activities.
- The categories of individuals or entities with whom the data is shared, sold, or purchased.
Agreements for Data Sharing
Although a written agreement is not always legally required for sharing personal data, it is considered best practice. Legal counsel should be consulted to determine when a written agreement is necessary and to ensure that all privacy and personal data provisions are adequately addressed. It is important to remember that government records are statutorily established as property owned by the state. Misuse by entity employees can trigger both criminal and civil penalties. Thus, it is imperative that governmental entities work closely with their legal counsel to ensure that personal data contained in government records is shared in compliance with applicable laws, rules, and other privacy requirements. Data sharing agreement templates can be found at privacy.utah.gov or by contacting the Office.
