Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I collect server log information from participants in Utah? What are the requirements?

Collecting Server Log Information from Participants in Utah

According to the documents provided, a governmental entity may collect personally identifiable information related to a user of the governmental entity’s governmental website only if the governmental entity has taken reasonable steps to ensure that on the day on which the personally identifiable information is collected the governmental entity’s governmental website complies with Subsection (2) of UTCO 63D-2-103 [4.2].

Subsection (2) of UTCO 63D-2-103 requires that a governmental website shall contain a privacy policy statement that discloses the personally identifiable information collected by the governmental entity, how the information is used, the practices related to disclosure of the information, the procedures by which a user may request access to and correction of their personally identifiable information, and a general description of the security measures in place to protect a user’s personally identifiable information from unintended disclosure [4.2].

Therefore, if you are a governmental entity collecting server log information from participants in Utah, you must ensure that your website complies with the requirements of UTCO 63D-2-103 and Subsection (2) of that rule. You must also ensure that your privacy policy statement discloses the personally identifiable information collected, how the information is used, the practices related to disclosure of the information, the procedures by which a user may request access to and correction of their personally identifiable information, and a general description of the security measures in place to protect a user’s personally identifiable information from unintended disclosure.

It is important to note that personally identifiable information is not a classification of records under Title 63G, Chapter 2, Government Records Access and Management Act [4.2].

Requirements for Collecting Personally Identifiable Information

According to UTAC R895-8-6, any personally identifiable information an individual provides to a State website shall be used solely by the State, its entities, and third party agents with whom it has contracted to perform a state function on its behalf, unless this rule is superseded by a federal statute, federal regulation, or State statute in which case the personally identifiable information shall be used by other parties only to the extent required by the superseding federal statute, federal regulation or State Statute, or the information is designated as public record by an individual State agency as authorized under Title 63G, Chapter 2 of the Utah Code, Government Records Access and Management Act [1.1][2.1].

Additionally, UTAC R708-44-5 outlines the requirements for accessing the Driver License Division database, which includes providing acceptable proof that the requester is an insurer or a designee of an insurer, entering into a contract with the division or its designated provider to obtain this service, providing the name, date of birth, and Utah license certificate number for the person for which they are seeking monitoring and notification, paying required fees as established by the division, agreeing to comply with state and federal laws regulating the use and further disclosure of information on the Driver License Division database, and complying with auditing processes and procedures required by the division or its designated provider [3.1].

Conclusion

If you are a governmental entity collecting server log information from participants in Utah, you must ensure that your website complies with the requirements of UTCO 63D-2-103 and Subsection (2) of that rule. You must also ensure that your privacy policy statement discloses the personally identifiable information collected, how the information is used, the practices related to disclosure of the information, the procedures by which a user may request access to and correction of their personally identifiable information, and a general description of the security measures in place to protect a user’s personally identifiable information from unintended disclosure.

Furthermore, any personally identifiable information collected by a State website shall be used solely by the State, its entities, and third party agents with whom it has contracted to perform a state function on its behalf, unless superseded by a federal statute, federal regulation, or State statute, or the information is designated as public record by an individual State agency as authorized under Title 63G, Chapter 2 of the Utah Code, Government Records Access and Management Act.

Source(s):
Jurisdiction

Utah