Government Information Privacy Protection Act

The Government Information Privacy Protection Act establishes strict limitations on the sharing of state-collected information with federal agencies, ensuring that such data cannot be disclosed to third parties, including private entities, without notice and accountability measures. The bill also mandates transparency regarding federal use of state-shared data, requires specific privacy training, imposes vendor restrictions, and establishes civil and criminal penalties for unauthorized disclosures.

Key Provisions

  • Restrictions on Federal Data Sharing: Prohibits federal agencies from sharing any personally identifiable information (PII) obtained from state agencies with third parties, including private companies, without explicit notice to the state and affected individuals.

  • State Oversight of Federal Use: Requires any state agency transferring data to the federal government to first obtain a written statement detailing how the data will be used, stored, and protected, as well as any potential third-party access.

  • Mandatory Privacy Training: Requires all state employees handling personally identifiable data shared with federal agencies to undergo annual training on privacy protections, data security, and legal obligations under this act.

  • Vendor Limitations and Compliance: Restricts state agencies from contracting with vendors that do not meet strict data protection requirements and prohibits vendors from further disseminating state-shared data.

  • Civil and Criminal Penalties: Establishes civil liability for agencies or individuals who unlawfully share protected data, as well as criminal penalties for willful violations, including potential fines and imprisonment.

Model Language

Section 1. Short Title. This Act shall be known as the “Government Information Privacy Protection Act.”

Section 2. Purpose. The purpose of this Act is to protect personally identifiable information collected by state agencies from unauthorized sharing, to ensure transparency in federal use of such data, and to establish legal and procedural safeguards to prevent misuse.

Section 3. Definitions

(a) Personally Identifiable Information (PII) – Any information that can be used to distinguish or trace an individual’s identity, including but not limited to name, Social Security number, driver’s license number, biometric records, or any combination thereof.

(b) State Agency – Any department, board, bureau, commission, or other entity of the state government that collects or maintains PII.

(c) Federal Agency – Any department, agency, or instrumentality of the federal government.

(d) Third Party – Any entity, public or private, other than the state agency or federal agency originally receiving the data.

(e) Vendor – Any contractor, subcontractor, or service provider handling PII on behalf of a state or federal agency.

Section 4. Restrictions on Federal Data Sharing

(a) No federal agency receiving PII from a state agency may disclose, sell, transfer, or grant access to such data to any third party without:

(1) Providing written notice to the state agency that supplied the data; and

(2) Providing written notice to any individuals whose data is affected, except where prohibited by law.

(b) A state agency shall not transfer PII to any federal agency unless the receiving agency provides a written statement detailing:

(1) The intended use of the data;

(2) Any anticipated sharing with third parties;

(3) The security measures in place to protect the data; and

(4) The duration for which the data will be retained.

Section 5. Privacy Training Requirements

(a) All employees of a state agency who handle PII subject to transfer to federal agencies shall complete annual privacy training.

(b) Such training shall include education on:

(1) Federal and state privacy laws;

(2) Data security best practices;

(3) Reporting obligations for suspected misuse; and

(4) Consequences of noncompliance.

Section 6. Limitations on Vendors and Data Access

(a) No state agency shall enter into a contract with any vendor that:

(1) Lacks adequate data security measures;

(2) Has been found in violation of federal or state data protection laws within the past five years; or

(3) Fails to comply with contractual requirements for safeguarding PII.

(b) Vendors receiving PII under state agency contracts shall be prohibited from sharing such data beyond what is expressly authorized in the contract.

Section 7. Civil and Criminal Penalties

(a) Any individual who knowingly and unlawfully discloses PII in violation of this Act shall be subject to civil liability, including fines of up to [$50,000] per violation.

(b) Any government employee or vendor who willfully violates this Act shall be guilty of a [Class A Misdemeanor] punishable by up to [one year in prison] and/or a fine of up to [$100,000].

(c) A pattern or practice of violations shall constitute a [felony] punishable by imprisonment of up to [five years] and a fine of up to [$500,000].

Section 8. Enforcement and Oversight

(a) The [State Attorney General] shall have enforcement authority over violations of this Act.

(b) An independent Privacy Oversight Board shall be established to monitor compliance and report annually to the state legislature on the effectiveness of protections.

Section 9. Severability. If any provision of this Act is found to be unconstitutional or invalid, the remaining provisions shall remain in full force and effect.

Section 10. Effective Date. This Act shall take effect [X] days after passage.
