State Privacy Highlights

August 2023

Welcome to the latest edition of the State Privacy Highlights News from Utah’s State Privacy Officer

9 Key Privacy Provisions to Include in Any Vendor Contract

• Legal Compliance: Require the vendor to comply with applicable data protection laws and regulations.
• Data Protection and Security: Require the vendor to implement and maintain appropriate technical, physical, and administrative safeguards.
• Liability and Insurance: Require the vendor to insure against any damage or loss from or related to data breaches.
• Breach Notification: Require the vendor to notify your organization within 24-72 hours in the event of any verified or suspected (1) breach of security, (2) unauthorized disclosure, or(3) misuse of your organization’s data. Specify in the contract what constitutes a breach — do not rely on the vendor’s determination of what a breach is.
• Confidentiality: Require the vendor to keep your organization’s data confidential. Restrict the vendor from disclosing information to any third party without your organization’s prior written consent.
• Audit: Require the vendor to undergo security and privacy compliance audits. A third party may perform these audits.
• Data Deletion: Require the vendor to delete or return all of your organization’s data upon the termination of the contract.
• Use of Data Limitations: Restrict the vendor to only use your organization’s data for the purposes specified in the contract. Make those purposes clear and conspicuous in the contract.
• Subcontracting: Require the vendor to ensure subcontractors comply with the privacy clauses in the contract, if the vendor intends to subcontract any of the services under the contract.

For a starting point on drafting these provisions, see our recommendations (PDF).

Remember, protecting privacy is critical to maintaining public trust and confidence in government work!

For questions or concerns, contact Dr. Whitney Phillips, State Privacy Officer at: wphillips@utah.gov

Learn More about Privacy Provisions and
Utah’s New Data Breach Reporting Requirement

September 13, 2023 12:00-1:30
Virtual and in-person at the Capitol complex

To register, click here

Featuring:

• Travis Scott and Eric Sedgwick, Utah Cyber Center, Utah Division of Technology Services
• Dr. Whitney Phillips, State Privacy Officer
• Nora Kurzova, JD., Assistant State Privacy Officer

To sign up for State Privacy Highlights delivered to your inbox, visit http://eepurl.com/iwFowA.