Overview
- Enacted: Spring 2024
- Scope: Covers various types of personal data (PHI, employee info, biometrics, applicant data)
- Framework: Establishes a principle-based approach for governmental entities (including public universities)
- Core Principles: Minimization · Fairness · Transparency
- Purpose: Enhances data protection and privacy while allowing flexibility in compliance
- Relation to Other Laws: Supplements existing federal and state legal requirements
- Enforcement: Enforced by the State Auditor and Attorney General
What is GDPA?
The Government Data Privacy Act (GDPA) is Utah’s comprehensive privacy law for public sector organizations. Signed into law in 2024, it's a big leap forward in protecting personal information managed by state and local government entities.
Who Needs to Comply?
As a Utah governmental entity, USU is subject to the Government Data Privacy Act (GDPA). This means all personal data processed by USU—whether by its employees or third-party vendors—must be handled in accordance with GDPA’s privacy requirements.
Key Compliance Dates
- May 1, 2024: All new personal data processing must follow GDPA rules
- May 1, 2025: Privacy programs must be fully in place across all government entities
- January 1, 2027: Any lingering non-compliant practices must be identified and fixed
Main Requirements
Here’s a quick checklist of what we must do under GDPA:
- Maintain a Data Inventory
- Provide clear privacy notices before collecting personal data
- Use personal data only for the reasons stated in the notice
- Let people access, correct, or amend their personal information
- Follow approved data retention and disposal schedules
- Notify individuals in the event of a data breach
- Implement a full privacy program
- Provide regular privacy training for employees who work with personal data
Questions? If you're unsure how GDPA might impact your department or research, or if you’re dealing with personal data, reach out to the USU Privacy Office at privacy@usu.edu.