Mark Myer of the Utah State Auditor's Office privacy team told local officials the state's privacy requirements are expanding and that recent legislation will shift implementation support to the Office of Data Privacy in government operations (GovOps).
"So this is very high level... there's requirements on breach notification reporting," Mark said while outlining key program elements: breach notification templates and timing, public-facing data collection notices, prohibitions on data sales and covert surveillance, annual employee privacy training (and training for new hires within 30 days), and contract language that requires third-party vendors to comply with an entity's privacy schedule and retention rules.
Myer said the data privacy amendments bill (referenced in the training) delays prior deadlines for having a fully mature privacy program; under the changes, entities will need to show they are implementing plans and improvements rather than demonstrating full program maturity immediately. He explained that the Office of Data Privacy will build the statewide privacy framework and help customize it for entities, while the auditor's office will focus on audit standards and compliance review.
Myer cautioned that some common website practices can run afoul of privacy prohibitions. He said his team has found examples such as embedded keyloggers that record keystrokes and can be considered covert surveillance. Local officials were advised to review third-party website tools and contracts to ensure compliance and to direct privacy questions to privacy@utah.gov while the transition occurs.
Auditor staff said privacy oversight will be gradual: auditors will initially focus on whether an entity has a documented plan and steps toward implementation, with more prescriptive expectations to follow as standards evolve.