Charleston Town Privacy Policy

 

Town of Charleston

Privacy Program Policy 2025-11

Effective Date: 12/04/2025

Revised Date: tbd

Sunset/Next Review Due: FY 2026

Approved By: Town Council Resolution R2025-11

 

1.           Purpose

This policy serves to document the Town of Charleston ’s [“Town”] privacy program, which includes the Town’s policies, practices, and procedures for the processing of personal data in accordance with Utah Code § 63A-19-401(2)(a), and which aligns with the records management and data governance requirements provided in both GRAMA and DARS. Where applicable, this policy will refer to a more specific or detailed policy, procedure, or guidance that addresses a particular practice that the Town has developed.

 

2.           Guiding Principles

This policy consolidates privacy practices, outlines governance roles and responsibilities, and ensures compliance with generally applicable records management, data protection, and data privacy obligations. It is designed to safeguard individual privacy rights, promote transparency, maintain the integrity and security of personal data, and ensure accountability across all departments within the Town.  This policy is meant to guide further alignment of the Town with the State Data Privacy Policy as detailed in Utah Code § 63A-19-102.

 

3.           Scope

This policy applies to all Town employees involved in the management, creation, and maintenance of records or who have access to personal data as part of their job duties.

This policy also applies to all contractors of the Town that process or have access to personal data as a part of the contractor’s duties under an agreement with the Town pursuant to Utah Code § 63A-19-401(4).

 

Processing activities implemented on or after May 1, 2024, must be compliant with this policy prior to implementation. The Town must develop a strategy to inventory and bring pre-existing activities into compliance with this policy by January 1, 2027.[1]

 

4.           Definitions:

[1] Utah Code § 63A-19-401(2)(e).

C retrieval, consultation, use, disclosure by transmission, transfer, dissemination, alignment, combination, restriction, erasure, or destruction.[1]

 

Record” means the same as that term is defined at Utah Code § 63G-2-103(25).[2]

 

Record series” means a group of records that may be treated as a unit for purposes of designation, description, management, or disposition.[3]

 

Records officer” means the individual appointed by the chief administrative officer of each governmental entity, or the political subdivision to work with state archives in the care, maintenance, scheduling, designation, classification, disposal, and preservation of records.[4]

 

Schedule,” “scheduling,” and their derivative forms mean the process of specifying the length of time each record series should be retained by a governmental entity for administrative, legal, fiscal, or historical purposes and when each record series should be transferred to the state archives or destroyed.[5]

 

1.           Governance

            1.1.            Chief Administrative Officers (CAOs)

  1. The Town  Clerk shall serve as a chief administrative officer (CAO) of the Town in fulfilling the duties outlined in Utah Code § 63A-12-103.

 

  1. The designation of the CAO shall be reported to the Utah Division of Archives and Records Services (Archives) within 30 days of the designation.

 

  1. The designation of, and responsibilities assigned to, a CAO shall be reviewed and confirmed by the Town on an annual basis.

 

            1.2.            Appointed Records Officers (AROs)

  1. The CAO shall appoint one or more individuals to serve as records officers in fulfilling the duties of working with Archives and the Office of Data Privacy in the care, maintenance, scheduling, disposal, classification, designation, access, privacy, and preservation of records.[6]

[1] Utah Code § 63A-19-101(14)

[2] Only the citation to the definition of “record” is provided here due to the length of the definition.

[3] Utah Code § 63G-2-103(26)

[4] Utah Code § 63G-2-103(27)

[5] Utah Code § 63G-2-103(28)

[6] Utah Code § 63A-12-103(2)

  1. The CAO may assign responsibility for the duties of appointed records officers to one, or among several, officers as the CAO deems appropriate.

 

  1. The appointment of records officers shall be reported to Archives within 30 days of the appointment.

 

  1. If responsibility for the duties of appointed records officers are divided between more than one officer, such specification should be reported to Archives along with the appointment.

 

  1. The appointment of, and responsibilities assigned to, a records officer shall be reviewed and confirmed by the Town on an annual basis.

 

1.           Records Series

            1.1.            Records and Records Series

  1. The Town shall create and maintain records and records series in accordance with the requirements provided in DARS and GRAMA in addition to correlated guidance issued by Archives.

 

  1. The Town shall appropriately designate and classify records and records series in accordance with the requirements provided in DARS and GRAMA.

 

  1. CAO shall be responsible for submitting a proposed retention schedule for each type of material defined as a record under GRAMA to the state archivist for review and final approval by the Records Management Committee (RMC).

 

  1. Upon approval by the RMC, Town shall maintain and dispose of records in strict accordance with the approved retention schedule. In instances where Town has not received an approved retention schedule for a specific type of record, the general retention schedule maintained by the state archivist shall govern the retention and disposition of those records.

 

            1.2.            Record Series Privacy Annotation

  1. The Town shall perform a privacy annotation for each record series that contains personal data pursuant to Utah Code § 63A-12-115.

 

  1. Privacy annotations shall include:
    1. the legal authority under which personal data is processed;
    2. the purposes and uses for the personal data; and
    3. the types of personal data that may be processed within the record series.
  1. Privacy annotations shall be conducted and reported in accordance with additional requirements provided by Archives via administrative rule.

 

1.           Awareness & Training

            1.1.            Departmental Data Privacy Training

  1. The CAO shall ensure that all employees that have access to personal data as part of the employee’s work duties complete a data privacy training program within 30 days after beginning employment and at least once in each calendar year.

 

  1. The CAO is responsible for monitoring completion of data privacy training by the Town’s employees.

 

            1.2.            Agency-Specific Training

  1. In addition to the general privacy awareness training, the Town may create and require employees to complete specific privacy training tailored to the unique privacy needs, practices, and requirements of the Town.

 

 

            1.3.            Appointed Records Officer Training and Certification

  1. The CAO shall ensure that, on an annual basis, all appointed records officers successfully complete online training on the provisions of GRAMA and obtain certification from Archives in accordance with Utah Code § 63A-12-110.

 

  1. The CAO shall, on an annual basis, review and confirm the certification status of all appointed records officers.

 

  1. GRAMA Access AROs: AROs who handle GRAMA transparency responsibilities are required to complete the GRAMA transparency training and obtain certification from Archives in accordance with Utah Code § 63A-12-110.

 

  1. Records Management and Privacy AROs: AROs specializing in records management or privacy are required to complete both records management and GRAMA transparency training, as well as obtain the corresponding certifications.

 

2.           Identify

            2.1.            Inventorying

The CAO shall maintain a comprehensive inventory of:

    1. All IT systems that may process state or federal data which the state owns or is responsible for, using the standard process that DTS provides.[1]
    2. All records and record series that contain personal data and the types of personal data included in the records and record series.[2]
    3. All processing activities, the inventory of which shall include:
      1. Non-compliant processing activities—pursuant to the GDPA—that were implemented prior to May 1, 2024, and a prepared strategy for bringing the non-compliant processing activity into compliance by no later than January 1, 2027;[3] and
      2. All processing activities implemented after May 1, 2024, with documentation confirming compliance status.

 

            1.1.            Information Technology Privacy Impact Assessment [NOT currently required by municipalities, but expected in future year(s).]

  1. The CAO shall ensure the completion of a Privacy Impact Assessment (PIA) for all IT systems that may process personal data prior to the initiation of data processing in the IT system as required under DTS Information Security Policy 5000-0002.

 

  1. The responsible CAO shall use the PIA template that is created and maintained by the Chief Privacy Officer and which is approved by the Chief Information Officer pursuant to DTS Information Security Policy 5000-0002.

 

  1. CAOs must maintain a copy of each completed assessment for a period of four years to provide audit documentation and ensure accountability in privacy practices.

 

2.           Transparency

            2.1.            Website Privacy Policy

  1. The CAO shall create and maintain privacy policies on their websites as outlined in Utah Code § 63D-2-103 and Utah Admin. Code R895-8.

 

The CAO shall ensure that personal data related to a user of the Town’s website is not collected unless the Town’s website complies with Utah Code § 63D-2-103(2).

[1] DTS Information Security Policy 5000-0002, section 2.4.2.1

[2] Utah Code §§ 63A-12-104 and 63A-12-115

[3] Utah Code § 63A-19-401

  1. The CAO shall ensure that all website(s) of the Town contain a privacy policy statement that discloses:

 

    1. The identity of the governmental website operator;
    2. How the governmental website operator may be contacted;
    3. The personal data collected by the governmental entity;
    4. The practices related to disclosure of personal data collected by the governmental entity and/or the governmental website operator; and
    5. The procedures, if any, by which a user of a governmental entity may request:
      1. Access to the user’s personal data; and
      2. Access to correct the user’s personal data.
    6. A general description of the security measures in place to protect a user’s personal data from unintended disclosure.

           1.1.            Privacy Notice

  1. Employees shall only collect personal data from individuals if, on the day the personal data is collected, the Town has provided a privacy notice to an individual asked to furnish personal data that complies with Utah Code §§ 63G-2-601(2), 63A-19-402, 63D-2-103(2)-(3), or other governing law, as applicable.

 

  1. Such a personal data request privacy notice shall generally include[1]:

 

    1. the record series that the personal data will be included in;
    2. the reasons the person is asked to furnish the information;
    3. the intended purposes and uses of the information;
    4. the consequences for refusing to provide the information; and
    5. the classes of persons and entities that currently:
      1. share the information with the Town or
      2. receive the information from the Town on a regular or contractual basis.

 

2.           Individual Requests

  1. The CAO shall ensure that the Town has established appropriate processes and procedures that facilitate compliance with applicable governing law for handling the following privacy requests of individuals:

 

    1. Individual’s requests to access their personal data;
    2. Individual’s requests to amend or correct their personal data;

[1] Utah Code §§ 63G-2-601(2) and 63A-19-402.

    1. Individual’s requests for an explanation of the purposes and uses of their personal data; and
    2. At-risk governmental employee requests to restrict access to their personal data.

 

  1. The CAO shall ensure that the Town has established processes for public access requests to inspect or copy the Town’s records, which are not requests from an individual to access their personal data.[1]

 

  1. The CAO shall ensure that employees of the Town follow established business practices with respect to GRAMA.[2]

 

1.           Processing

            1.1.            Minimum Data Necessary

  1. The CAO shall ensure that all programs within the Town obtain and process only the minimum amount of personal data reasonably necessary to efficiently achieve a specified purpose.[3]

 

  1. The CAO shall ensure that all programs within the Town regularly review their data collection practices to ensure compliance with the data minimization requirement.

 

           1.2.            Record and Data Sharing or Selling Policy

  1. The Town will only share or disclose personal data when there is appropriate legal authority. The sale of personal data is prohibited unless required by law.

 

  1. Data sharing must comply with GRAMA or other governing law and may include sharing with governmental entities, contractors, private providers, or researchers. Compliance with GRAMA or other governing law is contingent upon the purpose of the sharing, the parties involved, and the nature of the records.

 

  1. The CAO is required to report annually to the Chief Privacy Officer on personal data sharing and selling activities, including types of data shared, the legal basis for sharing, and the entities receiving this data.

[1] This is likely detailed in a specific Department policy.

[2] Dept. of Government Operations Internal Policy 01. Code of Conduct. Section 3.2 Managing Records and Information.

[3] Utah Code § 63A-19-401(2)(c).

  1. All contracts involving personal data must incorporate appropriate privacy protection terms. Written agreements for data sharing are recommended to ensure compliance with applicable laws and regulations.

 

           1.1.            Retention and Disposition of Records Containing Personal Data

  1. Employees shall maintain, archive, and dispose of records—which includes all personal data—in accordance with an approved retention schedule.[1]

 

  1. Employees shall comply with all other applicable laws or regulations related to retention or disposition of specific personal data held by the Town or by a particular operating unit or program of the Town

 

2.           Information Security

            2.1.            Incident Response

  1. The Town adopts and follows the DTS Cybersecurity Incident Response Plan to manage and address all security incidents, including data breaches, and privacy violations.

 

  1. Employees shall report all suspected security incidents, including non-IT incidents such as unauthorized access to physical records, to the Enterprise Information Security Office (EISO). Any additional agency-specific response measures for non-IT incidents are the responsibility of the CAO to develop and implement as appropriate.

 

  1. The CAO shall ensure compliance with all other applicable laws or regulations related to incident response and breach notification of specific personal data held by the Town.

 

            2.2.            Breach Notification

  1. The Town is required to provide notice to an individual or the legal guardian of an individual, if the individual’s personal data is affected by a data breach in accordance with Utah Code § 63A-19-406.[2]

 

  1. The Town is required to notify the Cyber Center and the state attorney general’s office of a data breach affecting 500 or more individuals in accordance with Utah Code § 63A-19-405. Should the Town experience a data breach affecting fewer than 500 individuals, the Town must create and report an internal incident report in accordance with Utah Code § 63A-19-405(5). These requirements are in addition to any other reporting requirement that the Town may be subject to.

[1] Utah Code §§ 63G-2-604(1)(b) and 63A-19-404.

[2] Utah Code § 63A-19-401(2)(b).

  1. The CAO is subject to other breach notification requirements, such as those required for compliance with federal regulations, laws or other governing requirements (e.g., HIPAA or 42 CFR Part 2) are currently required to create and maintain their own respective, specific breach notification policies and procedures that meet the requirements of the applicable governing laws and regulations.

 

1.           Surveillance

            1.1.            Covert Surveillance

  1. Employees may not establish, maintain, or use undisclosed or covert surveillance of individuals unless permitted by law.[1]

 

  1. Employees are responsible for engaging with appropriate leadership for review—to include legal counsel where pertinent—of any activity that may be considered a type of surveillance.

 

  1. The CAO shall ensure that surveillance activities are documented and that a PIA for the activity has been completed [currently not required by municipalities].

 

            1.2.            Cookies, Fingerprinting, Key Loggers, and Tracking Technologies

The Town is committed to transparency and privacy protection for individuals that visit the Town’s website(s) with regard to the use of any tracking technologies, including but not limited to cookies, device fingerprinting, key loggers, and other similar methods for monitoring or collecting information from website users.

 

  1. Cookies
    The use of cookies on the Town’s website(s) and digital services must comply with applicable privacy and security policies. Cookies should be limited to essential operational purposes, and any use of tracking or third-party cookies for analytics or similar functions must be disclosed clearly to users, with an option to consent where required by law.

 

  1. Device Fingerprinting

Device fingerprinting is prohibited unless explicitly authorized by the CAO and where the legal basis or appropriate justification for such processing is documented in a privacy impact assessment. The purpose and extent of fingerprinting must be clearly defined, documented, and disclosed to users in a privacy notice or statement that complies with applicable legal requirements.

[1] Utah Code § 63A-19-401(2)(f).

  1. Key Loggers

Key loggers are prohibited without specific authorization from the CAO and documented justification in the activity’s PIA [currently not required by municipalities]. Key loggers may only be used when there is a clearly defined operational need that complies with security standards and legal requirements, including appropriate user notice where required.

 

  1. Other Tracking Technologies

The use of other tracking technologies, such as web beacons, pixel tags, or similar tools, is prohibited unless explicitly authorized by the CAO, and the legal basis for such tracking is documented in a PIA [currently not required by municipalities]. Disclosure of these technologies must be included in user-facing privacy statements, with user consent obtained when required by law.

 

  1. User Notification and Consent

The Town must ensure users are informed about the use of tracking technologies. A clear website privacy statement must explain the types of data collected, the purpose of the tracking, and how users can manage their preferences or consent. Any updates to tracking practices must be promptly reflected in the privacy statement.

 

  1. Data Security and Retention

Data collected through authorized tracking technologies must be securely stored, with access limited to authorized personnel. Retention of this data must align with approved retention schedules, and the data should only be retained as long as necessary for the defined operational purpose.

 

1.           Related Documents

  • Department of Government Operations Internal Policy 01. Code of Conduct. Section 3.2 Managing Records and Information.
  • DTS Cybersecurity Incident Response Plan
  • of Government Operations Internal Policy 01.
  • State of Utah policies on handling public records requests under GRAMA.
  • Town of Charleston