Pursuant to Government Code Section 11019.9, all departments and agencies of the State of California shall enact and maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977 (Civil Code Section 1798 et seq.), that includes, but not necessarily limited to, the following principles:
- Personally identifiable information may only be obtained through lawful means.
- The purposes for which personally identifiable data are collected shall be specified at or prior to the time of collection, and any subsequent use of the data shall be limited to and consistent with the fulfillment of those purposes previously specified.
- Personal data may not be disclosed, made available, or otherwise used for a purpose other than those specified, except with the consent of the subject of the data, or as required by law or regulation.
- Personal data collected shall be relevant to the purpose for which it is needed.
- The general means by which personal data is protected against loss, unauthorized access, use, modification, or disclosure shall be posted, unless the disclosure of those general means would compromise legitimate agency objectives or law enforcement purposes.
Each department shall implement this privacy policy by:
- Designating which position within the department or agency is responsible for the implementation of and adherence to this privacy policy;
- Prominently posting the policy physically in its offices and on its Internet website, if any;
- Distributing the policy to each of its employees and contractors who have access to personal data;
- Complying with the Information Practices Act (Civil Code Section 1798 et seq.), the Public Records Act (Government Code Section 6250 et seq.), Government Code Section 11015.5, and all other laws pertaining to information privacy, and
- Using appropriate means to successfully implement and adhere to this privacy policy.