BILL NUMBER: SB 90	CHAPTERED
	BILL TEXT

	CHAPTER  183
	FILED WITH SECRETARY OF STATE  AUGUST 24, 2007
	APPROVED BY GOVERNOR  AUGUST 24, 2007
	PASSED THE ASSEMBLY  JULY 20, 2007
	PASSED THE SENATE  JULY 21, 2007
	AMENDED IN ASSEMBLY  JULY 20, 2007
	AMENDED IN ASSEMBLY  JULY 16, 2007

INTRODUCED BY   Committee on Budget and Fiscal Review

                        JANUARY 17, 2007

   An act to repeal Sections 350 and 352 of the Business and
Professions Code, and to amend Sections 3513, 3527, 11550, and 12804
of, to add Chapter 5.7 (commencing with Section 11549) to Part 1 of
Division 3 of Title 2 of, to add and repeal Chapter 5.6 (commencing
with Section 11545) of Part 1 of Division 3 of Title 2 of, and to
repeal Section 11545 of, the Government Code, relating to state
government.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 90, Committee on Budget and Fiscal Review. State government:
information technology.
   (1) Under existing law, the duties of the office of the State
Chief Information Officer include, but are not limited to, generally
providing oversight, advice, and management regarding information
technology to the Governor and various agencies within the state.
   This bill would additionally require the office of the State Chief
Information Officer to, among other things, approve and oversee
information technology projects, establish and enforce state
information technology strategic plans, policies, standards, and
enterprise architecture, and produce an annual strategic plan.
   (2) Existing law requires each state agency and department to
enact and maintain a permanent privacy policy that includes specified
privacy principles, and complies with the Information Practices Act
of 1977.
   This bill would create the Office of Information Security and
Privacy Protection in the State and Consumer Services Agency, to
ensure the confidentiality, integrity, and availability of state
systems and applications, and to promote and protect consumer privacy
to ensure the trust of the residents of the state.
   (3) Existing law establishes within the Department of Consumer
Affairs an Office of Privacy Protection under the direction of the
Director of Consumer Affairs and the Secretary of State and Consumer
Services, to protect the privacy of individuals' personal
information. Existing law specifies that these provisions are only
operative in years in which there is an appropriation from the
General Fund in the Budget Act for these purposes.
   This bill would revise this provision to create, until January 1,
2013, in the Office of Information Security and Privacy Protection,
the Office of Privacy Protection.
   (4) This bill would provide for the transfer of employees of the
Office of Technology Review, Oversight, and Security within the
Department of Finance to the office of the State Chief Information
Officer, the Office of Information Security and Privacy Protection,
or the Finance Information Technology Consulting Unit within the
Department of Finance, subject to specified conditions.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 350 of the Business and Professions Code is
repealed.
  SEC. 2.  Section 352 of the Business and Professions Code is
repealed.
  SEC. 3.  Section 3513 of the Government Code is amended to read:
   3513.  As used in this chapter:
   (a) "Employee organization" means any organization that includes
employees of the state and that has as one of its primary purposes
representing these employees in their relations with the state.
   (b) "Recognized employee organization" means an employee
organization that has been recognized by the state as the exclusive
representative of the employees in an appropriate unit.
   (c) "State employee" means any civil service employee of the
state, and the teaching staff of schools under the jurisdiction of
the State Department of Education or the Superintendent of Public
Instruction, except managerial employees, confidential employees,
supervisory employees, employees of the Department of Personnel
Administration, professional employees of the Department of Finance
engaged in technical or analytical state budget preparation other
than the auditing staff, professional employees in the
Personnel/Payroll Services Division of the Controller's office
engaged in technical or analytical duties in support of the state's
personnel and payroll systems other than the training staff,
employees of the Legislative Counsel Bureau, employees of the Bureau
of State Audits, employees of the office of the Inspector General,
employees of the board, conciliators employed by the State
Conciliation Service within the Department of Industrial Relations,
employees of the Office of the State Chief Information Officer except
as otherwise provided in Section 11546.5, and intermittent athletic
inspectors who are employees of the State Athletic Commission.
   (d) "Mediation" means effort by an impartial third party to assist
in reconciling a dispute regarding wages, hours and other terms and
conditions of employment between representatives of the public agency
and the recognized employee organization or recognized employee
organizations through interpretation, suggestion and advice.
   (e) "Managerial employee" means any employee having significant
responsibilities for formulating or administering agency or
departmental policies and programs or administering an agency or
department.
   (f) "Confidential employee" means any employee who is required to
develop or present management positions with respect to
employer-employee relations or whose duties normally require access
to confidential information contributing significantly to the
development of management positions.
   (g) "Supervisory employee" means any individual, regardless of the
job description or title, having authority, in the interest of the
employer, to hire, transfer, suspend, lay off, recall, promote,
discharge, assign, reward, or discipline other employees, or
responsibility to direct them, or to adjust their grievances, or
effectively to recommend this action, if, in connection with the
foregoing, the exercise of this authority is not of a merely routine
or clerical nature, but requires the use of independent judgment.
Employees whose duties are substantially similar to those of their
subordinates shall not be considered to be supervisory employees.
   (h) "Board" means the Public Employment Relations Board. The
Educational Employment Relations Board established pursuant to
Section 3541 shall be renamed the Public Employment Relations Board
as provided in Section 3540. The powers and duties of the board
described in Section 3541.3 shall also apply, as appropriate, to this
chapter.
   (i) "Maintenance of membership" means that all employees who
voluntarily are, or who voluntarily become, members of a recognized
employee organization shall remain members of that employee
organization in good standing for a period as agreed to by the
parties pursuant to a memorandum of understanding, commencing with
the effective date of the memorandum of understanding. A maintenance
of membership provision shall not apply to any employee who within 30
days prior to the expiration of the memorandum of understanding
withdraws from the employee organization by sending a signed
withdrawal letter to the employee organization and a copy to the
Controller's office.
   (j) "State employer," or "employer," for the purposes of
bargaining or meeting and conferring in good faith, means the
Governor or his or her designated representatives.
   (k) "Fair share fee" means the fee deducted by the state employer
from the salary or wages of a state employee in an appropriate unit
who does not become a member of and financially support the
recognized employee organization. The fair share fee shall be used to
defray the costs incurred by the recognized employee organization in
fulfilling its duty to represent the employees in their employment
relations with the state, and shall not exceed the standard
initiation fee, membership dues, and general assessments of the
recognized employee organization.
  SEC. 4.  Section 3527 of the Government Code is amended to read:
   3527.  As used in this chapter:
   (a) "Employee" means a civil service employee of the State of
California. The "State of California" as used in this chapter
includes such state agencies, boards, and commissions as may be
designated by law that employ civil service employees, except the
University of California, Hastings College of the Law, and the
California State University.
   (b) "Excluded employee" means all managerial employees, as
defined in subdivision (e) of Section 3513, all confidential
employees, as defined in subdivision (f) of Section 3513, and all
supervisory employees, as defined in subdivision (g) of Section 3513,
and all civil service employees of the Department of Personnel
Administration, professional employees of the Department of Finance
engaged in technical or analytical state budget preparation other
than the auditing staff, professional employees in the
Personnel/Payroll Services Division of the Controller's office
engaged in technical or analytical duties in support of the state's
personnel and payroll systems other than the training staff,
employees of the Legislative Counsel Bureau, employees of the Bureau
of State Audits, employees of the Public Employment Relations Board,
conciliators employed by the State Conciliation Service within the
Department of Industrial Relations, employees of the office of the
State Chief Information Officer except as provided in Section
11546.5, and intermittent athletic inspectors who are employees of
the State Athletic Commission.
   (c) "Supervisory employee organization" means an organization that
represents members who are supervisory employees under subdivision
(g) of Section 3513.
   (d) "Excluded employee organization" means an organization that
includes excluded employees of the state, as defined in subdivision
(b), and that has as one of its primary purposes representing its
members in employer-employee relations. Excluded employee
organization includes supervisory employee organizations.
   (e) "State employer" or "employer," for purposes of meeting and
conferring on matters relating to supervisory employer-employee
relations, means the Governor or his or her designated
representatives.
  SEC. 5.  Section 11545 of the Government Code is repealed.
  SEC. 6.  Chapter 5.6 (commencing with Section 11545) is added to
Part 1 of Division 3 of Title 2 of the Government Code, to read:
      CHAPTER 5.6.  OFFICE OF THE STATE CHIEF INFORMATION OFFICER


   11545.  (a) There is in state government the office of the State
Chief Information Officer. The State Chief Information Officer shall
be appointed by, and serve at the pleasure of, the Governor, subject
to Senate confirmation. The State Chief Information Officer shall be
a member of the Governor's cabinet.
   (b) The duties of the State Chief Information Officer shall
include, but are not limited to, all of the following:
   (1) Advising the Governor on the strategic management and
direction of the state's information technology resources.
   (2) Establishing and enforcing state information technology
strategic plans, policies, standards, and enterprise architecture.
This shall include the periodic review and maintenance of the
information technology sections of the State Administrative Manual,
except for sections on information technology procurement,
information security and information technology fiscal policy. The
State Chief Information Officer shall consult with the Director of
General Services, the Director of the Office of Information Security
and Privacy Protection, the Director of Finance, and other relevant
agencies concerning policies and standards these agencies are
responsible to issue as they relate to information technology.
   (3) Minimizing overlap, redundancy, and cost in state operations
by promoting the efficient and effective use of information
technology.
   (4) Coordinating the activities of agency and department chief
information officers and the Director of Technology Services for
purposes of integrating statewide technology initiatives, ensuring
compliance with information technology policies and standards,
including policies and standards issued by the Department of General
Services and the Office of Information Security and Privacy
Protection, and promoting alignment and effective management of
information technology resources.
   (5) Working to improve organizational maturity and capacity in the
effective management of information technology.
   (6) Establishing performance management and improvement processes
to ensure state information technology systems and services are
efficient and effective.
   (7) Approving, suspending, terminating, and reinstating
information technology projects.
   (c) The office of the State Chief Information Officer shall
produce an annual information technology strategic plan that shall
guide the acquisition, management, and use of information technology.
State agencies shall cooperate with the office in the development of
this plan, as required by the State Chief Information Officer.
   (1) Upon establishment of the information technology strategic
plan, the State Chief Information Officer shall take all appropriate
and necessary steps to implement the plan, subject to any
modifications and adjustments deemed necessary and reasonable.
   (2) The information technology strategic plan shall be submitted
to the Joint Legislative Budget Committee by January 15, 2009, and
annually thereafter.
   11546.  (a) The office of the State Chief Information Officer
shall be responsible for the approval and oversight of information
technology projects, which shall include, but are not limited to, all
of the following:
   (1) Establishing and maintaining a framework of policies,
procedures, and requirements for the initiation, approval,
implementation, management, oversight, and continuation of
information technology projects.
   (2) Evaluating information technology projects based on the
business case justification, resources requirements, proposed
technical solution, project management, oversight and risk mitigation
approach, and compliance with statewide strategies, policies, and
procedures. Projects shall continue to be funded through the
established Budget Act process.
   (3) Consulting with agencies during initial project planning to
ensure that project proposals are based on well-defined programmatic
needs, clearly identify programmatic benefits, and consider feasible
alternatives to address the identified needs and benefits consistent
with statewide strategies, policies, and procedures.
   (4) Consulting with agencies prior to project initiation to review
the project governance and management framework to ensure that it is
best designed for success and will serve as a resource for agencies
throughout the project implementation.
   (5) Requiring agencies to provide information on information
technology projects including, but not limited to, all of the
following:
   (A) The degree to which the project is within approved scope,
cost, and schedule.
   (B) Project issues, risks, and corresponding mitigation efforts.
   (C) The current estimated schedule and costs for project
completion.
   (6) Requiring agencies to perform remedial measures to achieve
compliance with approved project objectives. These remedial measures
may include, but are not limited to, any of the following:
   (A) Independent assessments of project activities, the cost of
which shall be funded by the agency administering the project.
   (B) Establishing remediation plans.
   (C) Securing appropriate expertise, the cost of which shall be
funded by the agency administering the project.
   (D) Requiring additional project reporting.
   (E) Requiring approval to initiate any action identified in the
approved project schedule.
   (7) Suspending, reinstating, or terminating information technology
projects. The office shall notify the Joint Legislative Budget
Committee of any project suspension, reinstatement, and termination
within 30 days of that suspension, reinstatement, or termination.
   (8) Establishing restrictions or other controls to mitigate
nonperformance by agencies, including, but not limited to, any of the
following:
   (A) The restriction of future project approvals pending
demonstration of successful correction of the identified performance
failure.
   (B) The revocation or reduction of delegated authority.
   (b) The office of the State Chief Information Officer shall have
the authority to delegate to another agency any authority granted
under this section based on its assessment of the agency's project
management, project oversight, and project performance.
   11546.5.  (a) Employees of the Office of Technology Review,
Oversight, and Security within the Department of Finance shall be
transferred to the office of the State Chief Information Officer, the
Office of Information Security and Privacy Protection, or the
Finance Information Technology Consulting Unit within the Department
of Finance.
   (b) Notwithstanding Section 19050.9, the Director of Finance shall
have final approval over which persons serving in the Department of
Finance Office of Technology Review, Oversight, and Security as of
the effective date of this chapter are transferred to the office of
the State Chief Information Officer, the Office of Information
Security and Privacy Protection, and the Finance Information
Technology Consulting Unit. The status, position, and rights of those
persons transferring and those persons remaining within the
Department of Finance shall be retained by them pursuant to Section
19050.9 and the State Civil Service Act (Part 2 (commencing with
Section 18500) of Division 5).
   (c) All relevant records and papers held for the benefit and use
of the former Department of Information Technology in the performance
of its statutory duties, powers, purposes, and responsibilities, and
of the Office of Technology Review, Oversight, and Security within
the Department of Finance in the performance of its statutory duties,
powers, purposes, and responsibilities, except for records and
papers with respect to information security, shall be transferred to
the office of the State Chief Information Officer.
   (d) Notwithstanding any other provision of law, all employees of
the office of the State Chief Information Officer shall be designated
as excluded from collective bargaining pursuant to subdivision (b)
of Section 3527.
   (e) Notwithstanding any other provision of law, the Director of
Finance may enter into contractual agreements on behalf of the office
of the State Chief Information Officer until the State Chief
Information Officer is appointed by the Governor, but not later than
June 30, 2008, whichever occurs first.
   11547.  The Department of Finance shall perform fiscal oversight
of the state's information technology projects. This oversight shall
consist of a determination of the availability of project funding
from appropriate sources, and project consistency with state fiscal
policy. Projects shall continue to be funded through the established
Budget Act process.
   11548.  This chapter shall not apply to the State Compensation
Insurance Fund, the Legislature, or the Legislative Data Center in
the Legislative Counsel Bureau.
   11548.5.  This chapter shall remain in effect only until January
1, 2013, and as of that date is repealed, unless a later enacted
statute, that is enacted before January 1, 2013, deletes or extends
that date.
  SEC. 7.  Chapter 5.7 (commencing with Section 11549) is added to
Part 1 of Division 3 of Title 2 of the Government Code, to read:
      CHAPTER 5.7.  OFFICE OF INFORMATION SECURITY AND PRIVACY PROTECTION


   11549.  (a) There is in state government, in the State and
Consumer Services Agency, the Office of Information Security and
Privacy Protection. The purpose of the office is to ensure the
confidentiality, integrity, and availability of state systems and
applications, and to promote and protect consumer privacy to ensure
the trust of the residents of this state.
   (b) The office shall be under the direction of an executive
officer, who shall be appointed by, and serve at the pleasure of, the
Governor. The executive officer shall report to the Secretary of
State and Consumer Services, and shall lead the office in carrying
out its mission.
   (c) The duties of the office, under the direction of the executive
officer, shall include, but are not limited to, all of the
following:
   (1) Provide direction for information security and privacy to
state government agencies, departments, and offices, pursuant to
Section 11549.3.
   (2) Administer constituent programs and the Office of Privacy
Protection pursuant to Section 11549.5.
   11549.1.  As used in this chapter, the following terms have the
following meanings:
   (a) "Executive officer" means the executive officer of the Office
of Information Security and Privacy Protection.
   (b) "Office" means the Office of Information Security and Privacy
Protection.
   (c) "Program" means an information security program established
pursuant to Section 11549.3.
   11549.2.  (a) (1) Employees assigned to the security unit of the
Office of Technology Review, Oversight, and Security within the
Department of Finance, and the employees of the Office of Privacy
Protection within the Department of Consumer Affairs are transferred
to the office, within the State and Consumer Services Agency.
   (2) The status, position, and rights of any employee transferred
pursuant to this section shall not be affected by the transfer.
   11549.3.  (a) The executive officer shall establish an information
security program. The program responsibilities include, but are not
limited to, all of the following:
   (1) The creation, updating, and publishing of information security
and privacy policies, standards, and procedures for state agencies
in the State Administrative Manual.
   (2) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies to effectively
manage security and risk for all of the following:
   (A) Information technology, which includes, but is not limited to,
all electronic technology systems and services, automated
information handling, system design and analysis, conversion of data,
computer programming, information storage and retrieval,
telecommunications, requisite system controls, simulation, electronic
commerce, and all related interactions between people and machines.
   (B) Information that is identified as mission critical,
confidential, sensitive, or personal, as defined and published by the
office.
   (3) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies for the
collection, tracking, and reporting of information regarding security
and privacy incidents.
   (4) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies in the
development, maintenance, testing, and filing of each agency's
operational recovery plan.
   (5) Coordination of the activities of agency information security
officers, for purposes of integrating statewide security initiatives
and ensuring compliance with information security and privacy
policies and standards.
   (6) Promotion and enhancement of the state agencies' risk
management and privacy programs through education, awareness,
collaboration, and consultation.
   (7) Representing the state before the federal government, other
state agencies, local government entities, and private industry on
issues that have statewide impact on information security and
privacy.
   (b) (1) Every state agency, department, and office shall comply
with the information security and privacy policies, standards, and
procedures issued pursuant to this chapter by the Office of
Information Security and Privacy Protection.
   (2) Every state agency, department, and office shall comply with
filing requirements and incident notification by providing timely
information and reports as required by policy or directives of the
office.
   (3) The office may conduct, or require to be conducted,
independent security assessments of any state agency, department, or
office, the cost of which shall be funded by the state agency,
department, or office being assessed.
   (4) The office may require an audit of information security to
ensure program compliance, the cost of which shall be funded by the
state agency, department, or office being audited.
   (5) The office shall report to the office of the State Chief
Information Officer any state agency found to be noncompliant with
information security program requirements.
   11549.4.  The office shall consult with the State Chief
Information Officer, the Office of Emergency Services, the Director
of General Services, the Director of Finance, and any other relevant
agencies concerning policies, standards, and procedures related to
information security and privacy.
   11549.5.  (a) There is hereby created in the office, the Office of
Privacy Protection. The purpose of the Office of Privacy Protection
shall be to protect the privacy of individuals' personal information
in a manner consistent with the California Constitution by
identifying consumer problems in the privacy area and facilitating
the development of fair information practices in adherence with the
Information Practices Act of 1977 (Chapter 1 (commencing with Section
1798) of Title 1.8 of Part 4 of Division 3 of the Civil Code).
   (b) The Office of Privacy Protection shall inform the public of
potential options for protecting the privacy of, and avoiding the
misuse of, personal information.
   (c) The Office of Privacy Protection shall make recommendations to
organizations for privacy policies and practices that promote and
protect the interests of the consumers of this state.
   (d) The Office of Privacy Protection may promote voluntary and
mutually agreed upon nonbinding arbitration and mediation of
privacy-related disputes where appropriate.
   (e) The Office of Privacy Protection shall do all of the
following:
   (1) Receive complaints from individuals concerning any person
obtaining, compiling, maintaining, using, disclosing, or disposing of
personal information in a manner that may be potentially unlawful or
violate a stated privacy policy relating to that individual, and
provide advice, information, and referral, where available.
   (2) Provide information to consumers on effective ways of handling
complaints that involve violations of privacy-related laws,
including identity theft and identity fraud. If appropriate local,
state, or federal agencies are available to assist consumers with
those complaints, the office shall refer those complaints to those
agencies.
   (3) Develop information and educational programs and materials to
foster public understanding and recognition of the purposes of this
article.
   (4) Investigate and assist in the prosecution of identity theft
and other privacy-related crimes, and, as necessary, coordinate with
local, state, and federal law enforcement agencies in the
investigation of similar crimes.
   (5) Assist and coordinate in the training of local, state, and
federal law enforcement agencies regarding identity theft and other
privacy-related crimes, as appropriate.
   (6) The authority of the Office of Privacy Protection to adopt
regulations under this article shall be limited exclusively to those
regulations necessary and appropriate to implement subdivisions (b),
(c), (d), and (e).
   11549.6.  This chapter shall not apply to the State Compensation
Insurance Fund, the Legislature, or the Legislative Data Center in
the Legislative Counsel Bureau.
  SEC. 8.  Section 11550 of the Government Code is amended to read:
   11550.  Effective January 1, 1988, an annual salary of ninety-one
thousand fifty-four dollars ($91,054) shall be paid to each of the
following:
   (a) Director of Finance.
   (b) Secretary of Business, Transportation and Housing.
   (c) Secretary of Resources.
   (d) Secretary of Health and Human Services.
   (e) Secretary of State and Consumer Services.
   (f) Commissioner of the California Highway Patrol.
   (g) Secretary of the Youth and Adult Correctional Agency.
   (h) Secretary of Food and Agriculture.
   (i) Secretary of Technology, Trade, and Commerce.
   (j) Secretary of Veterans Affairs.
   (k) Secretary of Labor and Workforce Development.
   (l) State Chief Information Officer.
   The annual compensation provided by this section shall be
increased in any fiscal year in which a general salary increase is
provided for state employees. The amount of the increase provided by
this section shall be comparable to, but shall not exceed, the
percentage of the general salary increases provided for state
employees during that fiscal year.
  SEC. 9.  Section 12804 of the Government Code is amended to read:
   12804.  The Agriculture and Services Agency is hereby renamed the
State and Consumer Services Agency.
   The State and Consumer Services Agency consists of the following:
the Department of General Services; the Department of Technology
Services; the Department of Consumer Affairs; the Franchise Tax
Board; the Public Employees' Retirement System; the State Teachers'
Retirement System; the Department of Fair Employment and Housing; the
Fair Employment and Housing Commission; the California Science
Center; the California Victim Compensation and Government Claims
Board; the California African-American Museum; the State Building and
Standards Commission; the Alfred E. Alquist Seismic Safety
Commission; and the Office of Information Security and Privacy
Protection.