Information Practices Act

Civil Code Division 3, Part 4, Title 1.8 deals with personal data. Chapter 1 contains the Information Practices Act of 1977. Article 5 provides agency requirements.

Section 1798.14 requires each agency to maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government.

Section 1798.15 requires each agency to collect personal information to the greatest extent practicable directly from the individual who is the subject of the information rather than from another source.

Section 1798.16 explains that, whenever an agency collects personal information, the agency is required to maintain the source or sources of the information, unless the source is the data subject or he or she has received a copy of the source document, including the name of any source who is an individual acting in his or her own private or individual capacity.

Section 1798.17 requires each agency to provide on or with any form used to collect personal information from individuals the notice specified in this section. When contact with the individual is of a regularly recurring nature, an initial notice followed by a periodic notice of not more than one-year intervals shall satisfy this requirement.

This requirement is also satisfied by notification to individuals of the availability of the notice in annual tax-related pamphlets or booklets provided for them. The notice must contain eight specified items. This section does not apply to any enforcement document issued by an employee of a law enforcement agency in the performance of his or her duties wherein the violator is provided an exact copy of the document, or to accident reports whereby the parties of interest may obtain a copy of the report.

Section 1798.18 requires each agency to maintain all records, to the maximum extent possible, with accuracy, relevance, timeliness, and completeness.

Section 1798.19 requires each agency, when it provides by contract for the operation or maintenance of records containing personal information to accomplish an agency function, to cause the requirements of this chapter to be applied to those records.

Section 1798.20 requires each agency to establish rules of conduct for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information and instruct each person with respect to the rules and the requirements of this chapter.

Section 1798.21 requires each agency to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with the provisions of this chapter, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to their security or integrity which could result in any injury.

Section 1798.22 requires each agency to designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.

Section 1798.23 requires the DOJ to review all personal information in its possession every five years to determine whether it should continue to be exempt from access.