The Bureau of State Audits (the Bureau) is committed to promoting and protecting the privacy rights of individuals, as enumerated in Article 1 of the California Constitution, the Information Practices Act of 1977, and other state and federal laws.
It is the Bureau’s policy to limit the collection and safeguard the privacy of personal information collected or maintained by the Bureau. The Bureau’s information management practices conform to the requirements of the Information Practices Act (Civil Code section 1798 et seq.), the Public Records Act (Government Code section 6250 et seq.), Government Code sections 11015.5 and 11019.9, and other applicable laws pertaining to information privacy.
The Bureau adheres to the following principles in connection with the collection and management of personal information:
The Bureau collects personal information only as allowed by law. Personal information is defined in the Information Practices Act and includes information that identifies or describes an individual such as an individual’s name, Social Security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. The Bureau limits the collection of personal information to that which is relevant and necessary to accomplish a lawful purpose of the Bureau, as defined at Government Code sections 8543-8548.9 and 8251-8253.6. For example, the Bureau may need to know an individual’s home address, e-mail address, or telephone number, in order to answer the individual’s questions or in order to provide requested assistance. The Bureau also collects personal information from applicants and commenters participating in the selection of Commissioners for the Citizens Redistricting Commission pursuant to the Voters FIRST Act. Those individuals agree to the terms of the privacy notification and waiver provided by the Bureau when they elect to participate.
The Bureau endeavors in each instance to tell people who provide personal information to the Bureau the purpose for which the information is collected. The Bureau strives to tell persons who are asked to provide personal information about the general uses that the Bureau will make of that information. The Bureau does this at the time of collection. With each request for personal information, the Bureau provides information about the authority under which the request is made, the principal uses the Bureau intends to make of the information, and the disclosures the Bureau makes to other government agencies and to the public.
The Bureau provides people who provide personal information with an opportunity to review that information. The Bureau allows individuals who provide personal information to review the information and contest its accuracy or completeness.
The Bureau uses personal information only for specified purposes, or purposes consistent with those specified purposes, unless the Bureau obtains the consent of the subject of the information or the Bureau’s use of the information is otherwise required or permitted by law. The Public Records Act exists to ensure that California government is open and that the public has a right to have access to appropriate records and information possessed by many state and local government agencies. At the same time, there are exceptions to the laws that recognize the public’s right to access public records. These exceptions serve various needs, including maintaining the privacy of individuals. In the event of a conflict between this Policy and the Public Records Act, the Information Practices Act or any other law governing the disclosure of records, the applicable law will control, except when an individual has voluntarily waived his or her privacy rights under that law.
The Bureau uses information security safeguards. Regarding the personal information of individuals collected or maintained by the Bureau, the Bureau takes reasonable precautions to protect such information against loss, unauthorized access, and illegal use or disclosure. The Bureau uses Secure Socket Layer (SSL) encryption software to protect the security of individuals’ personal information during the transmission of such information through the Bureau’s Web sites. Such personal information is stored by the Bureau in secure locations. The Bureau staff is trained on procedures for the management of personal information, including limitations on the release of information. Access to personal information is limited to those members of the Bureau’s staff whose work requires such access. Confidential information is destroyed according to the Bureau’s records retention schedule. The Bureau conducts periodic reviews to ensure that proper information management policies and procedures are understood and followed.