The California State Auditor (state auditor) is committed to promoting and protecting the privacy rights of individuals, as enumerated in Article 1 of the California Constitution, the Information Practices Act of 1977, and other state and federal laws.
It is the state auditor's policy to limit the collection and safeguard the privacy of personal information collected or maintained by the state auditor. The state auditor's information management practices conform to the requirements of the Information Practices Act (Civil Code section 1798 et seq.), the Public Records Act (Government Code section 6250 et seq.), Government Code sections 11015.5 and 11019.9, and other applicable laws pertaining to information privacy.
The state auditor adheres to the following principles in connection with the collection and management of personal information:
The state auditor collects personal information only as allowed by law. Personal information is defined in the Information Practices Act and includes information that identifies or describes an individual, such as an individual's name, Social Security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. The state auditor limits the collection of personal information to that which is relevant and necessary to accomplish a lawful purpose of the state auditor, as defined at Government Code sections 8543-8548.9 and 8251-8253.6. For example, the state auditor may need to know an individual's home address, e-mail address, or telephone number, in order to answer the individual's questions or in order to provide requested assistance. The state auditor also collects personal information from applicants and commenters participating in the selection of Commissioners for the Citizens Redistricting Commission pursuant to the Voters FIRST Act. Those individuals agree to the terms of the privacy notification and waiver provided by the state auditor when they elect to participate.
The state auditor endeavors in each instance to tell people who provide personal information to the state auditor the purpose for which the information is collected. The state auditor strives to tell persons who are asked to provide personal information about the general uses that the state auditor will make of that information. The state auditor does this at the time of collection. With each request for personal information, the state auditor provides information about the authority under which the request is made, the principal uses the state auditor intends to make of the information, and the disclosures the state auditor makes to other government agencies and to the public.
The state auditor provides people who provide personal information with an opportunity to review that information. The state auditor allows individuals who provide personal information to review the information and contest its accuracy or completeness.
The state auditor uses personal information only for specified purposes, or purposes consistent with those specified purposes, unless the state auditor obtains the consent of the subject of the information or the state auditor's use of the information is otherwise required or permitted by law. The Public Records Act exists to ensure that California government is open and that the public has a right to have access to appropriate records and information possessed by many state and local government agencies. At the same time, there are exceptions to the laws that recognize the public's right to access public records. These exceptions serve various needs, including maintaining the privacy of individuals. In the event of a conflict between this Policy and the Public Records Act, the Information Practices Act or any other law governing the disclosure of records, the applicable law will control, except when an individual has voluntarily waived his or her privacy rights under that law.
The state auditor uses information security safeguards. Regarding the personal information of individuals collected or maintained by the state auditor, the state auditor takes reasonable precautions to protect such information against loss, unauthorized access, and illegal use or disclosure. The state auditor uses Secure Sockets Layer (SSL) encryption software to protect the security of individuals' personal information during the transmission of such information through the state auditor's Web sites. Such personal information is stored by the state auditor in secure locations. The state auditor's staff is trained on procedures for the management of personal information, including limitations on the release of information. Access to personal information is limited to those members of the state auditor's staff whose work requires such access. Confidential information is destroyed according to the state auditor's records retention schedule. The state auditor conducts periodic reviews to ensure that proper information management policies and procedures are understood and followed.