City of Bountiful Data Privacy Policy


Effective Date: 4/2/2025
Last Updated: 4/2/2025

  1. Introduction

The City of Bountiful is committed to safeguarding the personal data of its residents, employees, and stakeholders. This policy outlines our practices for collecting, processing, storing, and sharing personal data in compliance with the Utah Government Data Privacy Act (GDPA) and other applicable laws.

  1. Definitions
  • Personal Data: Information linked or reasonably linkable to an identified or identifiable individual.
  • Processing: Any operation performed on personal data, including collection, recording, storage, use, disclosure, and deletion.
  • Data Breach: Unauthorized access, acquisition, disclosure, or destruction of personal data.
  • Data Subject: The individual to whom the personal data pertains.
  1. Scope

This policy applies to all personal data collected, processed, stored, or shared by the City of Bountiful and its departments, agencies, contractors, and third-party service providers.

  1. Data Collection
  • Purpose Limitation: Personal data shall be collected only for specified, lawful purposes and processed in a manner compatible with those purposes.
  • Data Minimization: Only the minimum amount of personal data necessary to achieve the specified purpose shall be collected.
  • Personal Data Request Notice: At the time of data collection, individuals will be informed about:
    • The reasons for data collection.
    • Intended uses of the data.
    • Consequences of refusing to provide the data.
    • Entities with whom the data may be shared.
    • The record series in which the data will be included.
  1. Data Processing
  • Lawful Basis: Personal data shall be processed only when there is a lawful basis, such as consent, legal obligation, or public interest.
  • Data Quality: Efforts will be made to ensure personal data is accurate, complete, and up-to-date.
  • Use Limitation: Personal data shall be used only for the purposes specified at the time of collection, unless further use is authorized by law.
  1. Data Sharing and Disclosure
  • Third-Party Sharing: Personal data shall not be shared with third parties unless permitted by law or with the explicit consent of the data subject.
  • Sale of Personal Data: The City shall not sell personal data unless expressly required by law.
  • Undisclosed Surveillance: The City shall not establish, maintain, or use undisclosed or covert surveillance unless permitted by law.
  1. Data Subject Rights
  • Access: Individuals have the right to request access to their personal data held by the City.
  • Correction: Individuals may request correction of inaccurate or incomplete personal data.
  • Deletion: Individuals may request deletion of their personal data, subject to legal or operational requirements.
  • Procedure for Requests: The City shall provide a procedure for individuals to request access, correction, or deletion of their personal data.
  1. Data Security
  • Safeguards: Appropriate technical and organizational measures shall be implemented to protect personal data against unauthorized access, disclosure, alteration, or destruction.
  • Training: Employees with access to personal data are required to complete data privacy training within 30 days of employment and annually thereafter.
  1. Data Retention and Disposal
  • Retention Schedule: Personal data shall be retained and disposed of in accordance with a documented record retention schedule.

Compliance: Retention and disposal practices shall comply with applicable laws and regulations

10. Data Breach Notification

  • Internal Reporting: All data breaches must be reported immediately to the designated Data Protection Officer.
  • External Notification: If a data breach affects 500 or more individuals, the City shall notify the Utah Cyber Center and the Attorney General's Office without unreasonable delay, but no later than five days from discovery.
  • Individual Notification: Affected individuals shall be notified without unreasonable delay, including details about the breach and recommended protective measures.

11. Responsibilities

  • Data Protection Officer: Oversees compliance with data privacy laws and this policy.
  • Employees: Responsible for adhering to this policy and completing required training.
  • Contractors: Must comply with this policy and applicable data privacy laws when processing personal data on behalf of the City.

 12. Policy Review and Updates

This policy shall be reviewed annually and updated as necessary to reflect changes in laws, regulations, or city operations. Significant updates will be communicated to residents via the City’s official website and other appropriate channels.

 13. Contact Information

For questions or concerns regarding this policy or data privacy practices, please contact:

Data Protection Officer
Galen Rasmussen, Assistant City Manager
GalenR@Bountiful.gov
801-298-6117
Bountiful City, 795 South Main, Bountiful, UT 84010

By implementing this policy, the City of Bountiful demonstrates its commitment to protecting personal data and complying with the Utah Government Data Privacy Act found at U.C.A. 63A-19.