SB-90 State government: information technology. (2007-2008)

Senate Bill No. 90
CHAPTER 183

An act to repeal Sections 350 and 352 of the Business and Professions Code, and to amend Sections 3513, 3527, 11550, and 12804 of, to add Chapter 5.7 (commencing with Section 11549) to Part 1 of Division 3 of Title 2 of, to add and repeal Chapter 5.6 (commencing with Section 11545) of Part 1 of Division 3 of Title 2 of, and to repeal Section 11545 of, the Government Code, relating to state government.

[ Approved by Governor August 24, 2007. Filed with Secretary of State August 24, 2007. ]

LEGISLATIVE COUNSEL'S DIGEST


SB 90, Committee on Budget and Fiscal Review. State government: information technology.
(1) Under existing law, the duties of the office of the State Chief Information Officer include, but are not limited to, generally providing oversight, advice, and management regarding information technology to the Governor and various agencies within the state.
This bill would additionally require the office of the State Chief Information Officer to, among other things, approve and oversee information technology projects, establish and enforce state information technology strategic plans, policies, standards, and enterprise architecture, and produce an annual strategic plan.
(2) Existing law requires each state agency and department to enact and maintain a permanent privacy policy that includes specified privacy principles, and complies with the Information Practices Act of 1977.
This bill would create the Office of Information Security and Privacy Protection in the State and Consumer Services Agency, to ensure the confidentiality, integrity, and availability of state systems and applications, and to promote and protect consumer privacy to ensure the trust of the residents of the state.
(3) Existing law establishes within the Department of Consumer Affairs an Office of Privacy Protection under the direction of the Director of Consumer Affairs and the Secretary of State and Consumer Services, to protect the privacy of individuals’ personal information. Existing law specifies that these provisions are only operative in years in which there is an appropriation from the General Fund in the Budget Act for these purposes.
This bill would revise this provision to create, until January 1, 2013, in the Office of Information Security and Privacy Protection, the Office of Privacy Protection.
(4) This bill would provide for the transfer of employees of the Office of Technology Review, Oversight, and Security within the Department of Finance to the office of the State Chief Information Officer, the Office of Information Security and Privacy Protection, or the Finance Information Technology Consulting Unit within the Department of Finance, subject to specified conditions.
Vote: MAJORITY | Appropriation: NO | Fiscal Committee: YES | Local Program: NO

The people of the State of California do enact as follows:


SECTION 1.

 Section 350 of the Business and Professions Code is repealed.

SEC. 2.

 Section 352 of the Business and Professions Code is repealed.

SEC. 3.

 Section 3513 of the Government Code is amended to read:

3513.
 As used in this chapter:
(a) “Employee organization” means any organization that includes employees of the state and that has as one of its primary purposes representing these employees in their relations with the state.
(b) “Recognized employee organization” means an employee organization that has been recognized by the state as the exclusive representative of the employees in an appropriate unit.
(c) “State employee” means any civil service employee of the state, and the teaching staff of schools under the jurisdiction of the State Department of Education or the Superintendent of Public Instruction, except managerial employees, confidential employees, supervisory employees, employees of the Department of Personnel Administration, professional employees of the Department of Finance engaged in technical or analytical state budget preparation other than the auditing staff, professional employees in the Personnel/Payroll Services Division of the Controller’s office engaged in technical or analytical duties in support of the state’s personnel and payroll systems other than the training staff, employees of the Legislative Counsel Bureau, employees of the Bureau of State Audits, employees of the office of the Inspector General, employees of the board, conciliators employed by the State Conciliation Service within the Department of Industrial Relations, employees of the Office of the State Chief Information Officer except as otherwise provided in Section 11546.5, and intermittent athletic inspectors who are employees of the State Athletic Commission.
(d) “Mediation” means effort by an impartial third party to assist in reconciling a dispute regarding wages, hours and other terms and conditions of employment between representatives of the public agency and the recognized employee organization or recognized employee organizations through interpretation, suggestion and advice.
(e) “Managerial employee” means any employee having significant responsibilities for formulating or administering agency or departmental policies and programs or administering an agency or department.
(f) “Confidential employee” means any employee who is required to develop or present management positions with respect to employer-employee relations or whose duties normally require access to confidential information contributing significantly to the development of management positions.
(g) “Supervisory employee” means any individual, regardless of the job description or title, having authority, in the interest of the employer, to hire, transfer, suspend, lay off, recall, promote, discharge, assign, reward, or discipline other employees, or responsibility to direct them, or to adjust their grievances, or effectively to recommend this action, if, in connection with the foregoing, the exercise of this authority is not of a merely routine or clerical nature, but requires the use of independent judgment. Employees whose duties are substantially similar to those of their subordinates shall not be considered to be supervisory employees.
(h) “Board” means the Public Employment Relations Board. The Educational Employment Relations Board established pursuant to Section 3541 shall be renamed the Public Employment Relations Board as provided in Section 3540. The powers and duties of the board described in Section 3541.3 shall also apply, as appropriate, to this chapter.
(i) “Maintenance of membership” means that all employees who voluntarily are, or who voluntarily become, members of a recognized employee organization shall remain members of that employee organization in good standing for a period as agreed to by the parties pursuant to a memorandum of understanding, commencing with the effective date of the memorandum of understanding. A maintenance of membership provision shall not apply to any employee who within 30 days prior to the expiration of the memorandum of understanding withdraws from the employee organization by sending a signed withdrawal letter to the employee organization and a copy to the Controller’s office.
(j) “State employer,” or “employer,” for the purposes of bargaining or meeting and conferring in good faith, means the Governor or his or her designated representatives.
(k) “Fair share fee” means the fee deducted by the state employer from the salary or wages of a state employee in an appropriate unit who does not become a member of and financially support the recognized employee organization. The fair share fee shall be used to defray the costs incurred by the recognized employee organization in fulfilling its duty to represent the employees in their employment relations with the state, and shall not exceed the standard initiation fee, membership dues, and general assessments of the recognized employee organization.

SEC. 4.

 Section 3527 of the Government Code is amended to read:

3527.
 As used in this chapter:
(a) “Employee” means a civil service employee of the State of California. The “State of California” as used in this chapter includes such state agencies, boards, and commissions as may be designated by law that employ civil service employees, except the University of California, Hastings College of the Law, and the California State University.
(b) “Excluded employee,” means all managerial employees, as defined in subdivision (e) of Section 3513, all confidential employees, as defined in subdivision (f) of Section 3513, and all supervisory employees, as defined in subdivision (g) of Section 3513, and all civil service employees of the Department of Personnel Administration, professional employees of the Department of Finance engaged in technical or analytical state budget preparation other than the auditing staff, professional employees in the Personnel/Payroll Services Division of the Controller’s office engaged in technical or analytical duties in support of the state’s personnel and payroll systems other than the training staff, employees of the Legislative Counsel Bureau, employees of the Bureau of State Audits, employees of the Public Employment Relations Board, conciliators employed by the State Conciliation Service within the Department of Industrial Relations, employees of the office of the State Chief Information Officer except as provided in Section 11546.5, and intermittent athletic inspectors who are employees of the State Athletic Commission.
(c) “Supervisory employee organization” means an organization that represents members who are supervisory employees under subdivision (g) of Section 3513.
(d) “Excluded employee organization” means an organization that includes excluded employees of the state, as defined in subdivision (b), and that has as one of its primary purposes representing its members in employer-employee relations. Excluded employee organization includes supervisory employee organizations.
(e) “State employer” or “employer,” for purposes of meeting and conferring on matters relating to supervisory employer-employee relations, means the Governor or his or her designated representatives.

SEC. 5.

 Section 11545 of the Government Code is repealed.

SEC. 6.

 Chapter 5.6 (commencing with Section 11545) is added to Part 1 of Division 3 of Title 2 of the Government Code, to read:
CHAPTER 5.6. Office of the State Chief Information Officer

11545.
 (a) There is in state government the office of the State Chief Information Officer. The State Chief Information Officer shall be appointed by, and serve at the pleasure of, the Governor, subject to Senate confirmation. The State Chief Information Officer shall be a member of the Governor’s cabinet.
(b) The duties of the State Chief Information Officer shall include, but are not limited to, all of the following:
(1) Advising the Governor on the strategic management and direction of the state’s information technology resources.
(2) Establishing and enforcing state information technology strategic plans, policies, standards, and enterprise architecture. This shall include the periodic review and maintenance of the information technology sections of the State Administrative Manual, except for sections on information technology procurement, information security, and information technology fiscal policy. The State Chief Information Officer shall consult with the Director of General Services, the Director of the Office of Information Security and Privacy Protection, the Director of Finance, and other relevant agencies concerning policies and standards these agencies are responsible to issue as they relate to information technology.
(3) Minimizing overlap, redundancy, and cost in state operations by promoting the efficient and effective use of information technology.
(4) Coordinating the activities of agency and department chief information officers and the Director of Technology Services for purposes of integrating statewide technology initiatives, ensuring compliance with information technology policies and standards, including policies and standards issued by the Department of General Services and the Office of Information Security and Privacy Protection, and promoting alignment and effective management of information technology resources.
(5) Working to improve organizational maturity and capacity in the effective management of information technology.
(6) Establishing performance management and improvement processes to ensure state information technology systems and services are efficient and effective.
(7) Approving, suspending, terminating, and reinstating information technology projects.
(c) The office of the State Chief Information Officer shall produce an annual information technology strategic plan that shall guide the acquisition, management, and use of information technology. State agencies shall cooperate with the office in the development of this plan, as required by the State Chief Information Officer.
(1) Upon establishment of the information technology strategic plan, the State Chief Information Officer shall take all appropriate and necessary steps to implement the plan, subject to any modifications and adjustments deemed necessary and reasonable.
(2) The information technology strategic plan shall be submitted to the Joint Legislative Budget Committee by January 15, 2009, and annually thereafter.

11546.
 (a) The office of the State Chief Information Officer shall be responsible for the approval and oversight of information technology projects, which shall include, but are not limited to, all of the following:
(1) Establishing and maintaining a framework of policies, procedures, and requirements for the initiation, approval, implementation, management, oversight, and continuation of information technology projects.
(2) Evaluating information technology projects based on the business case justification, resources requirements, proposed technical solution, project management, oversight and risk mitigation approach, and compliance with statewide strategies, policies, and procedures. Projects shall continue to be funded through the established Budget Act process.
(3) Consulting with agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs, clearly identify programmatic benefits, and consider feasible alternatives to address the identified needs and benefits consistent with statewide strategies, policies, and procedures.
(4) Consulting with agencies prior to project initiation to review the project governance and management framework to ensure that it is best designed for success and will serve as a resource for agencies throughout the project implementation.
(5) Requiring agencies to provide information on information technology projects including, but not limited to, all of the following:
(A) The degree to which the project is within approved scope, cost, and schedule.
(B) Project issues, risks, and corresponding mitigation efforts.
(C) The current estimated schedule and costs for project completion.
(6) Requiring agencies to perform remedial measures to achieve compliance with approved project objectives. These remedial measures may include, but are not limited to, any of the following:
(A) Independent assessments of project activities, the cost of which shall be funded by the agency administering the project.
(B) Establishing remediation plans.
(C) Securing appropriate expertise, the cost of which shall be funded by the agency administering the project.
(D) Requiring additional project reporting.
(E) Requiring approval to initiate any action identified in the approved project schedule.
(7) Suspending, reinstating, or terminating information technology projects. The office shall notify the Joint Legislative Budget Committee of any project suspension, reinstatement, and termination within 30 days of that suspension, reinstatement, or termination.
(8) Establishing restrictions or other controls to mitigate nonperformance by agencies, including, but not limited to, any of the following:
(A) The restriction of future project approvals pending demonstration of successful correction of the identified performance failure.
(B) The revocation or reduction of delegated authority.
(b) The office of the State Chief Information Officer shall have the authority to delegate to another agency any authority granted under this section based on its assessment of the agency’s project management, project oversight, and project performance.

11546.5.
 (a) Employees of the Office of Technology Review, Oversight, and Security within the Department of Finance shall be transferred to the office of the State Chief Information Officer, the Office of Information Security and Privacy Protection, or the Finance Information Technology Consulting Unit within the Department of Finance.
(b) Notwithstanding Section 19050.9, the Director of Finance shall have final approval over which persons serving in the Department of Finance Office of Technology Review, Oversight, and Security as of the effective date of this chapter are transferred to the office of the State Chief Information Officer, the Office of Information Security and Privacy Protection, and the Finance Information Technology Consulting Unit. The status, position, and rights of those persons transferring and those persons remaining within the Department of Finance shall be retained by them pursuant to Section 19050.9 and the State Civil Service Act (Part 2 (commencing with Section 18500) of Division 5).
(c) All relevant records and papers held for the benefit and use of the former Department of Information Technology in the performance of its statutory duties, powers, purposes, and responsibilities, and of the Office of Technology Review, Oversight, and Security within the Department of Finance in the performance of its statutory duties, powers, purposes, and responsibilities, except for records and papers with respect to information security, shall be transferred to the office of the State Chief Information Officer.
(d) Notwithstanding any other provision of law, all employees of the office of the State Chief Information Officer shall be designated as excluded from collective bargaining pursuant to subdivision (b) of Section 3527.
(e) Notwithstanding any other provision of law, the Director of Finance may enter into contractual agreements on behalf of the office of the State Chief Information Officer until the State Chief Information Officer is appointed by the Governor, but not later than June 30, 2008, whichever occurs first.

11547.
 The Department of Finance shall perform fiscal oversight of the state’s information technology projects. This oversight shall consist of a determination of the availability of project funding from appropriate sources, and project consistency with state fiscal policy. Projects shall continue to be funded through the established Budget Act process.

11548.
 This chapter shall not apply to the State Compensation Insurance Fund, the Legislature, or the Legislative Data Center in the Legislative Counsel Bureau.

11548.5.
 This chapter shall remain in effect only until January 1, 2013, and as of that date is repealed, unless a later enacted statute, that is enacted before January 1, 2013, deletes or extends that date.

SEC. 7.

 Chapter 5.7 (commencing with Section 11549) is added to Part 1 of Division 3 of Title 2 of the Government Code, to read:
CHAPTER 5.7. Office of Information Security and Privacy Protection

11549.
 (a) There is in state government, in the State and Consumer Services Agency, the Office of Information Security and Privacy Protection. The purpose of the office is to ensure the confidentiality, integrity, and availability of state systems and applications, and to promote and protect consumer privacy to ensure the trust of the residents of this state.
(b) The office shall be under the direction of an executive officer, who shall be appointed by, and serve at the pleasure of, the Governor. The executive officer shall report to the Secretary of State and Consumer Services, and shall lead the office in carrying out its mission.
(c) The duties of the office, under the direction of the executive officer, shall include, but are not limited to, all of the following:
(1) Provide direction for information security and privacy to state government agencies, departments, and offices, pursuant to Section 11549.3.
(2) Administer constituent programs and the Office of Privacy Protection pursuant to Section 11549.5.

11549.1.
 As used in this chapter, the following terms have the following meanings:
(a) “Executive officer” means the executive officer of the Office of Information Security and Privacy Protection.
(b) “Office” means the Office of Information Security and Privacy Protection.
(c) “Program” means an information security program established pursuant to Section 11549.3.

11549.2.
 (a) (1) Employees assigned to the security unit of the Office of Technology Review, Oversight, and Security within the Department of Finance, and the employees of the Office of Privacy Protection within the Department of Consumer Affairs are transferred to the office, within the State and Consumer Services Agency.
(2) The status, position, and rights of any employee transferred pursuant to this section shall not be affected by the transfer.

11549.3.
 (a) The executive officer shall establish an information security program. The program responsibilities include, but are not limited to, all of the following:
(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for all of the following:
(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the office.
(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.
(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each agency’s operational recovery plan.
(5) Coordination of the activities of agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.
(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.
(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.
(b) (1) Every state agency, department, and office shall comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the Office of Information Security and Privacy Protection.
(2) Every state agency, department, and office shall comply with filing requirements and incident notification by providing timely information and reports as required by policy or directives of the office.
(3) The office may conduct, or require to be conducted, independent security assessments of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed.
(4) The office may require an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited.
(5) The office shall report to the office of the State Chief Information Officer any state agency found to be noncompliant with information security program requirements.

11549.4.
 The office shall consult with the State Chief Information Officer, the Office of Emergency Services, the Director of General Services, the Director of Finance, and any other relevant agencies concerning policies, standards, and procedures related to information security and privacy.

11549.5.
 (a) There is hereby created in the office the Office of Privacy Protection. The purpose of the Office of Privacy Protection shall be to protect the privacy of individuals’ personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating the development of fair information practices in adherence with the Information Practices Act of 1977 (Chapter 1 (commencing with Section 1798) of Title 1.8 of Part 4 of Division 3 of the Civil Code).
(b) The Office of Privacy Protection shall inform the public of potential options for protecting the privacy of, and avoiding the misuse of, personal information.
(c) The Office of Privacy Protection shall make recommendations to organizations for privacy policies and practices that promote and protect the interests of the consumers of this state.
(d) The Office of Privacy Protection may promote voluntary and mutually agreed upon nonbinding arbitration and mediation of privacy-related disputes where appropriate.
(e) The Office of Privacy Protection shall do all of the following:
(1) Receive complaints from individuals concerning any person obtaining, compiling, maintaining, using, disclosing, or disposing of personal information in a manner that may be potentially unlawful or violate a stated privacy policy relating to that individual, and provide advice, information, and referral, where available.
(2) Provide information to consumers on effective ways of handling complaints that involve violations of privacy-related laws, including identity theft and identity fraud. If appropriate local, state, or federal agencies are available to assist consumers with those complaints, the office shall refer those complaints to those agencies.
(3) Develop information and educational programs and materials to foster public understanding and recognition of the purposes of this article.
(4) Investigate and assist in the prosecution of identity theft and other privacy-related crimes, and, as necessary, coordinate with local, state, and federal law enforcement agencies in the investigation of similar crimes.
(5) Assist and coordinate in the training of local, state, and federal law enforcement agencies regarding identity theft and other privacy-related crimes, as appropriate.
(6) The authority of the Office of Privacy Protection to adopt regulations under this article shall be limited exclusively to those regulations necessary and appropriate to implement subdivisions (b), (c), (d), and (e).

11549.6.
 This chapter shall not apply to the State Compensation Insurance Fund, the Legislature, or the Legislative Data Center in the Legislative Counsel Bureau.

SEC. 8.

 Section 11550 of the Government Code is amended to read:

11550.
 Effective January 1, 1988, an annual salary of ninety-one thousand fifty-four dollars ($91,054) shall be paid to each of the following:
(a) Director of Finance.
(b) Secretary of Business, Transportation and Housing.
(c) Secretary of Resources.
(d) Secretary of Health and Human Services.
(e) Secretary of State and Consumer Services.
(f) Commissioner of the California Highway Patrol.
(g) Secretary of the Youth and Adult Correctional Agency.
(h) Secretary of Food and Agriculture.
(i) Secretary of Technology, Trade, and Commerce.
(j) Secretary of Veterans Affairs.
(k) Secretary of Labor and Workforce Development.
(l) State Chief Information Officer.
The annual compensation provided by this section shall be increased in any fiscal year in which a general salary increase is provided for state employees. The amount of the increase provided by this section shall be comparable to, but shall not exceed, the percentage of the general salary increases provided for state employees during that fiscal year.

SEC. 9.

 Section 12804 of the Government Code is amended to read:

12804.
 The Agriculture and Services Agency is hereby renamed the State and Consumer Services Agency.
The State and Consumer Services Agency consists of the following: the Department of General Services; the Department of Technology Services; the Department of Consumer Affairs; the Franchise Tax Board; the Public Employees’ Retirement System; the State Teachers’ Retirement System; the Department of Fair Employment and Housing; the Fair Employment and Housing Commission; the California Science Center; the California Victim Compensation and Government Claims Board; the California African-American Museum; the State Building and Standards Commission; the Alfred E. Alquist Seismic Safety Commission; and the Office of Information Security and Privacy Protection.