1798.24.
An agency shall not disclose any personal information in a manner that links or reasonably could link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the information pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents, or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and furthers the purpose for which the information was acquired.
(e) To a person, or to another agency if the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use furthers the purpose for which the information was collected and the use or transfer is in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency to another law enforcement or regulatory agency, a use furthers the purpose if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(f) To a governmental entity if required by state or federal law.
(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that cannot identify any individual, and the written assurance includes a statement that the person will not attempt to reidentify the information.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at the individual’s last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or the director’s designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(p) To an adopted person and disclosure is limited to general background information pertaining to the adopted person’s biological parents, if the information does not include or reveal the identity of the biological parents.
(q) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person’s biological parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the biological parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.
(r) To a committee of the Legislature or to a Member of the Legislature, or the Member’s staff if authorized in writing by the Member if the Member has permission to obtain the information from the individual to whom it pertains or if the Member provides reasonable assurance that the Member is acting on behalf of the individual.
(s) (1) To the University of California, a nonprofit educational institution, an established nonprofit research institution performing health or social services research, or the Cradle-to-Career Data System for purposes consistent with the creation and execution of the Cradle-to-Career Data System Act pursuant to Article 2 (commencing with Section 10860) of Chapter 8.5 of Part 7 of Division 1 of Title 1 of the Education Code, or, in the case of education-related data, another nonprofit entity, conducting scientific research, if the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (5) and (6). The approval shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonably anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS shall enter into a written agreement with the Office of Cradle-to-Career Data, as defined in Section 10862 of the Education Code, to assist the managing entity of that office in its role as the institutional review board for the Cradle-to-Career Data System.
(3) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(4) Reasonable costs to the agency associated with the agency’s process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency’s costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(5) (A) The CPHS may enter into written agreements with other entities to enable other institutional review boards or privacy boards to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision are satisfied.
(B) For purposes of this paragraph, “privacy board” means a committee charged with reviewing research requests involving the use of personal information that meets all of the following criteria:
(i) Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights.
(ii) Includes at least one member who is not affiliated with the entity requesting the personal information nor the agency from which the personal information is being requested, and is not related to any person who is affiliated with any such entities.
(iii) Does not have any member participating in a review of any project in which the member has a conflict of interest.
(6) Pursuant to paragraph (5), the CPHS shall enter into a written agreement with the institutional review board established pursuant to former Section 49079.6 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision and the act specified in subdivision (a) of Section 49079.5 of the Education Code are satisfied.
(t) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.
(u) Pursuant to Section 450, 452, 8009, or 18396 of the Financial Code.
(v) For the sole purpose of participation in interstate data sharing of prescription drug monitoring program information pursuant to the California Uniform Controlled Substances Act (Division 10 (commencing with Section 11000) of the Health and Safety Code), if disclosure is limited to prescription drug monitoring program information.
This article does not require the disclosure of personal information to the individual to whom the information pertains if that information may otherwise be withheld as set forth in Section 1798.40.
This section shall become operative on January 1, 2025.