1798.90.51.
An ALPR operator shall do all of the following:(a) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure. These reasonable security procedures and practices shall include, but not be limited to, an annual audit to review and assess ALPR end-user searches during the previous year to determine if all searches were in compliance with the usage and privacy policy. If the ALPR operator is a public agency other than an airport authority, the audit shall assess whether all ALPR information that does not match information on a hot
list has been purged no more than 30 days from the date of collection. If the ALPR operator is a private corporation or limited liability company which provides an ALPR system to a public agency, the auditing requirements in this section shall apply to the public agency and shall not apply to the private entity providing the ALPR system.
(b) (1) Implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the ALPR operator has an internet website, the usage and privacy policy shall be posted conspicuously on that internet
website.
(2) The usage and privacy policy shall, at a minimum, include all of the following:
(A) The authorized purposes for using the ALPR system and collecting ALPR information.
(B) A description of the job title or other designation of the employees and independent contractors who are authorized to use or access the ALPR system, or to collect ALPR information. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.
(C) A description of how the ALPR system will be monitored to ensure the security of the information and compliance with applicable privacy laws.
(D) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons.
(E) The title of the official custodian, or owner, of the ALPR system responsible for implementing this section.
(F) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.
(G) The length of time ALPR information will be retained, and the process the ALPR operator will utilize to determine if and when to destroy retained ALPR information. If the ALPR operator is a public agency other than an airport authority, the policy shall require ALPR information that does not match information
on a hot list to be purged no more than 30 days after the date of collection.