EXECUTIVE ORDER No. 2009 - 18

CHIEF PRIVACY OFFICER
INFORMATION PRIVACY PROTECTION COUNCIL
DEPARTMENT OF INFORMATION TECHNOLOGY

WHEREAS, Section 1 of Article V of the Michigan Constitution of 1963 vests the executive power of the State of Michigan in the Governor;

WHEREAS, under Section 8 of Article V of the Michigan Constitution of 1963, the Governor is responsible for the faithful execution of the laws;

WHEREAS, state and federal law require state agencies to collect, display, retain, destroy, and dispose of records that contain personal identifying information of the residents of this state;

WHEREAS, the collection, display, retention, destruction, and disposal of records containing the personal identifying information of the residents of this state exposes this state and its residents to security risks, including, but not limited to, identity theft and other privacy violations;

WHEREAS, federal privacy law, including, but not limited to, the Privacy Act of 1974, Public Law 93-579, 5 USC 552a; the Right to Financial Privacy Act of 1978, Public Law 95-630, 12 USC 3401; and the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, 42 USC 1320d, imposes restrictions on the collection, display, retention, destruction, and disposal by government agencies of records containing an individual's personal identifying information;

WHEREAS, the Identity Theft Protection Act, 2004 PA 452, MCL 445.72, as amended by 2006 PA 566, requires, among other things, that state departments and agencies that own or license personal information included in a database or that maintain a database of personal information notify residents of this state of the unauthorized access and acquisition of that information if the department or agency determines that the security breach is likely to cause substantial loss or injury, or result in identity theft to that resident;

WHEREAS, this administration is firmly committed to ensuring not only that state government is accountable for the personal information and personal identifying information of the residents of this state for which it is responsible, but that the residents of this state understand the manner in which their personal identifying information is collected, displayed, retained, destroyed, and disposed of by state government and understand their rights when that information is used or accessed without authorization;

WHEREAS, the designation of a Chief Privacy Officer for this state, the designation of an Information Privacy Protection Officer within each principal department of state government, and the creation of an Information Privacy Protection Council will assist the state in its efforts to comply with state and federal privacy laws and to educate the residents of this state on their rights related to these laws;

NOW, THEREFORE, I, Jennifer M. Granholm, Governor of the State of Michigan, by virtue of the power and authority vested in the Governor by the Michigan Constitution of 1963 and Michigan law, order the following:

I. DEFINITIONS

As used in this Order:

A. "Department" means the Department of Information Technology, a principal department of state government created by Executive Order 2001-3, MCL 18.41.

B. "Chief Privacy Officer" means the person designated under Section II of this Order.

C. "Chief Information Security Officer" means the Director of the Office of Enterprise Security within the Department.

D. "Information Privacy Protection Officer" means the person designated under Section III of this Order.

E. "Council" means the Information Privacy Protection Council created under Section IV of this Order.

F. "Personal identifying information" means that term as defined under Section 3 of the Identity Theft Protection Act, 2004 PA 452, MCL 445.63.

G. "Personal information" means that term as defined under Section 3 of the Identity Theft Protection Act, 2004 PA 452, MCL 445.63.

II. CREATION OF THE POSITION OF CHIEF PRIVACY OFFICER

A. The Governor shall designate a person within the executive branch of state government as the Chief Privacy Officer.

B. The Chief Privacy Officer shall be responsible for coordinating programs, activities, and services of all state departments and agencies within the executive branch related to compliance with state and federal privacy laws.

C. The Chief Privacy Officer shall do all of the following:

1. Serve as the Chairperson of the Information Privacy Protection Council created under Section IV of this Order.

2. Serve as this state's primary liaison with state departments and agencies, and the Information Privacy Protection Officers designated under Section III of this Order, on compliance issues with state and federal privacy laws.

3. Provide information, guidance, and technical assistance to state departments and agencies related to compliance with state and federal privacy laws.

4. Identify resources and best practices for compliance with state and federal privacy laws.

5. Facilitate the education and training of state employees and officers on issues relating to compliance with state and federal privacy laws.

6. Provide information to the residents of this state related to compliance by state departments and agencies with state and federal privacy laws.

7. Advise the Governor on issues relating to compliance by state departments and agencies with state and federal privacy laws.

III. DESIGNATION OF INFORMATION PRIVACY PROTECTION OFFICERS

A. The director of each principal department of state government shall designate an Information Privacy Protection Officer as the primary coordinator of departmental compliance with state and federal privacy laws.

B. Each Information Privacy Protection Officer shall cooperate and coordinate efforts with the Chief Privacy Officer.

C. Each Information Privacy Protection Officer shall serve as a member of the Information Privacy Protection Council created under Section IV of this Order.

IV. CREATION OF THE INFORMATION PRIVACY PROTECTION COUNCIL

A. The Information Privacy Protection Council is created as an advisory body within the Department of Information Technology.

B. The Council shall consist of the following members:

1. The Chief Privacy Officer.

2. The Chief Information Security Officer.

3. The Information Privacy Protection Officers of each principal department of state government as designated under Section III of this Order.

C. The Chief Privacy Officer shall serve as the Chairperson of the Council.  The members of the Council shall select members of the Council to serve as Vice-Chairperson and Secretary of the Council.

V. CHARGE TO THE COUNCIL

A. The Council shall act in an advisory capacity to the Governor and shall do all of the following:

1. Review, develop, and recommend policies and procedures to be implemented by state departments and agencies to assure compliance with state and federal privacy laws and the promotion of effective information security and privacy protection.

2. Develop and recommend strategies to enhance awareness, education, and understanding of information security best practices and online measures intended to protect the personal identifiable information of the residents of this state.

3. Identify information security and privacy protection risks within state government and develop and recommend risk mitigation strategies, methods, and procedures to be adopted by state departments and agencies to lessen these risks.

4. Monitor and report compliance by state departments and agencies with state information security and privacy protection policies and procedures.

5. Recommend and coordinate a training program for state employees designed to educate, promote, and advance knowledge of information security and privacy protection policies and procedures.

VI. OPERATIONS OF THE COUNCIL

A. The Council shall be staffed and assisted by personnel from the Department, subject to available funding.  Any budgeting, procurement, or related management functions of the Council shall be performed under the direction and supervision of the Director of the Department.

B. The Council shall adopt procedures consistent with Michigan law and this Order governing its organization and operations.

C. A majority of the members of the Council serving constitutes a quorum for the transaction of the Council's business.  The Council shall act by a majority vote of its serving members.

D. The Council shall meet at the call of the Chairperson and as may be provided in procedures adopted by the Council.

E. The Council may establish advisory workgroups composed of representatives of entities participating in Council activities or other members of the public as deemed necessary by the Council to assist the Council in performing its duties and responsibilities.  The Council may adopt, reject, or modify any recommendations proposed by an advisory workgroup.

F. The Council may, as appropriate, make inquiries, studies, investigations, hold hearings, and receive comments from the public.  The Council may also consult with outside experts in order to perform its duties, including, but not limited to, experts in the private sector, organized labor, government agencies, and at institutions of higher education.

G. Members of the Council shall serve without compensation.  Members of the Council may receive reimbursement for necessary travel and expenses consistent with relevant statutes and the rules and procedures of the Civil Service Commission and the Department of Management and Budget, subject to available funding.

H. The Council may hire or retain contractors, sub-contractors, advisors, consultants, and agents, and may make and enter into contracts necessary or incidental to the exercise of the powers of the Council and the performance of its duties as the Director of the Department deems advisable and necessary, in accordance with this Order, the relevant statutes, and the rules and procedures of the Civil Service Commission and the Department of Management and Budget.

I. The Council may accept donations of labor, services, or other things of value from any public or private agency or person.

J. Members of the Council shall refer all legal, legislative, and media contacts to the Department.

VII. MISCELLANEOUS

A. All departments, committees, commissioners, or officers of this state, or of any political subdivision of this state, shall give to the Council or to any member or representative of the Council, any necessary assistance required by the Council or any member or representative of the Council, in the performance of the duties of the Council so far as is compatible with its, his, or her duties.  Free access shall also be given to any books, records, or documents in its, his, or her custody, relating to matters within the scope of inquiry, study, or review of the Council.

B. This Order shall not abate any suit, action, or other proceeding lawfully commenced by, against, or before any entity affected under this Order.  Any suit, action, or other proceeding may be maintained by, against, or before the appropriate successor of any entity affected under this Order.

C. The invalidity of any portion of this Order shall not affect the validity of the remainder of the Order, which may be given effect without any invalid portion.  Any portion of this Order found invalid by a court or other entity with proper jurisdiction shall be severable from the remaining portions of this Order.

D. This Order is effective upon filing.

Given under my hand and the Great Seal of the State of Michigan this 3rd day of April in the year of our Lord, two thousand nine.
__________________________________________
JENNIFER M. GRANHOLM
GOVERNOR
BY THE GOVERNOR:
__________________________________________
Secretary of State