CSHB 394(STA): "An Act relating to the data processing and telecommunications activities of the state; relating to the security of certain data processing records of the executive branch and making the Department of Administration responsible for the security of those records; and making the commissioner of administration the chief information officer."

CS FOR HOUSE BILL NO. 394(STA)

"An Act relating to the data processing and telecommunications activities of the state; relating to the security of certain data processing records of the executive branch and making the Department of Administration responsible for the security of those records; and making the commissioner of administration the chief information officer."

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:

* Section 1. AS 40.21.030(b) is amended to read:

(b) In order to carry out the records management program, the state archivist shall

(1) analyze, develop, and coordinate the standards and procedures for record making and current record keeping;

(2) ensure the maintenance and security of records, subject to AS 44.21.165;

(3) initiate action to recover state records removed without authorization;

(4) establish and operate state records centers for the purposes of accepting, servicing, storing, and protecting state records that must be preserved for varying periods of time but that [WHICH] are not needed for the transaction of current business;

(5) transfer records considered to have permanent value to the state archives;

(6) institute and maintain a training and information program in all phases of the management of current records for all state agencies, subject to AS 44.21.165;

(7) make continuing surveys of paperwork operations and recommend improvements in current records management practices, including the use of space, equipment, and supplies;

(8) initiate programs for improving the management of correspondence, forms, reports, and directives as integral parts of the overall records management program;

(9) provide centralized microfilm service for state agencies as determined to be necessary by the department;

(10) establish standards for the preparation of records retention schedules providing for the retention of state records of permanent value and for the prompt and orderly disposition of state records no longer possessing administrative, legal, or historical value to warrant their retention;

(11) receive records retention schedules from the agencies and submit them to the attorney general for review and approval;

(12) obtain from agencies reports that are required for the administration of the program.

* Sec. 2. AS 40.21.060 is amended to read:

Sec. 40.21.060. Duties of chief executive officers of state agencies. Subject to AS 44.21.165, the [THE] chief executive officer of each state agency shall

(1) make and preserve public records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency, and designed to furnish the information necessary to protect the legal and financial rights of the state and of persons directly affected by the agency's activities;

(2) establish and maintain an active, continuing program for the efficient management of the records of the agency under the procedures prescribed by the department, including effective controls over the creation, maintenance, and use of records in the conduct of current business;

(3) submit to the department, in accordance with the standards established by it, records retention schedules proposing the length of time that [WHICH] records having administrative, legal, or historical value shall be retained;

(4) apply the provisions of approved records retention schedules to ensure the orderly disposition of state records including transfer to a state records center;

(5) identify, segregate, and protect records vital to the continuing operation of an agency in the event of natural, man-made, or war-caused disaster;

(6) cooperate with the department in conducting surveys made by it under the provisions of this chapter;

(7) establish safeguards against unauthorized or unlawful removal or loss of state records;

(8) comply with the regulations, standards, and procedures relating to records management and archives established by the department;

(9) appoint a records officer who shall act as a liaison between the department and the agency on all matters relating to the records management program.

* Sec. 3. AS 44.21.010 is amended by adding a new subsection to read:

(b) The commissioner of administration is the chief information officer in the executive branch of the state. The chief information officer carries out the duties and powers of the commissioner of administration and the Department of Administration under AS 44.21.150 - 44.21.170 and 44.21.305 - 44.21.330.

* Sec. 4. AS 44.21 is amended by adding a new section to read:

Sec. 44.21.165. Security of records.

(a) As the department responsible for the operation and management of automatic data processing resources and activities of the executive branch under AS 44.21.150, the department is the state agency responsible for ensuring the security of the nonarchived records produced or maintained by the automatic data processing resources and activities of state agencies through the development and adoption of standards, policies, and procedures.

(b) The department shall

(1) develop, implement, and maintain policies to ensure that data processing records are secure from unlawful release;

(2) define the responsibilities for the security of the data processing records of each state agency, communicate the responsibilities to the state agency, and coordinate the responsibilities among state agencies; and

(3) establish procedures for maintaining the security of the data processing records and provide training for state agency personnel to implement the procedures.

(c) The state information systems plan adopted by the commissioner must satisfy the security requirements of this section.

(d) The department shall adopt regulations to implement this section.

(e) On or before January 1 every two years, the department shall submit to the legislature a report that evaluates, for the two years since the period covered by the previous report under this subsection, the effectiveness of the department's implementation of this section in maintaining the security of data processing records.

(f) In this section,

(1) "data processing records" means the records that are produced or maintained by the automatic data processing resources and activities of a state agency and that are not being held by the Alaska State Archives;

(2) "records" includes personally identifiable information in a record;

(3) "state agency" means an agency of the executive branch.