AN ACT TO REORGANIZE THE INFORMATION TECHNOLOGY FUNCTION OF THE COMMONWEALTH TO IMPROVE DATA SECURITY, SAFEGUARD PRIVACY, AND PROMOTE BETTER SERVICE DELIVERY
Whereas, The use of modern, cost-effective technologies is essential to ensure optimal delivery of public services to the citizens of the commonwealth within the framework of a fiscally responsible budget, in a manner that is reliably and demonstrably secure and provides greater public accountability;
Whereas, Effectively ensuring data security and protecting the privacy of citizens’ data requires a commonwealth-wide strategy, first-class talent, best-in-class technologies, and a modern, dynamic organizational structure;
Whereas, Deep subject matter expertise resides in commonwealth agencies and secretariats, making it crucial that the organizational structure envisioned by this legislation respect and preserve the proper role of agencies and secretariats in managing the aspects of the application layer that relate to the day-to-day operations of the commonwealth’s core programs and services;
Be it approved pursuant to Article LXXXVII of the Amendments to the Constitution, and by the authority of the same, as follows:
SECTION 1. Section 2 of chapter 6A of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by striking out, in line 5, the words “transportation and public works” and inserting in place thereof the following words:- technology services and security, and transportation and public works.
SECTION 2. Said chapter 6A, as so appearing, is hereby amended by striking out section 7A and inserting in place thereof the following section:-
Section 7A. The executive office of technology services and security is the commonwealth’s lead information technology organization. Each executive office may perform activities concerning information technology for the executive office and its constituent agencies only to the extent such activities are approved by the executive office of technology services and security. Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, the executive office of technology services and security, upon written notice to the affected executive office or agency, may direct the transfer of any information technology resources, including, without limitation, hardware, software, services, personnel, contracts and infrastructure related to information technology, from any executive office or any agency within any executive office to the executive office of technology services and security.
SECTION 3. Subsection (c) of section 14A of said chapter 6A, as so appearing, is hereby amended by striking out subparagraph (8) and inserting in place thereof the following subparagraph:-
(8) subject to the oversight of the executive office of technology services and security, assemble all resources necessary to implement a longitudinal data system to coordinate the collection and analysis of educational data from prekindergarten programs through higher education and oversee the departments’ compliance with all standards and policies of the executive office of technology services and security.
SECTION 4. Section 5 of chapter 6C of the General Laws, as so appearing, is hereby amended by striking out, in lines 12 and 13, the words “information technology, legal, procurement, and asset management” and inserting in place thereof the following words:- legal, procurement, asset management, and, subject to the approval of the executive office of technology services and security, information technology.
SECTION 5. Said section 5 of said chapter 6C, as so appearing, is hereby further amended by striking out subsection (c).
SECTION 6. Section 12 of said chapter 6C, as so appearing, is hereby amended by inserting, in line 1, after the word “shall” the following words:- , subject to the approval and oversight of the executive office of technology services and security,.
SECTION 7. Section 4A of chapter 7 of the General Laws, as so appearing, is hereby amended by striking out, in lines 4 to 6, inclusive, the words “the Massachusetts office of information technology, which shall be headed by a chief information officer as provided in chapter 7D,”.
SECTION 8. Section 1 of chapter 7D of the General Laws, as so appearing, is hereby amended by striking out, in line 5, the words “Massachusetts office of information technology” and inserting in place thereof the following word:- commonwealth.
SECTION 9. Said section 1 of said chapter 7D, as so appearing, is hereby further amended by striking out the definition of the word “Director”.
SECTION 10. Said section 1 of said chapter 7D, is hereby further amended by striking out, in line 19, the definition of “Office” and inserting in place thereof the following definition:- “Office”, the executive office of technology services and security.
SECTION 11. Said section 1 of said chapter 7D, is hereby further amended by inserting the following definition: “Secretariat chief information officer” or “SCIO”, the person responsible for technology services, security and information technology in each executive office other than the executive office of technology services and security, who reports to both the secretary of technology services and security and the secretary of the executive office for whose technology services the SCIO is responsible.
SECTION 12. Said chapter 7D is hereby further amended by striking out section 2 and inserting in place thereof the following section:-
Section 2. There shall be an executive office of technology services and security that will be an executive office within the meaning of section 2 of chapter 6A. The office shall be administered by a secretary who shall be appointed by the governor and who shall supervise all activities concerning information technology of state agencies. The Governor may designate the secretary of the executive office of technology services and security as the chief information officer for the commonwealth. If the Governor does not designate the secretary as the chief information officer, the secretary shall, notwithstanding section 45 of chapter 30 and chapter 31, subject to the approval of the governor, appoint a chief information officer who shall report to the secretary and serve at the pleasure of the secretary. Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.
SECTION 13. Said chapter 7D is hereby further amended by striking out section 3 and inserting in place thereof the following section:-
Section 3. (a) The office shall have all powers necessary or convenient to carry out its duties including, but not limited to, the power to:
(i) establish bureaus and other functional units within the office and hire employees;
(ii) as needed, require the consolidation of IT functions into a centralized service delivery model as determined by the executive office of technology services and security;
(iii) oversee, coordinate with and provide assistance, advice, and expertise in connection with business relationships between state agencies and private sector providers of information technology;
(iv) eliminate, where appropriate, duplication of duties and functions among IT personnel within state agencies;
(v) monitor trends and advances in information technology resources;
(vi) oversee and supervise the maintenance of information technology and the initiation of information technology updates or projects for state agencies;
(vii) initiate procurements of information technology resources for state agencies and enter into agreements or contracts in connection with such procurement on behalf of a state agency or other political subdivision of the commonwealth;
(viii) set policy regarding all procurements of information technology resources;
(ix) review and approve the information technology budget requests of a state agency and IT spending priorities of executive offices and agencies within any executive office;
(x) implement standards for product or service specifications, characteristics or performance requirements of IT resources that increase efficiency and improve security and identify opportunities for cost savings within state agencies based on such standardization; specifically, the office may implement the following: (a) the centralized acquisition and standardization of specifications for desktop computing equipment; (b) consolidation and centralized management of all network resources for the executive department; (c) the consolidation of information technology infrastructure; and (d) following consultation with the secretary of the executive office and the head of the agency or department within the executive offices, effectuate the centralization of other IT services and functions when centralization or standardization will promote greater security, improve service, or reduce costs;
(xi) establish special requirements for vendors of IT services to state agencies; and
(xii) adapt standards as necessary for individual agencies to comply with federal law.
(b) The office may issue administrative directives pursuant to the authority set forth in this chapter, which shall be binding on all executive department agencies and offices.
SECTION 14. Said chapter 7D is hereby further amended by striking out section 4 and inserting in place thereof the following section:-
Section 4. The secretary shall, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as an enterprise chief information security officer (CISO) for the commonwealth who shall serve at the pleasure of the secretary. The CISO shall advise the secretary and the CIO on preventing data loss and fraud and protecting privacy. The CISO shall ensure all existing IT policies applicable to executive offices and agencies reflect best practices related to security and privacy.
SECTION 15. Said chapter 7D is hereby amended by inserting after section 4 the following three sections:-
Section 4A. The secretary may, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as the chief data officer for the commonwealth, who shall serve at the pleasure of the secretary. Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, the chief data officer shall develop administrative directives to govern the use, storage, collection, and dissemination of data assets for the executive department, and shall develop procedures for facilitating, where appropriate, resolution of disputes between or among agencies, departments, and executive offices regarding the use and sharing of data. The chief data officer shall have the role of promoting and facilitating, subject to all applicable federal and state laws, rules, and regulation, the sharing and use of data assets of the commonwealth in support of data-driven policymaking, research, analysis, study, or economic development.
Section 4B. The secretary may, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as commonwealth chief privacy officer, who shall serve at the pleasure of the secretary. The chief privacy officer shall promote privacy and security in the use and dissemination of sensitive data, and shall serve as an ombudsperson to effectuate resolution of concerns regarding privacy and security in the use of data.
Section 4C. The secretary may, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as chief digital officer, who shall serve at the pleasure of the secretary. The chief digital officer is directed to lead an effort to improve the public facing web presence and related services for executive department offices and agencies.
SECTION 16. Section 5 of said chapter 7D, as so appearing, is hereby amended, by striking out, in line 8, the words “The office shall also” and inserting in place thereof the following words:- Subject to sufficient appropriation, the office shall.
SECTION 17. Said section 5 of said chapter 7D, as so appearing, is hereby further amended by striking out, in lines 9 and 10, the words “The CIO shall” and inserting in place thereof the following words:- The secretary may, as needed,.
SECTION 18. Said chapter 7D is hereby amended by striking out section 6 and inserting in place thereof the following section:-
Section 6. (a) The secretary of each executive office established pursuant to section 2 of chapter 6A shall, in consultation with and approval by the secretary, appoint an SCIO of each executive office who shall report to the secretary of that executive office and to the secretary of technology services and security. Each SCIO shall manage all activities concerning information technology within the executive office and supervise all information technology personnel.
(b) Each SCIO shall manage the information technology personnel needs of their respective executive offices. Each SCIO shall develop an IT strategic plan for the executive office that shall be approved by the CIO that sets forth: (i) operational and project priorities; (ii) budgets; (iii) planned procurements; (iv) efficiency goals; (v) security initiatives; and (vi) staffing plans.
(c) The secretary shall supervise the activities of all SCIOs and may conduct annual compliance reviews across the executive offices to ensure full compliance with statutes, regulations, policies, standards and contractual obligations related to information technology and security.
SECTION 19. Section 7 of said chapter 7D, as so appearing, is hereby amended by striking out, in lines 1 and 2, the words “, in consultation with the operational services division,”.
SECTION 20. Said section 7 of said chapter 7D, as so appearing, is hereby further amended by inserting at the end of subsection (a), the following two sentences:- The operational services division and the comptroller shall adopt procedures and policies to ensure cooperation with the executive office of technology services and security’s IT procurement review policies and shall assist in enforcing them.
SECTION 21. Said section 7 of said chapter 7D, as so appearing, is hereby further amended by inserting, after the first sentence of subsection (b) the following sentence:- The executive office of technology services and security may require that it be named as a party to any IT contract that any agency or office within the executive department enters into.
SECTION 22. Said section 7 of said chapter 7D, as so appearing, is hereby further amended by striking out subsection (c) and inserting in place thereof the following subsection:-
(c) For IT projects that present a complex set of challenges as defined in an administrative directive promulgated by the executive office of technology services and security, the executive office of technology services and security may establish a project oversight function that may include the formation of a committee to develop criteria and benchmarks to evaluate the project and advise the executive office of technology services and security as to whether the project is accomplishing its objectives. A committee established pursuant to this section may include members from the private sector; provided, however, that members shall have no financial interest in the project overseen by the committee.
SECTION 23. Said chapter 7D is hereby further amended by inserting after section 9 and inserting in place thereof the following section:-
Section 10. Subject to and consistent with all applicable federal and state laws, rules, and regulations, the executive office of technology services and security is authorized to collect, maintain, store, share, utilize, analyze and disseminate data.
SECTION 24. Section 27B of chapter 29 is hereby repealed.
SECTION 25. Notwithstanding any general or special law or regulation to the contrary, for purposes of chapter 66 of the General Laws, the executive office of technology services and security shall not be deemed to have possession, custody, or control of any record or data belonging to any other agency, office, instrumentality, or other entity. For purposes of chapter 66 of the General Laws, such agency, office, instrumentality, or other entity shall be deemed to retain possession, custody, and control of such record and data.
SECTION 26. (a) Notwithstanding any general or special law to the contrary, this section shall facilitate the orderly transfer of the employees, proceedings, rules and regulations, property and legal obligations and functions of state government from the Massachusetts office of information technology, as transferor agency, to the executive office of technology services and security, as transferee agency.
(b) Subject to appropriation, any employees transferred to the transferee agency, including those who immediately before the effective date of this act held permanent appointment in positions classified under chapter 31 of the General Laws or have tenure in their positions as provided by section 9A of chapter 30 of the General Laws or did not hold such tenure, or held confidential positions, are hereby transferred to the transferee agency, without interruption of service within the meaning of section 9A of chapter 30, without impairment of seniority, retirement or other rights of the employee, and without reduction in compensation or salary grade, notwithstanding any change in title or duties resulting from such reorganization, and without loss of accrued rights to holidays, sick leave, vacation and benefits, and without change in union representation or certified collective bargaining unit as certified by the state labor relations commission or in local union representation or affiliation. Any collective bargaining agreement in effect immediately before the transfer date shall continue in effect and the terms and conditions of employment therein shall continue as if the employees had not been so transferred. The reorganization shall not impair the civil service status of any such reassigned employee who immediately before the effective date of this act either held a permanent appointment in a position classified under chapter 31 of the General Laws or had tenure in a position by reason of section 9A of chapter 30 of the General Laws.
(c) Notwithstanding any general or special law to the contrary, all such employees shall continue to retain their right to bargain collectively pursuant to chapter 150E of the General Laws and shall be considered employees for the purposes of chapter 150E. Nothing in this section shall confer upon any employee any right not held immediately before the date of the transfer, or to prohibit any reduction of salary grade, transfer, reassignment, suspension, discharge or layoff not prohibited before such date; nor shall anything in this section prohibit the abolition of any management position within the executive office of technology services and security.
(d) All petitions, requests, investigations, filings and other proceedings appropriately and duly brought before the transferor agency, or pending before it before the effective date of this act, shall continue unabated and remain in force, but shall be assumed and completed by the transferee agency.
(e) All orders, advisories, findings, rules and regulations duly made and all approvals duly granted by the transferor agency, which are in force immediately before the effective date of this act, shall continue in force and shall thereafter be enforced, until superseded, revised, rescinded or canceled, in accordance with law, by the transferee agency.
(f) All books, papers, records, documents, equipment, buildings, facilities, cash and other property, both personal and real, including all such property held in trust, which immediately before the effective date of this act are in the custody of the transferor agency, shall be transferred to the transferee agency.
(g) All duly existing contracts, leases and obligations of the transferor agency, shall continue in effect but shall be assumed by the transferee agency. No such existing right or remedy of any character shall be lost, impaired or affected by this act.
SECTION 27. This act shall take effect as soon as it has the force of law under subsection (c) of section 2 of Article LXXXVII of the Amendments to the Constitution.
Approved, August 1, 2017