SECTION 1. Section 1 of Chapter 7D of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by inserting the following definition:-
“Personal information,” as defined in Section 1 of Chapter 93H of the General Laws.
SECTION 2. Chapter 7D of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by inserting, before the first sentence of Section 4B, the following sentence:-
a) The secretary shall create an “office of data protection, cybersecurity, and privacy,” or “ODPCP,” within the executive office of technology services and security.
SECTION 3. Chapter 7D of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by inserting, after the sentence that ends with “at the pleasure of the secretary,” the following sentence:-
The chief privacy officer shall serve as the director of the ODPCP.
SECTION 4. Chapter 7D of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by inserting, after the sentence that ends with “use of data,” the following language:-
b) The ODPCP shall have the following responsibilities with respect to state agencies:
(i) to conduct an annual privacy review of all state agencies;
(ii) to conduct an annual privacy training for all employees of state agencies;
(iii) to articulate privacy principles and best practices for state agencies;
(iv) to coordinate data protection in cooperation with state agencies; and
(v) to participate with the executive office of technology services and security in the review of major state agency projects involving personal information.
c) The ODPCP shall also serve as a resource regarding data privacy and protection concerns to the public and to any political subdivision of the commonwealth, including but not limited to counties, cities, or towns. The ODPCP shall:
(i) Develop and promote the dissemination of best practices for the collection and storage of personal information, including establishing and conducting a training program or programs for political subdivisions of the commonwealth and employees thereof; and
(ii) Educate consumers about the use of personal information on mobile and digital networks and measures that can help protect this information.
d) By December 1, 2021, and every year thereafter, the ODPCP shall prepare and submit to the legislature’s Joint Committee on Advanced Information Technology, the Internet and Cybersecurity a report evaluating its performance. The ODPCP must establish performance measures in its 2021 report to the Joint Committee and, in each report thereafter, demonstrate the extent to which performance results have been achieved. These performance measures shall include, but are not limited to, the following:
(i) The number of state agencies and employees who have participated in the annual privacy training;
(ii) A report on the extent of the ODPCP’s coordination with international and national experts in the fields of data privacy, data protection, and access equity;
(iii) A report on the implementation of data protection measures by state agencies attributable in whole or in part to the ODPCP’s coordination of efforts; and
(iv) The number of political subdivisions of the commonwealth and employees thereof who have participated in the ODPCP’s training programs.
(v) A report on consumer education efforts, including but not limited to the number of consumers educated through public outreach efforts, as indicated by how frequently educational documents were accessed, the ODPCP’s participation in outreach events, and inquiries received back from consumers via telephone or other media.