Christopher Bramwell, chief privacy officer and director of the Utah Office of Data Privacy, told the Economic Development and Workforce Services Interim Committee that Utah has created a statewide privacy program framework and is moving to standardize how public entities govern, retain and use data. Bramwell said the office — placed in the Department of Government Operations and only about a year old — aims to improve data governance incrementally while research and stakeholder input shape new policy recommendations.

Bramwell said the office’s goals include comprehensive data governance, verifiable data and verifiable identity so the public can “verify technologically” that data and the actors processing it are legitimate. “When all three of those requirements are met, then you’d have verifiable trust,” he said.

The office published version 2 of its privacy program framework and tracks more than 20 practices. Bramwell described an annual reporting requirement that requires governmental entities to file a privacy program report by Dec. 31 showing whether they have a program, whether they share or sell personal data, what high‑risk processing they do (for example facial recognition and profiling), and the percentage of employees completing privacy awareness training. He said the office must deploy general awareness training for the state’s roughly 250,000 public employees.

Bramwell also addressed “high‑risk processing activities” such as facial recognition, biometrics, gait analysis and license‑plate readers and said governing policy will be one of the larger challenges the office will address in coming years. He said Utah is working with associations — county assessors, cities, and other local entities — to develop standardized models so citizens have equal privacy and transparency rights across different categories of public entities.

On digital identity, Bramwell described a state‑endorsed approach being developed under provisions of SB 260 (he cited Senator Cullimore and Representative Cutler as bill sponsors) that would allow the state to “endorse and protect individual digital identity” and make it usable across public and private sectors while protecting individual control and avoiding vendor lock‑in. Key principles he outlined include treating state‑endorsed digital identity as critical infrastructure, insisting on open standards and protocols, enabling individual control and guardianship (including parental guardianship for children), and pursuing decentralized designs intended to avoid government or vendor tracking. Bramwell said Utah will host a State‑Endorsed Digital Identity summit at Utah Valley University on Oct. 17 to coordinate policymakers and technical stakeholders from other states and the private sector.

Committee members asked about cost, pace of technology change and whether all political subdivisions must file the new privacy reports. Bramwell said almost all governmental entities must complete the annual privacy program report, with “few exceptions,” and acknowledged the work of dozens of stakeholders in crafting the framework. He said the GDPA (the Government Data Privacy Act, as referenced in materials) intentionally emphasizes education and incremental compliance while the office tracks maturity and reports progress to the legislature.

The presentation was described by one committee member as useful to federal policymakers; committee discussion referenced Utah materials shared with staffers on the U.S. House Energy and Commerce Committee as an example of the state’s work informing federal deliberations.

Bramwell repeatedly emphasized the office’s role in research, training and advising — not immediate heavy enforcement — and said the office’s approach is “emergent” and technology‑agnostic so the state’s policy requirements can be met by varying technical solutions over time.

Ending: Bramwell closed by asking legislators to consider incremental changes, noting resources the office has deployed for outreach and training and pointing to the October summit and framework materials as next steps for the Legislature and state agencies to review.