An agency shall not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the record pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired.
(e) To a person, or to another agency where the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is accounted for in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(f) To a governmental entity when required by state or federal law.
(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that will not identify any individual.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at his or her last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or his or her designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
(p) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization as necessary for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(q) To an adopted person and is limited to general background information pertaining to the adopted person's natural parents, provided that the information does not include or reveal the identity of the natural parents.
(r) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person's natural parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the natural parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision by July 1, 1985. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.
(s) To a committee of the Legislature or to a Member of the Legislature, or his or her staff when authorized in writing by the member, where the member has permission to obtain the information from the individual to whom it pertains or where the member provides reasonable assurance that he or she is acting on behalf of the individual.
(t) (1) To the University of California, a nonprofit educational institution, or, in the case of education-related data, another nonprofit entity, conducting scientific research, provided the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (4) and (5). The approval required under this subdivision shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(3) Reasonable costs to the agency associated with the agency's process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency's costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(4) The CPHS may enter into written agreements to enable other institutional review boards to provide the data security approvals required by this subdivision, provided the data security requirements set forth in this subdivision are satisfied.
(5) Pursuant to paragraph (4), the CPHS shall enter into a written agreement with the institutional review board established pursuant to Section 49079.5 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, provided the data security requirements set forth in this subdivision and the act specified in paragraph (1) of subdivision (a) of Section 49079.5 are satisfied.
(u) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.
(v) Pursuant to Section 450, 452, 8009, or 18396 of the Financial Code.
This article shall not be construed to require the disclosure of personal information to the individual to whom the information pertains when that information may otherwise be withheld as set forth in Section 1798.40.
(Amended by Stats. 2014, Ch. 64, Sec. 2.)