San Juan County commissioners on Nov. 18 tabled a proposed ordinance and accompanying privacy policy that would establish a county data-privacy program required under the Utah Government Data Privacy Act (UCA 63A-19-101).

Mac, the county administrator who introduced the ordinance, told the commission the measure would name a chief administrative officer to serve as the county's contact for data-privacy matters and require posting a privacy policy on the county website. Mac said the rules are intended to make clear what data the county collects, how it is used and how residents can contact the county if they believe their data were compromised. “We do not sell our data,” Mac said, describing the policy as a public-facing disclosure of current practices.

Commissioners raised questions about where oversight ends and technical implementation begins. Commissioner Harvey urged a segregation of duties, saying security and privacy infrastructure should not concentrate access or authority with a single person. “If we give the golden key only to one person and they’re away, that becomes an obstacle in a crisis,” Harvey said.

James Redd, the county’s IT technician, explained his operational role and the technical backups in place, noting he has industry experience and that consultants share access as needed. “I have 19 years of experience in the industry,” Redd said, and described shared keys and consultant backups that address operational continuity.

Other commissioners asked for clearer language distinguishing (a) the administrative contact who handles state compliance and policy, (b) the chief privacy officer who handles privacy programs and staff training, and (c) the technical staff who implement security and data-handling practices. Commissioner Mohr said the draft mixes oversight and hands-on responsibilities and recommended separating those duties in the ordinance and policy so responsibilities are not “muddy.”

After discussion, a commissioner moved to table both the ordinance and the privacy policy so staff could revise the language to clarify titles and duties, include an appropriate IT contact, and ensure the documents align with existing contracts with outside IT consultants. The motion to table carried on a voice vote.

The commission directed staff to rewrite the ordinance and privacy policy to (1) identify one administrative contact for state compliance, (2) list the operational IT contact(s) or a process for contacting IT, and (3) separate higher-level oversight responsibilities from boots-on-the-ground implementation tasks. Staff said they will return the revised documents to the commission for further consideration.