2-6-1502. Protection of personal information -- compliance -- extensions. (1) Each state agency that maintains the personal information of an individual shall develop procedures to protect the personal information while enabling the state agency to use the personal information as necessary for the performance of its duties under federal or state law.
(2) The procedures must include measures to:
(a) eliminate the unnecessary use of personal information;
(b) identify the person or state agency authorized to have access to personal information;
(c) restrict access to personal information by unauthorized persons or state agencies;
(d) identify circumstances in which redaction of personal information is appropriate;
(e) dispose of documents that contain personal information in a manner consistent with other record retention requirements applicable to the state agency;
(f) eliminate the unnecessary storage of personal information on portable devices; and
(g) protect data containing personal information if that data is on a portable device.
(3) Except as provided in subsection (4), each state agency that is created after October 1, 2015, shall complete the requirements of this section within 1 year of its creation.
(4) The chief information officer provided for in 2-17-511 may grant an extension to any state agency subject to the provisions of the Montana Information Technology Act provided for in Title 2, chapter 17, part 5. The chief information officer shall inform the governor, the office of budget and program planning, and the legislative finance committee of all extensions that are granted and of the rationale for granting the extensions. The chief information officer shall maintain written documentation that identifies the terms and conditions of each extension and the rationale for the extension.