Chapter 276A — Information Technology

 

ORS sections in this chapter were amended or repealed by the Legislative Assembly during its 2018 regular session. See the table of ORS sections amended or repealed during the 2018 regular session: 2018 A&R Tables

 

New sections of law were enacted by the Legislative Assembly during its 2018 regular session and pertain to or are likely to be compiled in this ORS chapter. See sections in the following 2018 Oregon Laws chapters: 2018 Session Laws 0051; 2018 Session Laws 0088

 

 

2017 EDITION

 

 

INFORMATION TECHNOLOGY

 

PUBLIC FACILITIES, CONTRACTING & INSURANCE

 

STATE CHIEF INFORMATION OFFICER

 

276A.200  Legislative findings on information resources

 

276A.203  State Chief Information Officer; qualifications; duties; Enterprise Information Resources Management Strategy; rules

 

276A.206  Oversight of state information and telecommunications technology by State Chief Information Officer; policy; rules; application for designation as community of interest

 

276A.209  State Information Technology Operating Fund

 

(Technical Services and Information Technology Management)

 

276A.223  Requirement that state agency or public corporation obtain quality management services when implementing information technology initiative; reports; exceptions

 

276A.230  Definitions

 

276A.233  Information technology portfolio-based management; inventory; standards; rules; exception

 

276A.236  Enterprise information resources management; adoption and implementation of strategy; state agency information technology initiatives costing more than $1 million

 

276A.239  Portfolio-based management of information technology resources for Secretary of State

 

276A.242  Portfolio-based management of information technology resources for State Treasurer

 

(Oregon Transparency Website)

 

276A.250  Definitions

 

276A.253  Oregon transparency website

 

276A.256  Reports of tax expenditures connected to economic development

 

276A.259  Transparency Oregon Advisory Commission; members; duties; terms; reports

 

276A.262  Transparency Oregon Advisory Commission Fund

 

(Electronic Government Portal)

 

276A.270  Definitions

 

276A.273  Electronic Government Portal Advisory Board

 

276A.276  Ability to offer government services through portal; portal provider fee

 

INFORMATION SECURITY

 

276A.300  Information systems security in executive department; rules

 

276A.303  Information systems security for Secretary of State, State Treasurer and Attorney General

 

276A.306  Information security incidents and assessments; reports

 

276A.323  State agency coordination

 

276A.326  Oregon Cybersecurity Advisory Council

 

276A.329  Oregon Cybersecurity Center of Excellence

 

276A.332  Authority of State Chief Information Officer to enter into agreements

 

276A.335  Moneys from federal government and other sources

 

OPEN DATA STANDARD

 

276A.350  Definitions

 

276A.353  Chief Data Officer; duties; rules

 

276A.356  Open data standard

 

276A.359  Technical standards manual

 

276A.362  Release of publishable data on web portal; exemptions; rules

 

276A.365  Information management by state agencies

 

276A.368  Purpose of data; limitation of liability; publishable data in public domain

 

276A.371  Obligations of state agency under public records law

 

276A.374  Application to Secretary of State and State Treasurer; rules

 

TELECOMMUNICATIONS

 

276A.400  Policy

 

276A.403  Coordination of telecommunications systems

 

276A.406  Acquisition of advanced digital communications network

 

276A.409  Use of agency travel and transportation funds for telecommunications services

 

276A.412  Contracts for telecommunications equipment and services not to exceed 10 years; contract benefits for designated communities of interest

 

276A.415  Agreements to fund or acquire telecommunications equipment and services

 

OREGON GEOGRAPHIC INFORMATION COUNCIL

 

276A.500  Definitions

 

276A.503  Oregon Geographic Information Council; establishment; purposes; membership; terms of office

 

276A.506  Powers of council; advisory committees

 

276A.509  Public body duty to share geospatial framework data with council; conditions and exceptions; methods for sharing; limitations of liability

 

276A.512  Oregon Geographic Information Council Fund; records and reports

 

276A.515  State geographic information officer; qualifications; duties

 

STATE CHIEF INFORMATION OFFICER

 

      276A.200 Legislative findings on information resources. The Legislative Assembly finds and declares that:

      (1) Information is a strategic asset of the state that must be managed as a valuable state resource.

      (2) The expanding need, use and importance of information resources in this state require strong and effective management by both individual agencies and the state as a whole.

      (3) The state must establish management procedures to ensure a framework for the review, improvement, integration, development, security and use of information resources. Principal objectives for information resources management are improved productivity of state workers, better public access to public information, increased effectiveness in the delivery of services provided by the various agencies and enhancing development of the telecommunication infrastructure available to the public.

      (4) Effective information resources management requires:

      (a) An Enterprise Information Resources Management Strategy, including management and technical policy, that is developed, maintained or updated each biennium;

      (b) Comprehensive planning of the design, acquisition, security and use of information resources;

      (c) The operation of communications systems and information resources that respond to the management information needs of agencies and programs; and

      (d) Consideration of the impact of information resources management activities on the development and vitality of telecommunications infrastructure available to the public.

      (5) Although each agency is responsible for the agency’s information resources, centralized information resource management must also exist to:

      (a) Provide statewide rules and standards;

      (b) Monitor and ensure compliance with those rules and standards;

      (c) Provide management and technical assistance; and

      (d) Ensure that the information resources management needs of state government and state government programs are addressed along with the needs of the individual agencies. [Formerly 291.037]

 

      276A.203 State Chief Information Officer; qualifications; duties; Enterprise Information Resources Management Strategy; rules. (1) The office of the State Chief Information Officer is established in the Oregon Department of Administrative Services for the purpose of directing, coordinating and overseeing state information technology and telecommunications in accordance with ORS 276A.206 and other statutes, rules and policies that govern the state’s or state agencies’ budgeting, planning, acquiring, managing, overseeing and using telecommunications and information technology.

      (2) The Governor shall appoint the State Chief Information Officer, who serves at the pleasure of the Governor. The State Chief Information Officer may adopt rules in accordance with ORS chapter 183 to exercise and carry out the duties, functions and powers committed to the State Chief Information Officer under ORS 276A.206 and other statutes, rules or policies that commit functions to the State Chief Information Officer.

      (3) The State Chief Information Officer must be a person who, by training and experience, is well qualified to:

      (a) Perform the duties that the Governor specifies; and

      (b) Carry out the functions specified in ORS 276A.206 and in other statutes, rules or policies that commit functions to the State Chief Information Officer.

      (4)(a) The State Chief Information Officer shall:

      (A) Serve as the Governor’s chief advisor concerning information resources, information technology, information systems, geographic information systems, information systems security and telecommunications.

      (B) Implement and maintain an information technology governance program for the executive department.

      (C) Adopt rules, policies and standards for budgeting, planning, acquiring, installing, operating and overseeing telecommunications and information technology for the executive department.

      (D) Review and make recommendations to the Governor and the Legislative Assembly concerning state agency information technology budget requests.

      (E) Adopt plans, rules, policies and standards for the executive department concerning geographic information systems and geographic data.

      (F) Adopt state information systems security plans, rules, policies and standards for the executive department.

      (G) Assess state agencies each biennium to evaluate compliance with the State Chief Information Officer’s rules, policies and standards and provide results of the assessments to the Governor and to the Joint Legislative Committee on Information Management and Technology.

      (H) Develop and promote training programs in information technology, information systems security, geographic information systems, enterprise architecture and project and portfolio management.

      (I) Enhance sharing and coordination among federal, tribal, regional, state government and local government entities in this state with respect to geographic information systems and geographic data.

      (J) Oversee information technology and telecommunications procurements as provided in ORS 279A.050 (7).

      (K) Conduct a market analysis each biennium to determine whether the state data center is the most effective and efficient method for providing information technology and information resources to state agencies and other users. In conducting the market analysis, the State Chief Information Officer shall consider best practices and trends among federal, state and local government entities and the extent to which new or emerging technologies affect how the state provides information technology and information resources. The State Chief Information Officer shall provide the results of the analysis to the Governor and to the Joint Legislative Committee on Information Management and Technology and may recommend changes in the information technology and information resources that the state data center provides or in methods that the state data center uses to provide information technology and information resources.

      (L) Identify information technology services that the State Chief Information Officer recommends for design, delivery and management as enterprise or shared information technology services and, each biennium, report to the Governor and the Joint Legislative Committee on Information Management and Technology concerning the status of new enterprise or shared information technology services.

      (M) Adopt or update each biennium an Enterprise Information Resources Management Strategy for the state. In addition to the functions described in ORS 276A.236, the Enterprise Information Resources Management Strategy must provide for integrating statewide technology initiatives, ensuring compliance with information technology rules, policies and standards, promoting coordination, consolidation and alignment of information resources and technologies and effectively managing the state’s and state agencies’ information technology portfolios. In developing the Enterprise Information Resources Management Strategy, the State Chief Information Officer shall consult with and consider advice and suggestions from the department, state agencies and local governments, from private sector information technology experts, from the Legislative Fiscal Officer, from the Joint Legislative Committee on Information Management and Technology or from individual members of the Legislative Assembly that the President of the Senate and the Speaker of the House of Representatives appoint for the purpose of consulting with the State Chief Information Officer under this subsection.

      (N) Identify and recommend to the Governor, within the State Chief Information Officer’s biennial budget request, resources that are necessary to implement the Enterprise Information Resources Management Strategy.

      (O) Develop standards, protocols and procedures for executive department agencies to use in searching for and identifying requested public records that are retained in electronic form and to use in fulfilling public records requests that seek records in electronic form.

      (b) As used in this subsection:

      (A) “Executive department” has the meaning given that term in ORS 174.112, except that “executive department” does not include the Secretary of State in performing the duties of the constitutional office of Secretary of State or the State Treasurer in performing the duties of the constitutional office of State Treasurer.

      (B) “Geographic data” means digital data that consist of geographic or projected map coordinate values, identification codes and associated descriptive data to locate and describe boundaries or features on, above or below the surface of the earth, demographic data or related data.

      (C) “Geographic information system” means hardware, software, and data for capturing, managing, analyzing and displaying geographic data.

      (D) “Information system” means computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

      (E) “State government” has the meaning given that term in ORS 174.111.

      (5) The State Chief Information Officer may:

      (a) Organize and reorganize the office of the State Chief Information Officer in the manner the State Chief Information Officer considers necessary to conduct the work of the office of the State Chief Information Officer properly.

      (b) Divide the office of the State Chief Information Officer into administrative programs, units or sections and appoint an individual to administer each program, unit or section that the State Chief Information Officer establishes under this subsection. The individual the State Chief Information Officer appoints serves at the pleasure of the State Chief Information Officer and must be well qualified by technical training and experience in the functions the individual will perform. The State Chief Information Officer’s actions under this paragraph are subject to ORS chapter 240.

      (c) Appoint subordinate officers and employees of the office of the State Chief Information Officer, prescribe the officers’ and employees’ duties and fix compensation for the officers and employees. The State Chief Information Officer’s actions under this paragraph are subject to ORS chapter 240.

      (d) Delegate to an employee of the office of the State Chief Information Officer or to another individual any duty, function or power that the State Chief Information Officer may exercise or perform under ORS 276A.206 or under other statutes, rules or policies that commit functions to the State Chief Information Officer. For the purpose of performing an official act in the State Chief Information Officer’s name, the State Chief Information Officer may delegate a duty, function or power by means of an interagency agreement, an intergovernmental agreement in accordance with ORS chapter 190 or a contract. An official act that an individual performs in the name of the State Chief Information Officer under a delegation from the State Chief Information Officer under this paragraph is an official act of the State Chief Information Officer. [Formerly 291.039]

 

      276A.206 Oversight of state information and telecommunications technology by State Chief Information Officer; policy; rules; application for designation as community of interest. (1)(a) The State Chief Information Officer shall oversee and coordinate the planning, budgeting, architecture and standardization, consolidation, acquisition and oversight of all information and telecommunications technology by state government and agencies of state government so that statewide and individual state agencies’ plans and activities are addressed in the most integrated, economic and efficient manner, in a manner that minimizes duplication, fragmentation, redundancy and cost in state government operations and in a manner that most effectively meets state government and state agency program needs.

      (b)(A) Except as otherwise provided by law, the office of the Secretary of State and the office of the State Treasurer, in collaboration with the State Chief Information Officer, shall develop and adopt plans, policies, standards and procedures for budgeting, planning, procuring, managing, overseeing and using information technology and telecommunications for the Secretary of State or the State Treasurer, as appropriate. Each office shall ensure that the office’s plans, policies, standards and procedures are, to the extent possible, compatible with the plans, policies, standards and procedures that the State Chief Information Officer develops and adopts for other state agencies within the executive department.

      (B) The Secretary of State and the State Treasurer shall submit to the Legislative Fiscal Office:

      (i) Copies of plans, policies, standards and procedures that the Secretary of State and the State Treasurer develop and adopt under subparagraph (A) of this paragraph. The Secretary of State and the State Treasurer shall submit copies of the plans, policies, standards and procedures within 30 calendar days after adopting or amending the plans, policies, standards or procedures.

      (ii) Copies of any independent information technology audits or quality assurance reports that are public records and are not exempt from disclosure under ORS 192.311 to 192.478. The Secretary of State and the State Treasurer shall submit copies of the audits or reports within 30 calendar days after receiving the audits or reports.

      (iii) An annual report on all information technology initiatives, as defined in ORS 276A.223, and all procurements with an estimated contract price that exceeds $1 million. The Secretary of State and the State Treasurer shall submit the report not later than December 31 of each calendar year.

      (2) To facilitate accomplishment of the purpose set forth in subsection (1)(a) of this section, the State Chief Information Officer shall:

      (a) Adopt rules, policies and standards to plan for, develop architecture for and standardize the state’s information resources and technologies. In developing rules, policies and standards, the State Chief Information Officer shall consult with state agencies that have needs that information resources may satisfy. State agencies shall cooperate with the State Chief Information Officer in preparing and complying with rules, policies and standards that the State Chief Information Officer adopts.

      (b) Formulate rules, policies and standards to promote electronic communication and information sharing among state agencies and programs, between state and local governments and with the public where appropriate.

      (c) Formulate rules, policies, plans, standards and specifications to ensure that information resources and technologies fit together in a statewide system capable of providing ready access to information, information technology or telecommunication resources. Plans and specifications that the State Chief Information Officer adopts must be based on industry standards for open systems to the greatest extent possible.

      (3) Before adopting rules described in subsection (2) of this section, the State Chief Information Officer shall present the proposed rules to the Joint Legislative Committee on Information Management and Technology.

      (4) The State Chief Information Officer has the responsibility to review, oversee and ensure that state agencies’ rules and planning, acquisition and implementation activities related to information technology and telecommunications align with and support the Enterprise Information Resources Management Strategy. State agencies shall cooperate with the State Chief Information Officer to ensure that the state agencies’ rules and planning, acquisition and implementation activities align with and support the Enterprise Information Resources Management Strategy. If the Oregon Department of Administrative Services procures information technology or the Director of the Oregon Department of Administrative Services delegates authority under ORS 279A.075 to procure information technology, the department and a state contracting agency, as defined in ORS 279A.010, shall procure information technology fairly, competitively and in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards.

      (5)(a) The policy of the State of Oregon is that state government telecommunications networks should be designed to provide state-of-the-art services where economically and technically feasible, using shared, rather than dedicated, lines and facilities.

      (b) The State Chief Information Officer shall, when procuring telecommunications network services, consider the goals and objectives outlined within the Enterprise Information Resources Management Strategy and the policy, acquisition, coordination and consolidation objectives for information technology that are specified in ORS 276A.400 to 276A.412 and 276A.415.

      (6)(a) The State Chief Information Officer, upon request, may furnish and deliver statewide integrated videoconferencing and statewide online access service to a public or private entity that primarily conducts activities for the direct good or benefit of the public or community at large in providing educational, economic development, health care, human services, public safety, library or other public services. The State Chief Information Officer shall adopt rules with respect to the State Chief Information Officer’s furnishing of the service.

      (b) The State Chief Information Officer shall establish statewide integrated videoconferencing and statewide online access user fees, services, delivery, rates and long range plans. The rates must reflect the State Chief Information Officer’s cost in providing the service.

      (c) The State Chief Information Officer by rule shall restrict the Internet access service that the State Chief Information Officer furnishes or delivers to private entities if the service would directly compete with two or more local established providers of Internet access services within the local exchange telecommunications service area.

      (d) The rates and services established and provided under this section are not subject to the Public Utility Commission’s regulation or authority.

      (7) An organization or organizations recognized as tax exempt under section 501(c)(3) of the Internal Revenue Code that primarily conduct activities for the direct good or benefit of the public or community at large in providing educational, economic development, health care, human services, public safety, library or other public services and that have formed an affiliation with one or more federal, state or local governmental units within this state may apply to the State Chief Information Officer for designation as a community of interest. The application must be in the form that the State Chief Information Officer prescribes and contain information about the governmental affiliation relationship, the tax exempt status of each organization and the public benefit services the organization provides or intends to provide. The State Chief Information Officer shall establish an application review and appeal process to ensure that designating the organizations as a community of interest for the purposes of including the organization in telecommunications contracts under ORS 276A.412 will result in providing educational, medical, library or other services for public benefit.

      (8) This section does not apply to any public university listed in ORS 352.002.

      (9) As used in this section and ORS 276A.203:

      (a) “Information resources” means media, instruments, plans and methods for collecting, processing, transmitting and storing data and information, including telecommunications.

      (b) “Information technology” means present and future forms of hardware, software and services for data processing, office automation and telecommunications.

      (c) “Internet access service” means electronic connectivity to the Internet and the services of the Internet.

      (d) “Open systems” means systems that allow state agencies freedom of choice by providing a vendor-neutral operating environment where different computers, applications, system software and networks operate together easily and reliably.

      (e) “State-of-the-art services” means the highest level at which equipment, facilities and the capability to distribute digital communication signals that transmit voice, data, video and images over a distance have developed at the time during which the equipment, facility or capability was installed or operating.

      (f) “Statewide integrated videoconferencing” means a statewide electronic system capable of transmitting video, voice and data communications.

      (g) “Statewide online access” means electronic connectivity to information resources such as computer conferencing, electronic mail, databases and Internet access.

      (h) “Telecommunications” means hardware, software and services for transmitting voice, data, video and images over a distance. [Formerly 291.038]

 

      276A.209 State Information Technology Operating Fund. (1) There is established the State Information Technology Operating Fund in the State Treasury, separate and distinct from the General Fund. The moneys in the State Information Technology Operating Fund may be invested as provided in ORS 293.701 to 293.857. Interest earnings on the fund assets must be credited to the fund.

      (2) The Director of the Oregon Department of Administrative Services shall deposit into the State Information Technology Operating Fund moneys for enterprise information technology and telecommunications that are appropriated to the Oregon Department of Administrative Services and that are necessary for the State Chief Information Officer to fulfill the duties, implement the functions and exercise the powers imposed upon, transferred to and vested in the State Chief Information Officer under section 1, chapter 807, Oregon Laws 2015.

      (3) The State Information Technology Operating Fund consists of:

      (a) Moneys deposited into the fund under subsection (2) of this section and ORS 276A.323 and 276A.335.

      (b) Amounts donated to the fund.

      (c) Amounts appropriated or otherwise transferred to the fund by the Legislative Assembly.

      (d) Other amounts deposited into the fund from any source.

      (4) Amounts in the fund are continuously appropriated to the State Chief Information Officer for the purposes authorized by law. [Formerly 291.041]

 

(Technical Services and Information Technology Management)

 

      276A.223 Requirement that state agency or public corporation obtain quality management services when implementing information technology initiative; reports; exceptions. (1) As used in this section:

      (a)(A) “Information technology initiative” means a project to develop or provide, with a state contracting agency’s or public corporation’s own personnel and resources, or to obtain by means of a procurement or set of related procurements:

      (i) New hardware, software or services for data processing, office automation or telecommunications;

      (ii) An overhaul, upgrade or replacement of a substantial portion of the hardware or software in an existing data processing, office automation or telecommunications system; or

      (iii) A substantial expansion of existing data processing, office automation or telecommunications services.

      (B) “Information technology initiative” does not include:

      (i) A procurement for preliminary quality assurance services or quality management services;

      (ii) A routine update to or purchase of hardware or software within an existing data processing, office automation or telecommunications system;

      (iii) A renewal of an existing contract for data processing, office automation or telecommunications services under terms and conditions that are substantially the same as in the existing contract; or

      (iv) A replacement of a component of an existing data processing, office automation or telecommunications system that is not essential for the system to function as designed or that occurs at the end of the component’s anticipated life cycle.

      (b) “Preliminary quality assurance services” means a set of services in which a contractor provides an independent and objective review of a state contracting agency’s or a public corporation’s plans, specifications, estimates, documentation, available resources and overall purpose for an information technology initiative, including services in which the contractor evaluates a proposed information technology initiative against applicable quality standards and best practices from private industry and other sources.

      (c) “Procurement” has the meaning given that term in ORS 279A.010.

      (d)(A) “Public corporation” means a corporation:

      (i) The operations of which are subject to control by this state or by an agency or instrumentality of this state, or by officers of this state or of an agency or instrumentality of this state;

      (ii) That is organized, at least in part, to serve a public purpose; and

      (iii) That receives public funds or other support from an entity described in sub-subparagraph (i) of this subparagraph.

      (B) “Public corporation” does not include:

      (i) A person or entity described in ORS 174.108 (3);

      (ii) A city, county, local service district, school district, education service district, community college district or community college service district or a public university listed in ORS 352.002; or

      (iii) An administrative subdivision of an entity described in sub-subparagraph (ii) of this subparagraph.

      (e) “Quality management services” means a set of services in which a contractor provides an independent and objective review and evaluation of a state contracting agency’s, a public corporation’s or another contractor’s performance with respect to an information technology initiative, such as services in which the contractor:

      (A) Identifies quality standards that apply or should apply to the information technology initiative;

      (B) Suggests methods and means by which the state contracting agency, the public corporation or the other contractor may meet quality standards identified in subparagraph (A) of this paragraph;

      (C) Reviews and evaluates the state contracting agency’s, the public corporation’s or the other contractor’s performance regularly as the information technology initiative progresses from start to finish;

      (D) Identifies omissions or gaps in the state contracting agency’s, the public corporation’s or the other contractor’s planning, execution, control, methodology, communication or reporting as the information technology initiative progresses from start to finish;

      (E) Identifies risks in the state contracting agency’s, the public corporation’s or the other contractor’s plans or approach to designing, developing or implementing the information technology initiative and suggests methods to reduce, mitigate or eliminate the risks;

      (F) Assists the state contracting agency or the public corporation in testing or otherwise evaluating the hardware, software or services that are developed, provided or obtained as part of an information technology initiative to determine whether the hardware, software or services conform with the quality standards identified in subparagraph (A) of this paragraph;

      (G) Advises the State Chief Information Officer, the state contracting agency or the public corporation as to whether the hardware, software or services that are developed, provided or obtained as part of an information technology initiative meet the contracting agency’s or the public corporation’s needs, specifications or expectations and otherwise enable the state contracting agency or the public corporation to achieve the objectives for the information technology initiative; or

      (H) Identifies unsatisfactory performance and suggests methods the State Chief Information Officer, the state contracting agency, the public corporation or the other contractor might use to eliminate the causes of unsatisfactory performance.

      (f) “State contracting agency” has the meaning given that term in ORS 279A.010.

      (2)(a) A state contracting agency or a public corporation that implements an information technology initiative shall obtain quality management services from a qualified contractor if the value of the information technology initiative exceeds $5 million, unless the State Chief Information Officer determines that the quality management services are not necessary. The State Chief Information Officer may require quality management services for an information technology initiative the value of which does not exceed $5 million if the information technology initiative meets criteria or standards that the State Chief Information Officer specifies in rule or policy. The State Chief Information Officer not later than December 31 of each year shall submit to the Legislative Fiscal Officer a report that identifies information technology initiatives for which:

      (A) The value exceeds $5 million; and

      (B) The State Chief Information Officer determines that quality management services are not necessary.

      (b) A state contracting agency or public corporation may, subject to ORS 279B.040, procure preliminary quality assurance services from a contractor if the information technology initiative meets the criteria set forth in paragraph (a) of this subsection or if the state contracting agency or public corporation otherwise believes that the preliminary quality assurance services will enable the contracting agency or public corporation to implement an information technology initiative successfully.

      (3) A state contracting agency or public corporation may not artificially divide or fragment an information technology initiative so as to avoid the application of this section.

      (4) Notwithstanding any procurement authority that a state contracting agency or a public corporation has that is not subject to the authority of the Director of the Oregon Department of Administrative Services or the State Chief Information Officer under ORS 279A.050 (2) or (7), the state contracting agency or public corporation is subject to the provisions of subsection (2) of this section and shall consult with and follow the rules, policies and procedures of the State Chief Information Officer in determining the extent of preliminary quality assurance services or quality management services that the state contracting agency or public corporation will require for an information technology initiative.

      (5)(a) If a state contracting agency or a public corporation awards a contract for preliminary quality assurance services or quality management services, the contract must provide that at the same time a contractor provides a preliminary or final report to the contract administrator, the contractor shall also provide a copy of the report to:

      (A) The State Chief Information Officer;

      (B) The Director of the Oregon Department of Administrative Services;

      (C) The Legislative Fiscal Officer; and

      (D) As appropriate for the specific information technology initiative, to:

      (i) The director of the state contracting agency or, if a board or commission sets policy for the state contracting agency, to the board or commission; or

      (ii) The governing body of the public corporation.

      (b) The state contracting agency or public corporation shall provide the contractor with names, addresses and other contact information the contractor needs to comply with paragraph (a) of this subsection.

      (6) This section does not apply to the Secretary of State or the State Treasurer. [Formerly 291.035]

 

      276A.230 Definitions. As used in ORS 276A.233 and 276A.236:

      (1) “Executive department” has the meaning given that term in ORS 174.112.

      (2) “Information technology” includes, but is not limited to, all present and future forms of hardware, software and services for data processing, office automation and telecommunications.

      (3) “State agency” means a board, commission, department, division, office or other entity within the executive department of state government, except:

      (a) The Secretary of State;

      (b) The State Treasurer;

      (c) The Oregon State Lottery; and

      (d) A public university that is listed in ORS 352.002. [Formerly 184.473]

 

      276A.233 Information technology portfolio-based management; inventory; standards; rules; exception. (1) The purposes of information technology portfolio-based management are to:

      (a) Ensure that state agencies link the state agencies’ information technology investments with business plans;

      (b) Facilitate risk assessment of information technology projects and investments;

      (c) Ensure that state agencies justify information technology investments on the basis of sound business cases;

      (d) Ensure that state agencies facilitate development and review of information technology performance related to business operations;

      (e) Identify projects that can cross agency and program lines to leverage resources; and

      (f) Assist in state government-wide planning for common, shared information technology infrastructure.

      (2) The State Chief Information Officer shall integrate state agency strategic and business planning, technology planning and budgeting and project expenditure processes into the State Chief Information Officer’s portfolio-based management and oversight of state information technology resources.

      (3) The State Chief Information Officer shall conduct and maintain a continuous inventory of each state agency’s current and planned investments in information technology, a compilation of information about the current and planned investments and the total life cycle cost of the current and planned investments. Each state agency shall cooperate with the State Chief Information Officer in conducting and maintaining the inventory. The State Chief Information Officer shall develop and implement state government-wide rules, policies and standards for conducting and maintaining the required inventory and for managing the state government-wide information technology portfolio. State agencies shall participate in the State Chief Information Officer’s information technology portfolio-based management program and shall comply with the rules, policies and standards that the State Chief Information Officer establishes under this subsection. The provisions of this subsection do not relieve any state agency from accountability for equipment, materials, supplies and tangible and intangible personal property under the state agency’s control.

      (4) The State Chief Information Officer shall ensure that state agencies implement portfolio-based management of information technology resources in accordance with this section and with rules, policies and standards that the State Chief Information Officer adopts.

      (5) Before adopting rules to implement the provisions of this section, the State Chief Information Officer shall present the proposed rules to the Joint Legislative Committee on Information Management and Technology. [Formerly 184.475]

 

      276A.236 Enterprise information resources management; adoption and implementation of strategy; state agency information technology initiatives costing more than $1 million. (1) The purpose of enterprise information resources management is to create a plan and implement a state government-wide approach for managing distributed information technology assets to minimize total ownership costs from acquisition through retirement, while realizing maximum benefits for transacting the state’s business and delivering services to the residents of this state.

      (2) With input and recommendations from state agencies, the State Chief Information Officer each biennium shall adopt an Enterprise Information Resources Management Strategy in accordance with ORS 276A.203. The Enterprise Information Resources Management Strategy must, among other functions, enable the State Chief Information Officer to manage and oversee distributed information technology assets throughout state government. The Enterprise Information Resources Management Strategy shall prescribe the state government-wide infrastructure and services for managing these assets. The State Chief Information Officer shall submit the Enterprise Information Resources Management Strategy to the Joint Legislative Committee on Information Management and Technology for review.

      (3) Following review by the Joint Legislative Committee on Information Management and Technology, the State Chief Information Officer shall ensure state agency implementation of the Enterprise Information Resources Management Strategy, including the development of appropriate rules, policies and standards along with budget, resource and management plans that are necessary to implement the Enterprise Information Resources Management Strategy.

      (4) State agencies shall participate in managing information technology assets in accordance with the Enterprise Information Resources Management Strategy and shall comply with the rules, policies and standards of the State Chief Information Officer.

      (5) A state agency that implements an information technology initiative, as defined in ORS 276A.223, that the State Chief Information Officer estimates will cost more than $1 million shall implement the information technology initiative under rules, policies and standards that the State Chief Information Officer develops, sets or adopts. The information technology initiative is subject to the State Chief Information Officer’s oversight and the State Chief Information Officer may require the state agency to obtain approval to implement the information technology initiative or may direct the state agency to stop or modify the implementation, cancel or modify a procurement related to the information technology initiative, modify the scope of the information technology initiative or take another action before awarding a public contract. After a state agency executes a public contract related to the information technology initiative, the State Chief Information Officer may direct the state agency to take any action in accordance with the terms and conditions of the public contract that the State Chief Information Officer deems necessary or advisable to administer and enforce the public contract, including directing the state agency to suspend performance or terminate the public contract in whole or in part. [Formerly 184.477]

 

      276A.239 Portfolio-based management of information technology resources for Secretary of State. (1) The Secretary of State shall implement portfolio-based management of information technology resources, as described in this section, to:

      (a) Ensure that the Office of the Secretary of State links its information technology investments with business plans;

      (b) Facilitate risk assessment of information technology projects and investments;

      (c) Ensure that the office justifies information technology investments on the basis of sound business cases;

      (d) Ensure that the office facilitates development and review of information technology performance related to business operations;

      (e) Identify projects that can cross agency and program lines to leverage resources; and

      (f) Assist in state government-wide planning for common, shared information technology infrastructure.

      (2) The Secretary of State shall integrate strategic and business planning, technology planning and budgeting and project expenditure processes into the Secretary of State’s information technology portfolio-based management.

      (3) The Secretary of State shall conduct and maintain a continuous inventory of current and planned investments in information technology, a compilation of information about those assets and the total life cycle cost of those assets.

      (4) The Secretary of State shall develop and implement standards, processes and procedures for the required inventory and for the management of the information technology portfolio.

      (5) As used in this section, “information technology” has the meaning given that term in ORS 276A.230. [Formerly 177.200]

 

      276A.242 Portfolio-based management of information technology resources for State Treasurer. (1) The State Treasurer shall implement portfolio-based management of information technology resources, as described in this section, to:

      (a) Ensure that the office of the State Treasurer links its information technology investments with business plans;

      (b) Facilitate risk assessment of information technology projects and investments;

      (c) Ensure that the office justifies information technology investments on the basis of sound business cases;

      (d) Ensure that the office facilitates development and review of information technology performance related to business operations;

      (e) Identify projects that can cross agency and program lines to leverage resources; and

      (f) Assist in state government-wide planning for common, shared information technology infrastructure.

      (2) The State Treasurer shall integrate strategic and business planning, technology planning and budgeting and project expenditure processes into the State Treasurer’s information technology portfolio-based management.

      (3) The State Treasurer shall conduct and maintain a continuous inventory of current and planned investments in information technology, a compilation of information about those assets and the total life cycle cost of those assets.

      (4) The State Treasurer shall develop and implement standards, processes and procedures for the required inventory and for the management of the information technology portfolio.

      (5) As used in this section, “information technology” has the meaning given that term in ORS 276A.230. [Formerly 178.100]

 

(Oregon Transparency Website)

 

      276A.250 Definitions. As used in ORS 276A.250 to 276A.262, “state agency” means any officer, board, commission, department, division or institution of state government, as defined in ORS 174.111. [Formerly 184.480]

 

      276A.253 Oregon transparency website. (1)(a) The State Chief Information Officer shall maintain and make available an Oregon transparency website. The website must allow any person to view information that is a public record and is not exempt from disclosure under ORS 192.311 to 192.478, including but not limited to information described in subsection (3) of this section. The State Chief Information Officer shall provide on the home page of the website a method for users to offer suggestions regarding the form or content of the website.

      (b) The Oregon Department of Administrative Services shall assist the State Chief Information Officer in performing duties under paragraph (a) of this subsection to the extent the State Chief Information Officer deems the assistance necessary.

      (2) State agencies and education service districts, to the extent practicable and subject to laws relating to confidentiality, when at no additional cost, using existing data and existing resources of the state agency or education service district and without reallocation of resources, shall:

      (a) Furnish information to the Oregon transparency website by posting reports and providing links to existing information system applications in accordance with standards that the State Chief Information Officer establishes; and

      (b) Provide the information in the format and manner that the State Chief Information Officer requires.

      (3) To the extent practicable and subject to laws relating to confidentiality, when at no additional cost, using existing data and existing resources of the state agency or education service district and without reallocation of resources, the Oregon transparency website must contain information about each state agency and education service district, including but not limited to:

      (a) Annual revenues of state agencies and education service districts;

      (b) Annual expenditures of state agencies and education service districts;

      (c) Annual human resources expenses, including compensation, of state agencies and education service districts;

      (d) Annual tax expenditures of state agencies, including, when possible, the identity of the recipients of each tax expenditure;

      (e) For each state agency, a description of the percentage of expenditures made in this state and the percentage of expenditures made outside this state under all contracts for goods or services the state agency enters into during each biennium;

      (f) A prominently placed graphic representation of the primary funding categories and approximate number of individuals that the state agency or the education service district serves;

      (g) A description of the mission, function and program categories of the state agency or education service district;

      (h) A copy of any audit report that the Secretary of State issues for the state agency or the education service district;

      (i) The local service plans of the education service districts;

      (j) A copy of each report required by statute for education service districts; and

      (k) A copy of all notices of public meetings of the education service districts.

      (4) In addition to the information described in subsection (3) of this section:

      (a) The State Chief Information Officer shall post on the Oregon transparency website notices of public meetings the state agency must provide under ORS 192.640. If the state agency maintains a website where minutes or summaries of the public meetings are available, the state agency shall provide the State Chief Information Officer with the link to the state agency website for posting on the Oregon transparency website.

      (b) The State Chief Information Officer shall post on the Oregon transparency website a link for the website that the Secretary of State maintains for rules that the state agency adopts. If the state agency maintains a website where the state agency posts the rules, or where any information relating to the rules of the agency is posted, the state agency shall provide the State Chief Information Officer with the link to the website for posting on the Oregon transparency website.

      (c) The State Chief Information Officer shall provide links on the Oregon transparency website for information that the State Chief Information Officer receives concerning contracts and subcontracts that a state agency or education service district enters into, to the extent that disclosing the information is allowed by law and the information is already available on websites that the state agency or education service district maintains. To the extent available, the information to which the State Chief Information Officer links under this section must include:

      (A) Information on professional, personal and material contracts;

      (B) The date of each contract and the amount payable under the contract;

      (C) The period during which the contract is or was in effect; and

      (D) The names and addresses of vendors.

      (d) The State Chief Information Officer shall provide an economic development section on the Oregon transparency website for posting of information submitted to the State Chief Information Officer by state agencies responsible for administering specific economic development programs. The section shall include, but not be limited to, the following information, if it is already collected or available within an existing database maintained by the state agency in the course of administering the economic development program:

      (A) The names of filmmakers or companies that have received reimbursements from the Oregon Production Investment Fund under ORS 284.368 and the amount of each reimbursement;

      (B) The amount of revenue bonds issued under ORS 285A.430 for the Beginning and Expanding Farmer Loan Program, the names of persons who received loans under the program and the amount of the loan;

      (C) The names of persons who received grants or loans from the Oregon Innovation Council under ORS 284.735 or 284.742 and the purpose and amount of the grant or loan;

      (D) Copies of, or links to, annual reports required to be filed under ORS 285C.615 under the strategic investment program;

      (E) Copies of, or links to, annual certifications required to be filed under ORS 285C.506 for the business development income tax exemption; and

      (F) Information required to be posted on the Oregon transparency website under ORS 276A.256.

      (e) The information reported under paragraph (d) of this subsection:

      (A) May not include proprietary information; and

      (B) Shall be provided to the State Chief Information Officer by the state agency in the format and manner required by the State Chief Information Officer.

      (f) The State Chief Information Officer shall post on the Oregon transparency website information describing the process for requesting copies of public records from a public body, including a link to the public records section of the Department of Justice webpage. At the request of a state agency or education service district, the State Chief Information Officer shall include a link to a location on the webpage of the agency or district that describes the process for requesting public records from the agency or district.

      (5) In operating, refining and recommending enhancements to the Oregon transparency website, the State Chief Information Officer and the Transparency Oregon Advisory Commission created in ORS 276A.259 shall consider and, to the extent practicable, adhere to the following principles:

      (a) The website must be accessible without cost and be easy to use;

      (b) Information included on the Oregon transparency website must be presented using plain, easily understandable language; and

      (c) The website should teach users about how state government and education service districts work and provide users with the opportunity to learn something about how state government and education service districts raise and spend revenue.

      (6) If a state agency or an education service district is not able to include information described in this section on the Oregon transparency website because of the lack of availability of information or cost in acquiring information, the Transparency Oregon Advisory Commission created in ORS 276A.259 shall list the information that is not included for the state agency or education service district in the commission’s report to the Legislative Assembly required under ORS 276A.259.

      (7)(a) For the purpose of providing transparency in the revenues, expenditures and budgets of the following entities, the State Chief Information Officer shall include on the Oregon transparency website a page that provides links to websites established by:

      (A) Local governments, as defined in ORS 174.116.

      (B) Special government bodies, as defined in ORS 174.117.

      (C) Semi-independent state agencies listed in ORS 182.454.

      (D) Public universities listed in ORS 352.002.

      (E) Public university statewide programs operated by a public university listed in ORS 352.002.

      (F) The Oregon Health and Science University.

      (G) The Oregon Tourism Commission.

      (H) The Oregon Film and Video Office.

      (I) The Travel Information Council.

      (J) The Children’s Trust Fund of Oregon Foundation.

      (K) Oregon Corrections Enterprises.

      (L) The State Accident Insurance Fund Corporation.

      (M) The Oregon Utility Notification Center.

      (N) Any public corporation created under a statute of this state and specifically designated as a public corporation.

      (b) The State Chief Information Officer shall include a link to an entity’s website after receiving a request from the entity and shall consider recommendations from the Transparency Oregon Advisory Commission for including other links to websites of the entities listed in paragraph (a) of this subsection.

      (c) At the request of any local government, as defined in ORS 174.116, or special government body, as defined in ORS 174.117, the State Chief Information Officer shall include on the Oregon transparency website notices of public meetings required to be provided under ORS 192.640 by the local government or special government body. The local government or special government body must submit public meeting notice information in the format and manner required by the State Chief Information Officer.

      (d) The office of the State Chief Information Officer shall include a prominent link on the home page of the Oregon transparency website for information posted to the page described in paragraph (a) of this subsection. [Formerly 184.483]

 

      276A.256 Reports of tax expenditures connected to economic development. (1) For each statute that authorizes a tax expenditure with a purpose connected to economic development and that is listed in subsection (2) of this section, the state agency charged with certifying or otherwise administering the tax expenditure shall submit a report to the State Chief Information Officer. If a statute does not exist to authorize a state agency to certify or otherwise administer the tax expenditure, or if a statute does not provide for certification or administration of the tax expenditure, the Department of Revenue shall submit the report.

      (2) This section applies to:

      (a) ORS 285C.175, 285C.362, 307.123, 307.455, 315.141, 315.331, 315.336, 315.341, 315.506, 315.507, 315.514, 315.533, 316.698, 316.778, 317.124, 317.391 and 317.394 and sections 1 to 5, chapter 112, Oregon Laws 2016.

      (b) Grants awarded under ORS 469B.256 in any tax year in which certified renewable energy contributions are received as provided in ORS 315.326.

      (c) ORS 315.354 except as applicable in ORS 469B.145 (2)(a)(L) or (N).

      (d) ORS 316.116, if the allowed credit exceeds $2,000.

      (3) The following information, if the information is already available in an existing database the state agency maintains, must be included in the report required under this section:

      (a) The name of each taxpayer or applicant approved for the allowance of a tax expenditure or a grant award under ORS 469B.256.

      (b) The address of each taxpayer or applicant.

      (c) The total amount of credit against tax liability, reduction in taxable income or exemption from property taxation granted to each taxpayer or applicant.

      (d) Specific outcomes or results required by the tax expenditure program and information about whether the taxpayer or applicant meets those requirements. This information must be based on data the state agency has already collected and analyzed in the course of administering the tax expenditure. Statistics must be accompanied by a description of the methodology employed in the statistics.

      (e) An explanation of the state agency’s certification decision for each taxpayer or applicant, if applicable.

      (f) Any additional information that the taxpayer or applicant submits and that the state agency relies on in certifying the determination.

      (g) Any other information that state agency personnel deem valuable as providing context for the information described in this subsection.

      (4) The information reported under subsection (3) of this section may not include proprietary information or information that is exempt from disclosure under ORS 192.311 to 192.478 or 314.835.

      (5) No later than September 30 of each year, a state agency described in subsection (1) of this section shall submit to the State Chief Information Officer the information required under subsection (3) of this section as applicable to applications for allowance of tax expenditures the state agency approved during the agency fiscal year ending during the current calendar year. The information must then be posted on the Oregon transparency website described in ORS 276A.253 no later than December 31 of the same year.

      (6)(a) In addition to the information described in subsection (3) of this section, the State Chief Information Officer shall post on the Oregon transparency website:

      (A) Copies of all reports that the State Chief Information Officer, the Department of Revenue or the Oregon Business Development Department receives from counties and other local governments relating to properties in enterprise zones that have received tax exemptions under ORS 285C.170, 285C.175 or 285C.409, or that are eligible for tax exemptions under ORS 315.506, 315.507 or 317.124 by reason of being in an enterprise zone; and

      (B) Copies of any annual reports that agencies described in subsection (1) of this section are required by law to produce regarding the administration of statutes listed in subsection (2) of this section.

      (b) The reports must be submitted to the State Chief Information Officer in a manner and format that the State Chief Information Officer prescribes.

      (7) The information described in this section that is available on the Oregon transparency website must be accessible in the format and manner required by the State Chief Information Officer.

      (8) The information described in this section must be provided to the Oregon transparency website by posting reports and providing links to existing information systems applications in accordance with standards established by the State Chief Information Officer. [Formerly 184.484]

 

      Note: 276A.256 was enacted into law by the Legislative Assembly but was not added to or made a part of ORS chapter 276A or any series therein by legislative action. See Preface to Oregon Revised Statutes for further explanation.

 

      276A.259 Transparency Oregon Advisory Commission; members; duties; terms; reports. (1) There is created the Transparency Oregon Advisory Commission consisting of nine members appointed as follows:

      (a) The President of the Senate shall appoint two members from among members of the Senate, one from the majority party and one from the minority party.

      (b) The Speaker of the House of Representatives shall appoint two members from among members of the House of Representatives, one from the majority party and one from the minority party.

      (c) The Governor shall appoint one member from an executive branch agency.

      (d) The State Chief Information Officer shall appoint one member.

      (e) The Legislative Fiscal Officer shall appoint one member.

      (f) The President of the Senate and the Speaker of the House of Representatives shall each appoint one member of the public with experience or interest in public finance, public relations, measurement of performance outcomes or technology.

      (2) The commission shall advise and make recommendations to the State Chief Information Officer regarding the creation, contents and operation of, and enhancements to, the Oregon transparency website.

      (3) A majority of the members of the commission constitutes a quorum for transacting business.

      (4) A majority of the members of the commission must approve official action by the commission.

      (5) The commission shall elect one of the commission’s members to serve as chairperson not later than October 1 of each odd-numbered year.

      (6) If there is a vacancy for any cause, the appointing authority shall make an appointment that becomes immediately effective.

      (7) The commission shall meet at times and places that the chairperson or a majority of the members of the commission specifies.

      (8) The commission may adopt rules necessary to operate the commission.

      (9) The commission shall use the services of permanent staff of the Legislative Fiscal Office to the greatest extent practicable to staff the commission. The State Chief Information Officer may provide additional assistance.

      (10) Notwithstanding ORS 171.072, members of the commission who are members of the Legislative Assembly are not entitled to mileage expenses or a per diem and serve as volunteers on the commission.

      (11) Members of the commission who are not members of the Legislative Assembly are not entitled to compensation or reimbursement for expenses and serve as volunteers on the commission.

      (12) All agencies of state government, as defined in ORS 174.111, shall assist the commission in performing the commission’s duties and, to the extent permitted by laws relating to confidentiality, to furnish such information and advice as the members of the commission consider necessary to perform the members’ duties.

      (13) The commission shall report to the Legislative Assembly not later than February 15 of each odd-numbered year. The report must describe:

      (a) Enhancements made to the Oregon transparency website during the previous two calendar years;

      (b) Possible future enhancements to the website, including but not limited to including information that relates to:

      (A) Performance outcomes that measure the success of state agency programs in achieving goals;

      (B) State agency bond debt;

      (C) State agency expenses for capital improvements;

      (D) Numbers and descriptions of jobs created through state agency contracts and subcontracts;

      (E) Lists of businesses and individuals that receive tax credits, deductions, refunds, rebates and other subsidies from a state agency;

      (F) Lists of the names of contractors that received a contract from a state agency, including the number of contracts and compensation the contractors received; and

      (G) Lists of the number of contracts that each state agency entered into during a biennium and the amount of moneys each state agency spent on the contracts; and

      (c) The feasibility of including an interactive application where citizens can simulate balancing a biennial budget for the state.

      (14) The term of office of each member is four years, but a member serves at the pleasure of the appointing authority. Before a member’s term expires, the appointing authority shall appoint a successor whose term begins on January 1 next following. A member is eligible for reappointment. If there is a vacancy for any cause, the appointing authority shall make an appointment that becomes immediately effective for the unexpired term. [Formerly 184.486]

 

      276A.262 Transparency Oregon Advisory Commission Fund. (1) The Transparency Oregon Advisory Commission may accept contributions of moneys and assistance from the United States Government or its agencies or from any other source, public or private, and agree to conditions placed on the moneys not inconsistent with the duties of the commission.

      (2) There is established in the State Treasury, separate and distinct from the General Fund, the Transparency Oregon Advisory Commission Fund. The fund consists of moneys received by the commission under this section and such other moneys as may otherwise be made available by law. Interest earned on the fund shall be credited to the fund. Moneys in the fund are continuously appropriated to the commission and may be used only for the performance of the functions of the commission. [Formerly 184.488]

 

(Electronic Government Portal)

 

      276A.270 Definitions. As used in this section and ORS 276A.273 and 276A.276:

      (1) “Electronic government portal” means an electronic information delivery system accessible by means of the Internet that a state agency designates officially as a means by which the state agency delivers information, products or services.

      (2) “Electronic government portal provider” means a person that on behalf of a state agency provides facilities, goods or services necessary to develop, host, operate, maintain or otherwise implement an electronic government portal or provides facilities, goods or services that assist a state agency in designing, developing, hosting, operating, maintaining or otherwise implementing an electronic government portal.

      (3) “Portal provider fee” means a fee for using an electronic government portal or governmental services available by means of an electronic government portal that the State Chief Information Officer charges, or authorizes an electronic government portal provider to charge, under ORS 276A.276 (3).

      (4) “State agency” means the executive department, as defined in ORS 174.112. [Formerly 182.126]

 

      276A.273 Electronic Government Portal Advisory Board. (1) There is created the Electronic Government Portal Advisory Board consisting of 13 members appointed as follows:

      (a) The President of the Senate shall appoint two nonvoting members from among members of the Senate.

      (b) The Speaker of the House of Representatives shall appoint two nonvoting members from among members of the House of Representatives.

      (c) The Governor shall appoint:

      (A) Three members who represent state agencies;

      (B) Two members who represent the public; and

      (C) One member who attends a school, community college or university in this state.

      (d) The State Chief Information Officer shall appoint two members as follows:

      (A) A representative of the State Chief Information Officer; and

      (B) A representative of the Oregon Department of Administrative Services.

      (e) The State Treasurer shall appoint one member who represents the State Treasurer.

      (2) Members of the Legislative Assembly who are members of the advisory board are nonvoting members and may act only in an advisory capacity.

      (3) The advisory board shall:

      (a) Advise the State Chief Information Officer and the Oregon Department of Administrative Services concerning:

      (A) The development of electronic government portals for the State Chief Information Officer, the department and other state agencies;

      (B) The amount, collection methods or other aspects of a portal provider fee that the State Chief Information Officer or an electronic government portal provider collects;

      (C) The priority of new governmental service applications that may be provided by means of an electronic government portal;

      (D) Terms and conditions of contracts between state agencies and electronic government portal providers; and

      (E) Rules necessary to implement electronic government portals.

      (b) Monitor the layout, content and usability of electronic government portals and advise the State Chief Information Officer and the department on ways to improve the delivery of government services by means of electronic government portals, the accountability of state agencies’ use of electronic government portals to provide government services and user satisfaction with electronic government portals.

      (c) Study, propose, develop or coordinate activities that:

      (A) Consider the needs of residents of this state;

      (B) Evaluate the performance and transparency of state agency delivery of government services; and

      (C) Further the effectiveness of and user satisfaction with:

      (i) Electronic government portals; and

      (ii) State agencies’ performance and accountability in using electronic government portals to provide government services.

      (4) A majority of the voting members of the advisory board constitutes a quorum for transacting business.

      (5) A majority of the voting members of the advisory board must approve official action by the advisory board.

      (6) The advisory board shall elect one of the members of the advisory board to serve as chairperson.

      (7) If a vacancy on the advisory board occurs for any cause, the appointing authority shall make an appointment that becomes immediately effective.

      (8) The advisory board shall meet at times and places that the chairperson or a majority of the voting members of the advisory board specifies.

      (9) The advisory board may adopt rules necessary to operate the advisory board.

      (10) The Oregon Department of Administrative Services shall provide staff support to the advisory board.

      (11) Members of the advisory board who are not members of the Legislative Assembly may not receive compensation, but may be reimbursed for actual and necessary travel and other expenses the members incur in the performance of the members’ official duties in the manner and amounts provided for in ORS 292.495. Claims for expenses the members incur in performing functions of the advisory board shall be paid out of funds appropriated to the Oregon Department of Administrative Services for purposes of the advisory board.

      (12) All state agencies shall assist the advisory board in the advisory board’s performance of the advisory board’s duties and, to the extent permitted by laws relating to confidentiality, to furnish information and advice as the members of the advisory board consider necessary to perform the duties of the advisory board. [Formerly 182.128]

 

      276A.276 Ability to offer government services through portal; portal provider fee. (1) The State Chief Information Officer, with the advice of the Electronic Government Portal Advisory Board, shall provide the ability for state agencies to offer government services by means of an electronic government portal. The electronic government portal must be secure and must comply with the information security rules, policies and standards that the State Chief Information Officer adopts under ORS 276A.300 and meet the usability standards developed in cooperation with the advisory board.

      (2) For the purposes of subsection (1) of this section, the State Chief Information Officer, under the provisions of the Public Contracting Code, may contract with an electronic government portal provider in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards.

      (3)(a) The State Chief Information Officer may charge members of the public a portal provider fee, or may authorize an electronic government portal provider to charge a portal provider fee, for an electronic government service if the advisory board recommends that the State Chief Information Officer charge or authorize a portal provider fee for the electronic government service. The portal provider fee must reflect the costs incurred in hosting, operating, maintaining or implementing the electronic government portal.

      (b) The State Chief Information Officer shall cooperate with the advisory board to identify the electronic government portals or governmental services to which the portal provider fee applies.

      (4) The State Chief Information Officer may adopt rules to implement the provisions of this section.

      (5) Not later than the beginning of each odd-numbered year regular legislative session, the State Chief Information Officer shall prepare and submit to the Legislative Assembly a report in the manner provided in ORS 192.245 that summarizes the State Chief Information Officer’s activities under the provisions of this section. [Formerly 182.132]

 

INFORMATION SECURITY

 

      276A.300 Information systems security in executive department; rules. (1) As used in this section:

      (a) “Executive department” has the meaning given that term in ORS 174.112.

      (b) “Information systems” means computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

      (2) The State Chief Information Officer has responsibility for and authority over information systems security in the executive department, including responsibility for taking all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall, after consultation and collaborative development with agencies, establish a state information systems security plan and associated standards, policies and procedures. The plan must align with and support the Enterprise Information Resources Management Strategy described in ORS 276A.203.

      (3) The State Chief Information Officer may coordinate with the Oregon Department of Administrative Services to:

      (a) Review and verify the security of information systems operated by or on behalf of state agencies;

      (b) Monitor state network traffic to identify and react to security threats; and

      (c) Conduct vulnerability assessments of state agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems.

      (4) The State Chief Information Officer shall contract with qualified, independent consultants for the purpose of conducting vulnerability assessments under subsection (3) of this section.

      (5) In collaboration with appropriate agencies, the State Chief Information Officer shall develop and implement policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. In the policies, the State Chief Information Officer shall prescribe actions reasonably necessary to:

      (a) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

      (b) Promptly alert other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

      (c) Implement forensic techniques and controls developed under subsection (6) of this section;

      (d) Evaluate the event for the purpose of possible improvements to the security of information systems; and

      (e) Communicate and share information with appropriate agencies, using preexisting incident response capabilities.

      (6) After consultation and collaborative development with appropriate agencies and the Oregon Department of Administrative Services, the State Chief Information Officer shall implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. The techniques and controls must include using specialized expertise, tools and methodologies to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall consult with the Oregon State Police, the Office of Emergency Management, the Governor and others as necessary in developing forensic techniques and controls under this section.

      (7) The State Chief Information Officer shall ensure that reasonably appropriate remedial actions are undertaken when the State Chief Information Officer finds that such actions are reasonably necessary by reason of vulnerability assessments of information systems under subsection (3) of this section, evaluation of events under subsection (5) of this section and other evaluations and audits.

      (8)(a) State agencies are responsible for securing computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information outside the state’s shared computing and network infrastructure, following information security standards, policies and procedures established by the State Chief Information Officer and developed collaboratively with the agencies. Agencies may establish plans, standards and measures that are more stringent than the standards established by the State Chief Information Officer to address specific agency needs if the plans, standards and measures do not contradict or contravene the state information systems security plan. Independent agency security plans must be developed within the framework of the state information systems security plan.

      (b) A state agency shall report the results of any vulnerability assessment, evaluation or audit conducted by the agency to the State Chief Information Officer for the purposes of consolidating statewide security reporting and, when appropriate, to prompt a state incident response.

      (9) This section does not apply to:

      (a) Research and student computer systems used by or in conjunction with any public university listed in ORS 352.002; and

      (b)(A) Gaming systems and networks operated by the Oregon State Lottery or contractors of the State Lottery; or

      (B) The results of Oregon State Lottery reviews, evaluations and vulnerability assessments of computer systems outside the state’s shared computing and network infrastructure.

      (10) The State Chief Information Officer shall adopt rules to implement the provisions of this section. [Formerly 182.122]

 

      276A.303 Information systems security for Secretary of State, State Treasurer and Attorney General. (1) Notwithstanding ORS 276A.300, the Secretary of State, the State Treasurer and the Attorney General have sole discretion and authority over information systems security in their respective agencies, including the discretion and authority to take all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems.

      (2) The Secretary of State, the State Treasurer and the Attorney General shall each establish an information systems security plan and associated standards, policies and procedures in collaboration with the State Chief Information Officer as provided in ORS 276A.300.

      (3) The plan established under subsection (2) of this section, at a minimum, must:

      (a) Be compatible with the state information systems security plan and associated standards, policies and procedures established by the State Chief Information Officer under ORS 276A.300 (2);

      (b) Assign responsibility for:

      (A) Reviewing, monitoring and verifying the security of the Secretary of State’s, the State Treasurer’s and the Attorney General’s information systems; and

      (B) Conducting vulnerability assessments of information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems;

      (c) Contain policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether the systems are within, interoperable with or outside the state’s shared computing and network infrastructure;

      (d) Prescribe actions reasonably necessary to:

      (A) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

      (B) Promptly alert the State Chief Information Officer and other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

      (C) Implement forensic techniques and controls developed under paragraph (e) of this subsection;

      (D) Evaluate the event for the purpose of possible improvements to the security of information systems; and

      (E) Communicate and share information with agencies, using preexisting incident response capabilities; and

      (e) Describe and implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure, including the use of specialized expertise, tools and methodologies, to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems.

      (4) The Secretary of State, the State Treasurer and the Attorney General shall participate in the planning process that the State Chief Information Officer conducts under ORS 276A.300 (2).

      (5) If the State Chief Information Officer cannot agree with the Secretary of State, the State Treasurer or the Attorney General on a joint information systems security plan and associated operational standards and policies, the State Chief Information Officer, in collaboration with the Oregon Department of Administrative Services, may take steps reasonably necessary to condition, limit or preclude electronic traffic or other vulnerabilities between information systems for which the Secretary of State, State Treasurer or Attorney General has authority under subsection (1) of this section and the information systems for which the State Chief Information Officer has authority under ORS 276A.300 (2). [Formerly 182.124]

 

      276A.306 Information security incidents and assessments; reports. (1) As used in this section:

      (a) “Information resources” means data and the means for storing, retrieving, connecting or using data, including but not limited to records, files, databases, documents, software, equipment and facilities that a state agency owns or leases.

      (b) “Information security assessment” means:

      (A) An organized method to determine a risk to or a vulnerability of a state agency’s information system or a third party information service to which a state agency subscribes; and

      (B) An independent examination and review of records, logs, policies, activities and practices to:

      (i) Assess whether a state agency’s information system is vulnerable to an information security incident;

      (ii) Ensure compliance with rules, policies, standards and procedures that the State Chief Information Officer or a state agency, under the state agency’s independent authority, adopts or otherwise promulgates; and

      (iii) Recommend necessary changes to a state agency’s rules, policies, standards and procedures to ensure compliance and prevent information security incidents.

      (c) “Information security incident” means an incident that creates a risk of harm to a state agency or the state agency’s operations and in which:

      (A) Access to, or viewing, copying, transmission, theft or usage of, a state agency’s sensitive, protected or confidential information occurs without authorization from the state agency;

      (B) A failure of compliance with a state agency’s security or acceptable use policies or practices occurs that results in access to a state agency’s information system or information resources for viewing, copying, transmission, theft or use without the state agency’s authorization; or

      (C) A state agency’s information system or information resources or a third party information service to which a state agency subscribes becomes unavailable in a reliable and timely manner to authorized individuals or organizations, or is modified or deleted under circumstances that the state agency does not intend, plan or initiate.

      (d)(A) “Information system” means a system of computers and related hardware, software, storage media and networks and any other means by which a state agency collects, uses or manages the state agency’s information resources.

      (B) “Information system” does not include a third party information service to which a state agency subscribes if the third party information service incorporates or uses hardware, software, storage media and networks that the state agency does not own or lease or that the state agency does not have the legal authority to directly monitor or control.

      (e) “State agency” means an officer, board, commission, department, agency or institute of state government, as defined in ORS 174.111, except:

      (A) Public universities listed in ORS 352.002; and

      (B) The Oregon State Lottery and entities with which the Oregon State Lottery has a contract or agreement with respect to the Oregon State Lottery’s gaming systems or networks.

      (2) A state agency shall promptly notify the Legislative Fiscal Office of an information security incident and describe the actions the state agency has taken or must reasonably take to prevent, mitigate or recover from damage to, unauthorized access to, unauthorized modifications or deletions of or other impairments of the integrity of the state agency’s information system or information resources.

      (3) Each state agency shall periodically conduct or contract for an information security assessment of the state agency’s information system and information resources and shall request results from a third party’s information security assessment of an information service that the third party provides and to which the state agency subscribes. Each state agency shall notify the Legislative Fiscal Office of the information security assessment after the state agency receives the results of the information security assessment.

      (4)(a) The State Chief Information Officer, the Secretary of State, the State Treasurer, the Attorney General, the State Court Administrator and the Legislative Administrator shall each submit to, and present in an appropriate hearing or other proceeding before, the Joint Legislative Committee on Information Management and Technology an annual report concerning the security of the information systems and information resources over which the State Chief Information Officer, the Secretary of State, the State Treasurer, the Attorney General, the State Court Administrator or the Legislative Administrator has direct or supervisory control.

      (b) The annual report described in paragraph (a) of this subsection may not include information security information or other materials that are exempt from disclosure under ORS 192.311 to 192.478.

      (5)(a) The Legislative Fiscal Office shall use the notifications the office receives under subsections (2) and (3) of this section, and any other information about an information security assessment or an information security incident that a state agency provides to the office, via a method and at a level of detail to which the state agency and the office agree, solely for the purpose of providing support and assistance to the Joint Legislative Committee on Information Management and Technology, the Joint Committee on Ways and Means and the Joint Legislative Audit Committee.

      (b)(A) Except as provided in subparagraph (B) of this paragraph, the Legislative Fiscal Officer or an employee of the Legislative Fiscal Office may not disclose to any other person the nature or contents of the notifications that the office receives under subsections (2) and (3) of this section or any other information described in paragraph (a) of this subsection to the extent that the notifications or the information are exempt from disclosure under ORS 192.311 to 192.478.

      (B) The Legislative Fiscal Officer or an employee of the Legislative Fiscal Office may disclose the nature or contents of the notifications or information described in subparagraph (A) of this paragraph if the officer or employee obtains the written consent of:

      (i) The State Chief Information Officer, with respect to notifications and information that a state agency within the executive department, as defined in ORS 174.112, provided;

      (ii) The Secretary of State, with respect to notifications and information that the office of the Secretary of State provided;

      (iii) The State Treasurer, with respect to notifications and information that the office of the State Treasurer provided;

      (iv) The Attorney General, with respect to notifications and information that the Department of Justice provided;

      (v) The State Court Administrator, with respect to notifications and information that a court or a state agency within the judicial department, as defined in ORS 174.113, provided; or

      (vi) The Legislative Administrator, with respect to notifications and information that a state agency within the legislative department, as defined in ORS 174.114, provided. [2016 c.110 §1]

 

      276A.323 State agency coordination. (1) As used in this section:

      (a) “Executive department” has the meaning given that term in ORS 174.112, except that “executive department” does not include:

      (A) The Secretary of State.

      (B) The State Treasurer.

      (C) The Attorney General.

      (D) The Oregon State Lottery.

      (E) Public universities listed in ORS 352.002.

      (b) “State agency” means an agency, as defined in ORS 183.310, in the executive department.

      (2) All state agencies shall:

      (a) Cooperate with the office of the State Chief Information Officer in the implementation of a continuing statewide agency-by-agency risk-based information technology security assessment and remediation program.

      (b) Cooperate in the development of, and follow, the plans, rules, policies and standards adopted by the State Chief Information Officer with regard to the unification of agency information technology security functions in this state.

      (c) Conduct and document the completion of annual information technology security awareness training for all agency employees.

      (d) Report security metrics using methodologies developed by the office of the State Chief Information Officer.

      (e) Participate in activities coordinated by the office of the State Chief Information Officer in order to better understand and address security incidents and critical cybersecurity threats to the state.

      (3) The State Chief Information Officer shall determine and allocate the costs to state agencies associated with providing information technology services, third-party security evaluations, vulnerability assessments and remediation measures. State agencies shall pay the costs to the State Chief Information Officer in the same manner as the state agency pays other claims. The State Chief Information Officer shall deposit into the State Information Technology Operating Fund established under ORS 276A.209 all moneys that the State Chief Information Officer receives from state agencies for purposes of providing information technology services and administering and enforcing the duties, functions and powers under this section. [2017 c.513 §2]

 

      276A.326 Oregon Cybersecurity Advisory Council. (1) The Oregon Cybersecurity Advisory Council is established within the office of the State Chief Information Officer. The council consists of nine voting members appointed by the State Chief Information Officer in consultation with the Governor. A majority of the council’s voting members must be representatives of cyber-related industries in Oregon. The voting members of the council must include at least one representative of post-secondary institutions of education and one representative of public law enforcement agencies in Oregon.

      (2) The State Chief Information Officer may appoint nonvoting members to the council from:

      (a) The Department of Justice;

      (b) The office of the Secretary of State;

      (c) The Office of Emergency Management;

      (d) The Department of Consumer and Business Services;

      (e) The Higher Education Coordinating Commission;

      (f) The State Workforce and Talent Development Board;

      (g) The Employment Department;

      (h) The Oregon Business Development Department; or

      (i) Any local, county, state, regional, tribal or federal government partner.

      (3) The State Chief Information Officer shall provide administrative and staff support and facilities as necessary for the council to carry out the purposes set forth in this section.

      (4) The purposes of the council are to:

      (a) Serve as the statewide advisory body to the State Chief Information Officer on cybersecurity.

      (b) Provide a statewide forum for discussing and resolving cybersecurity issues.

      (c) Provide information and recommend best practices concerning cybersecurity and resilience measures to public and private entities.

      (d) Coordinate cybersecurity information sharing and promote shared and real-time situational awareness between the public and private sectors in this state.

      (e) Encourage the development of the cybersecurity workforce through measures including, but not limited to, competitions aimed at building workforce skills, disseminating best practices, facilitating cybersecurity research and encouraging industry investment and partnership with post-secondary institutions of education and other career readiness programs.

      (5) The council may adopt rules necessary for the operation of the council.

      (6)(a) A majority of the voting members of the council constitutes a quorum for the transaction of business.

      (b) Official action by the council requires the approval of a majority of the voting members of the council.

      (7) The State Chief Information Officer shall appoint one member of the council to serve as chairperson and one member of the council to serve as vice chairperson.

      (8)(a) The term of office of each voting member of the council is four years, but a member serves at the pleasure of the State Chief Information Officer.

      (b) Before the expiration of the term of a voting member, the State Chief Information Officer, in consultation with the Governor, shall appoint a successor whose term begins on July 1 following the appointment. A voting member is eligible for reappointment.

      (c) A nonvoting member’s term of office is two years. A nonvoting member is eligible for reappointment.

      (d) If there is a vacancy for any cause, the State Chief Information Officer, in consultation with the Governor, shall make an appointment to become immediately effective for the unexpired term.

      (9) The council shall meet at times and places specified by the call of the chairperson or a majority of the voting members of the council.

      (10) Members of the council who are not members of the Legislative Assembly are not entitled to compensation, but the State Chief Information Officer may reimburse a member of the council for actual and necessary travel and other expenses incurred in performing the member’s official duties, in the manner and amounts provided for in ORS 292.495, from funds appropriated to the State Chief Information Officer for purposes of the council.

      (11) All agencies of state government, as defined in ORS 174.111, are directed to assist the council in the performance of the council’s duties and, to the extent permitted by laws relating to confidentiality, shall furnish information and advice the council considers necessary to perform the council’s duties. [2017 c.513 §3]

 

      276A.329 Oregon Cybersecurity Center of Excellence. The State Chief Information Officer shall develop a plan for the establishment of an Oregon Cybersecurity Center of Excellence. The State Chief Information Officer shall submit the plan to an appropriate committee or interim committee of the Legislative Assembly no later than January 1, 2019. The plan must identify any grants, donations, gifts or other form of conveyance of land, money, real or personal property or other valuable thing made to the state from any source that is expected to support the establishment and continued operation of the center. The plan must also include a description of the actions, timelines, budget and positions or contractor resources required for the center to:

      (1) Coordinate information sharing related to cybersecurity risks, warnings and incidents.

      (2) Provide support regarding cybersecurity incident response and cybercrime investigations.

      (3) Serve as an Information Sharing and Analysis Organization pursuant to 6 U.S.C. 133 et seq., and as a liaison with the National Cybersecurity and Communications Integration Center within the United States Department of Homeland Security, other federal agencies and other public and private sector entities on issues relating to cybersecurity.

      (4) Identify and participate in appropriate federal, multistate or private sector programs and efforts that support or complement the center’s cybersecurity mission.

      (5) Receive and appropriately disseminate relevant cybersecurity threat information from appropriate sources, including the federal government, law enforcement agencies, public utilities and private industry.

      (6) Draft and biennially update an Oregon Cybersecurity Strategy and a Cyber Disruption Response Plan to be submitted to the Governor and an appropriate committee or interim committee of the Legislative Assembly. The plan must:

      (a) Detail the steps that the state should take to increase the resiliency of its operations in preparation for, and during the response to, a cyber disruption event;

      (b) Address high-risk cybersecurity for the state’s critical infrastructure, including a review of information security technologies currently in place to determine if current policies are sufficient to prevent the compromise or unauthorized disclosure of critical or sensitive government information inside and outside the firewall of state agencies, and develop plans to better identify, protect from, detect, respond to and recover from significant cyber threats;

      (c) Establish a process to regularly conduct risk-based assessments of the cybersecurity risk profile, including infrastructure and activities within this state;

      (d) Provide recommendations related to securing networks, systems and data, including interoperability, standardized plans and procedures, evolving threats and best practices to prevent the unauthorized access, theft, alteration or destruction of data held by the state;

      (e) Include the recommended content and timelines for conducting cybersecurity awareness training for state agencies and the dissemination of educational materials to the public and private sectors in this state through the center;

      (f) Identify opportunities to educate the public on ways to prevent cybersecurity attacks and protect the public’s personal information;

      (g) Include strategies for collaboration with the private sector and educational institutions through the center and other venues to identify and implement cybersecurity best practices; and

      (h) Establish data breach reporting and notification requirements in coordination with the Department of Consumer and Business Services. [2017 c.513 §4]

 

      276A.332 Authority of State Chief Information Officer to enter into agreements. Notwithstanding any other provision of law, the State Chief Information Officer may:

      (1) Enter into any agreement, or any configuration of agreements, relating to state cybersecurity with any private entity or unit of government, or with any configuration of private entities and units of government. The subject of agreements entered into under this section may include, but need not be limited to, cybersecurity training and awareness, information technology security assessments and vulnerability testing, cyber disruption and incident response, risk-based remediation measures and application life cycle maintenance.

      (2) Include in any agreement entered into under this section any financing mechanisms, including but not limited to the imposition and collection of franchise fees or user fees and the development or use of other revenue sources. [2017 c.513 §5]

 

      276A.335 Moneys from federal government and other sources. (1) The office of the State Chief Information Officer may accept from the United States Government or any of its agencies any funds that are made available to the state for carrying out the purposes of ORS 276A.323 to 276A.335, regardless of whether the funds are made available by grant, loan or other financing arrangement. Under the authority granted by ORS chapter 190, the office of the State Chief Information Officer may enter into agreements and other arrangements with the United States Government or any of its agencies as may be necessary, proper and convenient for carrying out the purposes of ORS 276A.323 to 276A.335.

      (2) The office of the State Chief Information Officer may accept from any source any grant, donation, gift or other form of conveyance of land, money, real or personal property or other valuable thing made to the state or the office of the State Chief Information Officer for carrying out the purposes of ORS 276A.323 to 276A.335.

      (3) Any cybersecurity initiative, consistent with the purposes of ORS 276A.323 to 276A.335, may be financed in whole or in part by contributions of any funds or property made by any private entity or unit of government that is a party to any agreement entered into under the authority of the office of the State Chief Information Officer.

      (4) The State Chief Information Officer shall deposit into the State Information Technology Operating Fund established under ORS 276A.209 all moneys received under this section. [2017 c.513 §6]

 

OPEN DATA STANDARD

 

      276A.350 Definitions. As used in ORS 276A.350 to 276A.371:

      (1)(a) “Data” means final versions of statistical or factual information, including statistical or factual data about image files, that:

      (A) Is in alphanumeric form reflected in a list, table, graph, chart or other nonnarrative form that can be digitally transmitted or processed;

      (B) Is controlled by and regularly created or maintained by, or on behalf of, a state agency; and

      (C) Records a measurement, transaction or determination related to the mission of the agency.

      (b) “Data” does not include image files, including but not limited to designs, drawings, photos and scanned copies of original documents.

      (2) “Dataset” means a named collection of related records, maintained on a storage device, that contains data organized, formatted or structured in a specific or prescribed way.

      (3) “Mosaic effect” means a situation in which information in an individual dataset, in isolation, may not pose a risk of identifying an individual, but when combined with other available information could pose such a risk.

      (4)(a) “Publishable data” means all data and datasets collected by a state agency.

      (b) “Publishable data” does not include:

      (A) Data to which a state agency may deny access pursuant to any provision of a federal, state or local law, rule or regulation, or another applicable policy or restriction.

      (B) Data that contain a significant amount of information to which a state agency may deny access pursuant to any provision of a federal, state or local law, rule or regulation.

      (C) Data that reflect the internal deliberative process of a state agency, including but not limited to negotiating positions, future procurements or pending or reasonably anticipated legal or administrative proceedings.

      (D) Data stored on a personal computing device owned by a state agency, or data stored on a portion of a network that has been exclusively assigned to a single agency employee or to a single computing device owned or controlled by a state agency.

      (E) Materials subject to copyright, patent, trademark, confidentiality agreements or trade secret protection.

      (F) Materials that have commercial value or the disclosure of which could reduce a state agency’s competitive advantage.

      (G) Proprietary applications, computer code, software, operating systems and similar materials.

      (H) Employment records, internal employee directories or lists, facilities data, information technology and other data related to internal state agency administration.

      (I) Any other data the publication of which is prohibited by law.

      (5) “State agency” means the executive department, as defined in ORS 174.112, except that “state agency” does not include the Secretary of State or the State Treasurer. [2017 c.720 §1]

 

      276A.353 Chief Data Officer; duties; rules. (1) The State Chief Information Officer shall appoint a Chief Data Officer.

      (2) The Chief Data Officer shall:

      (a) Maintain a central web portal for the publication of publishable data under ORS 276A.362.

      (b) Establish the open data standard as provided in ORS 276A.356.

      (c) Prepare and publish the technical standards manual as provided in ORS 276A.359.

      (d) Create an enterprise data inventory that accounts for all datasets used within agency information systems and that indicates whether each dataset may be made publicly available and if the dataset is currently available to the public. The enterprise data inventory is a public record.

      (e) Provide information protection and privacy guidance for state agencies.

      (f) Establish an enterprise data and information strategy.

      (g) Identify ways to use and share existing data for business intelligence and predictive analytic opportunities.

      (h) Identify strategies to combine internal and external data sources.

      (i) Establish statewide data governance and policy area data governance and provide guidance for agencies about data governance efforts.

      (j) Oversee the delivery of education and standards to state agencies regarding data quality, master data management and data life cycle management.

      (k) Form an advisory group to assist the Chief Data Officer in carrying out the duties described in this section and in establishing an enterprise memorandum of understanding for interagency data sharing.

      (L) Submit a biennial report to a committee or interim committee of the Legislative Assembly related to information management and technology on:

      (A) The status of agency posting of publishable data; and

      (B) The status of data sharing within and between agencies, enabling cross-agency analysis to provide information for public purposes, including but not limited to program design and budgeting decisions.

      (3) The Chief Data Officer may establish and maintain an online forum to solicit feedback from the public and to encourage discussion on the open data standard and publishable data available on the web portal.

      (4) The State Chief Information Officer may adopt rules necessary to implement ORS 276A.350 to 276A.371. [2017 c.720 §2]

 

      276A.356 Open data standard. (1) The Chief Data Officer appointed under ORS 276A.353 shall establish an open data standard for state agencies publishing publishable data on the web portal maintained under ORS 276A.353. A local or tribal government may adopt the standard. The standard must include:

      (a) A format that permits public notification of updates whenever possible.

      (b) Requirements to update publishable data as often as is necessary to preserve the integrity and usefulness of publishable data.

      (c) The availability of publishable data without registration or license requirements or restrictions on the use of publishable data. As used in this paragraph, “registration or license requirements or restrictions on the use of publishable data” does not include measures designed or required to ensure access to publishable data, to protect the web portal from abuse or attempts to damage or impair the use of the web portal, or to analyze the types of publishable data being accessed to improve service delivery.

      (d) The ability to electronically search publishable data using external information technology.

      (2) In establishing the open data standard, the Chief Data Officer shall consult with subject matter experts from state agencies, organizations specializing in technology and innovation, the academic community and other interested groups designated by the Chief Data Officer. Whenever feasible, the Chief Data Officer shall consult with these entities in the development of technical and open standards.

      (3) The Chief Data Officer may adopt rules to implement the open data standard. [2017 c.720 §3]

 

      276A.359 Technical standards manual. (1) The Chief Data Officer appointed under ORS 276A.353 shall prepare and publish a technical standards manual for publishing data through the web portal maintained under ORS 276A.353. The manual must:

      (a) Enable state agencies to make publishable data available to the greatest number of users and for the greatest number of applications and emphasize that state agencies must, whenever practicable, use open data standards for web publishing in a machine-readable format.

      (b) Identify the policy for each technical standard and specify which types of data the standard applies to, and may recommend or require that publishable data be published in more than one technical standard.

      (c) Include a plan to adopt or utilize a web application programming interface that permits application programs to request and receive publishable data directly from the web portal.

      (2) The Chief Data Officer shall update the manual as necessary. [2017 c.720 §4]

 

      Note: Section 10, chapter 720, Oregon Laws 2017, provides:

      Sec. 10. The Chief Data Officer shall first publish the manual described in section 4 of this 2017 Act [276A.359] on or before November 5, 2018. [2017 c.720 §10]

 

      276A.362 Release of publishable data on web portal; exemptions; rules. (1) A state agency that releases publishable data shall release the data on the web portal maintained under ORS 276A.353 in accordance with the open data standard and technical standards manual established by the Chief Data Officer under ORS 276A.356 and 276A.359. If a state agency cannot make all publishable data available on the web portal, the state agency shall report to the Chief Data Officer all publishable data that the agency is unable to make available and state the reasons why the agency is unable to make the data available and the date by which the agency expects the publishable data to be made available on the portal.

      (2) The State Chief Information Officer shall adopt rules allowing a state agency to request an exemption from the requirements of subsection (1) of this section when:

      (a) The release of publishable data would subject the agency’s information systems to a substantial risk of cyberattack; or

      (b) The state agency is purchasing software or vendor services and industry practices do not support downstream processing and dissemination activities. [2017 c.720 §5]

 

      Note: 276A.362 becomes operative May 1, 2019. See section 12, chapter 720, Oregon Laws 2017.

 

      276A.365 Information management by state agencies. (1) A state agency shall manage information as a strategic asset throughout the information’s life cycle. To improve the management of information resources and reinforce the state’s presumption of openness, an agency shall:

      (a) Collect or create information in a way that supports downstream processing and dissemination activities, including:

      (A) Using machine-readable and open formats;

      (B) Using data standards approved by the Chief Data Officer in the collection and creation of information in order to promote data interoperability and openness;

      (C) Ensuring information stewardship through the use of open licenses; and

      (D) Using common core and extensible metadata.

      (b) Build information systems to support interoperability and information accessibility.

      (c) Strengthen data management and release practices to ensure agency data assets are managed and maintained throughout the assets’ life cycle by:

      (A) Adopting effective data asset portfolio management approaches.

      (B) Creating and maintaining an inventory of agency information resources to be included in the enterprise data inventory.

      (C) Creating and maintaining a public data listing, including datasets that can be made publicly available but that have not yet been released.

      (D) Establishing a process to engage with customers and the public to help facilitate and prioritize data release.

      (E) Clarifying roles and responsibilities for promoting efficient and effective data release practices.

      (d) Strengthen measures to ensure that privacy and confidentiality are fully protected and that data are properly secured.

      (e) Account for the mosaic effect of data aggregation.

      (f) Incorporate new interoperability and openness requirements into core agency processes.

      (2) A state agency shall integrate the following minimum requirements into the project planning documentation and technical design for all new information systems and systems preparing for modernization, as appropriate:

      (a) System designs must be scalable and flexible and must facilitate the extraction of data in multiple formats, using standards and specifications in the system design that promote industry best practices for data sharing, and separation of data from the application layer to maximize data reuse opportunities;

      (b) All data outputs of the associated system must meet the requirements described in paragraph (a) of this subsection; and

      (c) Data schemata and dictionaries must be documented and shared with internal partners and the State Chief Information Officer.

      (3)(a) A state agency’s use of proprietary software may not diminish the ability of the public to inspect and copy a public record.

      (b) A state agency may not enter into a contract for the creation of a public records database that impairs the ability of the public to inspect or copy the public records of the state agency, including but not limited to the documentation described in subsection (2)(c) of this section. [2017 c.720 §6]

 

      Note: 276A.365 becomes operative May 1, 2019. See section 12, chapter 720, Oregon Laws 2017.

 

      Note: Section 13, chapter 720, Oregon Laws 2017, provides:

      Sec. 13. Section 6 (3)(b) of this 2017 Act [276A.365 (3)(b)] applies to contracts entered into on or after the effective date of this 2017 Act [January 1, 2018]. [2017 c.720 §13]

 

      276A.368 Purpose of data; limitation of liability; publishable data in public domain. (1) Publishable data available on the web portal maintained under ORS 276A.353 is provided for informational purposes only. The state does not warrant the completeness, accuracy, content or fitness for any particular purpose or use of publishable data made available on the web portal. No warranties may be implied or inferred with respect to the publishable data made available on the web portal.

      (2) The state is not liable for any deficiencies in the completeness, accuracy, content or fitness for any particular purpose or use of publishable data made available on the web portal or by any third-party application utilizing publishable data.

      (3) All publishable data is in the public domain for purposes of applicable copyright laws.

      (4) The Chief Data Officer shall post the text of subsections (1) to (3) of this section on the web portal home page. [2017 c.720 §7]

 

      276A.371 Obligations of state agency under public records law. ORS 276A.350 to 276A.371 do not supersede any obligation imposed on a state agency by ORS 192.311 to 192.478. [2017 c.720 §8]

 

      276A.374 Application to Secretary of State and State Treasurer; rules. The Secretary of State and the State Treasurer shall by rule adopt for each respective office requirements related to data that are the same as, or are similar to, the requirements established by ORS 276A.350 to 276A.371 and by rules adopted by the State Chief Information Officer or the Chief Data Officer under ORS 276A.350 to 276A.371. [2017 c.720 §9]

 

TELECOMMUNICATIONS

 

      276A.400 Policy. The Legislative Assembly declares it to be the policy of the State of Oregon:

      (1) To use information technology in education, health care, economic development and government services to improve economic opportunities and quality of life for all Oregonians regardless of location or income.

      (2) To stimulate demand to encourage and enable long-term infrastructure innovation and improvement.

      (3) That telecommunications planning process shall:

      (a) Organize users in new ways to aggregate demand, reduce costs and create support networks;

      (b) Encourage collaboration between communities of interest by geographic area and economic sector; and

      (c) Encourage competition among technology and service providers. [Formerly 283.500]

 

      276A.403 Coordination of telecommunications systems.

(1) The State Chief Information Officer shall coordinate, in a manner that is consistent with plans, standards, policies, goals, directives and rules that the State Chief Information Officer sets, specifies or adopts, the consolidation and operation of all telecommunications systems, including emergency telecommunications systems, that the state and state agencies use. Notwithstanding any other provision of law, an agent or agency of the state may not construct, purchase or otherwise gain access to a telecommunications system without the prior approval of the State Chief Information Officer.

      (2) The provisions of this section do not require emergency service providers, as defined by the State Chief Information Officer, to consolidate telecommunications systems that emergency service providers use into nonemergency networks. [Formerly 283.505]

 

      276A.406 Acquisition of advanced digital communications network. (1) As used in this section:

      (a) “Advanced digital communications” means equipment, facilities and capability to distribute digital communications signals for transmitting voice, data, image and video over distance.

      (b) “Telecommunications provider” means any person that is capable of providing advanced digital communications including, but not limited to, a telecommunications utility as defined in ORS 759.005, a competitive telecommunications provider as defined in ORS 759.005, a cable television provider or an interstate telecommunications provider.

      (2) Notwithstanding ORS chapters 279A, 279B and 279C, the State Chief Information Officer may provide advanced digital communications services directly, may enter into an interagency or intergovernmental agreement under ORS chapter 190 to have another state agency or governmental agency provide advanced digital communications services or may acquire advanced digital communications services by entering into contracts with telecommunications providers or a consortium of telecommunications providers in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards.

      (3) After a telecommunications provider or a consortium of telecommunications providers has installed an advanced digital communications network, the State Chief Information Officer shall provide all telecommunications services and operations for the state and state agencies directly, or shall enter into interagency or intergovernmental agreements under ORS chapter 190 to have another state agency or another governmental agency provide the telecommunications services and operations in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards. The State Chief Information Officer may not approve the procurement of any telecommunications system or equipment that is incompatible with the network or that is inconsistent with the State Chief Information Officer’s rules, policies and standards. [Formerly 283.510]

 

      276A.409 Use of agency travel and transportation funds for telecommunications services. The State Chief Information Officer annually shall review each state agency’s budget, in conjunction with the state agency, to identify funds that the state agency uses for travel and transportation that the state agency could instead use for telecommunications. If the State Chief Information Officer determines that a state agency could use a portion of the state agency’s travel and transportation funds more effectively by instead using telecommunications, without diminishing the affected agency’s existing internal and external communications, the State Chief Information Officer shall recommend to the Emergency Board as described in ORS 291.326 action that the State Chief Information Officer determines is necessary to dedicate the identified state agency travel and transportation funds for use in telecommunications. The State Chief Information Officer shall make the recommendations to the Emergency Board not later than January 1. [Formerly 283.515]

 

      276A.412 Contracts for telecommunications equipment and services not to exceed 10 years; contract benefits for designated communities of interest. (1) For the purposes of ORS 276A.400 to 276A.412, the State Chief Information Officer may, in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards, enter into a contract or contracts with telecommunications service providers and equipment manufacturers for purchasing, using or operating telecommunications equipment and services for a period not to exceed 10 years.

      (2) For purposes of ORS 276A.206, the State Chief Information Officer may extend the benefits of telecommunications contracts for networks, equipment and services to nonprofit organizations that the State Chief Information Officer designates as communities of interest under ORS 276A.206. [Formerly 283.520]

 

      276A.415 Agreements to fund or acquire telecommunications equipment and services. The State Chief Information Officer may, in a manner that is consistent with the State Chief Information Officer’s rules, policies and standards, enter into an agreement or agreements to fund or otherwise acquire telecommunications equipment and services by installment purchase or lease purchase contracts. [Formerly 283.524]

 

OREGON GEOGRAPHIC INFORMATION COUNCIL

 

      276A.500 Definitions. As used in ORS 276A.500 to 276A.515:

      (1) “Critical infrastructure information” means information about infrastructure that is so vital to this state or the United States that the incapacity or destruction of the infrastructure would detrimentally affect the personal and economic security, health or safety of residents of this state, including information about the security of items listed in ORS 192.355 (33).

      (2) “Custodian” has the meaning given that term in ORS 192.311 (2)(b).

      (3) “Geographic information” means geographic data as that term is defined in ORS 276A.203 (4)(b).

      (4) “Geographic information system” has the meaning given that term in ORS 276A.203 (4)(b).

      (5) “Geospatial framework data” means geographic information that a public body, under applicable provisions of law or on the basis of scientific methodology, technical standards or technical expertise, creates, generates, provides or aggregates and that the Oregon Geographic Information Council, in consultation with the public body, identifies as necessary to support the business processes of a governmental agency.

      (6) “Public body” has the meaning given that term in ORS 174.109. [2017 c.166 §1]

 

      276A.503 Oregon Geographic Information Council; establishment; purposes; membership; terms of office. (1) The Oregon Geographic Information Council is established within the office of the State Chief Information Officer. The State Chief Information Officer shall provide administrative and staff support and facilities that are necessary for the council to carry out the purposes set forth in this section. The purposes of the council are to:

      (a) Serve as the statewide governing body for sharing and managing geospatial framework data;

      (b) Oversee the preparation and maintenance of a plan to enhance geographic framework information sharing and management and to enhance coordination with respect to geographic framework information among public bodies within this state; and

      (c) Coordinate geospatial framework data sharing and management that occurs among public bodies.

      (2) The membership of the council consists of:

      (a) Two members of the Legislative Assembly appointed as follows:

      (A) The President of the Senate shall appoint one member from the Senate who has an interest in geographic information systems and in enhancing geospatial framework data sharing among public bodies; and

      (B) The Speaker of the House of Representatives shall appoint one member from the House of Representatives who has an interest in geographic information systems and in enhancing geospatial framework data sharing among public bodies.

      (b) The following members appointed by the Governor:

      (A) One member who represents Indian tribes, as defined in ORS 97.740;

      (B) One member who represents the Association of Oregon Counties;

      (C) One member who represents the League of Oregon Cities;

      (D) One member who represents the Special Districts Association of Oregon;

      (E) One member who represents regional governments or councils of government within this state;

      (F) One member who represents the Oregon State Association of County Assessors;

      (G) One member who represents a public safety answering point, as defined in ORS 403.105, within this state;

      (H) One member who represents the public universities listed in ORS 352.002;

      (I) One member who represents a federal agency that is concerned with collecting, managing or disseminating geospatial framework data;

      (J) One member who represents a public utility within this state;

      (K) One member who is a geographic information systems manager for a county or city in this state;

      (L) One member who represents the public and who has an interest in geographic information systems and in enhancing geospatial framework data sharing among public bodies;

      (M) The state geographic information officer that the State Chief Information Officer appoints under ORS 276A.515;

      (N) One member who represents a nonprofit professional organization with an interest in geographic information systems and in enhancing geospatial data sharing among public bodies;

      (O) Three members from state agencies with responsibility for water, land, air quality, natural resources or infrastructure;

      (P) Two members from state agencies with responsibilities for public health, human services, education or economic or community development; and

      (Q) Two members from state agencies with responsibility for public safety or emergency management.

      (3) Each group or entity identified in subsection (2)(b) of this section may recommend an individual from the group or entity for membership on the council.

      (4) Members of the Legislative Assembly appointed to the council are nonvoting members and may act in an advisory capacity only.

      (5)(a) A majority of the voting members of the council constitutes a quorum for transacting business.

      (b) A majority of the voting members of the council must approve the council’s official actions.

      (6) The council shall elect one of the council’s members to serve as chairperson and one member to serve as vice chairperson. The council shall specify in the charter described in ORS 276A.506 (1)(e) a process by which the council selects the chairperson and vice chairperson and the terms of office for the chairperson and vice chairperson.

      (7)(a) The term of office for each voting member of the council is four years, but the member serves at the pleasure of the Governor.

      (b) Before a voting member’s term expires, the Governor shall appoint a successor, whose term begins on January 1 following the Governor’s appointment. A voting member is eligible for reappointment.

      (c) A nonvoting member’s term of office is two years. A nonvoting member is eligible for reappointment.

      (d) If a vacancy occurs on the council for any reason, the appointing authority shall make an appointment to become immediately effective and the new member shall serve for the remainder of the term.

      (8) The council shall meet at times and places that the chairperson or a majority of the voting members of the council specifies.

      (9) Members of the council who are not members of the Legislative Assembly may not receive compensation, but the State Chief Information Officer, at the State Chief Information Officer’s discretion, may reimburse council members for actual and necessary travel and other expenses the members incur in performing the members’ official duties, in the manner and amounts provided for in ORS 292.495, from funds appropriated to the State Chief Information Officer for carrying out the council’s purposes.

      (10) All agencies of state government, as defined in ORS 174.111, shall assist the council in performing the council’s duties and, to the extent permitted by laws relating to confidentiality, shall furnish information and advice the council considers necessary to perform the council’s duties. [2017 c.166 §2]

 

      276A.506 Powers of council; advisory committees. (1) The Oregon Geographic Information Council has the exclusive power to:

      (a) Serve as the statewide governing body for sharing and managing geospatial framework data that public bodies share under ORS 276A.500 to 276A.515;

      (b) Develop and update every four years a strategic plan to manage geospatial framework data that aligns as closely as possible with the Enterprise Information Resources Management Strategy described in ORS 276A.203 and oversee the implementation of the plan;

      (c) Adopt, in consultation with the State Chief Information Officer, rules, policies and standards that identify geospatial framework data that public bodies must share and that specify how frequently public bodies must share the geospatial framework data;

      (d) Recommend an allocation of responsibilities among public bodies for collecting, using, managing, sharing and maintaining geospatial framework data and devise and recommend terms under which public bodies share geospatial framework data;

      (e) Adopt charters, rules, policies and procedures for carrying out the council’s purposes under ORS 276A.503;

      (f) Establish subcommittees, work groups and other bodies or methods of organization that the council deems necessary to carry out the council’s purposes under ORS 276A.503; and

      (g) Establish and appoint members to advisory committees for the purposes described in subsection (3) of this section.

      (2) The Oregon Geographic Information Council shall:

      (a) Lead and coordinate efforts to accumulate, disseminate, analyze and manage geographic information, including efforts that:

      (A) Provide a statewide forum for discussing and resolving issues related to geographic information management;

      (B) Develop and maintain partnerships for managing geographic information among public bodies; and

      (C) Identify best practices for managing geographic information and geographic information systems and determine whether and how to apply the best practices within this state.

      (b) Recommend laws, rules, policies and strategies for improving geographic information collection, dissemination, analysis and management to the Legislative Assembly, the United States Congress, public bodies and other individuals and entities.

      (c) Develop and submit each biennium to the State Chief Information Officer for approval a plan and a budget for collecting, using, managing, sharing and maintaining geospatial framework data and for maintaining a geospatial data library within the office of the State Chief Information Officer.

      (d) Work with public bodies to:

      (A) Coordinate the activities of public bodies that relate to collecting, using, managing, sharing and maintaining geospatial framework data;

      (B) Develop strategies to improve geospatial framework data sharing, to reduce duplication of effort and to improve the coordination described in subparagraph (A) of this paragraph;

      (C) Identify the types, categories, forms and other classifications of geospatial framework data that public bodies, private entities and the public need;

      (D) Disseminate information about projects that various public bodies are undertaking with respect to geospatial framework data and other geographic information;

      (E) Invite participation in developing, reviewing and updating the strategic plan described in subsection (1)(b) of this section;

      (F) Recommend legislation to enhance geospatial framework data management and sharing among public bodies; and

      (G) Recommend to the Legislative Assembly strategies for eliminating the fees that public bodies charge to other public bodies for geospatial framework data under ORS 190.050 or 192.324.

      (e) Review periodically plans, grant proposals and budget requests that public bodies make for the purpose of digital mapping and identify opportunities for collaboration and shared investment that reduce unnecessary duplication of effort.

      (f) Report on the plan described in paragraph (c) of this subsection and the council’s other activities to the State Chief Information Officer, the Governor and the Joint Legislative Committee on Information Management and Technology on or before March 1 of each odd-numbered year.

      (3)(a) The council may establish an advisory committee for any purpose, and, subject to paragraph (b) of this subsection, membership on an advisory committee is open to any person.

      (b) If the council establishes one or more advisory committees for the purpose of advising the council concerning the development, collection, sharing or aggregation of geospatial framework data, the council shall establish each advisory committee with reference to the committee members’ expertise or ability to advise the council concerning a particular category of geospatial framework data.

      (c) Each advisory committee the council establishes under paragraph (b) of this subsection shall:

      (A) Identify particular geospatial framework data that public bodies should share;

      (B) Recommend a schedule for sharing the geospatial framework data that the committee identifies in subparagraph (A) of this paragraph;

      (C) Recommend processes, work flow, procedures and necessary funding for collecting, using, managing, sharing and maintaining geospatial framework data; and

      (D)(i) Recommend and coordinate recommendations from other sources for data formats, security standards and other standards for collecting, storing, transferring, maintaining and managing geospatial framework data;

      (ii) Submit the recommendations to the council and the State Chief Information Officer; and

      (iii) Update and revise the recommendations periodically to account for new circumstances.

      (d) Members of an advisory committee may not receive compensation, but the State Chief Information Officer, at the State Chief Information Officer’s discretion, may reimburse members of an advisory committee for actual and necessary travel and other expenses the members incur in performing the members’ duties, in the manner and amounts provided for in ORS 292.495, from funds appropriated to the State Chief Information Officer for the carrying out the council’s purposes. [2017 c.166 §3]

 

      276A.509 Public body duty to share geospatial framework data with council; conditions and exceptions; methods for sharing; limitations of liability. (1)(a) Subject to ORS 192.311 to 192.478 and except as provided in paragraph (b) of this subsection, a public body shall share all geospatial framework data that the Oregon Geographic Information Council designates for sharing if:

      (A) The public body does not incur costs other than the costs that the public body would incur as a custodian of the geospatial framework data; and

      (B) The public body uses existing data and existing resources to share the geospatial framework data.

      (b) Critical infrastructure information is not subject to the requirement under paragraph (a) of this subsection to share geospatial framework data, but a public body may choose to share with other public bodies critical infrastructure information of which the public body is a custodian under conditions the public body specifies.

      (2)(a) A public body that shares geospatial framework data in accordance with subsection (1) of this section shall:

      (A) Share the geospatial framework data in compliance with standards for data interchange, data formatting and data storage that the Oregon Geographic Information Council adopts by rule. If the council has not adopted standards or if the public body does not ordinarily maintain the geospatial framework data in accordance with the standards the council adopts, the public body shall share the geospatial framework data in the format in which the public body ordinarily maintains the geospatial framework data.

      (B) Share the geospatial framework data at intervals that the council specifies by rule or, if the council does not specify an interval by rule, share the geospatial framework data annually.

      (C) Retain custody of the public body’s geospatial framework data.

      (b) A public body that shares geospatial framework data in accordance with subsection (1) of this section may:

      (A) Transfer copies of the geospatial framework data to the State Chief Information Officer for storage in the geospatial data library described in ORS 276A.506 (2)(c) and direct requests for the geospatial framework data to the individual that the State Chief Information Officer appoints under ORS 276A.515.

      (B) Share the geospatial framework data without entering into a written agreement with another public body.

      (C) Prohibit the sharing or redistribution of the public body’s geospatial framework data if the public body notifies the Oregon Geographic Information Council in writing that the geospatial framework data is exempt from disclosure under ORS 192.311 to 192.478 because the public body claims a copyright or other proprietary interest in the geospatial framework data or for another reason the public body specifies in the notice.

      (D) Withhold from public disclosure geospatial framework data that the council designates by rule as critical infrastructure information.

      (c) A public body that receives geospatial framework data from another public body may not redistribute the geospatial framework data without specific authorization from the public body that shared the geospatial framework data.

      (3) A public body that shares geospatial framework data in accordance with subsection (1) of this section is not liable for:

      (a) Omissions, inaccuracies or other errors or defects in the geospatial framework data; or

      (b) Damages, losses or claims that arise from receiving or using the geospatial framework data.

      (4) The individual that the State Chief Information Officer appoints under ORS 276A.515 shall:

      (a) Take all reasonably necessary measures to:

      (A) Secure information in the geospatial data library described in ORS 276A.506 (2)(c) in accordance with standards, policies and procedures established or rules adopted by the State Chief Information Officer under ORS 276A.300;

      (B) Protect the availability, integrity and confidentiality of the geospatial data library; and

      (C) Ensure that a recipient of geospatial framework data complies with the prohibitions a public body places on sharing or redistributing the geospatial framework data under subsection (2)(b)(C) of this section.

      (b) Provide secure electronic means by which a public body may transmit geospatial framework data to and obtain geospatial framework data from the geospatial data library. [2017 c.166 §4]

 

      Note: 276A.509 becomes operative January 2, 2020. See section 7, chapter 166, Oregon Laws 2017.

 

      276A.512 Oregon Geographic Information Council Fund; records and reports. (1) The Oregon Geographic Information Council Fund is established in the State Treasury, separate and distinct from the General Fund. All moneys that the State Chief Information Officer collects or receives for the purposes set forth in ORS 276A.500 to 276A.515 must be paid into the State Treasury and credited to the Oregon Geographic Information Council Fund. Moneys in the fund may be invested in the same manner as other state moneys and the earnings of any investments must be credited to the fund.

      (2) The State Chief Information Officer shall keep a record of all moneys deposited into the fund that indicates, by separate account, the source from which the moneys are derived, the interest earned and the activity or program against which any withdrawal is charged.

      (3) Moneys in the fund are continuously appropriated to the State Chief Information Officer for:

      (a) Developing, acquiring and maintaining geospatial framework data and activities related to sharing geospatial framework data among public bodies; and

      (b) Paying the costs associated with the Oregon Geographic Information Council.

      (4) The State Chief Information Officer may accept gifts, grants, donations and contributions from the federal government or agencies of the federal government or from any other public or private source and may agree to any conditions placed on the gift, grant, donation or contribution that is in accordance with applicable law and ORS 276A.500 to 276A.515.

      (5) The State Chief Information Officer and the Oregon Geographic Information Council shall submit to the Legislative Assembly and the Governor by December 31 of each even-numbered year a report that summarizes the balance in the fund, lists the deposits into and expenditures from the fund and provides such other details as are necessary to enable the Legislative Assembly and the Governor to understand the operations of the fund. [2017 c.166 §5]

 

      276A.515 State geographic information officer; qualifications; duties. (1) The State Chief Information Officer shall establish and appoint an individual as a state geographic information officer to fill a full-time equivalent position that manages and oversees the daily operations of the office of the State Chief Information Officer that concern or are related to geographic information and geospatial framework data.

      (2) The individual that the State Chief Information Officer appoints under subsection (1) of this section must be, by training and experience, well qualified for and capable of performing the following duties:

      (a) Serving as the State Chief Information Officer’s principal advisor concerning geographic information systems, geospatial framework data and other programs and issues that concern geographic information;

      (b) Communicating and coordinating with tribal, regional and local governments in this state, state agencies, the federal government and other public bodies on issues that concern geospatial framework data and sharing geospatial framework data;

      (c) Serving as the State Chief Information Officer’s representative on the Oregon Geographic Information Council;

      (d) Taking a leading role in coordinating the council’s development and maintenance of the strategic plan described in ORS 276A.506 (1)(b), in overseeing the implementation of the plan and in conducting the council’s activities, as described in ORS 276A.503 and 276A.506;

      (e) Taking responsibility for and directing the efforts described in ORS 276A.509 (4);

      (f) Coordinating with the Federal Geographic Data Committee, the United States Geological Survey and other federal agencies in developing geospatial framework data in this state;

      (g) Serving as the State Chief Information Officer’s liaison for existing or proposed federal programs that relate to creating or maintaining geospatial framework data in this state;

      (h) Representing the state on the National States Geographic Information Council and in local, regional and national programs and efforts that are related to geographic information systems and managing geographic information;

      (i) Overseeing compliance with rules adopted and policies, standards and plans established by the State Chief Information Officer or the Oregon Geographic Information Council with respect to geographic framework data and geographic information systems;

      (j) Consulting and collaborating with, supporting and providing services to public bodies and other stakeholders on projects that are related to geospatial framework data or other geographic information;

      (k) Leading development and deployment for, and overseeing the continuing operation, maintenance, support and enhancement of, the geospatial data library described in ORS 276A.506 (2)(c) on behalf of public bodies in this state; and

      (L) Performing other duties that the State Chief Information Officer specifies. [2017 c.166 §6]

 

CHAPTER 277 [Reserved for expansion]

_______________