The Davis County Commission held a work session on Tuesday, January 6, 2026, to receive the 2025 Annual Data Privacy Program Report, as required under Davis County Code and state law.
County Clerk Brian McKenzie presented the report, outlining the County’s progress in complying with the Government Data Privacy Act (GDPA) and the Government Records Access and Management Act (GRAMA). He explained that while certain reports submitted to the State are protected records, the presentation to the Commission was intended to provide meaningful information that could be publicly discussed.
According to the report, one of the County’s major accomplishments in 2025 was completing a comprehensive inventory of personal data collection activities across all County departments. More than 970 distinct data processing activities were identified and documented, detailing what data is collected, why it is collected, and the statutory authority for doing so.
The Clerk also reported that Davis County achieved 100 percent data privacy training compliance among all active employees during the program’s first year and experienced zero data breaches in 2025. In addition, the County launched a new Public Transparency Portal designed to provide residents with plain-language explanations of how their data is collected and used.
Using the State’s Privacy Maturity Model, Davis County improved its compliance score from 2.1 to 3.95, placing the County in the “managed” to “optimized” range for most privacy practices. County staff noted that other counties and the State Office of Data Privacy have expressed interest in using Davis County’s program as a model.
Looking ahead, the Clerk’s Office outlined three strategic goals for 2026 and 2027: expanding privacy notice deployment, minimizing unnecessary data collection, and integrating privacy impact assessments into the County’s purchasing and contracting processes.
For context, John Crofts has previously expressed strong opposition in past meetings to expanding the authority of the County Clerk beyond what is expressly provided in state statute.
During the discussion, Crofts praised the technical progress and staff work reflected in the report but reiterated concerns he has raised in prior work sessions regarding governance structure and statutory authority. Crofts believes the Data Privacy Program should reside within the County’s Information Systems Office, which he believes is better aligned with the technical and operational nature of data privacy oversight, rather than within the Clerk’s Office.
While acknowledging the reported 100 percent data privacy training compliance, Crofts believes the accomplishment should be viewed in proper context. He believes the required training is short and relatively easy, and that completion of the training alone represents only a minor early milestone, not a finished or mature program.
Crofts believes the County’s data privacy framework is not yet complete and that much of the substantive work remains ahead. He believes emphasizing early training compliance as a major achievement risks obscuring unresolved structural and governance questions.
With respect to the report’s reference to zero data breaches, Crofts believes credit for that outcome belongs primarily to the County’s Information Systems Department, rather than the Clerk’s Office. He believes there is a concerning pattern of individuals taking credit for work performed by other departments, which he believes presents facts in a misleading way.
Crofts believes this is another example of the Clerk’s Office seeking to expand its role beyond statutory limits. He believes such expansion is concerning and not in the best interest of Davis County governance.
Crofts also expressed strong disagreement with Commissioners Bob Stevenson and Lorene Kamalu, whom he believes have supported granting the Clerk’s Office additional authority through County ordinances, thereby blurring the distinction between legislative and administrative roles. Crofts believes this erosion of clearly defined authority weakens accountability and creates confusion within County government.
Crofts believes the Clerk’s responsibilities should be limited to the minimum duties explicitly authorized by state statute and has stated strong opposition to expanding the Clerk’s authority through County ordinance. He believes the Clerk’s actions in this area are concerning and warrant close scrutiny to preserve proper checks and balances.
Commissioner Kamalu commented that state privacy laws often impose difficult requirements on local governments and said Davis County has done a strong job meeting those obligations. Other department leaders thanked County staff for their coordination and training efforts, noting that the County’s program is viewed favorably by state officials.
The Commission agreed with a proposal to present the Data Privacy Program report annually each January to maintain a regular reporting schedule.
The meeting adjourned at 9:05 a.m.