What laws, regulations, and or state policies require employees to be trained annually and the employee to acknowledge they have received the training by signing an acknowledgement form?

The legal requirement for training is found in the California Information Practices Act of 1977 (Civil Code Sections 1798 et seq.) and specifically Civil Code Section 1798.20, which requires all state agencies to establish rules of conduct for persons involved with personal information and instruct such individuals on the rules and the remedies and penalties for noncompliance. The applicable state policy requirements are:

  1. State Administrative Manual (SAM) Section 5305 states an agency must maintain a security program and an ongoing privacy program, as outlined in Government Code Section 11019 and Civil Code Sections 1798 et seq.
  2. SAM Section 5320 states an agency’s personnel practices related to security management must include training of agency employees with respect to individual, agency, and statewide security responsibilities and policies; signing of acknowledgments of security responsibility by all employees; and termination procedures that ensure that agency information assets are not accessible to former employees.