"Personal information" and state record retention guidelines

Posted on July 6, 2009 in HR Info Center

State laws for certain information mandate tougher record retention guidelines

“Personal” doesn’t mean any information about a person; it’s a specifically defined term. California’s was the first law and sort of set the standard in record retention guidelines for the other states’ laws. There are three common elements that are covered by California’s original Breach Notification Law and by virtually all of the other notification laws. So those are the three elements to really focus on.

Three elements that make up “personal” information in record retention guidelines

They are usually the individual’s name, plus any one of the following three items: Social Security number; driver’s license number or state identification card number; and a financial account number combined with any password or PIN required to access the financial account. So, those are the big three for breach notification purposes. Now, of course, different states have added on to this, and as of January 1st, 2008, the breach notification law covers all medical information in California.

The CA record retention guidelines and security procedures are defined very broadly and undoubtedly include information maintained by HR, such as doctor’s notes, information on disabilities requiring accommodation, and regular documentation on employee health coverage. So, it’s important to keep in mind that these laws are getting broader and broader and covering more and more types of information.

North Dakota law and record retention guidelines

In comparison, let’s take a look at North Dakota and what elements it covers. The first reaction is normally, “Well, North Dakota, we’re not subject to North Dakota law.” You might be if you have any employee or customer located in North Dakota, or you have any information on anybody living in North Dakota that falls within the statute, so you never know.

North Dakota’s record retention guidelines and data security standards include the big three elements and some new ones. We have date of birth, mother’s maiden name, and digitized or electronic signature, along with, as an added element, an identification number assigned by an employer.

In other words, if you take the excellent advice not to use Social Security numbers as an employee identification number, and you assign a random number instead, guess what: under North Dakota law, that might still trigger a breach notification requirement.

In New Jersey, we have the same big three elements defining personal information under NJ record retention guidelines. We also have a rather unique element covering associated data that, if linked together, would constitute personal information, in other words, one of the big three elements. That data is considered covered information itself if there is a breach that also gives them enough information to put it all together, basically pulling together these elements to have the name plus the Social Security number, driver’s license number, et cetera.

So, as you can see here, most states have their own little quirks with record retention guidelines and data security. And we’ll come back in a moment to discussing what actually happens if you think there may have been a breach.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
