Can I ignore my obligations as a service provider with access to personal information in Colorado? What are the requirements?
Based on the documents provided, as a service provider with access to personal information in Colorado, you cannot ignore your obligations to protect personal identifying information.
Requirements for Service Providers
According to C.R.S. 24-73-102, a governmental entity that discloses personal identifying information to a third-party service provider must require that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information disclosed to it and reasonably designed to help protect that information from unauthorized access, use, modification, disclosure, or destruction.
Exception to Opt Out Requirements for Service Providers
However, there is an exception to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing, as stated in Section 15 of 3 CCR 702-6 Regulation 6-4-1. The opt-out requirements do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf, provided the licensee gives the initial notice in accordance with Section 5 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed it.
Disposal of Personal Identifying Information
Additionally, according to C.R.S. 24-73-101, each governmental entity in the state that maintains paper or electronic documents containing personal identifying information during the course of business shall develop a written policy for the destruction or proper disposal of those documents. The written policy must require that, when such paper or electronic documents are no longer needed, the governmental entity destroy or arrange for the destruction of the documents within its custody or control that contain personal identifying information by shredding, erasing, or otherwise modifying the personal identifying information so that it is unreadable or indecipherable through any means.
Authorization for Disclosure of Nonpublic Personal Health Information
Finally, according to Section 18 of 3 CCR 702-6 Regulation 6-4-1, a licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed. There are, however, exceptions to this requirement for certain insurance functions.
Therefore, as a service provider with access to personal information in Colorado, you must implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information disclosed to you, and you must comply with the requirements for disposal of personal identifying information and authorization for disclosure of nonpublic personal health information.
Based on the additional context provided, there are no new requirements or exceptions that would allow you to ignore your obligations as a service provider with access to personal information in Colorado.
Jurisdiction
Colorado