Can I ignore my obligations as a service provider with access to personal information in Iowa? What are the requirements?

Obligations of Service Providers with Access to Personal Information in Iowa

As a service provider with access to personal information in Iowa, you cannot ignore your obligations. There are specific requirements that you must follow to ensure the protection of personal information.

Requests for Access to Records ^[1.1][2.1]

• A request for access to a record should be directed to the division where the record is maintained.
• Open records shall be made available during all customary office hours, which are 8 a.m. to 4:30 p.m. daily, excluding Saturdays, Sundays, and legal holidays.
• Requests for access to open records may be made in writing, in person, by telephone, or by electronic means.
• The custodian shall provide prompt access to an open record upon request unless the size or nature of the request makes prompt access infeasible.
• The custodian may delay access to an open record for one of the purposes authorized by Iowa Code section 22.8(4) or 22.10(4).
• The custodian of a record may deny access to the record by members of the public only on the grounds that such a denial is warranted under Iowa Code sections 22.8(4) and 22.10(4), or that it is a confidential record, or that its disclosure is prohibited by a court order.

Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties ^[3.1][3.2]

• A licensee may not directly or through any affiliate disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party except as otherwise authorized in these rules.
• The licensee has provided to the consumer an initial notice as required under rule 90.3(505).
• The licensee has provided to the consumer an opt-out notice as required in rule 90.6(505).
• The licensee has given the consumer a reasonable opportunity to opt out of the disclosure before the licensee discloses the information to the nonaffiliated third party.
• A licensee shall comply with this rule regardless of whether the licensee and the consumer have established a customer relationship.

Access to Confidential Records ^[1.1][2.1]

• The custodian may disclose certain confidential records to one or more members of the public, or may be authorized or required to release specified confidential records in certain circumstances or to particular persons.
• A person requesting access to a confidential record may be required to provide proof of identity or authority to secure access to the record.
• The custodian may require that a request to examine and copy a confidential record be in writing.
• After the custodian receives a request for access to a confidential record, and before the custodian releases such a record, the custodian may make reasonable efforts to notify promptly any person who is a subject of that record, is identified in that record, and whose address or telephone number is contained in that record.
• When the custodian denies a request for access to a confidential record, the custodian shall promptly notify the requester.

Personally Identifiable Information ^[1.1][4.1]

• Personal identifiers may be used to retrieve information from any of the systems of records that the department maintains that contain personally identifiable information.
• Paper, microfilm, microfiche, and various electronic means of storage are used to store records containing personally identifiable information.
• Electronic or manual data processing may be used to match, to collate, or to compare personally identifiable information in one system with personally identifiable information in another system of records or with personally identifiable information within the same system.
• Personally identifiable information in systems of records maintained by the department is retrievable through the use of personal identifiers and may be compared with information from outside the department when specified by law.

Therefore, as a service provider with access to personal information in Iowa, you must comply with the requirements outlined in the context documents to ensure the protection of personal information.

Source(s):

• [1.1] Requests for access to records.
• [2.1] Requests for access to records.
• [3.1] Other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information.
• [3.2] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.
• [4.1] Personally identifiable information.

Jurisdiction

Iowa

• Privacy