Can I ignore my obligations as a service provider with access to personal information in North Dakota? What are the requirements?

Based on the context documents provided, as a service provider with access to personal information in North Dakota, you cannot ignore your obligations. North Dakota has laws and regulations in place to protect the privacy of personal information.

Requirements for Service Providers with Access to Personal Information in North Dakota

The North Dakota Century Code (NDCC) and North Dakota Administrative Code (NDAC) provide requirements for service providers with access to personal information in North Dakota.

NDCC Section 6-08.1-05

NDCC Section 6-08.1-05 outlines the requirements for government access to customer information from a financial institution. A governmental agency or law enforcement agency may obtain customer information from a financial institution pursuant to either of the following:

1. The consent of the customer, in accordance with this chapter.
2. Valid legal process, in accordance with this section.

NDAC Section 45-14-01-16

NDAC Section 45-14-01-16 provides exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information. The requirements for initial notice to consumers do not apply when a licensee discloses nonpublic personal financial information:

1. With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.
2. To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction.
3. For required institutional risk control or for resolving consumer disputes or inquiries.
4. To persons holding a legal or beneficial interest relating to the consumer.
5. To persons acting in a fiduciary or representative capacity on behalf of the consumer.
6. To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants, and auditors.
7. To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978.
8. To comply with federal, state, or local laws, rules, and other applicable legal requirements.
9. For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers’ compensation plan.

NDAC Section 45-14-01-12

NDAC Section 45-14-01-12 provides limits on redisclosure and reuse of nonpublic personal financial information. If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception, the licensee’s disclosure and use of that information is limited. The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information, to its affiliates, or pursuant to an exception in section 45-14-01-15 or 45-14-01-16, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

NDCC Section 44-04-18.1

NDCC Section 44-04-18.1 provides confidentiality for public employee personal, medical, and employee assistance records. Any record of a public employee’s medical treatment or use of an employee assistance program is confidential and, except as otherwise authorized by law, may not be used or disclosed without the written authorization of the employee. Personal information regarding a public employee contained in an employee’s personnel record or given to the state or a political subdivision by the employee in the course of employment is exempt.

NDAC Section 69-02-09-13

NDAC Section 69-02-09-13 provides protection for information filed by telecommunications companies. Information identified in subsections 1 through 5 of this section is protected without need for the originator to file an application and without further action by the commission, unless the commission orders otherwise.

NDAC Section 45-14-01-17

NDAC Section 45-14-01-17 requires authorization for disclosure of nonpublic personal health information. A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed. Exceptions to this requirement include disclosures for insurance functions, such as claims administration, claims adjustment and management, detection, investigation, or reporting of actual or potential fraud, misrepresentation, or criminal activity, underwriting, policy placement or issuance, loss control, ratemaking and guaranty fund functions, reinsurance and excess loss insurance, risk management, case management, disease management, quality assurance, quality improvement, performance evaluation, provider credentialing verification, utilization review, peer review activities, actuarial, scientific, medical, or public policy research, grievance procedures, internal administration of compliance, managerial, and information systems, policyholder service functions, auditing, reporting, data base security, administration of consumer disputes and inquiries, external accreditation standards, the replacement of a group benefit plan or workers’ compensation policy or program, activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit, any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States department of health and human services, disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes, and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process.

NDAC Section 45-14-01-15

NDAC Section 45-14-01-15 provides exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information for processing and servicing transactions. The requirements for initial notice in subdivision b of subsection 1 of section 45-14-01-05, for notice and authorization in sections 45-14-01-08 and 45-14-01-11 and for service providers and joint marketing in section 45-14-01-14 do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with servicing or processing an insurance product or service that a consumer requests or authorizes, maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity, a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transaction related to a transaction of the consumer, reinsurance or stop-loss or excess loss insurance, informing a policyholder or the policyholder’s producer or broker with respect to a claim asserted by, or paid to, a consumer under the policy and servicing and processing such claim, or maintaining or servicing a customer’s account as authorized by the customer, orally or otherwise, or as necessary to replace an insurance product or service that is nonrenewed as a result of the withdrawal of an insurer from a market.

NDAC Section 44-04-18.17

NDAC Section 44-04-18.17 provides confidentiality for personal and financial information submitted to a state agency as part of a consumer complaint or gathered pursuant to an investigation of a consumer complaint. Personal and financial information submitted to a state agency as part of a consumer complaint, or gathered pursuant to an investigation of a consumer complaint, is an exempt record as defined in subsection 5 of section 44-04-17.1. For purposes of this section, “personal and financial information” means the home address, home telephone number, social security number, consumer report, and credit, debit, or electronic fund transfer card number of the complainant and any person on whose behalf the complaint is made, and any account number of a business or individual at a bank, brokerage, or other financial institution. “Personal and financial information” does not include the nature of the complaint, name of the complainant or any person on whose behalf the complaint was submitted, or the address or telephone number of the business that is the subject of the complaint.

Conclusion

As a service provider with access to personal information in North Dakota, you cannot ignore your obligations. You must comply with the requirements outlined in the NDCC and NDAC to protect the privacy of personal information. These requirements include obtaining authorization for disclosure of nonpublic personal health information, limits on disclosure of nonpublic personal financial information to nonaffiliated third parties, exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information for processing and servicing transactions, and confidentiality for personal and financial information submitted to a state agency as part of a consumer complaint or gathered pursuant to an investigation of a consumer complaint.

Jurisdiction

North Dakota

• Privacy