Can I ignore my obligations as a service provider with access to personal information in South Dakota? What are the requirements?
Based on the documents provided, as a service provider with access to personal information in South Dakota, you cannot ignore your obligations.
Requirements for Service Providers
According to SDAR 20:06:45:25, as a service provider, you must:
- Exercise appropriate due diligence in selecting your service providers.
- Require your service providers to implement appropriate measures designed to meet the objectives of §§ 20:06:45:20 to 20:06:45:26, inclusive.
- Take appropriate steps to confirm that your service providers have satisfied these obligations, where indicated by your risk assessment.
Therefore, you must ensure that your service providers are also complying with the relevant regulations.
Disclosure of Nonpublic Personal Health Information
Regarding the disclosure of nonpublic personal health information, SDAR 20:06:45:27 states that a licensee may not disclose such information unless an authorization is obtained from the consumer or customer whose information is sought to be disclosed. However, there are exceptions to this rule, such as for claims administration, fraud detection, and public policy research, among others.
Limits on Disclosure of Nonpublic Personal Financial Information
SDAR 20:06:45:10 limits the disclosure of nonpublic personal financial information to nonaffiliated third parties. A licensee may not disclose such information unless the consumer has been provided with an initial notice, an opt-out notice, and a reasonable opportunity to opt out. However, there are exceptions to this rule, such as for disclosures made with the consent or at the direction of the consumer, for disclosures to protect against fraud or unauthorized transactions, and for disclosures required by law.
Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
SDAR 20:06:45:11 limits the redisclosure and reuse of nonpublic personal financial information. If a licensee receives such information under an exception, the licensee’s disclosure and use of that information is limited. If a licensee receives such information outside of an exception, the licensee may only disclose the information to its affiliates or to any other person if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
Exception to Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing
SDAR 20:06:45:13 provides an exception to opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing. The opt-out requirements do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with § 20:06:45:04 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in § 20:06:45:14 or 20:06:45:15 in the ordinary course of business to carry out those purposes.
Therefore, as a service provider with access to personal information in South Dakota, you must comply with the relevant regulations and ensure that your service providers are also complying with them.
Jurisdiction
South Dakota