Reggi is the free generative AI assistant for regulatory compliance
Can I ignore my obligations as a service provider with access to personal information in Utah? What are the requirements?
Obligations as a Service Provider with Access to Personal Information in Utah
As a service provider with access to personal information in Utah, you cannot ignore your obligations. The requirements for the protection of personal information are outlined in UTCO 13-45-301, UTAC R590-206-12, UTAC R590-206-15, UTCO 13-44-201, UTAC R590-206-18, R895-8-6, and UTAC R895-8-6.
- UTCO 13-45-301: This regulation prohibits the display of Social Security numbers in a manner or location that is likely to be open to public view. Additionally, the state, or a branch, agency, or political subdivision of the state, may not employ or contract for the employment of an inmate in any Department of Corrections facility or county jail in any capacity that would allow any inmate access to any other person’s personal information.
- UTAC R590-206-12: This regulation outlines the limitations on the disclosure of nonpublic personal financial information to nonaffiliated third parties. A licensee may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt-out of the disclosure.
- UTAC R590-206-15: This regulation provides an exception to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing. A licensee may provide nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information.
- UTCO 13-44-201: This regulation requires any person who conducts business in the state and maintains personal information to implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business. Additionally, the person must destroy, or arrange for the destruction of, records containing personal information that are not to be retained, by shredding, erasing, or otherwise modifying the personal information to make the information indecipherable.
- UTAC R590-206-18: This regulation requires a licensee to obtain authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed before disclosing nonpublic personal health information about a consumer or customer. However, there are exceptions to this rule, such as for claims administration, fraud detection, and scientific research.
- R895-8-6 and UTAC R895-8-6: These regulations state that any personally identifiable information an individual provides to a State website shall be used solely by the State, its entities, and third party agents with whom it has contracted to perform a state function on its behalf, unless superseded by a federal statute, federal regulation, or State statute, or the information is designated as public record by an individual State agency as authorized under Title 63G, Chapter 2 of the Utah Code, Government Records Access and Management Act.
Conclusion
As a service provider with access to personal information in Utah, you are required to comply with the regulations outlined in UTCO 13-45-301, UTAC R590-206-12, UTAC R590-206-15, UTCO 13-44-201, UTAC R590-206-18, R895-8-6, and UTAC R895-8-6. Failure to comply with these regulations may result in legal consequences.
Jurisdiction
Utah