Can I store personal information about my customers in Iowa? What are the requirements?
Yes, you can store personal information about your customers in Iowa. However, there are requirements that you must follow to ensure the confidentiality and security of the information.
Requirements for Storing Personal Information in Iowa
IACO 22A.2
According to IACO 22A.2, a public agency in Iowa cannot release, publicize, or otherwise disclose personal information without the express, written permission of every member, supporter, volunteer, and donor of the tax-exempt entity identified in the information and the tax-exempt entity. However, this section does not prohibit disclosure of personal information pursuant to a lawful warrant issued by a court of competent jurisdiction, pursuant to a lawful request for discovery if certain requirements are met, pursuant to an agreement between a public agency and an entity which is exempt from taxation under section 501(c) of the federal Internal Revenue Code, or pursuant to judicial proceedings that are public pursuant to section 602.1601.
IACO 507F.4
Additionally, IACO 507F.4 requires licensees to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3. The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the licensee’s information system, protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system, protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer. Licensees must also determine which security measures are appropriate and implement each appropriate security measure, such as placing access controls on information systems, restricting access of nonpublic information stored in or at physical locations to authorized individuals only, and protecting nonpublic information by encryption or other appropriate means.
IACO 9E.7
Finally, IACO 9E.7 states that information collected, created, or maintained by the secretary related to applicants, eligible persons, and program participants is confidential unless otherwise ordered by a court or released by the lawful custodian of the records pursuant to state or federal law. This section also allows for dissemination of information relating to the program to any agency or organization if necessary for carrying out the official duties of the agency or organization, or to a person if disseminated for an official purpose, or to any other person if necessary to protect a person or property from a threat of imminent serious harm.
191 IAAC 90.14
Other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information.
90.14(1) The requirements for initial notice to consumers in paragraph 90.3(1) “b,” for the opt out in rules 90.6(505) and 90.9(505), and for service providers and joint marketing in rule 90.12(505) do not apply when a licensee discloses nonpublic personal financial information as follows:
a. With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
b. To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction;
c. To protect against or prevent actual or potential fraud or unauthorized transactions;
d. For required institutional risk control or for resolving consumer disputes or inquiries;
e. To persons holding a legal or beneficial interest relating to the consumer;
f. To persons acting in a fiduciary or representative capacity on behalf of the consumer;
g. To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors;
h. To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978, to law enforcement agencies including the Federal Reserve Board; Office of the Comptroller of the Currency; Federal Deposit Insurance Corporation; Office of Thrift Supervision; National Credit Union Administration; the Securities and Exchange Commission; the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II, and 12 U.S.C. Chapter 21, a state insurance authority, and the Federal Trade Commission, self-regulatory organizations or for an investigation on a matter related to public safety;
i. To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act;
j. From a consumer report reported by a consumer reporting agency;
k. In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business unit;
l. To comply with federal, state, or local laws, rules and other applicable legal requirements;
m. To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities;
n. To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law;
o. For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation plan.
90.14(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under subrule 90.6(7).
In summary, you can store personal information about your customers in Iowa, but you must follow the requirements outlined in IACO 22A.2, IACO 507F.4, IACO 9E.7, and 191 IAAC 90.14 to ensure the confidentiality and security of the information.
Jurisdiction
Iowa