Can I store personal information about my customers in North Dakota? What are the requirements?

Storing Personal Information of Customers in North Dakota

Yes, you can store personal information about your customers in North Dakota, but you must comply with the state’s privacy laws and regulations.

The North Dakota Administrative Code (NDAC) Section 45-14-01-06 requires licensees to provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. The notice must include the categories of nonpublic personal financial information that the licensee collects, the categories of nonpublic personal financial information that the licensee discloses, and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information.

Additionally, NDAC Section 45-14-01-11 limits the disclosure of nonpublic personal financial information to nonaffiliated third parties unless the licensee has provided an initial notice and a notice as required in Section 45-14-01-08, and an authorization is obtained from the consumer whose nonpublic personal information is sought to be disclosed.

Furthermore, NDAC Section 45-14-01-07 requires licensees to include specific items of information in their initial, annual, and revised privacy notices, including the categories of nonpublic personal financial information that the licensee collects, the categories of nonpublic personal financial information that the licensee discloses, and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information.

Exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information are listed in NDAC Section 45-14-01-16. These exceptions include, but are not limited to, disclosure with the consent or at the direction of the consumer, disclosure to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction, and disclosure to comply with federal, state, or local laws, rules, and other applicable legal requirements.

Exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information for processing and servicing transactions are listed in NDAC Section 45-14-01-15. These exceptions include, but are not limited to, disclosure as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, disclosure for servicing or processing an insurance product or service that a consumer requests or authorizes, and disclosure in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.

When authorization is required for disclosure of nonpublic personal health information is listed in NDAC Section 45-14-01-17. A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed. However, there are exceptions to this requirement for certain insurance functions.

Finally, NDAC Section 10-18-01-04 requires authorized individuals and agencies to comply with the security requirements under 28 C.F.R. Part 20 and NCIC when accessing the criminal justice data information sharing system.

In summary, you can store personal information about your customers in North Dakota, but you must comply with the state’s privacy laws and regulations, including providing annual privacy notices, obtaining authorization for disclosure of nonpublic personal financial information, and complying with security requirements. Exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information are listed in NDAC Section 45-14-01-16 and NDAC Section 45-14-01-15. When authorization is required for disclosure of nonpublic personal health information is listed in NDAC Section 45-14-01-17.

^{[1.1][1.2][1.3][1.4][1.5][1.6][3.1][1.7]}

Source(s):

• [1.1] Annual privacy notice to customers required.
• [1.2] Other exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information.
• [1.3] Limits on redisclosure and reuse of nonpublic personal financial information.
• [1.4] Exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information for processing and servicing transactions.
• [1.5] When authorization required for disclosure of nonpublic personal health information.
• [1.6] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.
• [3.1] Security requirements.
• [1.7] Information to be included in privacy notices.

Jurisdiction

North Dakota

• Privacy