Can I store personal information about my customers in South Dakota? What are the requirements?
Storing Personal Information of Customers in South Dakota
Yes, you can store personal information about your customers in South Dakota, but you must comply with the state’s privacy laws.
South Dakota Administrative Rules (SDAR) 20:06:45:05 requires a licensee to provide customers with a clear and conspicuous notice that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. This means that you must provide an annual privacy notice to your customers that accurately reflects your privacy policies and practices.
SDAR 20:06:45:06 specifies the information that must be included in privacy notices. The initial, annual, and revised privacy notices that a licensee provides shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
- The categories of nonpublic personal financial information that the licensee collects;
- The categories of nonpublic personal financial information that the licensee discloses;
- The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 20:06:45:14 and 20:06:45:15;
- The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under §§ 20:06:45:14 and 20:06:45:15;
- If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under § 20:06:45:13 (and no other exception in §§ 20:06:45:14 and 20:06:45:15 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
- An explanation of the consumer’s right under subdivision 20:06:45:10(1) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
- Any disclosures that the licensee makes under § 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
- The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
- Any disclosure that the licensee makes under subdivision 20:06:45:06(2).
Therefore, if you store personal information about your customers in South Dakota, you must provide an annual privacy notice that accurately reflects your privacy policies and practices and includes the information specified in SDAR 20:06:45:06.
It is important to note that failure to comply with South Dakota’s privacy laws may result in penalties and legal action.
Additionally, if you store nonpublic personal health information, you must obtain written or electronic authorization from the consumer or customer who is the subject of the information, which must contain specific information as outlined in SDAR 20:06:45:28. The authorization must specify a length of time for which it is valid, which cannot exceed 24 months, and the consumer or customer may revoke the authorization at any time. The licensee must retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information [1.2].
There are exceptions to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing, as well as other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information. These exceptions are outlined in SDAR 20:06:45:13 and SDAR 20:06:45:15, respectively [1.4].
If you store prescription information electronically, you must meet certain requirements outlined in SDAR 20:51:20:02, including guaranteeing the confidentiality of the information, providing on-line retrieval of original prescription order information, and being capable of producing a hard-copy daily summary of controlled substance transactions [2.1].
Source(s):
- [1.1] Annual privacy notice to customers required.
- [1.2] Authorization to disclose nonpublic personal health information.
- [1.3] Information to be included in privacy notices.
- [1.4] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
- [2.1] Requirements for storing prescription information.
Jurisdiction: South Dakota