Can I use third-party collaboration tools that collect personal information in Colorado? What are the requirements?

Here is your answer:

Using Third-Party Collaboration Tools in Colorado

If you are using third-party collaboration tools that collect personal information in Colorado, you must comply with the state’s laws and regulations regarding the protection of personal identifying information.

According to ^[1.1], a governmental entity that maintains, owns, or licenses personal identifying information must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the governmental entity. Additionally, if a governmental entity discloses personal identifying information to a third-party service provider, the provider must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information disclosed.

However, ^[3.1] states that it is unlawful for a person to knowingly make available on the internet personal information about a protected person or the protected person’s immediate family if the dissemination of personal information poses an imminent and serious threat to the protected person’s safety or the safety of the protected person’s immediate family and the person making the information available on the internet knows or reasonably should know of the imminent and serious threat.

Therefore, if you are using third-party collaboration tools that collect personal information in Colorado, you must ensure that the tools comply with the state’s laws and regulations regarding the protection of personal identifying information. Additionally, you must ensure that personal information is not made available on the internet if it poses an imminent and serious threat to the protected person’s safety or the safety of the protected person’s immediate family.

Requirements for Third-Party Collaboration Tools

To comply with Colorado’s laws and regulations regarding the protection of personal identifying information, third-party collaboration tools must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information disclosed.

According to ^[1.1], the security procedures and practices must be reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction. Additionally, the governmental entity must retain primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information, and the governmental entity must implement and maintain technical controls reasonably designed to help protect the personal identifying information from unauthorized access, modification, disclosure, or destruction.

Furthermore, ^[2.1] states that if a third party makes a request for a record from a state agency and the record contains personal identifying information, the state agency must retain a written record containing certain information, including the identity of the requestor and a summary of why the request was granted or denied. This means that if a third-party collaboration tool is used to store personal identifying information, the state agency must keep a record of any requests made for that information.

Therefore, if you are using third-party collaboration tools that collect personal information in Colorado, you must ensure that the tools implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information disclosed. Additionally, you must ensure that the governmental entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information, and that technical controls are implemented and maintained to help protect the personal identifying information from unauthorized access, modification, disclosure, or destruction. Finally, you must ensure that the state agency keeps a record of any requests made for personal identifying information stored on the third-party collaboration tool.

If you are unsure whether your third-party collaboration tools comply with Colorado’s laws and regulations regarding the protection of personal identifying information, you should consult with a legal professional.

^[1.1]: CORS 24-73-102 ^[2.1]: CORS 24-74-106 ^[3.1]: CORS 18-9-313

Source(s):

• [1.1] Governmental entity - protection of personal identifying information - definition.
• [2.1] Record keeping and reporting - requests for records or information - definition.
• [3.1] Personal information on the internet - victims of domestic violence, sexual assault, and stalking - other protected persons - definitions.

Jurisdiction

Colorado

• Privacy