Can I use third-party collaboration tools that collect personal information in Idaho? What are the requirements?

Use of Third-Party Collaboration Tools in Idaho

If you are using third-party collaboration tools that collect personal information in Idaho, you must comply with the state’s laws and regulations regarding the disclosure of breach of security of computerized personal information by an agency, individual, or commercial entity ^[1.1].

According to IDAPA 09.01.08.13 ^[4.2], a person may agree, through written, informed consent, to allow a third party to obtain employment security information pertaining to the person from the Department. The informed consent release must identify the specific records to be disclosed, acknowledge that Department files will be accessed to obtain the records, list all third parties authorized to access the person’s information, and indicate specific purpose(s) of the disclosure. If the disclosure is not for purposes of the Employment Security Law, the purpose(s) specified must provide a service or benefit to the person providing informed consent or to administer or evaluate a public program to which informed consent release pertains.

If you are collecting personal information from Idaho residents, you must comply with the state’s laws and regulations regarding the disclosure of breach of security of computerized personal information by an agency, individual, or commercial entity ^[1.1]. If you become aware of a breach of the security of the system, you must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, you must give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.

Use and Disclosure of Confidential Information

If you are using third-party collaboration tools that collect confidential information, you must comply with IDAPA 16.05.01.75 ^[2.1]. Without consent or authorization, no one may use or disclose health or other confidential information except as provided in Section 100 of this chapter. With consent or authorization, confidential information will be used or disclosed only on a need-to-know basis and to the extent minimally necessary for the conduct of the Department’s business and the provision of benefits or services, subject to law and the exceptions listed in these rules. Recipients of information must protect against unauthorized disclosure or use of the information for purposes that are not specified in a consent or an authorization.

Access by Persons to Information Pertaining to Them

Individuals or employers may access employment security information pertaining to them, subject to the procedures and restrictions contained in the Idaho Public Records Act and reimbursement provisions in Section 020 of IDAPA 09.01.08.11 ^[4.1]. Unless the disclosure is for the purposes of the Employment Security Law, the Department will not comply with requests for disclosure of records to an individual or employer on an ongoing basis, and only existing records in the Department’s custody as of the date of receipt of the request will be disclosed, not records that may be created in the future.

Data for Research or Other Purposes

Records that contain non-identifying information may be disclosed for Department-approved research or other purposes without a written authorization, according to IDAPA 16.05.01.191 ^[2.3].

Conclusion

To summarize, if you are using third-party collaboration tools that collect personal or confidential information in Idaho, you must comply with the state’s laws and regulations regarding the disclosure of breach of security of computerized personal information by an agency, individual, or commercial entity ^[1.1]. You must also obtain written, informed consent from the person whose information is being collected and disclose the specific purpose(s) of the disclosure. If you become aware of a breach of the security of the system, you must conduct a reasonable and prompt investigation and give notice to the affected Idaho resident as soon as possible. Additionally, you must comply with IDAPA 16.05.01.75 ^[2.1] and IDAPA 09.01.08.11 ^[4.1] regarding the use and disclosure of confidential information and access by persons to information pertaining to them, respectively.

Source(s):

• [1.1] DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY.
• [2.1] USE AND DISCLOSURE OF CONFIDENTIAL INFORMATION.
• [4.1] ACCESS BY PERSONS TO INFORMATION PERTAINING TO THEM.
• [2.3] DATA FOR RESEARCH OR OTHER PURPOSES.
• [4.2] DISCLOSURE TO THIRD PARTIES WITH WRITTEN, INFORMED CONSENT.

Jurisdiction

Idaho

• Privacy