Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I use third-party collaboration tools that collect personal information in Illinois? What are the requirements?

Using Third-Party Collaboration Tools that Collect Personal Information in Illinois

If you are using third-party collaboration tools that collect personal information in Illinois, you must ensure that the third party implements and maintains reasonable security measures to protect the records from unauthorized access, acquisition, destruction, use, modification, or disclosure [1.1].

Additionally, any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information [1.3].

If a State agency collects personal information concerning an Illinois resident, it must notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system [1.4].

Requirements for Using Third-Party Collaboration Tools that Collect Personal Information in Illinois

The Personal Information Protection Act (PIPA) defines personal information as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security: Social Security number, driver’s license number or State identification card number, account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account, medical information, health insurance information, or unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data [1.5].

Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system [1.2].

Conclusion

To summarize, if you are using third-party collaboration tools that collect personal information in Illinois, you must ensure that the third party implements and maintains reasonable security measures to protect the records from unauthorized access, acquisition, destruction, use, modification, or disclosure. Additionally, any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. The Personal Information Protection Act defines personal information and requires data collectors to notify Illinois residents of any breach of the security of the system data.

Source(s):
Jurisdiction

Illinois