Can I use third-party collaboration tools that collect personal information in Oklahoma? What are the requirements?

Using Third-Party Collaboration Tools that Collect Personal Information in Oklahoma

Oklahoma has regulations that limit the disclosure and use of nonpublic personal financial information and criminal investigation information ^[1.2]. However, it is unclear from the context whether third-party collaboration tools that collect personal information are subject to these regulations.

Disclosure of Nonpublic Personal Financial Information

Licensees may provide nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with Section 365:35-1-10 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information ^[1.2].

Therefore, if you plan to use third-party collaboration tools that collect personal information, you should ensure that you provide the initial notice and enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information.

Disclosure of Nonpublic Personal Health Information

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed ^[1.3].

Therefore, if you plan to use third-party collaboration tools that collect personal health information, you should obtain authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

Confidentiality and Release of Information

All information collected from any source will remain confidential and will not be public records except as provided in 63 O.S. 1998 Supp. Section 1-119. Under no circumstances shall the information in the database or any records from which this database is maintained be used for any purpose other than the compilation of aggregate data or the creation of anonymous medical case histories for statistical reporting and data analysis ^[3.1].

After approval by the Department, aggregate compilations prepared for release or dissemination from the data collected shall be public record. However, reports prepared at the request of an individual information provider containing information concerning only its transactions, shall not be public record ^[3.2].

Authorizations

A valid authorization to disclose nonpublic personal health information shall be in written or electronic form and shall contain the identity of the consumer or customer who is the subject of the nonpublic personal health information, a general description of the types of nonpublic personal health information to be disclosed, general descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used, the signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed, and notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation ^[1.4].

Conclusion

In conclusion, if you plan to use third-party collaboration tools that collect personal information in Oklahoma, you should ensure that you provide the initial notice, enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, obtain authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed, and ensure that the information collected remains confidential and is not used for any purpose other than the compilation of aggregate data or the creation of anonymous medical case histories for statistical reporting and data analysis.

We recommend consulting with a legal professional in Oklahoma to determine the specific requirements for using third-party collaboration tools that collect personal information.

Source(s):

• [1.2] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing
• [1.3] When authorization required for disclosure of nonpublic personal health information
• [3.1] Confidentiality
• [3.2] Release and dissemination of information
• [1.4] Authorizations

Jurisdiction

Oklahoma

• Privacy