Can I use third-party project management tools that collect personal information in Georgia? What are the requirements?

Requirements for using third-party project management tools that collect personal information in Georgia

If you are using third-party project management tools that collect personal information in Georgia, you must comply with the state’s laws and regulations regarding the collection, use, and disclosure of personal information.

Registration Requirements [GARR Rule 111-1-2-.02]^[5.2]

If you employ, retain, or associate one or more vendor lobbyists that actually lobby GTA or any other Agency for contracts, you must cause such lobbyists to register with the State Ethics Commission and to file the disclosures required by Article 4 of Chapter 5 of Title 21 of the Official Code of Georgia Annotated.

Notice of Unauthorized Access to Personal Information [GARR Rule 80-14-1-.05]^[2.1]

In the event that a licensee provides notice under applicable federal or state law of an information security incident involving unauthorized access to personal information, then the licensee shall simultaneously provide a duplicate of such disclosure to the Department. For purposes of this rule, personal information is any record containing nonpublic personal information about a customer or potential customer whether in paper, electronic, or other form maintained by or on behalf of the licensee.

Submission of Business Cases for Information Technology Programs; Requirements [GACO 50-29-3]^[1.2]

All state agencies, boards, authorities, and commissions of the executive branch of state government shall provide a written business case for every information technology project that exceeds $1 million in value. Such business case shall include, among other things, an assessment of business process improvement, the need for process improvement, and corresponding change management.

All state agencies, boards, authorities, and commissions of the executive branch of state government shall provide for a change management plan and resources necessary for plan execution for projects that exceed $1 million in value, projects that directly involve two or more state agencies, or service delivery changes in existing programs that significantly change existing business processes.

Disclosure of information to contracting governmental or private organizations [GACO 34-8-128]^[6.2]

Where the department contracts to provide services to other governmental or private organizations, the department may disclose to those organizations information or records deemed private and confidential which have been acquired in the performance of the department’s obligations under the contracts.

Conclusion

In summary, if you are using third-party project management tools that collect personal information in Georgia, you must comply with the state’s registration requirements for vendor lobbyists, provide a written business case and change management plan for any information technology project that exceeds $1 million in value, and ensure that any unauthorized access to personal information is reported to the Department.

Source(s):

• [2.1] Notice of Unauthorized Access to Personal Information
• [1.2] Authority of public agencies that maintain geographic information systems to contract for the provision of services; fees; contract provisions.
• [5.2] Vendor Lobbyists
• [6.2] Disclosure of information to contracting governmental or private organizations.

Jurisdiction

Georgia, Georgia

• Privacy