Regulatory Information
Every business and organization needs to comply with laws and regulations that require certain types of information to be securely destroyed before it is discarded. Substantial penalties may be imposed on those who fail to take reasonable measures to dispose of documents properly under laws including:
Family Educational Rights and Privacy Act (FERPA)
As found at: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
- Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
- Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
- Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
As found at: http://www.hhs.gov/ocr/hipaa
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law on August 21, 1996. This law includes important new protections for millions of working Americans and their families who have preexisting medical conditions or might suffer discrimination in health coverage based on a factor that relates to an individual's health. HIPAA's provisions amend Title I of the Employee Retirement Income Security Act of 1974 (ERISA) as well as the Internal Revenue Code and the Public Health Service Act and place requirements on employer-sponsored group health plans, insurance companies and health maintenance organizations (HMOs). HIPAA includes changes that:
- Limit exclusions for preexisting conditions;
- Prohibit discrimination against employees and dependents based on their health status;
- Guarantee renewability and availability of health coverage to certain employers and individuals; and
- Protect many workers who lose health coverage by providing better access to individual health insurance coverage.
Fair and Accurate Credit Transactions Act (FACTA)
As found at: http://www.privacyrights.org/fs/fs6a-facta.htm
The Fair and Accurate Credit Transactions Act (FACTA) is designed to minimize the risk of identity theft and consumer fraud. Its Disposal Rule, issued by the Federal Trade Commission, took effect on June 1, 2005. The Disposal Rule states that any person who maintains or otherwise possesses consumer or employee information for a business purpose is required to properly dispose of that information. This includes information used, or expected to be used, to establish eligibility for credit, insurance, or employment. In addition, all information contained in or derived from consumer reports and records must be properly disposed of to protect against unauthorized access to or use of the information. This part of FACTA was developed to cut down on the incidence of identity theft by, among other methods, restricting the ability of thieves to "dumpster dive" for valuable consumer information contained in discarded business records. The Disposal Rule goes on to say that anyone covered by it must take "reasonable measures" to protect against unauthorized access to or use of the information in connection with its disposal. These measures include:
- Burning, pulverizing, or shredding of physical documents
- Erasure or destruction of all electronic media
The main difference between the FACTA Disposal Rule and previously existing security laws such as HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley is that it does not affect a single industry - it affects every business and many households in America.
The Gramm-Leach-Bliley Act
As found at: http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.
The Federal Privacy Act
As found at: http://www.privacy.gov.au/act/index.html
The Privacy Act (the link above is to the Australian Privacy Act 1988, not the U.S. Privacy Act of 1974) was enacted to protect the personal information of individuals. Public agencies and private businesses can be held liable if personal information is released to unauthorized individuals.
The Economic Espionage Act of 1996
As found at: http://rf-web.tamu.edu/security/secguide/T1threat/Legal.htm
As defined in the Economic Espionage Act of 1996, the term trade secret refers to all forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if:
- The owner thereof has taken reasonable measures to keep such information secret; and
- The information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by the public.
Sarbanes-Oxley
As found at: http://www.independentsector.org/issues/sarbanesoxley.html
The Sarbanes-Oxley Act addresses the destruction of litigation-related documents. The law makes it a crime to alter, cover up, falsify, or destroy any document (or to persuade someone else to do so) in order to prevent its use in an official proceeding (e.g. a federal investigation or bankruptcy proceeding). The Act turns intentional document destruction into a process that must be monitored, justified, and carefully administered.
Relevance to Nonprofit Organizations:
Common sense dictates that individuals, nonprofit organizations, and companies regularly need to shred or otherwise dispose of unnecessary and outdated documents and files. Like their for-profit counterparts, nonprofit organizations need to maintain appropriate records about their operations. For example, financial records, significant contracts, real estate and other major transactions, employment files, and fundraising obligations should be archived according to guidelines established by the organization. Electronic files and voicemail complicate matters, because pressing the delete button does not by itself permanently remove a file; a retention and destruction policy must account for copies, backups, and recoverable data.
This document does not constitute a legal opinion or legal advice. Do not rely on any of the information in this document without first obtaining legal advice.