- Each governmental entity in the state that maintains paper or electronic documents during the course of business that contain personal identifying information shall develop a written policy for the destruction or proper disposal of those paper and electronic documents containing personal identifying information. Unless otherwise required by state or federal law or regulation, the written policy must require that, when such paper or electronic documents are no longer needed, the governmental entity destroy or arrange for the destruction of such paper and electronic documents within its custody or control that contain personal identifying information by shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.
- A governmental entity that is regulated by state or federal law and that maintains procedures for disposal of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.
- Unless a governmental entity specifically contracts with a recycler or disposal firm for destruction of documents that contain personal identifying information, nothing in this section requires a recycler or disposal firm to verify that the documents contained in the products it receives for disposal or recycling have been properly destroyed or disposed of as required by this section.
- For the purposes of this section and section 24-73-102, unless the context otherwise requires:
- “Governmental entity” means the state and any state agency or institution, including the judicial department, county, city and county, incorporated city or town, school district, special improvement district, authority, and every other kind of district, instrumentality, or political subdivision of the state organized pursuant to law. “Governmental entity” includes entities governed by home rule charters. “Governmental entity” does not include an entity acting as a third-party service provider as defined in section 24-73-102.
- “Personal identifying information” means a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data, as defined in section 24-73-103 (1)(a); an employer, student, or military identification number; or a financial transaction device, as defined in section 18-5-701 (3).
Source: L. 2018: Entire article added, (HB 18-1128), ch. 266, p. 1639, § 4, effective September 1.