Disposal of Consumer Report Information and Records
In accordance with the Federal Trade Commission’s (FTC) “Disposal Rule,” and in an effort to protect the privacy of consumer information, reduce the risk of fraud and identity theft, and guard against unauthorized access to or use of the information, the School District will take appropriate measures to properly dispose of sensitive information (i.e., personal identifiers) contained in or derived from consumer reports and records. Any employer who uses or possesses consumer information for a business purpose is subject to the Disposal Rule. According to the FTC, the standard for proper disposal of information derived from a consumer report is flexible, and allows the District to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
The term “consumer report” shall include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for employment or insurance, among other purposes. The term “employment purposes” when used in connection with a consumer report means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.
The FTC Disposal Rule defines “consumer information” as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.”
Information Covered by the Disposal Rule
The FTC has not included a rigid definition of the kinds of information that would be considered to identify particular individuals. In accordance with FTC guidance, there are a variety of personal identifiers beyond simply a person’s name that would bring information within the scope of the Disposal Rule, including, but not limited to, a social security number, driver’s license number, phone number, physical address, and email address. Depending upon the circumstances, data elements that are not inherently identifying can, in combination, identify particular individuals.
The FTC Disposal Rule defines “dispose,” “disposing,” or “disposal,” as:
- a) “The discarding or abandonment of consumer information,” or
- b) “The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.”
The District will utilize disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information contained in or derived from consumer reports and records. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with District disposal include the following examples. These examples are not exclusive or exhaustive methods for complying with the Disposal Rule.
- a) Burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
- b) Destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
- c) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with the Disposal Rule. In this context, due diligence could include:
- 1. Reviewing an independent audit of the disposal company’s operations and/or its compliance with the Disposal Rule;
- 2. Obtaining information about the disposal company from several references or other reliable sources;
- 3. Requiring that the disposal company be certified by a recognized trade association or similar third party;
- 4. Reviewing and evaluating the disposal company’s information security policies or procedures;
- 5. Taking other appropriate measures to determine the competency and integrity of the potential disposal company; or
- 6. Requiring that the disposal company have a certificate of registration from the New York Department of State issued on or after October 1, 2008.
- d) For persons (as defined in accordance with the Fair Credit Reporting Act) or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to the Disposal Rule, monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples a) and b) above.
Implementation of Practices and Procedures
The Board delegates to the Superintendent/designee(s) the authority and responsibility to review current practices regarding the disposal of consumer information; and to implement such further reasonable and appropriate procedures, including staff training as necessary, to ensure compliance with the FTC’s Disposal Rule.