Quick Links
district homePolicies
Adoption Date: 9/1/2012Regulations - Regulations
5671R DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS
Pursuant to Board of Education Policy and the Federal Trade Commission's (FTC) "Disposal Rule" (16 Code of Federal Regulations Part 682) and in an effort to protect the privacy of consumer information, reduce the risk of fraud and identity theft, and guard against unauthorized access to or use of the information, the School District will take appropriate measures to properly dispose of sensitive information (i.e., personal identifiers) contained in or derived from consumer reports and records. Any employer who uses or possesses consumer information for a business purpose is subject to the Disposal Rule. According to the FTC, the standard for proper disposal of information derived from a consumer report is flexible, and allows the District to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
Definitions(in accordance with the FTC's Disposal Rule and the Fair Credit Reporting Act, 15 United
States Code Section 1681 et seq.)
1) The term "person" means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.
2) The term "consumer"means an individual.
3) The term "consumer report" means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, employment, or insurance, among other purposes. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history,or medical history.
4) The term "employment purposes" when used in connection with a consumer report means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.
5) The term "consumer information" means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.
6) The terms "dispose," "disposing," or "disposal" mean:
a. The discarding or abandonment of consumer information, or
b. The sale, donation, or transfer of any medium, including computer equipment,upon which consumer information is stored.
7) The term 'personal identifiers," per the FTC, goes beyond simply a person's name. The FTC believes that there are a variety of personal identifiers that would bring information within the scope of the Disposal Rule, including, but not limited to, a social security number, driver's license number, phone number, physical address, and email address. The FTC has not included a rigid definition within the Disposal Rule since, depending upon the circumstances, data elements that are not inherently identifying can, in combination, identify particular individuals.
8) The term "document destruction contractor" means a person, firm or corporation that owns or operates a business, the principal purpose of which is to destroy records containing personal identifying information for a fee, and for whom the total cash price of all of its document destruction contracts exceeds five hundred dollars during any period of twelve (12) consecutive months.
Proper Disposal of Consumer Information/Reasonable Measures
The District will utilize disposal practices that are reasonable and appropriate to prevent the unauthorized access to - or use of - information contained in or derived from consumer reports and records. What is considered "reasonable" will vary according to the particular entity's nature and size, the costs and benefits of available disposal methods, and the sensitivity of the information involved. The FTC's Disposal Rule does not mandate specific disposal measures.
Reasonable measures to protect against unauthorized access to or use of consumer information in connection with District disposal include the following examples. These examples are not exclusive or exhaustive methods for complying with the Disposal Rule.
1) Burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
2) Destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed. Examples would include:
a. Breaking or destroying computer disks;
b. Overwriting or "wiping" electronic records prior to disposal;
c. Prior to the sale, donation or transfer of any medium, including computer equipment, upon which consumer information is stored, disposing of such electronic media by overwriting or "wiping" the data prior to disposal or making certain that the hard drive is permanently deleted.
3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with the Disposal Rule. In this context, due diligence could include:
a. Reviewing an independent audit of the disposal company's operations and/or its compliance with the Disposal Rule;
b. Obtaining information about the disposal company from several references or other reliable sources;
c. Requiring that the disposal company be certified by a recognized trade association or similar third party;
d. Reviewing and evaluating the disposal company's information security policies or procedures;
e. Taking other appropriate measures to determine the competency and integrity of the potential disposal company; or
f. Requiring that the disposal company have a certificate of registration from the New York Department of State issued on or after October 1, 2008.
4) Identifying consumer information when providing it to service providers or affiliates to ensure that the information will be disposed of properly in accordance with the Disposal Rule.