GALLAGHER EVELIUS & JONES LLP ATTORNEYS AT LAW
Article: Safeguarding Personal Information in Your Organization's Records
 
1/24/2008
Authors: Gallagher Employment Lawyers

Do your parish or school records contain personal information such as social security or financial account numbers of students, employees, members, donors, or other individuals? Who has access to these records? How do you protect personal information from unauthorized access?

Following the recent enactment of a new Maryland consumer protection law, many organizations are facing questions such as these. The new law, the Maryland Personal Information Protection Act, requires businesses, including nonprofit organizations, to protect records that contain certain personal information of Maryland residents. The law also requires businesses to notify Maryland residents of unauthorized access to computerized records that contain their personal information under particular circumstances.

In addition to this new law, there are various other statutes and common law principles that protect individuals' personal information. For example, Maryland's Social Security Number Privacy Act prohibits public posting and certain transmissions of individuals' social security numbers. Common law concepts of negligence and invasion of privacy provide legal remedies for individuals whose private information is disclosed inappropriately. In order to comply with these laws and limit your organization's liability, it is important to protect personal information entrusted to your care.

Below are some suggestions to enhance the security of your records and prevent unauthorized access to or disclosure of personal information in these records:

  • Identify the types and locations of information currently maintained: find out what information your organization keeps and where the information is stored, including electronically stored information.

  • Identify the individuals who have access to personal information: find out who has access to records and how your organization monitors this access; limit access to the appropriate individuals within your organization; train these individuals in handling personal information.

  • Limit the personal information you collect: substitute other types of identification numbers for social security numbers; think about whether your organization needs to collect certain personal information; update forms to eliminate collection of unnecessary information.

  • Develop a records retention policy: decide how long your organization needs to keep records; set up a schedule to destroy records that are no longer needed; ensure that your organization adequately destroys records, including those stored on computer hard drives, so that personal information is unreadable or undecipherable.

  • Develop a privacy policy: specify the ways in which your organization uses personal information and the procedures used for authorized disclosures of personal information.

  • Develop a security policy: determine the steps and procedures your organization will follow to protect personal information.

  • Establish a security team and security breach response plan: include administrative, information technology, legal, and communications members on the team; address the ways in which your organization should respond to a breach of security procedures or unauthorized access to personal information.



This article appeared in the Winter 2008 issue of Visions.
Copyright 2010 Gallagher Evelius & Jones LLP. All Rights Reserved.