Montana Code 2-6-1502. Protection of personal information — compliance — extensions
2-6-1502. Protection of personal information — compliance — extensions. (1) Each state agency that maintains the personal information of an individual shall develop procedures to protect the personal information while enabling the state agency to use the personal information as necessary for the performance of its duties under federal or state law.
Terms Used In Montana Code 2-6-1502
- Individual: means a human being. See Montana Code 2-6-1501
- Person: means an individual, a partnership, a corporation, an association, or a public organization of any character. See Montana Code 2-6-1501
- Personal information: means a first name or first initial and last name in combination with any one or more of the following data elements when the name and data elements are not encrypted:
(i)a social security number;
(ii)a driver's license number, an identification card number issued pursuant to 61-12-501, a tribal identification number or enrollment number, or a similar identification number issued by any state, the District of Columbia, the Commonwealth of Puerto Rico, Guam, the Virgin Islands, or American Samoa;
(iii)an account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to a person's financial account;
(iv)medical record information as defined in 33-19-104;
(v)a taxpayer identification number; or
(vi)an identity protection personal identification number issued by the United States internal revenue service. See Montana Code 2-6-1501
- Redaction: means the alteration of personal information contained within data to make all or a significant part of the data unreadable. See Montana Code 2-6-1501
- State: when applied to the different parts of the United States, includes the District of Columbia and the territories. See Montana Code 1-1-201
- State agency: means an agency, authority, board, bureau, college, commission, committee, council, department, hospital, institution, office, university, or other instrumentality of the legislative or executive branch of state government. See Montana Code 2-6-1501
(2)The procedures must include measures to:
(a)eliminate the unnecessary use of personal information;
(b)identify the person or state agency authorized to have access to personal information;
(c)restrict access to personal information by unauthorized persons or state agencies;
(d)identify circumstances in which redaction of personal information is appropriate;
(e)dispose of documents that contain personal information in a manner consistent with other record retention requirements applicable to the state agency;
(f)eliminate the unnecessary storage of personal information on portable devices; and
(g)protect data containing personal information if that data is on a portable device.
(3)Except as provided in subsection (4), each state agency that is created after October 1, 2015, shall complete the requirements of this section within 1 year of its creation.
(4)The chief information officer provided for in 2-17-511 may grant an extension to any state agency subject to the provisions of the Montana Information Technology Act provided for in Title 2, chapter 17, part 5. The chief information officer shall inform the governor, the office of budget and program planning, and the legislative finance committee of all extensions that are granted and of the rationale for granting the extensions. The chief information officer shall maintain written documentation that identifies the terms and conditions of each extension and the rationale for the extension.