2020 5671
Non-Instructional/Business Operations
SUBJECT: DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS
In accordance with the Federal Trade Commission’s (FTC) “Disposal Rule,” and in an effort to protect the privacy of consumer information, reduce the risk of fraud and identity theft, and guard against unauthorized access to or use of the information, the District will take appropriate measures to properly dispose of sensitive information (i.e., personal identifiers) contained in or derived from consumer reports and records. The District may determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
The term “consumer report” includes information obtained from a consumer reporting company that is used—or expected to be used—in establishing a consumer’s eligibility for employment or insurance, among other purposes. The term “employment purposes” when used in connection with a consumer report means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee.
The FTC Disposal Rule defines “consumer information” as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of these records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.”
Information Covered by the Disposal Rule
There are a variety of personal identifiers beyond simply a person’s name that would bring information within the scope of the Disposal Rule, including, but not limited to, a social security number, driver’s license number, phone number, physical address, and email address. Depending upon the circumstances, data elements that are not inherently identifying can, in combination, identify particular individuals.
Proper Disposal
The District will utilize disposal practices that are reasonable and appropriate to prevent the unauthorized access to—or use of—information contained in or derived from consumer reports and records. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with District disposal include the following examples.
- Burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed;
- Destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed;
- After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with the Disposal Rule. In this context, due diligence could include:
1. Reviewing an independent audit of the disposal company’s operations and/or its compliance with the Disposal Rule;
2. Obtaining information about the disposal company from several references or other reliable sources;
3. Requiring that the disposal company be certified by a recognized trade association or similar third party;
4. Reviewing and evaluating the disposal company’s information security policies or procedures;
5. Taking other appropriate measures to determine the competency and integrity of the potential disposal company; or
6. Requiring that the disposal company have a certificate of registration from the New York Department of State issued on or after October 1, 2008. - For persons (as defined in accordance with the Fair Credit Reporting Act) or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to the Disposal Rule, monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of this information in accordance with examples a) and b) above.
Implementation of Practices and Procedures
The Board delegates to the Superintendent or designee the authority and responsibility to review current practices regarding the disposal of consumer information; and to implement such further reasonable and appropriate procedures, including staff training as necessary, to ensure compliance with the FTC’s Disposal Rule.
- The Fair Credit Reporting Act, 15 USC § 1681 et seq.
- The Fair and Accurate Credit Transactions Act of 2003, Public Law §§ 108-159
- Federal Trade Commission Disposal of Consumer Report Information and Records, 16 CFR Part 682
- General Business Law Article 39-G
- 19 NYCRR § 199
Adopted: 8/24/11
Revised: 9/22/20