Consumer Information Disposal Policy Information
Section:
Subsection:
Authorized By
Navdeep S. Gill, County Executive
Revision History
Revised: 08/2018
Established: 12/2005
Contact
Policy and Compliance Administrator
Department of Personnel Services
Email: AskDPS@saccounty.gov
As part of the federal effort to combat identity theft and other forms of consumer fraud, Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA). In compliance with FACTA’s mandate, the Federal Trade Commission (FTC) has issued regulations governing the disposal of consumer credit information (Disposal Rule). The regulations require that reasonable measures be taken to protect against unauthorized access to or use of consumer credit information in connection with its disposal.
The County of Sacramento is committed to reducing identity theft and other fraud through protection of personally identifiable information. The purpose of this policy is to provide consistent guidelines for consumer information disposal practices throughout the County, and to serve as a foundation upon which departments may base their own more detailed policies and procedures governing consumer information disposal.
These regulations apply only to disposal of narrowly defined consumer report information, obtained from third party consumer reporting agencies, that identifies particular individuals. To the extent that members of the County workforce conduct credit and/or background checks, the regulations are not applicable. However, any consumer report or information derived from the report of a third party consumer reporting agency, as that term is defined by federal law, is subject to the regulations.
It shall be the policy of the County of Sacramento that consumer report information will be disposed of in such a way that personal information is unreadable or incapable of being reconstructed. It is the responsibility of departments and agencies to become familiar with the standards for compliance and to apply these standards in the disposal of consumer report information. Each department that utilizes consumer credit information shall document written procedures to track and dispose of paper or electronic media used for consumer information.
This standard, based on 16 Code of Federal Regulations (CFR) 682.3, is one of reasonableness. It requires implementing, and monitoring compliance with, adopted policies and procedures relating to the destruction of consumer information. There are a number of accepted methods of document destruction that ensure the information cannot practicably be read or reconstructed:
A. Paper
Paper with consumer information must be disposed of by burning, pulverizing or shredding so that the information cannot practicably be read or reconstructed.
B. Electronic media
Computer equipment that previously contained consumer information must be disposed of by destroying or erasing the information.
a. If erased, the method shall meet the Department of Defense (DoD) 5220.22-M standard, which states, “the method of destruction must preclude recognition or reconstruction of the classified information or material.” All computer equipment shall be tested to ensure information cannot be retrieved.
b. All other media shall have all the consumer information removed (the mechanism may vary depending on the media type) and tested to ensure the information cannot be retrieved. If it is unclear whether the data can be retrieved or not, the media shall be destroyed.
c. If the media is not technology capable of being erased, the media shall be overwritten or destroyed.
C. Use of a third party to dispose of consumer information
The reasonableness measures standard requires monitoring compliance of any contract with another party who has been contracted to dispose of consumer information. Due diligence must be exercised in monitoring compliance, including:
a. Including language requiring vendors to adhere to the County’s Consumer Information Disposal Policy for any contracts entered into with a third party for the purpose of destroying consumer information. A copy of the policy shall be included in the bid solicitation (if applicable) and contract.
b. Reviewing an independent audit of the disposal company’s operations and/or its compliance;
c. Obtaining information about the disposal company from references or other reliable sources;
d. Requiring that the disposal company be certified;
e. Reviewing and evaluating the disposal company’s information security measures to determine the competency and integrity of the potential disposal company.
The following responsibilities are required of managers and supervisors; IT support; the general County workforce; the Department of General Services, Contract and Purchasing Services Division; the Department of General Services, Support Services Division, Surplus Property; and the Office of Compliance and HIPAA.
A. Responsibilities of managers and supervisors
a. Ensure that reasonable measures are taken to protect against unauthorized access to or use of consumer credit information in connection with its disposal.
b. Ensure that any workforce members that access consumer credit information are aware of this policy and associated responsibilities.
c. Monitor compliance by the workforce.
d. Ensure that any third party who has been contracted to dispose of consumer credit information does so in a manner consistent with this policy and departmental procedures.
e. Ensure that any procedures developed by departments to track and dispose of paper and electronic media used for consumer information are developed, documented and submitted to the Office of Compliance and HIPAA for review. Any procedures developed by departments shall be consistent with the County’s Consumer Information Disposal Policy and not deviate from the County standard.
B. Responsibilities of IT support
a. Ensure all hard drives are removed and designated for disposal in accordance with the Computer Equipment and Media Storage Disposal Policy.
b. Maintain an inventory and a record of movements of hardware and electronic media such as workstations, servers, or backup tapes.
c. Ensure that a disposal tag is applied to PCs sent to Surplus Property subsequent to confirmation that the hard drives have been removed for destruction.
d. Ensure that identifying tags, such as names or phone numbers, have been removed.
C. Responsibilities of general workforce
a. Workforce members shall follow their department procedures and adhere to County policy when disposing of consumer information.
b. Protect against unauthorized access to or use of information in connection with its disposal.
D. Responsibilities of Department of General Services, Contracts and Purchasing Services Division
a. Contracts and Purchasing staff shall ensure that any contracts entered into with a third party for the purpose of destroying consumer information shall include language requiring vendors to adhere to the County’s Consumer Information Disposal Policy. A copy of the policy shall be included in the bid solicitation (if applicable) and contract.
b. Contracts and Purchasing shall maintain due diligence, including reviewing an independent audit of the company’s operations for compliance with the Disposal Rule, obtaining information from references or other reliable sources, and taking appropriate measures to determine the competency and integrity of the potential disposal company.
E. Responsibilities of Department of General Services, Support Services Division, Surplus Property:
a. Surplus Property staff shall ensure computer equipment is authorized for surplus and the hard drives/electronic media are destroyed per this policy.
F. Responsibilities of Office of Compliance and HIPAA:
a. Review all new and revised procedures submitted by the departments that utilize consumer credit information for approval and ongoing evaluation. Any procedures developed by departments shall be consistent with the County’s Consumer Information Disposal Policy and not deviate from the County standard.
b. Work with the Department of General Services, Contract and Purchasing Services Division to ensure that appropriate measures are taken to determine the competency and integrity of the disposal company.
c. The Office of Compliance and HIPAA or its designated representatives will conduct periodic reviews for compliance with this policy.