Monday, December 30, 2013

Data Security Guide: If Third-Parties Request Personal Data — How to Respond

Before providing any personal information to a third-party you should make sure that they are actually authorized to have that information.

Getting Started

Here are some guidelines to help you and your employees determine who is and who is not authorized to obtain personal information about your customers.
  1. Requests from your customers.
    In general, customers are authorized to find out what information you keep about them.
  2. Requests from individuals connected with your customers.
  3. Requests from the government.
    If you receive a request from your state or the federal government to obtain personal information about your customers, and your customers have not consented to the release of their data pursuant to such requests, consult your attorney.
  4. Requests from other people.

Checklists

Requests from Individuals Authorized by Your Customers

  • If your customer indicates that he/she wants someone else to see the information that you keep about the customer, consider that third-party as now "authorized."
  • However...if you receive a request from a third-party (e.g. a family member, attorney, or health care provider) for information about your customer...
    • Require written authorization (e.g., a consent form or a power-of-attorney) that has been signed and notarized by your customer.
    • Carefully read the written authorization. Make sure that the written authorization encompasses the type of information that you maintain about the individual.

Requests from the Government

Consider the following:
  • Don't assume that a government request is "authorized." Just because a request comes from the government does not mean that the government is "authorized" to obtain personal information.
  • Try to comply with the request without providing personal information. Sometimes government agencies request documents that include personal information without realizing it.
  • If you and your attorney decide to comply with a government request, consider asking the government if you can delete the personal information that may be in the document.

Requests from Other People

  • Other people, companies, or organizations that request personal information about your customers generally are not considered "authorized." For such requests, consider:
    • Requiring a formal request — in writing.
    • Consulting with your attorney.
    • After consulting with your attorney, and/or the customer, respond to the request in writing and keep a copy of your response.
  • If you receive a subpoena from an attorney do not assume that the request is "authorized."
    • The mere fact that someone issues a subpoena does not mean that you must provide the information that they request.
    • Immediately consult your attorney who can help you decide how to respond to the subpoena.

U.S. Legal Requirements

Federal and state laws require businesses to take steps to prevent personal information from being obtained by "unauthorized" individuals, and to alert consumers, and the government, if "unauthorized" individuals access and/or acquire that information. As a result, businesses must ensure that they only release information to "authorized" third parties.