Following are a few of the key regulations covering data security, storage and privacy. Some of these regulations run into the hundreds of pages, so they do contain considerably more information than is covered here.
EU Data Protection Directive (DPD)
Applies to companies with offices in the European Union or that exchange personal data with companies in the EU. The data can relate to customers or employees. Companies may either submit a privacy compliance plan to each country’s Data Protection Authority, or establish privacy policies in compliance with the DPD and certify to the U.S. Department of Commerce that they are in compliance. The plan must cover who can access information, data security, and enforcement procedures.
FDA 21 CFR Part 11
Covers pharmaceutical and life sciences firms operating under the auspices of the FDA. Affected companies must “employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.” Records must be retained for two to five years.
Gramm-Leach-Bliley Act (GLBA)
Applies to banks, securities firms, insurance companies, loan brokers, tax preparers, financial advisers, and other providers of financial products or services. Requires companies to have a written security plan to protect the confidentiality and integrity of personal consumer information. The plan must include employee management and training, security of information systems (hardware, software, and data transmission), and the steps to take to manage system failures.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Applies to all health care providers, pharmacists, and insurance companies. Governs procedures for the sharing of patient information. Hospitals must retain records for a minimum of five years. If the patient is a minor, records must be kept until the patient is at least 21.
IRS Revenue Procedure 97-22
Applies to any taxpayer. Details system requirements for the electronic storage and indexing of tax and financial records. The District Director may visit the taxpayer and conduct a test of the system.
OSHA Recordkeeping (29 CFR Part 1904)
Section 1904.9 provides that records of illness and injury be retained for five years. (Note: the American Industrial Hygiene Association had recommended 30 years.)
Sarbanes-Oxley Act (SOX)
Applies to all publicly traded companies in the U.S. Chairmen and CFOs must submit documents attesting to the accuracy and soundness of their financial reports. Those executives bear personal liability, including criminal penalties: they have to certify that everything is taking place in accordance with the standards of proper reporting and accounting. Requires documentation of all procedures used to derive financial numbers. Original correspondence from financial audits must be retained for four years after completion of the audit.
SEC Rule 17a-4
Applies to brokers, dealers, and members of the stock exchange. All business-related and internet communications sent and received must be retained for at least three to six years. Trading account records must be held for six years beyond the end of the account. Data must be maintained and preserved in a manner that verifies the authenticity of the data. Records must be preserved exclusively in a non-rewriteable, non-erasable format, and a duplicate copy of each record must be stored separately.