House File 2488 - Introduced



                                       HOUSE FILE       
                                       BY  PETTENGILL, LUKAN, SODERBERG,
                                           WINDSCHITL, ALONS, L. MILLER,
                                           FORRISTALL, ARNOLD, RASMUSSEN,
                                           HEATON, VAN ENGELENHOVEN,
                                           DEYOE, S. OLSON, GRANZOW,
                                           DRAKE, and UPMEYER


    Passed House, Date               Passed Senate, Date             
    Vote:  Ayes        Nays           Vote:  Ayes        Nays         
                 Approved                            

                                      A BILL FOR

  1 An Act relating to the destruction of public records containing
  2    personal information and providing a penalty.
  3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
  4 TLSB 6283YH 82
  5 md/nh/14

PAG LIN



  1  1    Section 1.  NEW SECTION.  22.15  PROTECTION OF PERSONAL
  1  2 INFORMATION == DESTRUCTION OF PUBLIC RECORDS == PENALTY.
  1  3    1.  "Personal information" means an individual's first name
  1  4 or first initial and last name in combination with any one or
  1  5 more of the following data elements that relate to the
  1  6 individual if neither the name nor the data elements are
  1  7 encrypted, redacted, or otherwise altered by any method or
  1  8 technology in such a manner that the name or data elements are
  1  9 unreadable:
  1 10    a.  Social security number.
  1 11    b.  Driver's license number or other unique identification
  1 12 number created or collected by a government body.
  1 13    c.  Financial account number, credit card number, or debit
  1 14 card number in combination with any required security code,
  1 15 access code, or password that would permit access to an
  1 16 individual's financial account.
  1 17    d.  Unique electronic identifier or routing code, in
  1 18 combination with any required security code, access code, or
  1 19 password.
  1 20    e.  Unique biometric data, such as a fingerprint, voice
  1 21 print or recording, retina or iris image, or other unique
  1 22 physical representation or digital representation of the
  1 23 biometric data.
  1 24    2.  Unless otherwise required by federal or state law, each
  1 25 government body shall take reasonable steps to destroy or
  1 26 arrange for the destruction of a public record, or portion
  1 27 thereof, containing personal information within its control,
  1 28 which is no longer required to be retained by the government
  1 29 body.  Destruction of a public record, or portion thereof,
  1 30 shall be in accordance with the following minimum standards:
  1 31    a.  Paper documents containing personal information shall
  1 32 be either redacted, burned, pulverized, or shredded so that
  1 33 personal information cannot practicably be read or
  1 34 reconstructed.
  1 35    b.  Electronic media and other nonpaper media containing
  2  1 personal information shall be destroyed or erased so that
  2  2 personal information cannot practicably be read,
  2  3 reconstructed, or deciphered through any means.
  2  4    3.  A government body may contract with a third party to
  2  5 destroy public records containing personal information in
  2  6 accordance with the requirements of this section.  Any third
  2  7 party hired to destroy public records containing personal
  2  8 information shall implement and monitor compliance with
  2  9 policies and procedures that prohibit unauthorized access to
  2 10 or acquisition of or use of personal information during the
  2 11 collection, transportation, and destruction of personal
  2 12 information.
  2 13    4.  A government body or third party that violates the
  2 14 provisions of this section shall be subject to a civil penalty
  2 15 of not more than one hundred dollars per public record
  2 16 affected, provided such penalty shall not exceed fifty
  2 17 thousand dollars for each instance of improper destruction.
  2 18 The office of attorney general or a county attorney may
  2 19 enforce the provisions of this section.
  2 20    Sec. 2.  IMPLEMENTATION OF ACT.  Section 25B.2, subsection
  2 21 3, shall not apply to this Act.
  2 22                           EXPLANATION
  2 23    This bill relates to the destruction of public records
  2 24 containing personal information.  The bill, in new Code
  2 25 section 22.15, specifies certain minimum standards for the
  2 26 destruction of public records that contain personal
  2 27 information.  The bill requires a government body to take
  2 28 reasonable steps and adhere to those minimum standards when
  2 29 destroying a public record which is no longer required to be
  2 30 retained by the government body.
  2 31    The bill allows a government body to contract with a third
  2 32 party to destroy public records containing personal
  2 33 information.
  2 34    The bill provides that a government body or a third party,
  2 35 which includes all officials, officers, and employees who are
  3  1 delegated authority, that violate new Code section 22.15 are
  3  2 subject to a civil penalty of not more than $100 per public
  3  3 record affected, up to a maximum penalty of $50,000 for each
  3  4 instance of improper destruction.
  3  5    The bill may include a state mandate as defined in Code
  3  6 section 25B.3.  The bill makes inapplicable Code section
  3  7 25B.2, subsection 3, which would relieve a political
  3  8 subdivision from complying with a state mandate if funding for
  3  9 the cost of the state mandate is not provided or specified.
  3 10 Therefore, political subdivisions are required to comply with
  3 11 any state mandate included in the bill.
  3 12 LSB 6283YH 82
  3 13 md/nh/14