Massachusetts Data Disposal
MGL c. 93I, § 2
Chapter 93I: DISPOSITIONS AND DESTRUCTION OF RECORDS
Section 1 Definitions
Section 2 Standards for disposal of records containing personal information; disposal by third party; enforcement
Section 3 Enforcement
Section 1: Definitions
Section 1. As used in this chapter the following words shall, unless the context clearly requires otherwise, have the following meanings:—
''Agency'', any county, city, town, or constitutional office or any agency thereof, including but not limited to, any department, division, bureau, board, commission or committee thereof, or any authority created by the general court to serve a public purpose, having either statewide or local jurisdiction.
''Data subject'', an individual to whom personal information refers.
''Person'', a natural person, corporation, association, partnership or other legal entity.
''Personal information'', a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to the resident:—
(a) Social Security number;
(b) driver's license number or Massachusetts identification card number;
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident's financial account; or
(d) a biometric indicator.
Section 2: Standards for disposal of records containing personal information; disposal by third party; enforcement
Section 2. When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:
(a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Any agency or person disposing of personal information may contract with a third party to dispose of personal information in accordance with this chapter. Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.
Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.
Section 3: Enforcement
Section 3. The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.
For more information, see here: https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93I
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.