Arkansas Data Disposal
A.C.A. § 4-110-103 - § 4-110-104
Arkansas Code
Title 4 - Business and Commercial Law
Subtitle 7 - Consumer Protection
Chapter 110 - Personal Information Protection Act
§ 4-110-103. Definitions
§ 4-110-104. Protection of personal information
§ 4-110-103. Definitions
As used in this chapter:
(1)
(A) “Breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.
(B) “Breach of the security of the system” does not include the good faith acquisition of personal information by an employee or agent of the person or business for the legitimate purposes of the person or business if the personal information is not otherwise used or subject to further unauthorized disclosure;
(2)
(A) “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country or the parent or the subsidiary of a financial institution.
(B) “Business” includes:
(i) An entity that destroys records; and
(ii) A state agency;
(3) “Customer” means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business;
(4) “Individual” means a natural person;
(5) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a healthcare professional;
(6) “Owns or licenses” includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates;
(7) “Personal information” means an individual's first name or first initial and his or her last name in combination with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted:
(A) Social Security number;
(B) Driver's license number or Arkansas identification card number;
(C) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(D) Medical information; and
(E)
(i) Biometric data.
(ii) As used in this subdivision (7)(E), “biometric data” means data generated by automatic measurements of an individual's biological characteristics, including without limitation:
(a) Fingerprints;
(b) Faceprint;
(c) A retinal or iris scan;
(d) Hand geometry;
(e) Voiceprint analysis;
(f) Deoxyribonucleic acid (DNA); or
(g) Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual's identity when the individual accesses a system or account;
(8)
(A) “Records” means any material that contains sensitive personal information in electronic form.
(B) “Records” does not include any publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number; and
(9) “State agencies” or “state agency” means any agency, institution, authority, department, board, commission, bureau, council, or other agency of the State of Arkansas supported by cash funds or the appropriation of state or federal funds.
4-110-104. Protection of personal information.
“(a) A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
(b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
For more information, see here: https://www.arkleg.state.ar.us/Acts/CodeSectionsAmended?ddBienniumSession=2015%2F2015R
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.