Sec. 202. Minimization and records of access by employees and contractors
/bill/119/hr/8014/ih/section-202·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
A covered entity shall restrict access to personal information and contents of communications by the employees or contractors of such covered entity based on an articulated balance between the potential for privacy harm, reasonable expectations of individuals to whom the personal information relates, and reasonable business needs. A covered entity shall maintain records identifying each instance in which an employee or a contractor of such covered entity accesses personal information or contents of communications if disclosing such personal information or contents of communication, or a data breach or data-sharing abuse involving such personal information or contents of communication, may foreseeably result in increased privacy harms.
The records required by paragraph (1) shall include the following:
A unique identifier for the employee or contractor accessing personal information or contents of communications.
The date and time of access.
The fields of information accessed.
The individuals whose personal information was accessed or the contents of whose communications were accessed.
This subsection does not apply to a small business.