External Regulations
State Regulations
Family Privacy Protection Act Policy
Purpose:
All state agencies, boards, commissions, institutions, departments, and other state entities, by whatever name known, must develop privacy policies and procedures to ensure that the collection of personal information pertaining to citizens of the State is limited to such personal information required by any such agency, board, commission, institution, department or other state entity and necessary to fulfill a legitimate public purpose.
Information Security Policy – Data Protection and Privacy
Purpose:
The South Carolina Information Security (INFOSEC) Program consists of information security policies that establish a common information security framework across South Carolina State Government Agencies and Institutions.
Federal Regulations
Federal Educational Rights and Privacy Act (FERPA)
Purpose:
FERPA stands for the Family Educational Rights and Privacy Act. It is also referred to as the Buckley Amendment. FERPA is a federal law (20 U.S.C. section 1232g) that was passed by Congress in 1974 to protect the privacy of student education records. It also provides rights to access or amend those records.
Federal Information Security Modernization Act (FISMA)
Purpose:
FISMA 2014 codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies.
GAMM-LEACH-BILEY ACT (GLBA)
Purpose:
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
Health Insurance Portability and Accountability Act (HIPAA)
Purpose:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.
International or Industry Regulations
General Data Protection Regulation (GDPR)
Purpose:
GDPR is a general privacy law that applies to the processing of personal data collected in or from the European Union (EU). It applies to: (A) the “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (GDPR Article 3(1)) and (B) “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union or the monitoring of individuals in the EU. “Data subjects” refer to identified or identifiable natural persons, regardless of whether they are citizens or residents of the EU. A U.S. organization (with or without an establishment in the U.S.) can be a controller or processor subject to the GDPR for all or part of its data.
Payment Card Industry Data Security Standards (PCI)
Purpose:
The PCI SSC mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.
