Disposal of records containing personal information.

Checkout our iOS App for a better way to browser and research.

134.97 Disposal of records containing personal information.

(1) Definitions. In this section:

(a) “Credit card" has the meaning given in s. 421.301 (15).

(am) “Dispose" does not include a sale of a record or the transfer of a record for value.

(b) “Financial institution" means any bank, savings bank, savings and loan association or credit union that is authorized to do business under state or federal laws relating to financial institutions, any issuer of a credit card or any investment company.

(c) “Investment company" has the meaning given in s. 180.0103 (11e).

(d) “Medical business" means any organization or enterprise operated for profit or not for profit, including a sole proprietorship, partnership, firm, business trust, joint venture, syndicate, corporation, limited liability company or association, that possesses information, other than personnel records, relating to a person's physical or mental health, medical history or medical treatment.

(e) “Personal information" means any of the following:

1. Personally identifiable data about an individual's medical condition, if the data are not generally considered to be public knowledge.

2. Personally identifiable data that contain an individual's account or customer number, account balance, balance owing, credit balance or credit limit, if the data relate to an individual's account or transaction with a financial institution.

3. Personally identifiable data provided by an individual to a financial institution upon opening an account or applying for a loan or credit.

4. Personally identifiable data about an individual's federal, state or local tax returns.

(f) “Personally identifiable" means capable of being associated with a particular individual through one or more identifiers or other information or circumstances.

(g) “Record" means any material on which written, drawn, printed, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

(h) “Tax preparation business" means any organization or enterprise operated for profit, including a sole proprietorship, partnership, firm, business trust, joint venture, syndicate, corporation, limited liability company or association, that for a fee prepares an individual's federal, state or local tax returns or counsels an individual regarding the individual's federal, state or local tax returns.

(2) Disposal of records containing personal information. A financial institution, medical business or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business or other person under contract with the financial institution, medical business or tax preparation business does any of the following:

(a) Shreds the record before the disposal of the record.

(b) Erases the personal information contained in the record before the disposal of the record.

(c) Modifies the record to make the personal information unreadable before the disposal of the record.

(d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record's disposal and the record's destruction.

(3) Civil liability; disposal and use.

(a) A financial institution, medical business or tax preparation business is liable to a person whose personal information is disposed of in violation of sub. (2) for the amount of damages resulting from the violation.

(b) Any person who, for any purpose, uses personal information contained in a record that was disposed of by a financial institution, medical business or tax preparation business is liable to an individual who is the subject of the information and to the financial institution, medical business or tax preparation business that disposed of the record for the amount of damages resulting from the person's use of the information. This paragraph does not apply to a person who uses personal information with the authorization or consent of the individual who is the subject of the information.

(4) Penalties; disposal and use.

(a) A financial institution, medical business or tax preparation business that violates sub. (2) may be required to forfeit not more than $1,000. Acts arising out of the same incident or occurrence shall be a single violation.

(b) Any person who possesses a record that was disposed of by a financial institution, medical business or tax preparation business and who intends to use, for any purpose, personal information contained in the record may be fined not more than $1,000 or imprisoned for not more than 90 days or both. This paragraph does not apply to a person who possesses a record with the authorization or consent of the individual whose personal information is contained in the record.

History: 1999 a. 9; 2005 a. 155 s. 52; Stats. 2005 s. 134.97.

Legislative Watch: Disposing Medical, Financial Records. Franklin. Wis. Law. Dec. 1999.


Download our app to see the most-to-date content.