Privacy Laws & Guidance

State and federal privacy laws govern the use of personally identifiable information (PII). These laws are supplemented by policy and guidance. The Office of Privacy & Data Protection is responsible for establishing a statewide standard for information technology privacy and for reviewing existing privacy standards and practices to determine whether they meet statewide privacy requirements. Statewide standards and practices incorporate state and federal privacy law, IT guidance and requirements, and records retention and management requirements.

The following laws and guidance inform North Carolina state privacy standards.

State Law

N.C. General Statutes - Chapter 143B, Article 15: Department of Information Technology
N.C. General Statutes - Chapter 75, Article 2A: Identity Theft Protection Act
N.C. General Statutes - Chapter 14, Article 19C: Identity Theft, 14-113.20, Identifying Information
N.C. General Statutes - Chapter 132: Public Records
N.C. General Statutes - Chapter 115C, Article 21A: Privacy of Employee Personnel Records
N.C. General Statutes - Chapter 115C-401.2: Student Online Privacy Protection
N.C. General Statutes - Chapter 115C-402: Student Records; Maintenance; Contents; Confidentiality
N.C. General Statutes - Chapter 58, Article 39: Consumer and Customer Information Privacy (Part 1. Insurance Information and Privacy Protection)

Federal Law

The Privacy Act of 1974, as amended, 5 U.S.C. 552a (Social Security Numbers)
HIPAA Basics for Providers: Privacy, Security & Breach Notification Rules, U.S. Centers for Medicare & Medicaid Services, Guidance, May 2021
Family Educational Rights and Privacy Act (FERPA)

Policy & Memoranda

NCDIT, State Adoption of Fair Information Practice Principles (FIPPs)
NCDIT, State Adoption of NIST Risk Management Framework (Adoption of NIST SP 800-37 Rev. 2 and NIST SP 800-53 Rev. 5)
NCDIT, Statewide Data Classification and Handling Policy

Guidance

National Institute of Standards and Technology (NIST) Publications

NIST SP 800-37, Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-88, Rev. 1, Guidelines for Media Sanitization
NIST Privacy Framework

Privacy by Design

Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, Implementation and Mapping of Fair Information Practices

Controlled Unclassified Information

National Archives, Controlled Unclassified Information (CUI)

Other Guidance

Authorized Use of SSNs: Complying with Sec. 7 of the Privacy Act of 1974: The Social Security Administration's guidance for state and local government agencies' authorized use of Social Security Numbers. Includes important information about what must be disclosed to the individual whose SSN is requested.

This list is not exhaustive and will continue to be updated.