State and federal privacy laws govern the use of personally identifiable information. These laws are supplemented by policy and guidance. The Office of Privacy & Data Protection is responsible for establishing a statewide standard for information technology privacy and for reviewing existing privacy standards and practices to determine whether they meet statewide privacy requirements.
Statewide standards and practices incorporate state and federal privacy law, IT guidance and requirements, and records retention and management requirements. The following laws and guidance inform North Carolina state privacy standards.
Please note that the list below is not exhaustive and will continue to be updated.
- N.C. General Statutes - Chapter 143B Article 15: Department of Information Technology
- N.C. General Statutes - Chapter 75 Article 2A: Identity Theft Protection Act
- N.C. General Statutes - Chapter 14, Article 19C, Identity Theft, 14-113.20, Identifying Information
- N.C. General Statutes - Chapter 132: Public Records
- N.C. General Statutes - Chapter 132-1.10: Social Security Numbers and Other Personal Identifying Information
- N.C. General Statutes - Chapter 115C Article 21A: Privacy of Employee Personnel Records
- N.C. General Statutes - Chapter 115C-401.2: Student Online Privacy Protection
- N.C. General Statutes - Chapter 115C-402: Student Records; Maintenance; Contents; Confidentiality
- N.C. General Statutes - Chapter 58 Article 39: Consumer and Customer Information Privacy (Part 1. Insurance Information and Privacy Protection)
Employee Personnel Records
- N.C. General Statutes - Chapter 75 Article 2A: Identity Theft Protection Act
- N.C. General Statutes - Chapter 126 Article 7 (state and university employees)
- N.C. General Statutes - Chapter 153A-98 (county employees)
- N.C. General Statutes - 160A-168 (city employees)
- N.C. General Statutes - 131E-257.2 (public hospital employees)
- The Privacy Act of 1974, as amended, 5 U.S.C. 552a (Social Security Numbers)
- HIPAA Basics for Providers: Privacy, Security & Breach Notification Rules, U.S. Centers for Medicare & Medicaid Services, Guidance, May 2021
- Family Educational Rights and Privacy Act (FERPA)
- NCDIT, State Adoption of Fair Information Practice Principles (FIPPs)
- NCDIT, Media Protection Policy (Provides guidance on NIST 800-53 Security and Privacy Controls)
- NCDIT, State Adoption of NIST Risk Management Framework (Adoption of NIST SP 800-37 Rev. 2 and NIST SP 800-53 Rev. 5)
- NCDIT, Statewide Data Classification and Handling Policy
- NCDIT, Statewide Information Security Manual
- NCDIT, Statewide Information Security Policies
National Institute of Standards and Technology (NIST) Publications
- NIST SP 800-37, Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-88, Rev. 1, Guidelines for Media Sanitization
- NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 (January 2020)
Privacy by Design
- Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, Implementation and Mapping of Fair Information Practices
Controlled Unclassified Information
- National Archives, Controlled Unclassified Information (CUI)
Office of Management & Budget Publications
- OMB Circular A-130, Managing Information as a Strategic Resource, Revised (July 28, 2016), 81 FR 49689
- OMB M-01-05, Guidance on Interagency Sharing of Personal Data - Protecting Personal Privacy (Dec. 20, 2000) 11 Pub. L. No. 116-50, § 3(a)
Data Retention Requirements & Schedules
- Functional Schedules for North Carolina State Agencies: Data retention requirements and schedules for state government agencies from the State Archives of North Carolina.
Other Guidance
- Authorized Use of SSNs: Complying with Sec. 7 of the Privacy Act of 1974: The Social Security Administration’s guidance for state and local government agencies’ authorized use of Social Security Numbers. It includes important information about what must be disclosed to the individual whose SSN is requested.
- Security Breach Information from the N.C. Department of Justice: An overview of requirements in the Identity Theft Protection Act for businesses as well as state and local government for notifying the public of security breaches involving personal identifying information.