Standards for disposal of records containing personal information; disposal by third party; enforcement
Section 2. When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:
- paper documents containing personal information shall be redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
- electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Any agency or person disposing of personal information may contract with a third party to dispose of personal information in accordance with this chapter. Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.
Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.
Note: Up-to-date version of the law may be found on www.mass.gov.