A portion of the data acquired, assembled, evaluated, stored and/or disclosed by Data Driven Safety (the DDS Restricted Data) is subject to a number of legal restrictions. This means that DDS is required by statute and/or contract to take specific actions to ensure the DDS Restricted Data is used correctly.  DDS is committed to maintaining compliance with all federal, state, local and contractual legal requirements.

In addition to meeting the minimum legal requirements imposed on us by law, DDS is proud to ensure that all information in its possession is used fairly, responsibly and ethically, as further described in Our Data.  This mission is advanced by our:

rigorous client vetting process;
proprietary data management and quality assurance;
adherence to transparent data privacy principles; and
robust data security program.

While our team of in-house attorneys is not permitted to provide legal guidance to our customers (or anyone else, since we are not a law firm), below is additional information that may be of use to those affected and protected by DDS Restricted Data.

Important Laws, Notices and Policies:

Overview

The Driver’s Privacy Protection Act (DPPA) was enacted  to protect the privacy of motorists’ personal information (PII) from unauthorized disclosure.  The DPPA only allows DMV agencies to release PII (e.g., name and address) to organizations like DDS that have permissible use(s) for the protected data.  Additionally, certain states have enacted similar laws that go further than the federal DPPA to restrict disclosure of PII.

 

Applicability

DDS obtains PII from numerous DMV agencies in support of our Envision driver monitoring service and MVA reCOUP health care recovery program, along with several custom Prism solutions.

 

DDS Compliance

Each of DDS’s product offerings adheres to the federal DPPA (and all related state laws.  While only one permissible use must be demonstrated for data obtained under the DPPA, it is common for our services to meet several of these statutory exceptions simultaneously.   All DDS services satisfy one or more of the following permissible uses authorized specifically by 18 U.S. Code § 2721(b):

    • (2) – relating to motor vehicle and driver safety,
    • (3) – relating to identity verification,
    • (4) – relating to litigation,
    • (5) – relating to research,
    • (6) – relating to insurance support organizations,
    • (9) – relating to CDL driver monitoring and/or
    • (13) – with operator’s consent.

Beyond our legal right to obtain PII data from DMVs, DDS relies on a combination of substantive and procedural safeguards to ensure all data is maintained in a DPPA-compliant manner.  In fact, all DPPA-restricted records are:

clearly identified in our source management system;
contain a compulsory data field that indicates the specific use restrictions;
housed in databases that employ full disk encryption and active logging;
available only to DDS employees with a documented need-to-know; and
correctly cataloged and appropriately transfer-restricted.

Overview

The Fair Credit Reporting Act (FCRA) was enacted to (1) prevent the misuse of sensitive consumer information by limiting recipients to those who have a legitimate need for it; (2) improve the accuracy and integrity of consumer reports; and (3) promote the efficiency of the nation’s banking and consumer credit systems. It requires all consumer reporting agencies (CRA’s) to adopt reasonable procedures for providing information that bears on a person’s ability to obtain/maintain insurance and employment.  The Federal Trade Commission (FTC) actively enforces the FCRA to promote the accuracy, fairness, and privacy of information in the files of CRAs.

 

Applicability

DDS’s eLUMINATE and Envision products have the potential to adversely affect the employment status of certain employees (e.g., a childcare worker recently convicted of assault on a child or a driver whose license has been suspded as a result of a second DUI conviction).   Similarly, several DDS’s Prism services have the potential to adversely affect the availability and/or pricing of automotive and/or life insurance for certain persons.  DDS acknowledges that it is a CRA to the extent that it provides consumer reports and, therefore, is subject to the FCRA. 

 

DDS Compliance

The FTC has worked for years to bring predictability to the complex legal issues found in the FCRA.  In so doing, it has developed easy-to-understand materials that were designed to assist persons and organizations that are affected by the FCRA.  Some of those documents are included below for your convenience.  The full information is available at www.ftc.gov.

FTC Publications for Consumers

A Summary of Your Rights Under the Fair Credit Reporting Act (En Español)

FTC Publications for DDS Clients

Background Checks: What Employers Need to Know
Using Consumer Reports: What Employers Need to Know
Consumer Reports: What Insurers Need to Know
Using Consumer Reports for Credit Decisions

Additional FTC Publications Adhered to by DDS

What Employment Background Screening Companies Need to Know
Disposing of Consumer Report Information
Background Screening Reports and the FCRA

Overview

The Equal Employment Opportunity Commission (EEOC) is a federal agency tasked with enforcing employees’ federal rights under Title VII, the Age Discrimination in Employment Act, the Worker Adjustment and Restraining Notification Act, and the Americans with Disabilities Act.  This organization seeks to ensure (among other things) that criminal record information is not used in a discriminatory manner by employers.

 

Applicability

The EEOC has provided guidance (including a safe harbor) for employers wishing to rely on criminal history information in their retention, promotion and re-assignment decisions.  That information is found below:

Background Checks: What Employers Need to Know (joint publication between EEOC and FTC)

 Compliance

DDS’s eLUMINATE service was patterned after the EEOC’s safe harbor language.  It emphasizes the value of relevant conviction information (as opposed to arrest data) while ensuring that employers only receive alerts for recent violations that relate to the employee’s job duties.  As an additional safeguard, all such alerts include a recent copy of the actual judicial disposition document(s).  

Overview

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) established a set of national standards for the protection of confidential health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  

A major goal of the Privacy Rule is to assure that health information is properly protected while allowing the flow of health information needed to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information in a manner that is sensitive to the privacy interests of persons who seek care and healing.  It is designed to be both flexible and comprehensive so that it can adequately cover the variety of uses for which health data is needed.

 

Applicability

The Privacy Rule regulates the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “Covered Entities,” and, by extension, their contractors which are referred to as “Business Associates.”  DDS is a Business Associate to Covered Entities when it receives protected health information to perform its MVA reCOUP service offering.

 

DDS Compliance

DDS maintains compliance with all contractual obligations instituted by its Covered Entity customers, as specified in the Business Associate Agreements to which it is a signatory.

DDS does not provide traditional background screening (e.g., eLUMINATE only delivers recent criminal convictions acquired from judicial data sources, and Envision is a forward-monitoring driver application).  As a result, many state-specific laws that apply to background screening CRAs are inapplicable to our services (e.g., CRS § 12-14.3-105.3(1)(e), GA Code § 35-3-34(3)(b), Nevada Revised Statutes 598C.150(2), etc.).  However, the following are examples of legislative mandates to which DDS complies at the state level.

  • Alaska: DDS adheres to the spirit of AS §12.62.160(b)(8), which limits the disclosure by governmental agencies of non-conviction criminal justice information.
  • California:  DDS adheres to CA Civil Code §1786 et seq. (the ICRAA) and assists its clients in their continued compliance with the ICRAA.  Upon proper verification and the payment of any necessary copying fees, employees and volunteers enrolled in the eLUMINATE and/or Envision programs may view the specific information (if any) submitted to their employer by requesting it from us by phone, through mail or by coming to our offices, during normal business hours.  If you come in person, another person can come with you, so long as that person can show proper identification.  The employees at DDS will be pleased to assist you in understanding the public record data that we have on file that relates to an offense reported by DDS to your employer.  In addition, all such information is required to be shared with you by your employer in a timely manner, per the contractual terms of DDS’s agreement with your employer.
  • Hawaii: DDS provides active filtering based on job responsibility in its eLUMINATE service to assist its clients in complying with HI Revised Statutes 2003 § 378-2.5(a)(b), which requires that a reported conviction bear a “rational relationship to the duties and responsibilities of the position.”
  • Kentucky: DDS adheres to KRS Chapter 367.00 § 310, which prohibits a CRA from maintaining non-conviction information from judicial cases.
  • Massachusetts: DDS adheres to M.G.L. Chapter 151 § 4(9) and assists its clients in their continued compliance with this statute by ensuring that its employment services do not provide either non-conviction information or first convictions to any of the following misdemeanors: drunkenness, simple assault, speeding, minor traffic violation, affray, or disturbance of the peace.
  • Michigan: DDS does not provide non-conviction information for disposed cases to its clients in Michigan in an effort to assist them in adhering to Michigan Compiled Laws Act 453 of 1976 § 37.2205(a)(1).
  • Minnesota: DDS adheres to Minnesota Statutes 2003 § 13.02(2) and assists its clients in their continued compliance with this statute by notifying you that you have the right to get from your employer a complete and accurate disclosure of the nature and scope of the consumer report report prepared by DDS, if any.
  • New Mexico: DDS adheres to New Mexico Statute § 55-3-6, which (among other things) limits the reporting by CRAs of arrest-based information to the period of time that the case is pending before the applicable court.
  • New York: DDS adheres to New York State Consolidated Laws Article 25 § 380-j, which (among other things) limits the reporting by CRAs of arrest-based information to the period of time that the case is pending before the applicable court.  DDS also complies with New York City’s Fair Chance Act which requires (among other things) that employees be provided with a copy of New York’s law relating to how employers can treat persons previously convicted of a criminal offense.  If you work in New York and have not received a copy of this law, feel free to view it here:  New York Correction Law 23-A.
  • Oklahoma: 24 OK Stat. § 24-148 requires the requestor or user of a consumer report to first provide written notice to the person who is the subject of the consumer report.  This notice is required to inform the consumer that a consumer report will be used.  It must contain a box that the consumer may check to receive a copy of the consumer report.  When checked, the consumer is entitled to receive the report at no cost.  DDS requires that such notification be previously provided by our clients to all persons prior to enrollment into our Envision and eLUMINATE programs.