March 2024

1. Right to Privacy/Constitutional Protection

There is no right to privacy contained in the Constitution of the State of Rhode Island.

The Rhode Island Supreme Court ('the Supreme Court') has consistently maintained that there is no common law right to privacy in Rhode Island. In Henry v. Cherry & Webb, 30 R.I. 13, 73 A. 97 (1909), the Supreme Court declared that a person at common law had no right designated as a 'right of privacy,' for the invasion of which an action for damages lies (see also Pontbriand v. Sundlun, 699 A.2d 856 (1997) citing Kalian v. People Acting Through Community Effort, Inc. 122 R.I. 429, 409 A.2d 608 (1979) at 432, 408 A.2d at 609, noting that "the creation of new rights of action in the field of individual privacy is a question for the […] Legislature.").

Rhode Island created a statutory right to privacy under §9-1-28.1 of Chapter 1 of Title 9 of the Rhode Island General Laws ('R.I. Gen. Laws') in 1980 that includes the following rights:

• the right to be secure from unreasonable intrusion upon one's physical solitude or seclusion;

• the right to be secure from an appropriation of one's name or likeness;

• the right to be secure from unreasonable publicity given to one's private life; and

• the right to be secure from publicity that reasonably places another in a false light before the public.

Each of these statutory rights has specific provisions set forth in the statute regarding what is required to recover under each of these rights. Jurisdiction may lie in either the Superior Court or District Court for violations of the right to privacy. The statute further authorizes an award for reasonable attorneys' fees and court costs to the prevailing party.

2. Key Privacy Laws 

Identity Theft Protection Act of 2015

The Identity Theft Protection Act of 2015, under §11-49.3-1 et seq. of Chapter 49.3 of Title 11 of the R.I. Gen. Laws provides several protections for personal information, including:

• The requirement of notice of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

• The requirement that a municipal agency, state agency, or person who stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to:

  • the size and scope of the organization;

  • the nature of the information; and

  • the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information.

The Identity Theft Protection Act of 2015 also provides for several definitions, as outlined below (R.I. Gen. Laws §11-49.3-3).

Personal information: An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy, paper format:

• social security number;

• driver’s license number, Rhode Island identification card number, or tribal identification number;

• account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual’s financial account;

• medical or health insurance information; or

• email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.

Breach of security of the system: Unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided, that the personal information is not used or subject to further unauthorized disclosure.

Encrypted: The transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.

Health insurance information: An individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual.

Medical information: Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional or provider.

Person: Includes any individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity.

The Identity Theft Protection Act of 2015 also provides for certain breach notification requirements (R.I. Gen. Laws §11-49.3-4). More specifically, notice of the breach must be provided by any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information.

Notice shall be made in the most expedient time possible, but no later than 45 calendar days after confirmation of the breach.

In the event that more than 500 Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the Rhode Island Attorney General ('AG') and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the AG and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.

Notice may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation.

The notice to individuals must include the following information to the extent known:

• general and brief description of the incident, including how the security breach occurred and the number of affected individuals;

• the type of information that was subject to the breach;

• the date of breach, estimated date of breach, or the date range within which the breach occurred;

• the date that the breach was discovered;

• a clear and concise description of any remediation services offered to affected individuals including toll-free numbers and websites to contact, namely the credit reporting agencies, remediation service providers, and the AG; and

• a clear and concise description of the consumer's ability to file or obtain a police report, how a consumer requests a security freeze in addition to the necessary information to be provided when requesting the security freeze, and that fees may be required to be paid to the consumer reporting agencies.

Reckless violations of R.I. Gen. Laws §11-49.3-4 subject the violator to a civil penalty of up to $100 per record which may be adjudged against a defendant. Knowing and willful violations may result in a civil penalty of not more than $200 per record which may be adjudged against a defendant. In addition, the AG may bring an action in the name of the state against a business or person when the AG has reason to believe that a violation has occurred and that the proceedings would be in the public interest.

Consumer Empowerment and Identity Theft Prevention Act of 2006

Rhode Island also has another consumer protection and identity theft statute, the Consumer Empowerment and Identity Theft Prevention Act of 2006, under §6-48-1 et seq. of Chapter 48 of Title 6 of the R.I. Gen. Laws, which establishes the right of consumers to protect themselves from identity theft or fraud by conferring upon them the right to voluntarily place a security freeze on their credit report (R.I. Gen. Laws §6-48-5).

In addition, R.I. Gen. Laws §6-48-8 provides specific protection for social security numbers. This Section states that no person, entity, state, or local agency may:

• intentionally communicate or otherwise make available to the general public all or part of an individual's social security number;

• print all or part of an individual's social security number on any card required for the individual to access products or services provided by the person or entity;

• require an individual to transmit all or part of their social security number over the internet, unless the connection is secure, or the social security number is encrypted;

• require an individual to use all or part of their social security number to access an internet website, unless a password or unique personal identification number or another authentication device is also required to access the internet website; and

• print all or part of an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed.

3. Health Data

The Confidentiality of Health Care Communications and Information Act, under §5-37.3-1 et seq. of Chapter 37.3 of Title 5 of the R.I. Gen. Laws, protects the confidentiality of medical records by providing safeguards for maintaining the integrity of confidential healthcare information that relates to an individual patient (R.I. Gen. Laws §5-37.3-4). Confidential healthcare information that is protected by the Confidentiality of Health Care Communications and Information Act includes all information relating to a patient's healthcare history, diagnosis, condition, treatment, or evaluation obtained from a healthcare provider who has treated the patient (R.I. Gen. Laws §5-37.3-3). The Confidentiality of Health Care Communications and Information Act states that a patient's confidential healthcare information shall not be released or transferred without the written consent of the patient, or their authorized representative. The Confidentiality of Health Care Communications and Information Act provides for a specific process for the disclosure of confidential healthcare information in a judicial proceeding if the disclosure is pursuant to a subpoena (R.I. Gen. Laws §5-37.3-6.1). The Confidentiality of Health Care Communications and Information Act also enumerates several exceptions to the requirement for consent to release or transfer confidential healthcare information such as to a physician, dentist, or other medical personnel who believes, in good faith, that the information is necessary for diagnosis or treatment of that individual in a medical or dental emergency (R.I. Gen. Laws §5-37.3-4).

Penalties for violation of the Confidentiality of Health Care Communications and Information Act include civil penalties for actual and punitive damages. Any person who knowingly and intentionally violates the Confidentiality of Health Care Communications and Information Act may be fined not more than $5,000 for each violation or imprisoned for not more than six months or both. In addition, attorney's fees may be awarded at the discretion of the court to the prevailing party in any civil action brought under the Confidentiality of Health Care Communications and Information Act.

The Confidentiality of Health Care Communications and Information Act allows a private right of action for violations. In a case involving the Confidentiality of Health Care Communications and Information Act, a pharmacy was accused of violating its provisions by disclosing the plaintiff's confidential medical records to their then spouse's attorney in a contested divorce case without the plaintiff's knowledge or consent. The Supreme Court held that the pharmacy violated the Confidentiality of Health Care Communications and Information Act by disclosing its customer's records pursuant to a subpoena request to an unauthorized third party. The Supreme Court found that the pharmacy violated the plaintiff's confidentiality and privacy rights and was also liable for the plaintiff's attorney's fees (Washburn v. Rite Aid Corp., 695 A.2d 495 (RI 1997)).

R.I. Gen. Laws §5-37.3-7 allows healthcare providers to make confidential healthcare information available to medical peer-review boards without authorization.

However, confidential healthcare information before a medical peer-review board is to remain strictly confidential. Penalties for violations include civil penalties for actual and exemplary damages and criminal penalties of up to a $1,000 fine or imprisonment of not more than six months or both.

The Confidentiality of Health Care Communications and Information Act also prohibits managed care entities and managed care contractors writing policies in the state from providing any information related to enrollees that is personal in nature and could reasonably lead to the identification of an individual and is not essential for the compilation of statistical data related to enrollees, to any international, national, regional, or local medical information database (R.I. Gen. Laws §5-37.3-4).

Rhode Island laws also protect the results of an individual's HIV test and prohibit disclosure of HIV tests without the prior written consent of that individual. There are certain exceptions, including that a licensed laboratory or healthcare facility may report the results of the test, a healthcare provider may enter the HIV test results into a patient's medical record, and other notifications may take place as permitted by law (§23-6.3-7 of Chapter 6.3 of Title 23 of the R.I. Gen. Laws).

Additionally, §27-19-44 of Chapter 44 of Title 27 of the R.I. Gen. Laws provides that genetic testing information shall not be released by insurance administrators, health plans, or providers without prior written authorization of the individual.

Rhode Island's Mental Health Law, under §40.1-5-1 et seq. of Chapter 5 of Title 40.1 of the R.I. Gen. Laws, protects the privacy and dignity of mental health patients admitted to facilities covered by the Mental Health Law (R.I. Gen. Laws §40.1-5-5). Additionally, with respect to mental health records, R.I. Gen. Laws §40.1-5-26 provides that the fact of admission or certification and all information and records compiled, obtained, or maintained in the course of providing mental health services shall be confidential, and shall only be disclosed under certain enumerated circumstances, for example, to any person, with the written consent of the patient or their guardian, in communications among qualified medical or mental health professionals in the provision of services or appropriate referrals, or in the course of court proceedings. The Mental Health Law also provides that any person who withholds or denies persons admitted to such mental health facilities any rights granted under the Mental Health Law shall be fined not exceeding $2,000 or imprisoned not exceeding two years at the discretion of the court (R.I. Gen. Laws §40.1-5-39).

Regulations promulgated by Rhode Island’s Office of the Insurance Commissioner direct how health insurers may use "demographic data," meaning "self-reported data on race, ethnicity, preferred language, sex assigned at birth, gender identity, sexual orientation, and disability (230-RICR-20-30-4 et al.)."

Under the regulations, health insurers are required to obtain NCQA Health Equity Accreditation or NCQA Health Equity Accreditation Plus from the National Committee for Quality Assurance in support of making progress toward eliminating health disparities, improving health outcomes, and reducing overall healthcare cost growth by July 1, 2024 (230-RICR-20-30-4, 4.9 (E)(1)).

Health insurers are also required to systematically collect, maintain, protect, and report on demographic data. When collecting, maintaining, and reporting demographic data, health insurers must align their practices with established national standards and utilize industry-wide best practices for collecting demographic data. To the extent that health insurers use staff to collect and/or analyze demographic data, health insurers must develop and implement training on how to ask questions about the demographic data, including training on how to maintain the privacy of this sensitive information (230-RICR-20-30-4.9 (E)(2)(a)).

Health insurers are still required to adhere to all existing federal and/or state prohibitions or restrictions on the collection and/or reporting of demographic data, including the Health Insurance Portability and Accountability Act of 1996. Insurers must treat demographic data as protected health information (PHI.) (230-RICR-20-30-4.9 (E)(3)).

Health insurers must still also strictly adhere to all existing federal and/or state requirements governing the analysis and information sharing of demographic data. Under the regulations, legally and ethically acceptable use cases relative to the use of demographic data may include (230-RICR-20-30-4.9 (E)(3)):

• evaluating algorithms to identify and mitigate disparate impact or bias;

• analyzing claims, enrollment, and complaint data to better understand health care disparities or to evaluate the efficacy of programs intended to reduce health care disparities;

• provider network development and coordination of care;

• service quality improvement; or

• assessing or planning to meet the need for health-related social services and supports, including trauma-informed care, and outreach to marginalized populations.

4. Financial Data

Insurance information in the state of Rhode Island is confidential under §27-29-14 of Chapter 29 of Title 27 of the R.I. Gen. Laws. No insurance company authorized to do business in Rhode Island can share insurance information such as the name of the insured, the policy expiration date, the amount of insurance coverage, the policy number, the name of the insurance company, or the amount of the insurance premium for marketing or soliciting or sell or transfer that information to third parties for any purposes without the consent of the producer of record.

5. Employment Data

Rhode Island requires employers to keep accurate employment records of all persons employed by them, of the weekly hours worked for them by each, and of the weekly wages paid by them to each person. Such information shall also be held confidential by the Rhode Island Department of Labor and Training and shall not be published or be open to public inspection in any manner revealing the individual's or employing unit's identity (§28-42-38 of Chapter 42 of Title 28 of the R.I. Gen. Laws).

This statute provides for various situations where the Director of the Rhode Island Department of Labor and Training ('the Director') may make records available including:

• in any proceeding before a court in which the Director is a party;

• to any agency of the state charged with the administration of public assistance;

• to the railroad retirement board or to employees of the Internal Revenue Service in the performance of their public duties;

• to the federal U.S. Department of Health and Human Services;

• to the tax administrator;

• to the federal U.S. Social Security Administration; and

• to conduct any investigations.

The Director may forward to the jury commissioner, the names and addresses of all individuals receiving unemployment compensation. The Director may forward data on unemployment insurance recipients to the Department's designated research partners for the purpose of its workforce data quality and workforce innovation fund initiatives. The Director may make information available to the Department of Corrections for the purpose of case management and post-release supervision, and the Director may report information to the employees' retirement system of Rhode Island and the Office of the General Treasurer for the sole purpose of ensuring compliance with applicable laws.

Section 28-6.4-1 of Chapter 6.4 of Title 28 of the R.I. Gen. Laws provides that every employer shall, upon not less than seven days advance notice, holidays, Saturdays, and Sundays excluded, and at any reasonable time other than the employee's work hours and upon the written request of an employee, permit an employee to inspect personnel files which are used or have been used to determine that employee's qualifications for employment, promotion, additional compensation, termination, or disciplinary action. This inspection shall be made in the presence of an employer or employer's designee. This Section further provides that:

• the employee shall not be permitted to make any copies of nor remove their personnel file from the immediate place of inspection located on the business premises;

• the employer may charge the employee a fee reasonably related to the cost of supplying copies of requested documents;

• employers are not required to permit an inspection of any employee's personnel file or records on more than three occasions in any calendar year; and

• an employer that, upon request by a prospective employer or a current or former employee, provides fair and unbiased information about a current or former employee's job performance is presumed to be acting in good faith and is immune from civil liability for the disclosure and the consequences of the disclosure - the presumption of good faith is rebuttable upon a showing by a preponderance of the evidence that the information disclosed was:

  • knowingly false;

  • deliberately misleading;

  • disclosed for a malicious purpose; or

  • violative of the current or former employee's civil rights under the employment discrimination laws in effect at the time of the disclosure.

Section 28-6.4-1 of the R.I. Gen. Laws does not apply to records of an employee relating to the investigation of a possible criminal offense or records prepared for use in any civil, criminal, or grievance proceedings, any letter of reference, recommendations, managerial records kept or used only by the employer, confidential reports from previous employers, and managerial planning records.

Rhode Island also has the Employee Social Media Privacy Act, under §28-56-1 et seq. of Chapter 56 of Title 28 of the R.I. Gen. Laws, that prohibits employers from requesting, coercing, or requesting an employee or applicant to disclose the password or any other means for accessing a social media account (R.I. Gen. Laws §28-56-2). Further, employers may not compel an employee or applicant to add anyone, including the employer or their agent, to their list of contacts associated with a social media account require request, or cause an employee or applicant to change settings that affect a third party's ability to view the contents of a personal social media account (R.I. Gen. Laws §28-56-3). Penalties for violations of the Employee Social Media Privacy Act include declaratory relief, damages, and reasonable attorney's fees to a prevailing party (R.I. Gen. Laws §28-56-6).

No employer may cause an audio or video recording to be made of an employee in a restroom, locker room, or room designated by an employer for employees to change their clothes unless authorized by court order (§28-6.12-1 of Chapter 6.12 of Title 28 of the R.I. Gen. Laws). In any civil action alleging a violation of Chapter 6.12 of the R.I. Gen. Laws, the court may:

• award damages and reasonable attorney's fees and costs to a prevailing plaintiff; and

• afford injunctive relief against any employer that commits or proposes to commit a violation of this Chapter.

Employers are also prohibited from disclosing or transferring an individual's confidential health care information without the individual's written consent except in enumerated circumstances under R.I. Gen. Laws §5-37.3-4 (see section above on the Confidentiality of Health Care Communications and Information Act).

6. Online Privacy

Not applicable.

7. Unsolicited Commerical Communications 

Section 6-47-1(a) of Chapter 47 of Title 6 of the R.I. Gen. Laws provides that persons or entities that conduct business in Rhode Island are prohibited from transmitting by facsimile (fax), or cause to be faxed, documents consisting of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition or any realty, goods, services, or extension of credit unless:

• in the case of a fax, that person or entity must establish a toll-free telephone number that a recipient of the unsolicited faxed documents may call to notify the sender not to fax the recipient any further unsolicited documents; and

• in the case of faxed material, the statement shall be in at least nine-point type - the statement shall be the first text in the body of the message and shall be of the same size as the majority of the text of the message.

R.I. Gen. Laws §6-47-1(b) states that upon notification by a recipient of their request not to receive any further unsolicited fax, no person or entity conducting business in the state of Rhode Island shall fax or cause to be faxed any unsolicited documents to that recipient. Recipients of such unsolicited faxes may bring a civil action in the Superior Court against the person or entity that transmitted the unsolicited fax. Further, transmissions of unsolicited faxes are considered a violation of the Deceptive Trade Practices Act under §6-13.1-1 et seq. of Chapter 13.1 of Title 6 of the R.I. Gen. Laws, and may subject the person or entity that transmitted, or caused to be transmitted, the unsolicited fax to prosecution by the AG. In any such action by either the recipient of such unsolicited fax or the AG on behalf of the recipient or recipients, damages may be awarded in the amount of $500 for each violation, not to exceed a total of $50,000. The AG may, in such circumstances as they may deem appropriate, aggregate multiple claims against a person or entity alleged to have committed multiple violations of this Section and maintain a class action on behalf of all recipients of the unsolicited faxes. In any action brought under this Section, the court may award, in addition to the relief provided in this Section, reasonable attorneys' fees and costs.

R.I. Gen. Laws §6-47-2 contains similar provisions but with respect to unsolicited electronic mail and states that no person or entity may initiate the transmission of a commercial electronic mail message from a computer located in Rhode Island or to an electronic mail address that the sender knows, or has reason to know, is held by a Rhode Island resident unless that person or entity establishes a toll-free telephone number or valid sender operated return email address that the recipient of the unsolicited documents may call or email to notify the sender not to email any further unsolicited documents. Further, all unsolicited commercial electronic messages subject to this Section shall include a statement informing the recipient of the toll-free telephone number that the recipient may call, or a valid return address to which the recipient may write or email, as the case may be, notifying the sender not to email the recipient any further unsolicited commercial electronic mail messages to the email address or addresses specified by the recipient.

Finally, the statute provides that upon notification by a recipient of their request not to receive any further unsolicited commercial electronic mail messages, no person or entity subject to R.I. Gen. Laws §6-47-2(a) shall email, or cause to be emailed, any unsolicited documents to that recipient. Violations of this statute shall be liable for damages to the recipient of an unsolicited commercial electronic mail message in the amount of $100 for each such violation. In addition, the recipient may recover reasonable attorney's fees and costs.

Rhode Island has enacted the Telephone Sales Solicitation Act, under §5-61-1 et seq. of Chapter 61 of Title 5 of the R.I. Gen. Laws. This statute states that no salesperson or telephonic seller shall make or cause to be made any unsolicited sales calls to any residential, mobile, or telephonic paging device to Rhode Island residents on the National Do Not Call Registry (R.I. Gen. Laws §5-61-3.5). Text message advertisements on cell phones and pagers are also prohibited. Violations of this provision can result in a misdemeanor charge, and upon conviction, shall be punished by a fine of not more than $500 per violation.

8. Privacy Policies

Not applicable.

9. Data Disposal/Cybersecurity/Data Security

The law on the Safe Destruction of Documents Containing Personal Information, under §6-52-1 et seq. of Chapter 52 of Title 6 of the R.I. Gen. Laws, specifically R.I. Gen. Laws §6-52-1-4, requires that Rhode Island businesses to take reasonable steps to destroy or arrange for the destruction of a customer's personal information within its custody and control that is no longer to be retained by the business by shredding, erasing, or otherwise destroying and/or modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of:

• ensuring the security and confidentiality of customer personal information;

• protecting against any reasonably foreseeable threats or hazards to the security or integrity of customer personal information; and

• protecting against unauthorized access to, or use of, customer personal information that could result in substantial harm or inconvenience to any customer.

R.I. Gen. Laws §6-52-1 provides for the following definitions:

Business: A sole proprietorship, partnership, corporation, association, limited liability company, or other groups, however, organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of Rhode Island or any other state, or the parent, affiliate, or subsidiary of a financial institution. This term includes any entity that destroys records, including, but not limited to, the state, a state agency, or any political subdivision of Rhode Island.

Customer: An individual who provides personal information to a business to purchase or lease a product or obtain a service from the business or whose personal information has been provided to another business from that business.

Personal information: The following information that identifies, relates to, describes, or is capable of being associated with a particular individual:

• their signature;

• social security number;

• physical characteristics or description;

• passport number;

• driver's license or state identification card number;

• insurance policy number;

• bank account number;

• credit card number;

• debit card number;

• any other financial information or confidential health care information, including all information relating to a patient's health care history;

• diagnosis condition;

• treatment; or

• evaluation obtained from a health care provider who has treated the patient which explicitly or by implication identifies a particular patient.

Record: Any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted. The record does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

Businesses that violate these safe disposal requirements are liable to customers who incur actual damages. Such customers may bring a civil action in the Superior Court. In addition, the AG may bring an action in the name of the state against the business in violation. Businesses may be liable in a suit by the AG for actual damages of the aggrieved customer and a civil penalty of $500 for each violation, not to exceed $50,000.

Rhode Island also requires that persons, businesses, and government entities (including municipal agencies) implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information (R.I. Gen. Laws §11-49.3-2(a)).

In addition, R.I. Gen. Laws §11-49.3-2(a) provides that persons, businesses, and government entities shall not retain personal information for a period longer than is reasonably required to provide the services requested to meet the purpose for which it was collected or in accordance with a written retention policy or as may be required by law. Persons, businesses, and government entities shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.

Also, R.I. Gen. Laws §11-49.3-2(b) states that a municipal agency, state agency, or person who or that discloses personal information about a Rhode Island resident to a non-affiliated third party shall require by written contract that the third party implement and maintain reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information, and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure.

Municipal agency: Any department, division, agency, commission, board, office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode Island, other than a state agency, and any other agency that is in any branch of municipal government and exercises governmental functions other than in an advisory nature.

Owner: The original collector of the information.

Person: Includes any individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity.

10. Other Specific Jurisdictional Requirements

Rhode Island has several other statutes protecting the privacy rights of Rhode Island residents.

Students Privacy Rights

The Rhode Island Educational Bill of Rights, under §16-71-1 et seq. of Chapter 71 of Title 16 of the R.I. Gen. Laws, provides that parents, legal guardians, and students have the right to have educational records kept confidential and not be released to any other individual, agency, or organization without prior written consent of the parent, legal guardian, or eligible student except to the extent that the release of records is authorized by applicable law or court process (R.I. Gen. Laws §16-71-3).

Additionally, §16-38-5 of Chapter 38 of Title 16 of the R.I. Gen. Laws provides that it is unlawful for any person, persons, or institution, educational or otherwise, to circulate or permit to be circulated in any school in Rhode Island any questionnaire intentionally or unintentionally framed as to ask the pupils of any school, intimate questions about themselves and/or their families, trespassing upon the pupil's constitutional rights and invading the privacy of the home unless the questionnaire has received the approval of the Department of Elementary and Secondary Education of the Department of Education and the local school committee.

Violations of R.I. Gen. Laws §16-38-5 shall be punished by a fine not exceeding $100 for each offense.

Video Rental Privacy Law

Under §11-18-32 of Chapter 18 of Title 11 of the R.I. Gen. Laws, it is unlawful for any person to reveal, transmit, publish, or disseminate any records that would identify the names and addresses of individuals, with the titles or nature of video films, records, or cassettes which they purchased, leased, rented, or borrowed, from libraries, book stores, video stores, or record and cassette shops or any retailer or distributor of those products, whether or not the identities and listings are kept in a remote computing service or electronic storage or the disclosure is made through or by a remote computing service. All records of such transactions shall be maintained as confidential and may only be released by a written waiver.

Penalties for violations of this provision include punishment by a fine not exceeding $1,000 per violation or imprisonment up to six months or both. In addition, a person injured as a result of a violation may bring a civil action for actual damages or $250 whichever is greater for each violation, plus attorney's fees.

Access to Public Records Act

The Access to Public Records Act ('APRA'), under §38-2-1 et seq. of Chapter 2 of Title 38 of the R.I. Gen. Laws, protects from disclosure information about particular individuals maintained in the files of public bodies when disclosure would constitute an unwarranted invasion of personal privacy (R.I. Gen. Laws §38-2-1). Rhode Island's APRA makes all records of a public body public unless they fall within one of APRA's 27 exceptions (R.I. Gen. Laws §38-2-2(4)(A) to (AA)).