[Effective 7/1/2025]

Terms Used In Tennessee Code 47-18-3311

  • Affiliate: means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. See Tennessee Code 47-18-3302
  • Consumer report: has the meaning ascribed to that term by Tennessee Code 47-18-2102
  • Consumer reporting agency: has the meaning ascribed to that term by Tennessee Code 47-18-2102
  • controlled: means:
    (A) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of a class of voting security of a company. See Tennessee Code 47-18-3302
  • Controller: means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information. See Tennessee Code 47-18-3302
  • Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
  • Fair Credit Reporting Act: A federal law, established in 1971 and revised in 1997, that gives consumers the right to see their credit records and correct any mistakes. Source: OCC
  • HIPAA: means the federal Health Insurance Portability and Accountability Act of 1996 (42 U. See Tennessee Code 47-18-3302
  • Institution of higher education: means a public or private institution of higher education. See Tennessee Code 47-18-3302
  • Nonprofit organization: means:
    (A) A corporation organized under the Tennessee Nonprofit Corporation Act, compiled in title 48, chapter 51. See Tennessee Code 47-18-3302
  • Obligation: An order placed, contract awarded, service received, or similar transaction during a given period that will require payments during the same or a future period.
  • Processor: means a natural or legal entity that processes personal information on behalf of a controller. See Tennessee Code 47-18-3302
  • State: when applied to the different parts of the United States, includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105
  • Third party: means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller. See Tennessee Code 47-18-3302
  • United States: includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105

(a) This part does not apply to:

(1) A body, authority, board, bureau, commission, district, or agency of this state or of a political subdivision of this state;
(2) A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.);
(3) An individual, firm, association, corporation, or other entity that is licensed in this state under title 56 as an insurance company and transacts insurance business;
(4) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, 45 CFR Parts 160 and 164 established pursuant to HIPAA, and the federal Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);
(5) A nonprofit organization;
(6) An institution of higher education;
(7) Protected health information under HIPAA;
(8) Health records for purposes of title 68;
(9) Patient identifying information for purposes of 42 U.S.C. § 290dd-2;
(10) Personal information:

(A) Processed for purposes of:

(i) Research conducted in accordance with the federal policy for the protection of human subjects under 45 C.F.R. part 46;
(ii) Human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or
(iii) Research conducted in accordance with the protection of human subjects under 21 CFR Parts 6, 50, and 56; or
(B) Processed or sold in connection with research conducted in accordance with the requirements set forth in this part, or other research conducted in accordance with applicable law;
(11) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.);
(12) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);
(13) Information that is:

(A) Derived from the healthcare-related information listed in this subsection (a) that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; or
(B) Included in a limited data set as described in 45 C.F.R. § 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified in 45 C.F.R. § 164.514(e);
(14) Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection (a) that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2;
(15) Information used only for public health activities and purposes as authorized by HIPAA;
(16) The collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.);
(17) Personal information collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.);
(18) Personal information or educational information regulated by the federal Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g et seq.);
(19) Personal information collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.);
(20) Data processed or maintained:

(A) In the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
(B) As the emergency contact information of an individual under this part used for emergency contact purposes; or
(C) That is necessary to retain to administer benefits for another individual relating to the individual under subdivision (a)(20)(A) and used for the purposes of administering those benefits;
(21) Information collected as part of public- or peer-reviewed scientific or statistical research in the public interest;
(22) An insurance producer licensed under title 56; or
(23) Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act (21 U.S.C. § 830).
(b) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) are deemed compliant with an obligation to obtain parental consent under this part.
(c) This part does not require a controller, processor, third party, or consumer to disclose trade secrets.