Skip to content

πŸ›‘οΈ Add data disposal workflows#15

Merged
JFWooten4 merged 8 commits into
mainfrom
disposal-requirements-standards
Jun 3, 2026
Merged

πŸ›‘οΈ Add data disposal workflows#15
JFWooten4 merged 8 commits into
mainfrom
disposal-requirements-standards

Conversation

@JFWooten4
Copy link
Copy Markdown
Member

@JFWooten4 JFWooten4 commented May 18, 2026

Creates disposal procedures for Regulation S-P compliance under 17 CFR Β§ 248.30(b). The procedures should define how BlockTransfer properly disposes of consumer information and customer information, including paper records, electronic records, storage media, devices, backups, exports, and vendor-managed systems.

Recordkeeping implementation is out of scope for this PR and should be handled separately under the transfer-agent recordkeeping issue.

Regulatory basis

Subsection (b)(1): disposal standard

Every covered institution, other than notice-registered broker-dealers, must properly dispose of consumer information and customer information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

Subsection (b)(2): written disposal policies and procedures

Every covered institution, other than notice-registered broker-dealers, must adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information according to the standard identified in paragraph (b)(1) of this section.

Subsection (b)(3): relation to other laws

Nothing in this paragraph (b) shall be construed:

a. To require any covered institution to maintain or destroy any record pertaining to an individual that is not imposed under other law; or

b. To alter or affect any requirement imposed under any other provision of law to maintain or destroy records.

Subsection (d)(7): disposal

Disposal means:

a. The discarding or abandonment of consumer information or customer information; or

b. The sale, donation, or transfer of any medium, including computer equipment, on which consumer information or customer information is stored.

Subsection (d)(1): consumer information

Consumer information means:

a. Any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report, or a compilation of such records, that a covered institution maintains or otherwise possesses for a business purpose regardless of whether such information pertains to:

a. Individuals with whom the covered institution has a customer relationship; or

b. To the customers of other financial institutions where such information has been provided to the covered institution.

b. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.

Subsection (d)(5)(ii): transfer-agent customer information

With respect to a transfer agent registered with the Commission or another ARA, customer information means any record containing nonpublic personal information as defined in Β§ 248.3(t) identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is in the possession of a transfer agent or that is handled or maintained by the transfer agent or on its behalf, regardless of whether such information pertains to individuals with whom the transfer agent has a customer relationship, or pertains to the customers of other financial institutions and has been provided to the transfer agent.

Changes to be made

  • Create written disposal procedures for consumer information and customer information.
  • Define covered disposal events, including discarding, abandoning, selling, donating, or transferring any medium that stores consumer information or customer information.
  • Define disposal procedures for paper records, electronic files, cloud storage, backups, exports, devices, drives, and other storage media.
  • Require reasonable measures to protect against unauthorized access to or use of information during disposal.
  • Define when disposal must be performed internally v. through an approved service provider.
  • Add service-provider disposal requirements for vendors that handle customer information or consumer information.
  • Cross-reference any separate record-retention requirements so disposal does not override records that must be preserved under other law.
  • Cross-reference the separate safeguards, service-provider oversight, vendor contract review, and transfer-agent recordkeeping workstreams.

@JFWooten4 JFWooten4 self-assigned this May 18, 2026
@JFWooten4 JFWooten4 mentioned this pull request May 19, 2026
Open
1 task
@JFWooten4 JFWooten4 moved this from To Draft to Operating Docs in Regulation S-P: File No. S7-05-23 Adoption May 22, 2026
@JFWooten4 @codex
πŸ“ Map disposal responsibilities
5ba9098 
Co-authored-by: Codex <noreply@openai.com>
JFWooten4
JFWooten4 commented May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Member Author

@JFWooten4 JFWooten4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Migrate safeguarding policies from https://github.com/blocktransfer/website/tree/7e4bfab2aa54922352b7e64e587617db4bf6b5eb/compliance

@JFWooten4 JFWooten4 mentioned this pull request May 26, 2026
Draft
@JFWooten4 JFWooten4 marked this pull request as ready for review June 3, 2026 03:29
@JFWooten4 JFWooten4 merged commit a4638d9 into main Jun 3, 2026
@JFWooten4 JFWooten4 deleted the disposal-requirements-standards branch June 3, 2026 03:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@JFWooten4 JFWooten4

Labels

None yet

Projects

Regulation S-P: File No. S7-05-23 Adoption
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JFWooten4