Monterey County

Information Technology Policies

  

Section:  7.0
Subject: Data Privacy Policy
Date Issued: September 10, 2002
Issued by:  Director of Information Technology, as recommended by the Department Head Information Technology Steering Committee
Applies to: All Officers and employees

  

PURPOSE

To establish and maintain practices and responsibilities for respecting and protecting the privacy of personal and/or personally identifiable information that may be collected through the use of the County’s information technology resources.

POLICY STATEMENT

Monterey County and all its departments are committed to respecting and protecting the privacy of any personally identifiable information that is collected through the use of the County’s information technology resources.

Monterey County and its departments will implement data privacy and confidentiality practices that as a minimum meet the requirements of adopted state and federal legislation and regulation, including (but not necessarily limited to):

The Fair Credit Reporting Act (1970)

Privacy Act of 1974

Family Education Rights and Privacy Act (1974)

Right to Financial Privacy (1978)

Privacy Protection Act of 1980

Cable Communications Policy Act of 1984

Electronic Communications Privacy Act (1986)

Driver’s Privacy Protection Act of 1994

Communications Assistance for Law Enforcement Act of 1994

Telecommunications Act of 1996

Health Insurance Portability and Accountability Act of 1996

Children’s Online Privacy Protection Act (COPPA) of 1998

Financial Modernization Act (Graham-Leach=Bliley Act) (2000)

County officials, employees, contractors, volunteers, or others with access to personally identifiable information via the County’s information technology resources will honor the County’s privacy and security policies, hold any such information in confidence, and not use such information for any purpose other than to carry out the services they are charged with performing.

Monterey County will not sell, rent, or lease personally identifiable information to third parties.  The County will not share any personally identifiable information with any outside party without first ensuring that the outside party has similar privacy policies in place.  Exceptions include the following:

1.      The processing of the information is in the vital interests of the subject of that information or some other person.

2.      The processing of the information is necessary to carry out law enforcement duties and responsibilities.

3.      The processing of the information is necessary for the establishment of a legal claim or defense.

4.      The processing of the information is related to the provision of medical care or diagnosis.

5.      The information has been collected in the course of legitimate governmental activities and the subject has consented to the sharing of the information with third parties.

6.      The information has been manifestly made public by the subject of that information.

7.1 – Post and Adherence to the Privacy Policy

County Departments will post and adhere to a privacy policy that is consistent with this policy statement, is open, transparent, and meets generally accepted fair information principles, including providing notice as to what personal information is collected, used, and disclosed; what choices persons conducting business with the County have with regard to the business collection, use, and disclosure of that information; what access customers will have to that information; what security measures are taken to protect the information, and what enforcement and redress mechanisms are in place to remedy any violations of the policy.

7.2 – Provide Adequate Security to Maintain Privacy

The County Departments will take all reasonable steps to ensure that personally identifiable information is safe from unauthorized access, either physical or electronic.  These steps will include at least the following:

1.      Maintenance of logs to properly track information and assure that data is only accessed by authorized individuals.

2.      Maintain a written data security policies.

3.      Perform at least an annual review of its written data security policies.

4.      Train officers, employees, volunteers, contractors, and those with access to personally identifiable information in the appropriate maintenance of confidentiality.

5.      Store any such information in a secure environment (using features such as locks and electronic security).

The County Departments will use industry standard levels of encryption and authentication for the transfer or receipt of health care information, social security numbers, financial transaction information (for example, a credit card number), or other sensitive information.

The County Departments will provide industry standard levels of security and integrity to protect data being maintain by computers, and take reasonable steps to require third parties involved in fulfilling a customer transaction to also maintain appropriate levels of security.

 7.3 – Respect Preferences Regarding Unsolicated E-Mail

The County Departments will enable those persons who do not wish to be contacted online to opt out from future communications via electronic mail and maintain a “Do not contact” list.

7.4 – Access and Correction

Any County Department that collects personally identifiable information will implement and maintain a process under which the collected information may be reviewed and factual inaccuracies corrected upon request.  The process will include a means to authenticate the identity of a data subject that requests access or correction.  If access and/or correction can not be provided, an explanation of why the prohibition exists will be provided to authenticated subjects, a contact for further information will be provided, as well as a reference to the County’s Information Technology Data Privacy Policy.

7.5 – Protection of Children

In conformance with the Children’s Online Privacy Protection Act (COPPA), the County will take special efforts to protect and safeguard the privacy needs of children under the age of thirteen (13) and encourages parents to be an active participant in their child’s activities and interests.  Data collected from children under age 13 will be purged upon discovery unless approved for retention by the child’s parent(s) or guardian(s).

7.6 – Computer Tracking and Cookies

The County web site will not be designed or constructed to track, collect, or distribute personal information not entered by visitors.  Site logs may be used to generate certain kinds of non-identifying site usage data, such as the number of hits and visits to County sites.  This information will be used for internal purposes by technical support staff to provide better services to the public and may also be provided to others, but again, the statistics will contain no personal information.

The County may use non-identifying cookies in support of easier web site navigation and access to forms.  County web sites will be designed to support access and use even if the user’s browser is set to reject cookies.  Cookies will not be used to generate personal data, will not read personal data from the user’s machine, and will not be tied to anything that could be used to identify the user.

DEFINITIONS

Cookies – a piece of text often describing user preferences and choices typically stored in a small file on the user’s computers hard drive as a result of accessing a web site and interacting with it via web browser software.

Personally Identifiable Information – personal data that includes names, identification numbers (social security numbers, driver’s license numbers, etc.), post and e-mail addresses, phone and facsimile numbers, billing information, medical records, vehicle information such as vehicle identifications numbers, and complaint information.

ROLES AND RESPONSIBILITIES

Director of Information Technology – assist the County Departments with developing and maintaining data privacy policies appropriate to their use and consistent with the overall County Data Privacy Policy.  Post and maintain the overall County Data Privacy Policy on the County’s web site.  Conduct audits of information technology resource utilization to ensure compliance with the Data Privacy Policy.  Provide consultation on appropriate security measure to ensure data privacy.

County Departments – develop and post data privacy policies.  Conduct audits of policies to ensure conformance.

County Officers and employees – Understand the responsibilities of data privacy requirements and safeguard the confidentiality of personally identifiable information.