Information Technology Policies
Date Issued: September 10, 2002
Issued by: Director of Information Technology, as recommended by the Department Head Information Technology Steering Committee
Applies to: All Officers and employees
To establish and maintain practices and responsibilities for respecting and protecting the privacy of personal and/or personally identifiable information that may be collected through the use of the County’s information technology resources.
Monterey County and all its departments are committed to respecting and protecting the privacy of any personally identifiable information that is collected through the use of the County’s information technology resources.
Monterey County and its departments will implement data privacy and confidentiality practices that, at a minimum, meet the requirements of adopted state and federal legislation and regulation, including (but not necessarily limited to):
The Fair Credit Reporting Act (1970)
Privacy Act of 1974
Family Education Rights and Privacy Act (1974)
Right to Financial Privacy (1978)
Privacy Protection Act of 1980
Cable Communications Policy Act of 1984
Electronic Communications Privacy Act (1986)
Driver’s Privacy Protection Act of 1994
Communications Assistance for Law Enforcement Act of 1994
Telecommunications Act of 1996
Health Insurance Portability and Accountability Act of
Children’s Online Privacy Protection Act (COPPA) of
Financial Modernization Act (Gramm-Leach-Bliley Act) (2000)
County officials, employees, contractors, volunteers, or others with access to personally identifiable information via the County’s information technology resources will honor the County’s privacy and security policies, hold any such information in confidence, and not use such information for any purpose other than to carry out the services they are charged with performing.
Monterey County will not sell, rent, or lease personally identifiable information to third parties. The County will not share any personally identifiable information with any outside party without first ensuring that the outside party has similar privacy policies in place. Exceptions include the following:
1. The processing of the information is in the vital interests of the subject of that information or some other person.
2. The processing of the information is necessary to carry out law enforcement duties and responsibilities.
3. The processing of the information is necessary for the establishment of a legal claim or defense.
4. The processing of the information is related to the provision of medical care or diagnosis.
5. The information has been collected in the course of legitimate governmental activities and the subject has consented to the sharing of the information with third parties.
6. The information has been manifestly made public by the subject of that information.
7.2 – Provide Adequate Security to Maintain Privacy
The County Departments will take all reasonable steps to ensure that personally identifiable information is safe from unauthorized access, either physical or electronic. These steps will include at least the following:
1. Maintenance of logs to properly track information and assure that data is only accessed by authorized individuals.
2. Maintain written data security policies.
3. Perform at least an annual review of its written data security policies.
4. Train officers, employees, volunteers, contractors, and those with access to personally identifiable information in the appropriate maintenance of confidentiality.
5. Store any such information in a secure environment (using features such as locks and electronic security).
The County Departments will use industry standard levels of encryption and authentication for the transfer or receipt of health care information, social security numbers, financial transaction information (for example, a credit card number), or other sensitive information.
The County Departments will provide industry standard levels of security and integrity to protect data being maintained by computers, and take reasonable steps to require third parties involved in fulfilling a customer transaction to also maintain appropriate levels of security.
7.3 – Respect Preferences Regarding Unsolicited E-Mail
The County Departments will enable those persons who do not wish to be contacted online to opt out from future communications via electronic mail and maintain a “Do not contact” list.
7.4 – Access and Correction
7.5 – Protection of Children
In conformance with the Children’s Online Privacy Protection Act (COPPA), the County will take special efforts to protect and safeguard the privacy needs of children under the age of thirteen (13) and encourages parents to be active participants in their child’s activities and interests. Data collected from children under age 13 will be purged upon discovery unless approved for retention by the child’s parent(s) or guardian(s).
7.6 – Computer Tracking and Cookies
The County web site will not be designed or constructed to track, collect, or distribute personal information not entered by visitors. Site logs may be used to generate certain kinds of non-identifying site usage data, such as the number of hits and visits to County sites. This information will be used for internal purposes by technical support staff to provide better services to the public and may also be provided to others, but again, the statistics will contain no personal information.
The County may use non-identifying cookies in support of easier web site navigation and access to forms. County web sites will be designed to support access and use even if the user’s browser is set to reject cookies. Cookies will not be used to generate personal data, will not read personal data from the user’s machine, and will not be tied to anything that could be used to identify the user.
Cookies – a piece of text, often describing user preferences and choices, typically stored in a small file on the hard drive of the user’s computer as a result of accessing a web site and interacting with it via web browser software.
Personally Identifiable Information – personal data that includes names, identification numbers (social security numbers, driver’s license numbers, etc.), post and e-mail addresses, phone and facsimile numbers, billing information, medical records, vehicle information such as vehicle identification numbers, and complaint information.
ROLES AND RESPONSIBILITIES
County Departments – develop and post data privacy policies. Conduct audits of policies to ensure conformance.
County Officers and employees – understand the responsibilities of data privacy requirements and safeguard the confidentiality of personally identifiable information.