Personal Confidential Information/Disclosure
The following policy was presented for a first reading at the July 13, 2020 School Committee meeting and will be considered for adoption at the August 17th School Committee meeting.
Written Information Security Program
In order to protect personal information of residents of the State of Rhode Island (R.I.G.L. § 11-49.3-1), and if applicable, residents of the Commonwealth of Massachusetts (201 CMR § 17.00), and in compliance with any other applicable law or regulation (the “Regulations”), the Smithfield Public Schools has developed the following Written Information Security Program (the “Program”) to address the requirements of the Regulations.
The Program’s goal is to set forth effective administrative, technical and physical safeguards applicable to personal information, to provide an outline for the ongoing compliance with the Regulations, to protect personal information from unauthorized access, use, modification, destruction or disclosure, and to position the Smithfield Public Schools to comply with future privacy and security regulations as they may develop.
Personal information for purposes of this Program shall mean: the first name and last name or first initial and last name of an individual in combination with any one or more of the following data elements that relate to such individual: (a) Social Security number; (b) driver’s license number, state-issued identification card number, passport number, taxpayer identification number, alien registration number, or tribal identification number; or (c) financial account number, credit card number, or debit card number with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account, or deposit or savings account number; (d) medical information or health insurance information; (e) unique biometric information (e.g. fingerprint, retinal scan); and/or (f) a username or email address in combination with security code, access code or password or security question and answer that would permit access to an online account; provided however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
The safeguards set forth in this Program are meant to protect the security and confidentiality of personal information, and to protect against any anticipated threats or hazards to the security or integrity of personal information.
II. Information Security
In order to comply with applicable Regulations, we have appointed a Director of Technology who will be responsible for the following:
- Implementing the initial Program.
- Training employees who have exposure to personal information through their work at the Smithfield Public Schools on the various aspects of the Program, at least annually.
- Obtaining certification of attendance to and understanding of such training by the employees.
- Conducting regular testing and evaluation of the Program’s safeguards.
- Verifying the ability of third-party recipients of personal information to comply with the Regulations.
- Reviewing the Program, its scope and its effectiveness at least annually or at such time as a material change in business practice occurs that implicates the security of personal information and upgrading information safeguards as necessary to limit risk.
III. Risk Assessment
The Director of Technology will conduct a risk assessment or will supervise an outside entity to perform the risk assessment. The initial risk assessment will seek to reveal the following potential and actual risks to the security and privacy of personal information:
- Unauthorized access of personal information by an employee not entitled to the information.
- Compromised system security as a result of unauthorized access by a third party.
- Interception of personal information during transmission.
- Unauthorized access to personal information through mobile personal devices, removable media or other means.
The Director of Technology will discuss findings and recommendations resulting from the periodic reviews with relevant Smithfield Public Schools personnel.
The Director of Technology will evaluate the Smithfield Public School’s security practices to determine where improvement is necessary to limit risks, including, but not limited to, ongoing employee training, employee compliance with security policies and procedures, means for detecting and preventing security system failures, and the upgrade of safeguards, if necessary, to limit risks.
In an effort to address the internal and external risks to personal information, the Smithfield Public Schools has implemented the following policies and procedures:
A. General Safeguards
The Smithfield Public Schools will limit the amount of personal information collected to that necessary to achieve legitimate business goals and to comply with state and federal laws and regulations. The Smithfield Public Schools will limit access to personal information to those people with a need to know to accomplish legitimate business goals and to comply with state and federal laws and regulations. The Smithfield Public Schools will monitor its security systems for breaches of security and utilizes its Internet transport agency, OSHEAN, to assist in managing network security and firewall services designed to protect network systems and accounts from unauthorized access and service attacks.
Upon the occurrence of an incident requiring notification under state law, the Director of Technology (or Superintendent) will assemble an Incident Response Team and applicable incident response procedures will be followed. Post-incident review by the Smithfield Public Schools following any actual or suspected breach of security, and documentation of the actions the Smithfield Public Schools take in response to such breach, including any changes the Smithfield Public Schools makes to its business practices relating to the safeguarding of personal information will be conducted and documented.
The Smithfield Public Schools will restrict visitor access where personal information is stored. Visitors will be prohibited from visiting unescorted any area within the Smithfield Public School’s premises that contains personal information.
B. Employee Safeguards
The Smithfield Public Schools will post a copy of the Program in areas in which it will generally be seen by employees. Each employee will participate in employee training about the Program and upon successful completion of the training, certify to attending training and understanding the terms of the Program and the importance of protecting personal information.
Employee training will, among other things, address issues relating to:
- Proper access, use, and disclosure of personal information.
- Proper disposal of personal information.
- Proper safeguards for maintaining, transmitting and storing personal information.
- Logging-off computers.
- Locking files and doors.
- Limiting access to offices.
- Properly handling and protecting mobile devices and removable media.
- Password management.
Employee training will also include training to report any suspicious or confirmed unauthorized access, use or disclosure of personal information, to comply with the Program at all times, and understand that they are subject to disciplinary action for violation of the Program. Employees will be prohibited from storing, accessing or transporting personal information outside the premises of the business, unless in accordance with the Smithfield Public Schools policies.
Access to personal information by terminated employees will be revoked as soon as possible following termination, and terminated employees will be required to return all personal information in their possession; moreover, all passwords to computer systems will be promptly disabled, all access to electronic files, physical files, email, voicemail and internet access will be promptly blocked, all keys will be surrendered and all forms of identification that permit access to the Smithfield Public School’s premises or information will be returned. Terminated employees will, as a condition of severance, be required to execute an agreement whereby they agree to honor all obligations with respect to maintaining the confidentiality of personal information handled during the course of their employment, to the extent not already contractually bound to do so.
C. Non-Electronic File Safeguards
All tangible files containing personal information will be in a locked room or cabinet or stored securely offsite. The Facilities Department will control the distribution of the keys and will keep track of the number of keys issued. The Smithfield Public Schools will limit access to offsite storage facilities containing personal information to those employees with a need to access the files, and the Smithfield Public Schools will periodically request an access log to monitor who is accessing such files. When sending personal information via carrier, the Smithfield Public Schools will use overnight carriers with tracking and, if sending electronic information, encrypt the information to the extent technically feasible.
D. Electronic File Safeguards
Access to all electronic files maintained on the Smithfield Public School’s servers or the Smithfield Public School’s hardware that contain personal information will be limited to those employees with a need to know.
Moreover, the Smithfield Public Schools understands that the following protocols further protect personal information in electronic form. The Smithfield Public Schools will, to the extent technically feasible:
- Secure the services of a contract consultant to run intrusion testing as necessary.
- Install firewall protection and operating system patches on all computers with personal information.
- Install up-to-date versions of security agency software.
- Limit access to the computer system using complex logins and alphanumeric passwords that require changing periodically and require passwords and limited access to e-files containing personal information.
- Require re-login after passage of inactive time.
- Prohibit posting or sharing of passwords by employees.
- Lock users out after (5) failed log-in attempts.
- Check websites and software vendor websites for alerts about new problems and implement such vendor approved patches as soon as practical.
- Maintain control of user IDs and other identifiers.
- Maintain passwords in a location and/or format that does not compromise the security of the data the password protects.
- Prohibit the continued use of default passwords by employees (i.e. force employees to change passwords).
- Maintain a reasonably secure method of assigning and selecting passwords or the user of unique identifier technologies such as biometric s or security tokens.
- Terminate any access to personal information by terminated employees.
- Use secure computer and Internet user authentication protocols (i.e. control of user identifications and other identifiers).
E. Third-Party Vendors
When using third-party vendors for services that necessitate the sharing of personal information, the Smithfield Public Schools will:
- Obtain, when possible and practical, a copy of the third-party vendor’s written information security program designed to comply with the Regulations.
- Contractually require implementation and maintenance of privacy and security measures and a Written Information Security Program by the third-party vendor.
When disposing of files containing personal information, the Smithfield Public Schools will follow its policy and records retention schedule, (if applicable) which will include:
- Shredding all hard copies of files containing personal information when such information is no longer required or needed to be maintained by the Smithfield Public Schools.
- Destroying all electronic files containing personal information when such information is no longer required or needed to be maintained by the Smithfield Public Schools, including the destruction of residual electronic data on computers and other electronic devices.