214.02   MAINTENANCE OF SENSITIVE INFORMATION.
   (a)   Sensitive information. Sensitive information includes the following information pertaining to village personnel, service providers, and all taxpayers and persons or entities served by the village water and/or sewer systems ("customers"), whether the information is stored in electronic or printed format:
      (1)   Credit card information, including without limitation the following:
         A.   Credit card number (in part or whole).
         B.   Credit card expiration date.
         C.   Cardholder name.
         D.   Cardholder address.
      (2)   Tax identification numbers, including without limitation the following:
         A.   Social Security Number (SSN).
         B.   Business identification number.
         C.   Employer identification number.
      (3)   Payroll information, including without limitation the following:
         A.   Paychecks.
         B.   Pay stubs.
      (4)   Cafeteria plan check requests and associated documentation.
      (5)   Medical information for any employee or customer, including without limitation the following:
         A.   Doctor names and claims.
         B.   Insurance claims.
         C.   Prescriptions.
         D.   Any related personal medical information.
      (6)   Other personal information belonging to village personnel, service providers, and customers, including without limitation the following:
         A.   Name.
         B.   Maiden name.
         C.   Address.
         D.   Phone number.
         E.   Date of birth.
         F.   Customer account number.
      (7)   Village personnel and service providers shall use commonsense judgment in securing sensitive information to the proper extent. Furthermore, village personnel must comply with the Ohio Public Records Act and the village's records organization and maintenance, dissemination, and disposition regulation (Orwell Handbook § 528). If an employee is uncertain about the sensitivity of a particular piece of information, he or she should contact the employee's immediate supervisor. Any conflict between this policy, the village's records organization and maintenance, dissemination, and disposition regulation, and the Ohio Public Records Act shall be resolved by the Orwell Records Commission.
   (b)   Maintenance of hard copies. Village personnel and service providers shall comply with the following policies:
      (1)   File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with sensitive information shall be locked when not in use.
      (2)   Storage rooms containing documents with sensitive information such as the records room shall be locked at the end of each workday or when unsupervised.
      (3)   Desks, workstations, work areas, printers and fax machines, and common shared work areas shall be cleared of all documents containing sensitive information when not in use.
      (4)   Whiteboards, dry-erase boards, and writing tablets in common shared work areas containing sensitive information shall be erased or removed from view when not in use.
      (5)   When documents containing sensitive information are discarded, they shall immediately be shredded using a mechanical cross-cut shredding device approved by the United States Department of Defense. Village records, however, may only be destroyed in accordance with the village's records organization and maintenance, dissemination, and disposition regulation.
   (c)   Electronic distribution. Village personnel and service providers shall comply with the following policies:
      (1)   Internal communications. Sensitive information may be transmitted internally using approved municipal e-mail. All sensitive information shall be encrypted when stored in an electronic format.
      (2)   External communications. Sensitive information sent externally shall be encrypted and password protected and shall be sent only to approved recipients. Additionally, the following statement shall be included in the e-mail:
      "This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited."
(Ord. 08-11-02.  Passed 1-13-09.)