§ 11. ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS TO PROTECT PHI.
   (A)   General. The department and the village must take reasonable steps to safeguard information from any intentional or unintentional use or disclosure that is in violation of the privacy policies. Information to be safeguarded may be in any medium, including paper, electronic, oral and visual representations of confidential information.
   (B)   Safeguarding confidential information - workplace and workstation practices.
      (1)   Paper.
         (a)   Each of the department's or the village's workplaces and workstations will store files and documents in locked rooms or storage systems.
         (b)   In workplaces and workstations where lockable storage is not available, department and village staff members must take reasonable efforts to ensure the safeguarding of confidential information.
         (c)   Each of the department's or the village's workplaces and workstations will ensure that files and documents awaiting disposal or destruction in desk-site containers, storage rooms, or centralized waste/shred bins are appropriately labeled, are disposed of on a regular basis, and that all reasonable measures are taken to minimize access.
         (d)   Each of the department's or the village's workplaces and workstations will ensure that shredding of files and documents is performed on a timely basis, consistent with record retention requirements and policies.
      (2)   Oral.
         (a)   Department and village staff and workforce members must take reasonable steps to protect the privacy of all verbal exchanges or discussions of confidential information, regardless of where the discussion occurs.
         (b)   Each of the department's or the village's workplaces and workstations shall make enclosed offices and/or interview rooms available for the verbal exchange of confidential information.
         Exception: In work environments structured with few offices or closed rooms, such as open office environments, uses or disclosures that are incidental to an otherwise permitted use or disclosure could occur. Such incidental uses or disclosures are not considered a violation provided that the department or the village has met the reasonable safeguards and minimum necessary requirements.
         (c)   Each of the department's or the village's workplaces and workstations must foster employee awareness of the potential for inadvertent verbal disclosure of confidential information.
      (3)   Visual. Department and village staff and workforce members must ensure that observable confidential information is adequately shielded from unauthorized disclosure on computer screens and paper documents.
         (a)   Computer screens. Each workplace and workstation must make every effort to ensure that confidential information on computer screens is not visible to unauthorized persons.
         (b)   Paper documents. Department and village staff and workforce must be aware of the risks regarding how paper documents are used and handled, and must take all necessary precautions to safeguard confidential information.
   (C)   Safeguarding confidential information - administrative safeguards.
      (1)   Implementation of role-based access (RBA) and the "minimum necessary" procedure outlined hereinabove will promote administrative safeguards.
      (2)   Role-based access (RBA) is a form of security allowing access to data based on job function in accordance with department and village security procedures. Department and village staff and workforce members shall be given access only to the minimum necessary information to fulfill their job functions.
      (3)   Conducting internal reviews periodically will permit the department and the village to evaluate the effectiveness of safeguards.
      (4)   All department and village managers, supervisors, staff and workforce members, including volunteers and trainees, are required to sign a document constituting a formal commitment and understanding to adhere to department and village privacy and security policies.
   (D)   Safeguarding confidential information - workplace and workstation practices.
      (1)   Paper.
         (a)   Files and documents being stored:
            1.   Lockable desks, file rooms, and open area storage systems must be locked.
            2.   Where desks, file rooms, or open area storage systems are not lockable, reasonable efforts to safeguard confidential information must be implemented.
         (b)   Files and documents awaiting disposal/destruction:
            1.   Desk-site containers: department and village workplaces and workstations will ensure that confidential information awaiting disposal is stored in containers that are appropriately labeled and are properly disposed of on a regular basis.
            2.   Storage rooms containing confidential information awaiting disposal: each department and village workplace and workstation workforce member will ensure that storage rooms are locked after business hours or when authorized staff or management are not present.
            3.   Centralized waste/shred bins: each department and village workplace and workstation workforce member will ensure that all centralized bins or containers for disposed confidential information are clearly labeled "confidential", sealed, and placed in a lockable storage room.
            4.   Each department and village workplace and workstation workforce member that does not have lockable storage rooms or centralized waste/shred bins must implement reasonable procedures to minimize access to confidential information.
         (c)   Shredding of files and documents authorized consistent with record retention requirements:
            1.   Department and village managers and supervisors must ensure that shredding is done timely, preferably on a daily basis.
            2.   Outside contractors: the department and the village must ensure that any such entity is under a written contract that requires safeguarding of confidential information throughout the destruction process.
      (2)   Oral.
         (a)   Department and village staff and workforce members must take reasonable steps to protect the privacy of all verbal exchanges or discussions of confidential information, regardless of where the discussion occurs, and should be aware of risk levels.
         (b)   Locations of verbal exchange with various levels of risk:
            1.   Low risk: interview rooms, enclosed offices and conference rooms.
            2.   Medium risk: employee only areas, telephone and individual cubicles.
            3.   High risk: public areas, reception areas and shared cubicles housing multiple staff where clients are routinely present.
      (3)   Visual.
         (a)   Department and village staff and workforce members must ensure that observable confidential information is adequately shielded from unauthorized disclosure.
         (b)   Computer screens. Department and village managers, supervisors, staff and workforce members must ensure that confidential information on computer screens is not visible to unauthorized persons. Means for ensuring this protection include:
            1.   Use of polarized screens or other computer screen overlay devices that shield information on the screen from persons not the authorized user;
            2.   Placement of computers out of the visual range of persons other than the authorized user;
            3.   Clearing information from the screen when not actually being used;
            4.   Locking down computer workstations when not in use; and
            5.   Other effective means as available.
      (4)   Paper documents.
         (a)   Department and village staff and workforce members must be aware of the risks regarding how paper documents are used and handled, and must take all necessary precautions to safeguard confidential information.
         (b)   Department and village staff and workforce members must take special care to ensure the protection and safeguarding of, and the minimum necessary access to, paper documents containing confidential information that are located on:
            1.   Desks;
            2.   Fax machines;
            3.   Photocopy machines;
            4.   Portable electronic devices (e.g., laptop computers, palm pilots, etc.);
            5.   Computer printers; and
            6.   Common areas (e.g., break rooms, cafeterias, restrooms, elevators, etc.).
   (E)   Safeguarding confidential information - administrative safeguards.
      (1)   Role-based access (RBA). Roles will be created and defined based on the information in the department's and the village's possession, where it is located, how it is used, and why. A determination of who should have access to the specific data will be established.
      (2)   Department and village managers and supervisors will decide the role of each of their staff and workforce members and request exceptions based on the needs within their jurisdiction or area of responsibility.
      (3)   Managers are responsible for allowing access to enough information for their staff and workforce members to do their jobs while holding to the minimum necessary standard and policies.
      (4)   Department and village's managers and supervisors will:
         (a)   Follow all instructions and policies to safeguard confidential information;
         (b)   Foster a secure atmosphere and enhance the belief that confidential information is important and that protecting privacy is key to achieving the department's and the village's privacy goals;
         (c)   Assess and update as necessary the safeguards in place every six months, seeking to achieve reasonable administrative, technical and physical safeguards; and
         (d)   Utilize all security policies to augment safeguard procedures.
      (5)   The department's Privacy Officer is responsible for enforcing this policy, and shall be entitled to the assistance of the Village Manager in doing so, if such assistance should be needed. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process under this policy and the applicable ordinances of the village, up to and including termination or dismissal.
(Ord. 0030-03, passed 4-2-03)