Records Confidentiality and Security Policy
RESOLUTION 2013-233
ADOPTED
DOC ID: 8653 A
THIS IS TO CERTIFY THAT THE FOLLOWING RESOLUTION NO. 2013-233 WAS
ADOPTED AT THE REGULAR MEETING OF THE SOUTHOLD TOWN BOARD ON
MARCH 12, 2013:
RESOLVED the Town Board of the Town of Southold hereby adopts the Town of Southold
Records Confidentiality and Security Policy, effective immediately and directs all department
heads to distribute said policy to all employees in their respective departments and obtain
appropriate acknowledgement of receipt.
Elizabeth A. Neville
Southold Town Clerk
RESULT: ADOPTED [UNANIMOUS]
MOVER: William Ruland, Councilman
SECONDER: Louisa P. Evans, Justice
AYES: Dinizio Jr, Ruland, Doherty, Talbot, Evans, Russell
TOWN OF SOUTHOLD
RECORDS CONFIDENTIALITY AND SECURITY POLICY
The Town of Southold regards security and confidentiality of records, data and
information to be of utmost importance. Further, it is the intent of this Policy to ensure
that confidential information, in any format, is not divulged outside of the Town of
Southold without explicit approval to do so by the Town Board. As such, the Town
requires all users of data and information to follow the procedures outlined below:
Section A: Confidential Records
As a staff member of the Town of Southold, you may be working with highly
confidential, personal, vital, and restricted records of the Town (hereinafter collectively
referred to as "Confidential Records"). Confidential Records include, but are not limited
to: personnel records; confidential legal files; appraisals; vital records; Community
Preservation Fund transfer documents or anything marked "Privileged and/or
Confidential." This Policy pertains to all records regardless of their media format: all
books, papers, microforms, electronic devices (such as computers, cell phones, tablets,
etc.), readable tapes, discs or other media, maps, photographs, film, video and sound
recordings, or any other materials, regardless of physical form or characteristics, made or
received by any Agency or by the judiciary in pursuance of law or in connection with the
transaction of public business and retained by that Agency or its legitimate successor as
evidence of the organization's functions, policies, procedures, operations, or other
activities. Electronic Records are those which are stored in a form that can be read or
processed only by means of an electronic device.
Each individual granted access to Confidential Records holds a position of trust and must
preserve the security and confidentiality of the Confidential Records he/she uses. Users
of Confidential Records are required to abide by all applicable Federal and State
guidelines and Town policies regarding confidentiality.
Any individual with authorized access to the Town's Confidential Records is given
access to use such records solely for the business of the Town and must not divulge this
information outside of the Town except for approved Town business requirements
approved by the Town Board or each respective Department Head. Personal devices
shall not be permitted to connect to the Town's network or hardware unless approved by
the Town Board and implemented through the Town's Information Technologies
Department. If the Town determines that its records are on a personal device, the
employee grants the Town the right to access and inspect that device, with or without
notice, to investigate, review and delete any Town Confidential Records at any time or
for any reason. The Town will not be liable for the loss of any personal data arising from
such actions by the Town.
To promote a secure and confidential environment for all Confidential Records, the
following guidelines and standards shall apply:
1) Do not discuss identifying or personal information appearing on confidential
records, forms, computer files and other storage media with other staff,
family, or friends.
2) Do not seek personal benefit or permit others to benefit personally from any
data that has come to them throughout their work assignments.
3) Do not make or permit unauthorized use of any Confidential Records.
4) Do not enter, change, delete or add data to information systems or files
outside the scope of their job responsibilities.
5) Do not include or cause to be included in any Town record, a false, inaccurate
or misleading entry known to the individual as such.
6) Do not alter or delete or cause to be altered or deleted from any records report
or information system, a true and correct entry.
7) Do not release or discuss Confidential Records without proper authorization.
8) Confidential Records, forms, applications, and computer files must be stored
in a secure location designated by the appropriate Department Head.
9) Employees must lock Department offices at the end of business hours and
ensure that all Confidential Records are secured properly.
10) Upon the transfer of an employee to another Department within the Town or
upon the termination of an employee, the Department Head must insure that
all keys to Department offices are returned and all secure passwords are
retired.
It is each employee's responsibility to report immediately to their respective
Department Head any violations of this Policy or any other action which violates
confidentiality of Town records, data and information.
Section B: Laserfiche/Weblink Security
Employees may also have access to Confidential Records through the use of
Laserfiche/Weblink. Access to certain Departmental Confidential Records is
controlled by the Town through the use of secure passwords.
With respect to an employee's use of Laserfiche/Weblink, employees' responsibilities
are as follows:
1) Employees that utilize Laserfiche/Weblink in the course of their daily work
activities will be assigned user names and are responsible for creating and
maintaining a secure password for Laserfiche/Weblink.
2) Employees are responsible for maintaining a secure password by:
a. not sharing passwords with other members of the staff or members of the
public;
b. not leaving user name and password information in a location that is
visible to other staff or members of the public; and
c. remembering to sign-off or to lock their computer screen and/or not
leaving their computer unattended, open and vulnerable.
3) Any employee who needs to sign-on directly to the public terminals must
remember to sign-off when the session is completed and to not leave the terminal
unattended while the session is ongoing.
4) Employees must not share user names and passwords. Should an employee's
password become known by others for any reason, or if it is suspected that it is
known by another employee or member of the public, it must be changed
immediately.
5) When changing a password, an employee must adhere to the following
parameters: password cannot contain user ID; minimum of eight (8) characters in
length; and must contain characters from all of the following categories:
uppercase letters, lowercase letters, numbers, and special characters. Employees
must change their password at least once a year and will not be able to reuse a
prior password.
6) The Town reserves the right to monitor employee use of Laserfiche/Weblink and
other Town computer systems without prior notice or consent of the employees.
Employees waive their rights to privacy regarding access to the
Laserfiche/Weblink database.
Section C: Security Measures and Procedures for computer systems
All users of Town computer systems are supplied with an individual user account to
access the data necessary for the completion of their job responsibilities. Users of the
Town's computer systems are required to follow the procedures outlined below:
1) All transactions processed by a user ID and password are the responsibility of the
person to whom the user ID was assigned. The user's ID and password must
remain confidential and must not be shared with anyone. Employees should be
guided by the following:
a. Using someone else's password is a violation of the Policy, no matter how
it was obtained.
b. Your password provides access information that has been granted
specifically to you. To reduce the risk of shared passwords remember
not to post your password on or near your workstation or share your
password with anyone.
c. It is each employee's responsibility to change their password immediately
if it is believed that someone else has obtained it.
2) Access to any citizen or employee information (in any format) is to be determined
based on specific job requirements. The appropriate Department Head is
responsible for ensuring that access is granted only to authorized individuals
based upon their job responsibilities. Written authorization must be received by
the Information Technologies Department prior to granting system access.
a. Employees are prohibited from viewing or accessing additional
information (in any format) unless said employee is authorized to do so.
Any access obtained without authorization is considered unauthorized
access.
b. While the network currently automatically locks a workstation after 15
minutes of inactivity, to prevent unauthorized use, the user shall log off all
applications that are confidential in nature and lock their work station,
when leaving their work stations.
3) Passwords should be changed periodically and/or if there is reason to believe they
have been compromised or revealed inadvertently.
4) Upon termination or transfer of an employee, the appropriate Department Head
will notify the Information Technologies Department and the Records
Management Department.
5) Generally the public and any non-employees should not have access to personal
computer equipment. Written approval by the respective Department Head is
required if it is determined that access is required. Once written approval is
granted by a Department Head, a copy of said approval shall be sent to the
Information Technologies Department.