The URL can be used to link to this page

Home My WebLink AboutRecords Confidentiality and Security PolicyRESOLUTION 2013-233 ADOPTED DOC ID: 8653 A THIS IS TO CERTIFY THAT THE FOLLOWING RESOLUTION NO. 2013-233 WAS ADOPTED AT THE REGULAR MEETING OF THE SOUTHOLD TOWN BOARD ON MARCH 12, 2013: RESOLVED the Town Boaxd of the Town of Southold hereby adopts the Town of Southold Records Confidentiality and Security Policy, effective immediately and directs all depaxtment heads to distribute said policy to all employees in their respective departments and obtain appropriate acnowledgement of receipt. Elizabeth A. Neville Southold Town Clerk RESULT: ADOPTED [UNANIMOUS] MOVER: William Ruland, Councilman SECONDER: Louisa P. Evans, Justice AYES: Dinizio Jr, Ruland, Doherty, Talbot, Evans, Russell TOWN OF SOUTHOLD RECORDS CONFIDENTIALITY AND SECURITY POLICY The Town of Southold regards security and confidentiality of records, data and information to be of utmost importance. Further, it is the intent of this Policy to ensure that confidential information, in any format, is not divulged outside of the Town of Southold without explicit approval to do so by the Town Board. As such, the Town requires all users of data and information to follow the procedures outlined below: Section A: Confidential Records As a staff member of the Town of Southold, you may be working with highly confidential, personal, vital, and restricted records of the Town (hereinafter collectively referred to as "Confidential Records"). Confidential Records include, but are not limited to: personnel records; confidential legal files; appraisals; vital records; Community Preservation Fund transfer documents or anything marked "Privileged and/or Confidential." This Policy pertains to all records regardless of their media format: all books, papers, microforms, electronic devices (such as computers, cell phones, tablets, etc.), readable tapes, discs or other media, maps, photographs, film, video and sound recordings, or any other materials, regardless of physical form or characteristics, made or received by any Agency or by the judiciary in pursuance of law or in connection with the transaction of public business and retained by that Agency or its legitimate successor as evidence of the organization's functions, policies, procedures, operations, or other activities. Electronic Records are those which are stored in a form that can be read or processed only by means of an electronic device. Each individual granted access to Confidential Records holds a position of trust and must preserve the security and confidentiality of the Confidential Records he/she uses. Users of Confidential Records are required to abide by all applicable Federal and State guidelines and Town policies regarding confidentiality. Any individual with authorized access to the Town's Confidential Records is given access to use such records solely for the business of the Town and must not divulge this information outside of the Town except for approved Town business requirements approved by the Town Board or each respective Department Head. Personal devices shall not be permitted to connect to the Town's network or hardware unless approved by the Town Board and implemented through the Town's Information Technologies Department. If the Town determines that its records are on a personal device, the employee grants the Town the right to access and inspect that device, with or without notice, to investigate, review and delete any Town Confidential Records at any time or for any reason. The Town will not be liable for the loss of any personal data arising from such actions by the Town. To promote a secure and confidential environment for all Confidential Records, the following guidelines and standards shall apply: -1- 1) Do not discuss identifying or personal information appearing on confidential records, forms, computer files and other storage media with other staff; family, or friends. 2) Do not seek personal benefit or permit others to benefit personally from any data that has come to them throughout their work assignments. 3) Do not make or permit unauthorized use of any Confidential Records. 4) Do not enter, change, delete or add data to information systems or files outside the scope of their job responsibilities. 5) Do not include or cause to be included in any Town record, a false, inaccurate or misleading entry known to the individual as such. 6) Do not alter or delete or cause to be altered or deleted from any records report or information system, a true and correct entry. 7) Do not release or discuss Confidential Records without proper authorization 8) Confidential Records, forms, applications, and computer files must be stored in a secure location designated by the appropriate Department Head. 9) Employees must lock Department offices at the end of business hours and ensure that all Confidential Records are secured properly. 10) Upon the transfer of an employee to another Department within the Town or upon the termination of an employee, the Department Head must insure that all keys to Department offices are returned and all secure passwords are retired. It is each employee's responsibility to report immediately to their respective Department Head any violations of this Policy or any other action which violates confidentiality of Town records, data and information. Section B: Laserfiche/Weblink Security Employees may also have access to Confidential Records through the use of Laserfiche/Weblink. Access to certain Departmental Confidential Records is controlled by the Town through the use of secure passwords. With respect to an employee's use of Laserfiche/Weblink, employees' responsibilities are as follows: -2- 1) Employees that utilize Laserfiche/Weblink in the course oftheir daily work activities will be assigned user names and are responsible for creating and maintaining a secure password for Laserfiche/Weblink. 2) Employees are responsible for maintaining a secure password by: a. not sharing passwords with other members of the staff or members of the public; b. not leaving user name and password information in a location that is visible to other staff or members of the public; and c. remembering to sign-off or to lock their computer screen and/or not leaving their computer unattended, open and vulnerable. 3) Any employee who needs to sign-on directly to the public terminals must remember to sign-off when the session is completed and to not leave the terminal unattended while the session is ongoing. 4) Employees must not share user names and passwords. Should an employee's password become known by others for any reason, or if it is suspected that it is known by another employee or member of the public, it must be changed immediately. 5) When changing a password, an employee must adhere to the following parameters: password cannot contain user ID; minimum of eight (8) characters in length; and must contain characters from all of the following categories: uppercase letters, lowercase letters, numbers, and special characters. Employees must change their password at least once a year and will not be able to reuse a prior password. 6) The Town reserves the right to monitor employee use of Laserfische/Weblink and other Town computer systems without prior notice or consent of the employees. Employees waive their rights to privacy regarding access to the Laserfiche/Weblink database. Section C: Security Measures and Procedures for computer systems All users of Town computer systems are supplied with an individual user account to access the data necessary for the completion of their job responsibilities. Users of the Town's computer systems are required to follow the procedures outlined below: 1) All transactions processed by a user ID and password are the responsibility ofthe person to whom the user ID was assigned. The user's ID and password must remain confidential and must not be shared with anyone. Employees should be guided by the following: a. Using someone else's password is a violation of the Policy, no matter how it was obtained. -3- b. Your password provides access information that has been granted specifically to you. To reduce the risk of shared passwords remember not to post your password on or near your workstation or share your password with anyone. c. It is each employee's responsibility to change their password immediately if it is believed that someone else has obtained it. 2) Access to any citizen or employee information (in any format) is to be determined based on specific j ob requirements. The appropriate Department Head is responsible for ensuring that access is granted only to authorized individuals based upon their j ob responsibilities. Written authorization must be received by the Information Technologies Department prior to granting system access. a. Employees are prohibited from viewing or accessing additional information (in any format) unless said employee is authorized to do so. Any access obtained without authorization is considered unauthorized access. b. While the network currently automatically locks a workstation after 15 minutes of inactivity, to prevent unauthorized use, the user shall log off all applications that are confidential in nature and lock their work station, when leaving their work stations. 3) Passwords should be changed periodically and/or if there is reason to believe they have been compromised or revealed inadvertently. 4) Upon termination or transfer of an employee, the appropriate Department Head will notify the Information Technologies Department and the Records Management Department. 5) Generally the public and any non-employees should not have access to personal computer equipment. Written approval by the respective Department Head is required if it is determined that access is required. Once written approval is granted by a Department Head, a copy of said approval shall be sent to the Information Technologies Department. -4-