SENSITIVE INFORMATION POLICY
Effective
December 18, 2006
Purpose
To set forth departmental policy to ensure uniformity and consistency in how sensitive information is used by employees and stored on Department IT resources.
Authority
Statewide Information Technology Policy
ITP B.1
ITP B.7
ORC 1347.12
Reference
Resource
Office Information Technology
Policy
The proper storage, use and security of personal information are important to foster public confidence in the agency as well as to protect DNR employees and our customers.
Therefore, ODNR employees shall comply with the following provisions:
- Use of sensitive personal or law enforcement information for other than approved official state business is prohibited.
- Allowing unauthorized personnel access to sensitive personal or law enforcement information is prohibited.
- Sensitive personal employee information or customer information shall not be stored on mobile storage devices without written approval from the director or his designee. OIT shall consult with divisions/offices on security techniques and practices. Divisions and offices are discouraged from storing customer names and addresses on mobile storage devices. This data should only be stored when it is business critical and shall be removed from the device as soon as possible after the information is no longer required for business purposes. This excludes phone listings and contact information stored in email applications or cell phones.
- Sensitive personal or law enforcement information shall not be stored on employee-owned personal computers.
- Sensitive law enforcement information copied to mobile storage devices shall be removed/deleted from the device as soon as possible after the information is no longer required for business purposes.
- Any lost or stolen departmental mobile storage device must be reported to the Office of Information Technology immediately upon discovery. The division or office that owns the missing device must investigate to determine whether sensitive personal information was stored on it and, if necessary, notify the affected individual(s) of the possible information release within 48 hours of the discovery.
Penalties
Employees who violate this policy are subject to discipline. Anyone who becomes aware of a violation of these provisions shall report it to his/her supervisor or the violator's supervisor immediately. The supervisor is responsible for notifying the Office of Information Technology chief or assistant chief.
Glossary
- Mobile Storage Device: any device that can store data, e.g., laptops, PDAs, flash drives, external hard drives, CDs and DVDs.
- Sensitive Law Enforcement Information: sensitive personal information on individuals or law enforcement sensitive information, i.e., "law enforcement only", "official use only" or "confidential" information, release of which could adversely affect or jeopardize follow-up investigative or law enforcement activities.
- Sensitive Personal Information: includes names and addresses that are linked to social security numbers, date of birth, credit card data, and health data.