YCCD Data Security & Privacy Protection Administrative Procedure – DRAFT
APPLICATION: This administrative procedure applies to all individuals who collect, use, or share district information. Those individuals include, but are not limited to, staff, faculty, those working on behalf of the district, and individuals authorized by affiliated institutions and organizations.
DATA PROTECTION OFFICER: Director of IT Infrastructure and Security
This administrative procedure governs information that the district or authorized agents collect, use electronically or physically, and share with others.
The collection, retention and release of some information may be covered by law or regulation; including but not limited to the Family Educational Rights and Privacy Act (“FERPA”); the Health Insurance Portability and Accountability Act (“HIPAA”); the European Union General Data Protection Regulation (“EU GDPR”); and the California Consumer Privacy Act (CCPA); and this administrative procedure is not meant to supersede requirements related thereto.
For the sake of this administrative procedure, personally identifiable information (“PII”) is any non-public information that can identify or provide information about an individual.
This is defined as information that is generally available to anyone within or outside of the District. Access to this data is unrestricted, may already be available, and can be distributed as needed. Public data includes, but is not limited to: fundraising materials, admission recruiting materials, information posted on public web pages, and directory information. This data can be used and stored on any district managed system without additional safeguards in places.
This is information that may be considered damaging if released. Confidential data examples include financial records and all PII not considered Restricted. Confidential data can only be collected, used, or stored in approved systems or encrypted workstations. This data cannot be shared outside the district without approval of the general counsel and DPO.
This is defined as highly sensitive data, which if leaked, has a moderate to high risk on privacy, safety, or financial situation. Restricted data includes, but is not limited to: grades, social security numbers, HIPAA data, credit card data, and controlled unclassified information. Restricted data can only be collected, used, or stored in systems approved by the DPO. This data cannot be shared with new people inside the organization or outside the organization without approval of the general counsel and DPO.
Protection of Confidential and Restricted Data
- Management is responsible for ensuring that their direct reports understand the scope and implications of this administrative procedure.
- HR is responsible for ensuring that all employees acknowledge receipt of this administrative procedure.
- Individuals contracting with third parties must ensure that appropriate provisions exist in agreements to maintain the confidentiality and integrity of the data in compliance with applicable laws and regulations.
- Personal account passwords should never be shared. Individuals are held accountable for all activity performed with their accounts in accordance with our Computer and Network Usage Administrative Procedure – AP 3720 .
- Any authorized party who collects or generates new data must classify that data according to the criteria outlined above and notify the DPO to ensure appropriate tracking and protection.
- Confidential and Restricted data protection should be based on the following security principles
- Risk Assessment – appropriate protections should be defined based on the perceived risk to the data and possible harm due to unauthorized disclosure.
- Least Privilege – individuals should only be given the access that they need to complete their assigned duties
- Need to know – individuals should only be aware of information that they must know to complete assigned their duties
- Any person in possession of Confidential and Restricted data shall safeguard the data to the best of their ability and shall destroy, erase or make unreadable such data in whatever form it exists prior to disposal in accordance with YCCD’s Records Retention and Destruction – AP 3310.
- Confidential and Restricted data cannot be saved to personal equipment.
- Confidential and Restricted data in paper or physical form shall be kept in closed, secured cabinets or rooms.
- Any constituent who discovers possible evidence of a violation of this administrative procedure or possible breach or release of Confidential and Restricted data shall immediately notify the DPO and take care to preserve any and all evidence of such incident. Upon confirmation of a breach or unauthorized disclosure of confidential or restricted data, the DPO shall initiate a security incident in adherence with the information security incident response procedure.
- All district managed systems will be scanned for confidential and restricted data to help ensure compliance with the standards set above. If confidential or restricted data are found on a system, the user must delete the data if no longer necessary, or move the data to an approved location. (e.g., encrypted hard drive or file share)
- Information security and privacy staff will monitor for unauthorized activity and update requirements where appropriate.
For additional guidance specific to GDPR, please refer to Exhibit A: Yuba Community College District European Union General Data Protection Regulations (EU GDPR) Policy.
For additional details about our data collection, usage, and sharing, please refer to Exhibit B: Yuba Community College District Data Collection, Usage & Sharing
For additional guidance specific to CCPA, please refer to Exhibit C: Yuba Community College District California Consumer Protection Act (CCPA)
administrative procedure Enforcement
Staff, faculty, or students found in violation of this administrative procedure may be adjudicated per their respective handbooks.
Questions, comments, or concerns regarding this administrative procedure or the protection of data should be directed to the Data Protection Officer at email@example.com.