
Your Privacy Rights
Internal Risk Mitigation of Personal Information
To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory:
The District will only collect personal information of customers and employees that is necessary to accomplish legitimate business transactions or to comply with any and all federal, state, or local regulations.
Access to records containing personal information shall be limited to those employees whose duties, relevant to their job descriptions, have a legitimate need to access said records, and only for this legitimate job-related purpose.
Written and electronic records containing personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements. The District's records needs and associated retention and secure destruction periods can be found in the Records Management Policy and Standards Manual.
An annual training session for employees will be held to detail the provisions of this Plan.
Terminated employees must return all records containing personal data, in any form, in their possession at the time of termination. This includes all data stored on any mobile device.
A terminated employee's physical and electronic access to records containing personal information shall be restricted at the time of termination. This shall include remote electronic access to personal records, voicemail, internet, and email access.
Disciplinary action will be applicable to violations of the Plan, irrespective of whether personal data was actually accessed or used without authorization.
Should the District's practices change in a way that impacts the collection, storage, and/or transportation of records containing personal information, the Plan will be reviewed to ensure the policies contained in the Plan are adequate to meet all applicable federal and state regulations.
The IT Specialist/Administrative Assistant, or his/her designee, shall be responsible for all review and modifications of the Plan and shall fully consult and apprise management of all reviews, including any recommendations for improving security arising from the review.
User IDs and passwords shall conform to accepted security standards. All passwords shall be changed at least every 120 days.
Any unattended District computer or tablet shall be secured and require the use of the user's password to gain access.
External Risk Mitigation of Personal Information
Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date. Security patches and critical updates shall be deployed through a centralized server to District computers.
Personal information shall not be removed from the premises in electronic or written form absent a legitimate business need and the use of reasonable security measures.
All system security software, including anti-virus, anti-malware, and internet security, shall be reasonably up-to-date and deployed through a centralized server to District computers.
There shall be secure user authentication protocols in place that:
o Control user IDs and other identifiers;
o Require passwords to conform to accepted security standards, or apply unique identifier technologies;
o Control passwords to ensure that password information is secure.
Third Party Service Provider Protocol
Any service provider or individual that receives, stores, maintains, processes, or otherwise is permitted access to any file containing personal information (Third Party Service Provider) shall be required to meet the following standards as well as any and all standards under 815 ILCS 530. Such providers may include third parties who provide off-site backup storage copies of the District's electronic data, software companies who store personal information, and vendors who store and transmit personal information.
The third party service provider is required to implement security standards and comply with 815 ILCS 530.
Personal information transferred to and from a third party service provider must pass over an established secure network that minimizes any potential threat that could occur during transactions.
Personal information stored on the third party service provider's network should be protected by encryption/decryption programs.
The District has conducted an assessment to determine the areas that require the use of personal information. The following is a list of areas that require the transaction of personal information between the District and third party service provider or customer and third party service provider on behalf of the District:
Registration software
Payroll
IMRF
Drivers Abstract
Police computers and thumb drives
Insurance (medical, vision, life, dental, COBRA, and FSA/HSA plans)
PDRMA workers compensation claims
Police online ticket payment system
Security Breach
Any time there is a suspected breach in security where there is a release of personal information, a threat to the District's network, or an event that could potentially harm the District's information systems, users must immediately notify the Director of Finance and Administration or the IT Specialist/Administrative Assistant, who will initiate an investigation. Notification of such a breach to the affected users will be in compliance with 815 ILCS 530.
Disposal of Records
To further ensure the protection of personal information, the District has put in place a records retention program (refer to Records Management Policy and Standards Manual and schedule). When disposing of records, the users must meet the following minimum standards for proper disposal of records containing personal information:
Paper documents containing personal information shall be pulverized or shredded so that personal data cannot practicably be read or reconstructed;
Electronic media and other non-paper media containing personal information must be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation, and disposal of personal information.