Common use of Data Security and Confidentiality Clause in Contracts

Data Security and Confidentiality. An LEA may provide education records to the DOR for the performance of transition services but will do so only after the LEA has received the prior written consent of the parent or adult student with educational rights. The DOR shall: (i) keep all personally identifiable information contained in education records confidential; (ii) use education records solely for the purpose of performing this agreement; (iii) disclose education records solely to those employees with a need to know for the purpose of performing this agreement; and (iv) immediately return or confidentially destroy all education records per National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88 when no longer needed for the purposes for which they were disclosed.

The DOR may provide consumer information to an LEA for the performance of transition services but will do so only after the DOR has received the prior written consent of the consumer. If the consumer is under the age of 18 and is not an emancipated minor, the written consent of the parent or guardian is required. The LEA shall: (i) keep all personally identifiable information contained in consumer records confidential; (ii) use consumer records solely for the purpose of performing this agreement; (iii) disclose consumer records solely to those employees with a need to know for the purpose of performing this agreement; and (iv) immediately destroy all consumer records when no longer needed for the purposes for which they were disclosed.

Appropriate steps will be taken to protect confidential information of persons with disabilities, including:

1. Storage administration should include the strict control and accessibility of all storage media.
2. All storage media should be inventoried on an annual basis, or sooner as dictated by clients, regulatory, or other contractual agreements.
3. Wherever possible, physical backup and transfer should be avoided or eliminated in favor of electronic transfer of encrypted backup files.
4. All data files and databases containing personally identifiable information (PII) data will be encrypted using currently approved NIST algorithms when being electronically transferred across an internal network. That list can be found here: ▇▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/Projects/Cryptographic-Standards-and-Guidelines. All data files and databases containing PII data will be encrypted using currently approved NIST algorithms and Federal Information Processing Standard (FIPS) 140-2 mode or FIPS 140-2 approved ciphers when being electronically transferred across a public network.
5. For the backups of data files and databases that contain PII data, which are backed up to removable physical media (portable electronic storage media, including tapes), the data on the removable physical media will be encrypted utilizing a FIPS 140-2 validated encryption solution.
6. Physical media containing PII data should be maintained in a secure environment prior to its transfer offsite.
7. Physical media containing PII data should be monitored during the internal shipping process and must never be left unattended before handoff to the shipper.
8. Physical media containing PII data should be shipped in locked containers with no special markings or other indications of the sensitive nature of the contents.
9. Shipping procedures should include a positive acknowledgement of receipt of encrypted backup files at the destination.

In the event either party becomes aware of the possibility that the confidentiality of the other party’s confidential information may have been compromised, such party shall notify the other party’s Information Security Officer (▇▇▇@▇▇▇.▇▇.▇▇▇ and ▇▇▇@▇▇▇.▇▇.▇▇▇) within two hours. Security breaches may include, but are not limited to, inappropriate use or unauthorized student/consumer information disclosure through electronic, paper, and verbal methods.

1. Any report or material created during the performance of this Agreement will not contain personally identifiable information from education or consumer records and will not be released to any source except as required by this Agreement or otherwise authorized by both parties.
2. The provisions applicable to education and consumer information are as set forth in 34 Code of Federal Regulations, Part 99; 34 Code of Federal Regulations, Section 361.38; and Title 9, California Code of Regulations, Section 7140 et seq.; and those applicable to personal information are as set forth in the Information Practices Act of 1977 (California Civil Code Section 1798 et seq.).
3. Security breaches or information security incidents that shall be reported include, but are not limited to:
   a. Inappropriate use or unauthorized disclosure of confidential, sensitive, or personal information (e.g., consumer information) obtained in the performance of this Agreement. Disclosure methods include, but are not limited to, electronic, paper, and verbal.
   b. Unauthorized access to confidential, sensitive, or personal information (e.g., consumer information) obtained in the performance of this Agreement. Information can be held in a medium that includes, but is not limited to, electronic, paper, and verbal.
   c. Loss or theft of information technology (IT) equipment, electronic devices/media, paper media, or data containing confidential, sensitive, or personal information (e.g., consumer information) obtained in the performance of this Agreement. IT equipment and electronic devices/media include, but are not limited to, computers (e.g., laptops, desktops, tablets), smartphones, cell phones, CDs, DVDs, USB flash drives, servers, printers, peripherals, assistive technology devices (e.g., note takers, videophones), and copiers. Data can be held in a medium that includes, but is not limited to, electronic and paper.
4. A self-training manual is available on the DOR website in the “Service Provider” section under “Annual Security and Privacy Training for VR Service Providers.” The self-training manual is named “Protecting Privacy in State Government” and can be downloaded at the following link: ▇▇▇▇://▇▇▇.▇▇▇.▇▇.▇▇▇/VRED/Security-n-Privacy-Training.html.
5. Additional training and awareness tools are available at the California Information Security Office (CISO) website and the California Department of Justice – Privacy Enforcement and Protection website. These state entities created the self-training manual, “Protecting Privacy in State Government,” which DOR revised to meet its business needs.

Appears in 1 contract

Sources: State Interagency Agreement

Data Security and Confidentiality. An LEA may provide education records to the DOR for the performance of transition services but will do so only after the LEA has received the prior written consent of the parent or adult student with educational rights. The DOR shall: (i) keep all personally identifiable information contained in education records confidential; (ii) use education records solely for the purpose of performing this agreement; (iii) disclose education records solely to those employees with a need to know for the purpose of performing this agreement; and (iv) immediately return or confidentially destroy all education records per National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88 when no longer needed for the purposes for which they were disclosed.

The DOR may provide consumer information to an LEA for the performance of transition services but will do so only after the DOR has received the prior written consent of the consumer. If the consumer is under the age of 18 and is not an emancipated minor, the written consent of the parent or guardian is required. The LEA shall: (i) keep all personally identifiable information contained in consumer records confidential; (ii) use consumer records solely for the purpose of performing this agreement; (iii) disclose consumer records solely to those employees with a need to know for the purpose of performing this agreement; and (iv) immediately destroy all consumer records when no longer needed for the purposes for which they were disclosed.

Appropriate steps will be taken to protect confidential information of persons with disabilities, including:

1. Storage administration should include the strict control and accessibility of all storage media.
2. All storage media should be inventoried on an annual basis, or sooner as dictated by clients, regulatory, or other contractual agreements.
3. Wherever possible, physical backup and transfer should be avoided or eliminated in favor of electronic transfer of encrypted backup files.
4. All data files and databases containing personally identifiable information (PII) data will be encrypted using currently approved NIST algorithms when being electronically transferred across an internal network. That list can be found here: ▇▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/Projects/Cryptographic-Standards-and-Guidelines. All data files and databases containing PII data will be encrypted using currently approved NIST algorithms and Federal Information Processing Standard (FIPS) 140-2 mode or FIPS 140-2 approved ciphers when being electronically transferred across a public network.
5. For the backups of data files and databases that contain PII data, which are backed up to removable physical media (portable electronic storage media, including tapes), the data on the removable physical media will be encrypted utilizing a FIPS 140-2 validated encryption solution.
6. Physical media containing PII data should be maintained in a secure environment prior to its transfer offsite.
7. Physical media containing PII data should be monitored during the internal shipping process and must never be left unattended before handoff to the shipper.
8. Physical media containing PII data should be shipped in locked containers with no special markings or other indications of the sensitive nature of the contents.
9. Shipping procedures should include a positive acknowledgement of receipt of encrypted backup files at the destination.

In the event either party becomes aware of the possibility that the confidentiality of the other party’s confidential information may have been compromised, such party shall notify the other party’s Information Security Officer (▇▇▇@▇▇▇.▇▇.▇▇▇ and ▇▇▇@▇▇▇.▇▇.▇▇▇) within two hours. Security breaches may include, but are not limited to, inappropriate use or unauthorized student/consumer information disclosure through electronic, paper, and verbal methods.

1. Any report or material created during the performance of this Agreement will not contain personally identifiable information from education or consumer records and will not be released to any source except as required by this Agreement or otherwise authorized by both parties.
2. The provisions applicable to education and consumer information are as set forth in 34 Code of Federal Regulations, Part 99; 34 Code of Federal Regulations, Section 361.38; and Title 9, California Code of Regulations, Section 7140 et seq.; and those applicable to personal information are as set forth in the Information Practices Act of 1977 (California Civil Code Section 1798 et seq.).
3. Security breaches or information security incidents that shall be reported include, but are not limited to:
   a. Inappropriate use or unauthorized disclosure of confidential, sensitive, or personal information (e.g., consumer information) obtained in the performance of this Agreement. Disclosure methods include, but are not limited to, electronic, paper, and verbal.
   b. Unauthorized access to confidential, sensitive, or personal information (e.g., consumer information) obtained in the performance of this Agreement. Information can be held in a medium that includes, but is not limited to, electronic, paper, and verbal.
   c. Loss or theft of information technology (IT) equipment, electronic devices/media, paper media, or data containing confidential, sensitive, or personal information (e.g., consumer information) obtained in the performance of this Agreement. IT equipment and electronic devices/media include, but are not limited to, computers (e.g., laptops, desktops, tablets), smartphones, cell phones, CDs, DVDs, USB flash drives, servers, printers, peripherals, assistive technology devices (e.g., note takers, videophones), and copiers. Data can be held in a medium that includes, but is not limited to, electronic and paper.
4. A self-training manual is available on the DOR website in the “Service Provider” section under “Annual Security and Privacy Training for VR Service Providers.” The self-training manual is named “Protecting Privacy in State Government” and can be downloaded at the following link: ▇▇▇▇://▇▇▇.▇▇▇.▇▇.▇▇▇/VRED/Home/Security-n-Privacy-Training.htmlSecurityandPrivacy.
5. Additional training and awareness tools are available at the California Information Security Office (CISO) website and the California Department of Justice – Privacy Enforcement and Protection website. These state entities created the self-training manual, “Protecting Privacy in State Government,” which DOR revised to meet its business needs.

Appears in 1 contract

Sources: State Interagency Agreement