This policy applies to staff, contractors, interns, and certain volunteers of The Arc as determined by the immediate supervisor.

Privacy is a set of fair information practices to ensure:

  • Personal information is accurate, relevant, and current
  • All uses of information are known and appropriate
  • Personal information is protected

Privacy also:

  • Allows individuals a choice in how their information is used or disclosed
  • Assures that personal data will be used and viewed for business purposes only
  • Enables trust between The Arc and the Public

Personal Identifiable Information (PII) must be protected at all times even if the information cannot be used singularly to identify individuals. Protecting personal information is essential to The Arc of Harrisonburg & Rockingham.  Successfully achieving The Arc’s mission depends on protecting personally identifiable information from loss, theft, or misuse.

PII can be used to distinguish or trace someone’s identity, or can be linked to a specific individual.  Any such item of information can be PII, including:

  • Sensitive data – medical, financial, or legal information
  • “Neutral” information – name, facial photos, work address; or
  • Contextual information – file folder for a specific health condition that contains a list of treated patients

Seemingly innocuous information can identify an individual when combined with other data or compared to a data set that includes other PII.  PII must be protected, whether in paper, electronic, or oral form.

Identity thieves use names, addresses, Social Security Numbers, and financial information of their victims to obtain credit cards, loans, and bank accounts for themselves.

Common Examples of PII

  • Name
  • Social Security Number (SSN)
  • Date of Birth (DOB)
  • Mother’s maiden name
  • Financial records
  • Email address
  • Driver’s license number
  • Passport number
  • Personal Health Information (PHI)

The type of information determines the protections required by law.  For example:

  • HIPAA for some types of health information
  • The Paperwork Reduction Act for information collected from citizens

Social Engineering is classically defined as the art of manipulating and exploiting human behavior to gain unauthorized access to systems and information for fraudulent or criminal purposes.  Social Engineering attacks are more common and more successful than computer hacking attack against the network.  Social engineering attacks are based on natural human desires like:

  • Trust
  • Desire to help
  • Desire to avoid conflict
  • Fear
  • Curiosity
  • Ignorance and carelessness

Social Engineers want any information that will give them access to systems or facilities.  Common targets are:

  • Passwords
  • Smart phones
  • Wallets
  • Employee’s personal information

Requirements

It is vital that The Arc safeguard PII to protect The Arc’s mission, staff, and employees.  Unauthorized disclosure of PII could result in litigation against The Arc organization and relevant employees.

As a member of The Arc workforce, you are responsible for following privacy law, policies, and procedures.  Privacy law, policies and procedures require you to:

  • Collect, use and disclose personal information only for reasons that are for a legitimate job function, support the mission of The Arc, and are allowed by law
  • Access information only for authorized purposes
  • Safeguard personal information in your possession, whether it be in paper or electronic format
  • Report suspected privacy violations or incidents
  • Shred documents containing PII; NEVER place them in the trash

Spillage is the improper storage, transmission or processing of PII.  Combat spillage by:

  • Sharing information on a need-to-know basis
  • Never access PII unless authorized to do so to perform your job
  • Encrypt emails and double-check that the recipient name(s) is correct before sending
  • When faxing, confirm that you have the correct fax number and call the recipient to confirm receipt

Maintain security outside the office.  Technology, telework, and job duties mean that many employees regularly work away from the office.  Protect information while in-route or travel by:

  • Always maintaining possession of your laptop & other mobile devices
  • Ensuring that the wireless security features are properly configured
  • Being cautious when establishing a virtual private network (VPN) connection through a non-secure environment (e.g. hotel). Do not work on sensitive material when using an insecure connection
  • Turn off/disable wireless capability when connected via Local Area Network (LAN) cable
  • Turn off your laptop while traveling so that encryption is enabled
  • Report a loss or theft of your laptop or other organizational furnished device immediately to your security point of contact

Physical Security Protection Tips

  • Lock your computer when not in use
  • Store and transport removable media such as CDs, DVDs, flash drives, and external hard drives in a secure manner to prevent theft or loss
  • Only connect authorized removable media devices
  • When possible, encrypt all devices that contain PII and sensitive information
  • Keep sensitive information out of sight when visitors are present
  • Quickly retrieve faxes that are sent to you.

Consequences of Privacy Violations can result in severe consequences including employee discipline, fines, dismissal, and even lead to imprisonment.

Remember, harmless PII, like gender or a spouse’s name, can still be used to identify a person and must be protected.

References:

The following references, but not limited to, apply:

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Privacy Act of 1974

Children’s Online Privacy Protection Act (COPPA)

E-Government Act of 2002

Reduction in Paperwork Act

E-Verify

EMPLOYEE ACKNOWLEDGEMENT

OF RECEIPT OF

THE PERSONNEL POLICIES

I acknowledge that I have read and understood the policies outlined in this copy of the Employee Handbook of The Arc of Harrisonburg and Rockingham.

I understand that these policies provide only a general reference and are not a full statement of The Arc procedures nor are they a contract. I shall update these policies as I am provided with new materials, and I shall return my copy of the Personnel Policies to the Arc upon termination of my employment.

Employee Name (please print):________________________________

Employee Signature: _____________________________________

 

Date: _________________________

OFFICE COPY

This page is to be returned to The Arc and filed in the employee’s personnel file.

 

EMPLOYEE ACKNOWLEDGEMENT

OF RECEIPT OF

THE PERSONNEL POLICIES

I acknowledge that I have read and understood the policies outlined in this copy of the Personnel Policies of The Arc of Harrisonburg and Rockingham.

I understand that these policies provide only a general reference and are not a full statement of The Arc procedure nor are they a contract. I shall update these policies as I am provided with new materials, and I shall return my copy of the Personnel Policies to the Arc upon termination of my employment.

Employee Name (please print): _________________________________

Employee signature: _____________________________________

 

Date: _________________________

Back to Table of Contents