San Mateo Un HSD | AR 4040.1 Personnel
Employee Off-Site Personal Data Handling
The district permits off-site access to administrative systems and/or off-site access to paper or electronic documents containing personal data to approved employees. The purpose of this access is to better enable approved employees to process work and meet deadlines. It is the responsibility of the district employees accessing administrative applications from off-site locations to maintain the security of this information by following all district policies and procedures and abiding by all applicable personal information privacy laws as stated below. It is equally important for district employees transporting equipment and/or documents containing personal data to maintain the security of this information at all times. Failure to abide by these policies, procedures and laws may result in the loss of access to district systems and/or legal consequences.
For the purposes of this document, district administrative systems will include, but not be limited to, any student system, special education system, business system, or personnel HR system that contains personal information related to individual students, employees, or their family members.
California Penal Code 502 - Unauthorized access to computers, computer systems and computer data: This section provides that any person who commits one of the acts listed below is guilty of a public offense. The district considers any use of district computer systems or access to any district - owned data containing personal information with the intent to commit one of the listed offenses to be "without permission." Listed offenses include, but are not limited to;
1. Damaging, deleting, destroying or using any data to defraud, deceive, extort or wrongfully control or obtain money, property or data;
2. Using computer services without permission;
3. Assisting unauthorized persons in the use of computer services without permission;
4. Assisting unauthorized persons in gaining access to documents containing personal data without permission;
5. Altering, deleting, adding or destroying hardcopy documents or electronic data on district systems without permission;
6. Disrupting computer services or causing the denial of computer services to an authorized user; and/or
7. Knowingly introducing any computer contaminant into any computer services to an authorized user computer network.
District is obligated to report all violations of the above section to appropriate authorities, which may lead to fines of up to $10,000 and/or imprisonment of up to three years.
1. "Personal information" means an individual's first name or first initial and his or her last name in combination with anyone or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
A Social security number;
b. Driver's license number or California identification card number;
c. Account number, credit or debit card number, in combination with any required security code access code, or password that would permit access to an individual's financial account; and/or
d. Medical information.
2. "Medical information" means any individually identifiable, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional.
3. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
The full text of Civil Code 1798.80 -1798.84 can be found in the.
Terms and Conditions
Off-site access to any district administrative system is subject to the following:
1. Employees requesting off-site access to district administrative systems and/or permission to district data containing personal information must sign and adhere to the rules and policy as stated in this document.
2. Off-site access to district administrative systems requires the written authorization of both the principal and appropriate Cabinet administrator. A copy of the written authorization is to be kept on file by Technology Support Group (TSG) for a period of two years.
3. Off-site access to district administrative systems is limited to secured channels as established and configured by TSG.
4. Off-site access to district administrative systems is limited to computers with up to date protection from viruses and other malware.
5. Off-site users of district laptops must not allow any non-authorized person to access the machine for any reason at any time. Passwords cannot be shared with non-authorized persons at any time.
6. District laptops connecting to district administrative systems must be user-defined and authenticated upon entry into the district network. All applications must be password protected. All administrative applications must time out after 30 minutes of inactivity and can only be re-accessed with a password.
7. Off-site users of district administrative systems who print off-site any screen captures, reports or other hard-copy documents that contain personal or confidential information regarding any district student, staff member, or a family member of any district student or staff member are responsible for maintaining confidentiality and security of the information.
8. Off-site users of district administrative systems shall not save on any drive of their laptop or any computer (including portable media) data that contain personal or confidential information regarding any district student, staff member, or a family member of any district student or staff member unless the data are encrypted or password protected.
9. Any personal data as defined by Civil Code 1798.80 1798.84 that is transported electronically or physically shall not be saved on the hard drive of any personally owned machine or any non-district machine, even if the data are to be stored temporarily. Employees needing to work electronically with personal data as defined by Civil Code 1798.80-1798.84 must save the data to district - purchased portable media that Encrypts or password protects the data and work exclusively from that media.
10. Employees must return district equipment (including portable media) when on a leave of absence. Upon separation of employment, employees must immediately return all district equipment. District retains the right to withhold the employee's final paycheck until all district equipment has been returned.
11. All users must report a systems security breach to the TSG administrator or designee immediately upon discovery.
1. District maintains the right to monitor all activity involving the use of district's administrative systems at any time without prior notice.
2. District retains the right to terminate access to any district system at any time without prior notice.
3. All data collected, printed and/or stored on any device owned or leased by district is the property of district.
4. District retains the right to amend its policy and/or rules at any time without prior notice.
5. Employees understand that they will be held liable for any financial damages resulting from their illegal use of district's administrative systems.
Regulation SAN MATEO UNION HIGH SCHOOL DISTRICT
approved: July 15, 2010 San Mateo, California