POLICIES & PROCEDURES FOR HANDLING CONFIDENTIAL INFORMATION
NOVEMBER 5TH, 2015

- Participants will understand the updated 2015 NYS Migrant Education Policies & Procedures for handling confidential information
- Participants will be able to employ the tools demonstrated in this presentation to enhance the security of their workplace
- At the end of the presentation, participants will be able to pass the “Training of Trainers” certification exam with a score of 90% or better

Definitions and examples
According to the GAO, Personally Identifiable Information is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
- Any sort of name (first, last, maiden, mother’s maiden, alias, etc.)
- Government ID numbers such as SSN, driver’s license, passport
- Status information such as address, employment status, education status
- Telephone numbers (cell, home, business, etc.)
- Any additional information that can be linked to the information above (DOB, place of birth, etc.)

Why should we protect Personally Identifiable Information?
The Family Educational Rights and Privacy Act (FERPA)
- Protects against the disclosure of Personally Identifiable Information and educational records of students
- Governs who has access to this data

- School officials with legitimate educational interest
- Other schools to which a student is transferring
- Specified officials for audit or evaluation purposes
- Appropriate parties in connection with financial aid to a student
- Organizations conducting certain studies for, or on behalf of, the school
- Accrediting organizations
- To comply with a judicial order or lawfully issued subpoena
- Appropriate officials in cases of health and safety emergencies
- State and local authorities within a juvenile justice system pursuant to specific state law

- This important and commonly used document contains a considerable amount of PII
- Information from the COE, the databases associated with it (such as MSIX and MIS2000), and related documents is private!
- Only access the data necessary to perform your job duties
- Only for official purposes related to providing services

Protocols and responsibilities to protect sensitive information
- Ensure only authorized employees have access to private information
- Tie actions taken to a specific user
- Ensure employees have access only to the information required by their position
- Ensure NYS Migrant Education information is not released without consent

- Protect your logon credentials to your workstation, databases that you have access to, your accounts, etc.
- Never share your account passwords with anyone else. You are responsible for all actions taken with your credentials
- Staff should create STRONG passwords that use a combination of uppercase letters, lowercase letters, numbers, and symbols
- Passwords should be updated regularly

- Physical documents containing PII should be kept in an area accessible only to staff that can be locked during non-business hours
- Computers should be locked with [Windows] + [L] or logged off whenever they are unattended
- Digital media containing migrant family information should be encrypted with appropriate software
- Proper destruction methods should be observed when disposing of physical or electronic media that contains this information

Incidents, Social Engineering Attempts, Emails, Breaches
- An incident is when you suspect or can confirm that migrant family information is at risk of being shared with an unauthorized party
- Can be a simple mistake, such as sending an email with PII to the wrong recipient
- Can be the result of a computer virus infection
- Can be more malicious, such as an unauthorized party obtaining your credentials to databases
- Better safe than sorry: report any warning signs

- Be aware of individuals around you who can see your keyboard as you type in passwords
- Be aware of social engineering and scams. These include phony calls from help desks claiming to offer support for a problem you were not aware of, or suspicious emails asking you to click a link and enter your credentials

- Attachments should be scanned with antivirus software, and suspicious attachments should not be downloaded
- PII should NEVER be put in the body of an email, and should instead be sent as an encrypted attachment using appropriate encryption software
- Passwords to encrypted documents must be sent through alternative means outside of the email
- Only refer to a migrant student or individual with a Unique ID number that is assigned to them, such as those assigned by MSIX or MIS2000
- Include a confidentiality notice at the bottom of emails containing such attachments or information

Microsoft Office & 7-zip
A breach is unauthorized access to information or a database with the intent to compromise the system
- Step 1: Contain the breach
- Step 2: Contact immediate supervisor
- Step 3: Contact the ID&R / MIS2000 director
- Step 4: Document the breach
On many occasions, the ID&R / MIS2000 Director might request that you participate in a detailed evaluation of the events leading to the breach for official records, prevention, and other uses.

THANK YOU FOR ATTENDING!