
Policy #: 3.040
Title: General Records Retention and Protection of Records Containing Personal and Confidential Information
Effective Date: 05/13/58
PURPOSE
_______________________________________________________________
Provides general guidelines to be followed by departments in the retention and destruction of records and specific procedures for the protection of records containing personal and confidential information.
REFERENCE
_______________________________________________________________
May 13, 1958 Board Order, Synopsis 46
February 28, 2006 Board Order No. 23-A
May 2, 2006 Board Order No. 3
October 3, 2006 Board Order No. 16
Policy No. 6.100: Information Technology and Security
Policy No. 6.106: Information Technology Physical Security
Policy No. 6.107: Information Technology Risk Assessment
May 8, 2007, Board Order No. 26
Policy No. 6.109: Security Incident Reporting
Policy No. 6.110: Protection of Information on Portable Computing Devices
Policy No. 6.111: Information Security Awareness Training
POLICY
_______________________________________________________________
County departments are to comply with the following general guidelines on records retention and specific procedures pertaining to protection of records containing personal or confidential information pending (1) Board of Supervisors' approval of the General Retention Schedules for common administrative records, which will be applicable to all County departments; and (2) Board of Supervisors' approval of the Retention Schedule specific to the records maintained by a particular department. Thereafter, each department must follow the General Retention Schedules; its specific Retention Schedule; and any policies and procedures approved by the Board of Supervisors regarding records management practices.

Records Retention – Generally

County departments shall retain records that are useful and/or are required by law (including State or Federal law) to be filed and preserved. However, County departments may destroy any record, paper or document that:

1. Is more than two years old;
2. Is of no further use to the department;
3. Is not expressly prepared or received pursuant to State statute or County charter; and
4. Is not expressly required by any law (including State or Federal law) to be filed and preserved.

Protection of Records Containing Personal or Confidential Information

County departments shall secure and appropriately dispose of all records, papers or documents with personal or confidential information.

Confidential information is information that is sensitive, proprietary or personal to which access must be restricted and whose unauthorized disclosure could be harmful to a person, process or to an organization.

Personal information is any information maintained by a department that identifies or describes an individual including, but not limited to, his or her name, social security number, physical description, home address, telephone number, education, financial matters, and medical or employment history.

Paper documents that contain personal or confidential information such as social security numbers, health-related information, or financial information must be properly stored and secured from view by unauthorized persons. Secure measures must also be employed by all departments to safeguard personal or confidential data contained on all information technology assets in the custody of the County. (See also Board of Supervisors Policies 6.100 Information Technology and Security, 6.106 Information Technology Physical Security, 6.107 Information Technology Risk Assessment and 6.110 (Tentative), Portable Computing Device Security.)

Departments must ensure that only authorized personnel may hold and have access to such information.

Destruction of Records Containing Personal or Confidential Information

When records containing personal or confidential information are ready for destruction, departments shall destroy the information completely to ensure that the information cannot be recognized or reconstructed. In addition, any personal or confidential data contained on computer media must be obliterated and/or made indecipherable before disposing of the tape, diskette, CD-ROM, zip disk, or other type of medium.

Each department must provide appropriate methods and equipment to routinely destroy personal or confidential information. The safeguards listed are in priority order with the most highly recommended safeguard listed first. At a minimum, one of the following safeguards must be implemented:

• Conduct due diligence and hire a document destruction contractor to dispose of material either offsite or onsite.
  o Require that the disposal company be certified by a recognized trade association.
  o Review and evaluate the disposal company's information security policies and procedures.
  o Review an independent audit of a disposal company's operations and/or its compliance with operations.
• Secure and utilize shredding equipment that performs cross-cut or confetti shredding.
• Secure and utilize erasing equipment.
• Modify the information to make it unreadable or indecipherable through any means.

Confidential Information Incident Reporting

Each department must disclose to the department's management and the designated security officer any actual or suspected incident in which confidential information is disclosed to, or obtained by, an unauthorized person. Notification of the security incident must be made in the most prompt and expedient manner after the incident has been discovered. In addition, any such incident must be reported to the Fraud Hotline at 800.544.6861 or the Auditor-Controller's Office of County Investigations website at www.lacountyfraud.org where protocols are in place to respond to the incident.

Within ten days, a letter notifying affected individuals of actual or suspected loss or disclosure of personal or confidential information must be sent by the impacted County department describing the types of information lost and recommended actions to be taken to mitigate the potential misuse of their information.

The Chief Information Security Officer must also be promptly informed of the security breach associated with electronic data in order to communicate with other County departments and identify appropriate measures and safeguards. (See also Board of Supervisors Policy 6.109 (Tentative): Security Incident Reporting, and 6.111 (Tentative): Information Security Awareness Training.)

Policy Exceptions

There are no exceptions to this policy.
RESPONSIBLE DEPARTMENT
_______________________________________________________________
Chief Executive Office
DATE ISSUED/SUNSET DATE
_______________________________________________________________
Issue Date: May 13, 1958
Sunset Review Date: May 13, 2003
Review Date: July 22, 2004
Sunset Review Date: May 13, 2006
Review Date: October 3, 2006
Sunset Review Date: October 3, 2010