COMMUNITY ACTION PIONEER VALLEY PRIVACY & CONFIDENTIALITY POLICIES


III. CONDITIONS GOVERNING EMPLOYMENT 

PRIVACY AND CONFIDENTIALITY 

Community Action cares about privacy and protecting the rights of clients/participants and employees. Employees must sign a Confidentiality Statement when they start working. 

Information about clients/participants or Community Action/HS & ELP business must not be shared with unauthorized people, both inside and outside the organization. 

  1. Confidentiality of Participants’, Children’s and Families’ Information 
  • Client records must be kept secure and locked. 
  • Only authorized employees can access client records when needed. 
  • Clients’/Participants’ records cannot be removed. 
  • Records can be copied for specific reasons like audits, family needs, school transition, or other authorized reasons under state and federal law. 
  • Private client/participant information must not be left out where others can see it. 
  • Employees can only discuss client/participant information on a "need to know" basis. They must be very careful about their discussion. No one outside the conversation should be able to hear information that is private. 
  • Talking about client/participant information with others outside the organization is not allowed. 
  • Medical, educational, and other private information about clients/participants must be kept confidential. 
  • Requests for release of information will be handled by designated program employees and will follow the law. 
  2. Confidentiality of Employees’ Information 
  • Employee records must be kept secure and locked. 
  • Only employees on a need-to-know basis can access employee records. 
  • Employee records cannot be removed. 
  • Copies of employee records can be made for audits, investigations, or other purposes, as long as this follows state and federal law. 
  • Employee information must not be left out where others can see it. 
  • Employees must be careful when discussing employee information to protect privacy. Special caution must be taken to be sure other children, families, or employees do not overhear information that is private. 
  • Discussion of an employee’s file information with volunteers, families, friends, or community members is prohibited. 
  • The HR Director will handle requests for the release of information. 
  • Community Action will only release information following the state and federal confidentiality laws. 

HS & ELP has plans in place for the management of program data. These plans effectively support the availability, usability, integrity, and security of the data. HS & ELP employees will follow the HS & ELP Data Management Plan and Procedure (available on the agency’s internal website) for sharing child records and protecting their privacy. The following regulations govern the management of personally identifiable information (PII): 

  • Records for each child are kept in a locked file and electronically in the HS&ELP database. Access to electronic files is granted only when required by an individual position.   
  • An employee will obtain a parent’s written consent before disclosing PII from child records. 
  • The parent’s written consent will specify which child records may be disclosed, explain why the records will be disclosed, and identify the party(s) to whom the records may be disclosed. 
  • The program may disclose without parental consent but with parental notice and the opportunity to refuse under certain circumstances. 
  • The program may disclose with parental consent under certain circumstances. 
  • The program collects employee information for the Brazelton Touch Points Center (BTPC) collaboration.  The BTPC will comply with the agency’s contract and keep information confidential as noted. 

Violation of Confidentiality Policy: Any employee who violates the Confidentiality Policy will be subject to disciplinary action, up to and including termination. 

X. INFORMATION TECHNOLOGY (IT) USAGE POLICIES 

  1. CONFIDENTIALITY AND PROTECTED INFORMATION 

All Community Action policies regarding confidentiality apply to use of telephone, electronic mail, computer and use of the Internet, including use of social networking services and any externally hosted services subscribed to by Community Action.  All staff members shall maintain propriety and an appreciation of the importance of keeping confidential all information concerning clients, even though such information may become a matter of public record.  No identifying information shall be transmitted over the agency IT systems unless properly encrypted in an attachment.  

Some data is specifically protected under Massachusetts law.  Personal Information is defined as the first name and last name or first initial and last name in combination with any one or more of the following:  

  1. Social Security number 
  2. Driver's license number or state-issued identification card number 
  3. Financial account number, or credit or debit card number (Based on 201 CMR 17.02) 

Protected Client Information will not be stored on agency laptop computers or other portable devices or media (e.g., flash drives, CDs, DVDs, etc.) or transmitted by email or any other electronic means unless properly encrypted. (See Community Action Laptop policy for additional information pertaining to agency laptops.) Staff are not permitted to download Community Action confidential information on non-agency computers for any purpose, including working on projects at home. 

  2. COMPUTER USER ACCOUNTS 

All staff using computers containing agency data will be assigned unique user accounts, including username and confidential password. This password shall not be shared with anyone else, including your supervisor. The only exception is IT Services for the purpose of setting up and servicing your account and assigned computer(s). 

The employee’s supervisor will notify IT Services as soon as possible of any pending termination of employment. Employee access to all accounts including email shall be terminated promptly at the end of employment. 

Files and information that must be shared in the course of routine business should be stored in areas where they may be accessed from outside your account by appropriate staff. If an employee is absent and access to their computer and/or files becomes necessary, IT Services can provide access at the direction of the supervisor.