Release of Information to Third Party Consultants Policy

PURPOSE:

As defined by the New York State Information Security Breach and Notification Act (part of the “Internet Security and Privacy Act”), “private information” must not be released as storable data to third party consultants without security procedures that demonstrate diligence by Jefferson Community College and the third party in protecting the data and ensuring its proper destruction when working with a third party consultant/contractor.

STATEMENT OF POLICY:

  1. The following statement will be included in any contract between Jefferson Community College and a third party consultant/contractor: 

    “Contractor shall comply with the provisions of the New York State Information Security Breach and Notification Act (General Business Law Section 899-aa and State Technology Law, Section 208). Contractor shall be liable for the costs associated with such breach if caused by Contractor’s negligent or willful acts or omissions or the negligent or willful acts or omissions of Contractor’s agents, officers, employees or subcontractors.”

  2. When working with a third party consultant/contractor, the College will approve whether there is a need for the release of “private information.”
  3. When working with a third party consultant/contractor, the College will approve the mechanism for encrypting the “private information” to be released.
  4. The consultant/subcontractor must provide written approval for receiving the “private information.”
  5. The consultant/subcontractor must provide written assurance of proper security for the stored “private information.”
  6. The consultant/subcontractor must provide written assurance of proper destruction of the “private information” when the project has been completed or the “private information” is no longer needed.
  7. Documentation of the transfer of “private information” shall be kept in writing by, and stored in, the Vice President of Administration’s office. The documentation shall include:
    1. The date the information was provided
    2. The type of sensitive data
    3. The type of security and/or encryption used
    4. The location of written approval by the College and the third-party consultant/contractor
    5. Record of the plan for destruction of the data by the third-party consultant/contractor
    6. Responsible parties (names, contact information and employer) to the transfer for the College and the third-party consultant/contractor
  8. The Board of Trustees hereby authorizes the President, or his/her designee, to develop and establish appropriate standards and procedures to implement and enforce this policy.

Definitions

“Private Information” shall mean personal information (i.e. information concerning a natural person which, because of name, number, symbol, mark or other identifier, can be used to identify that natural person) in combination with any one or more of the following data elements:

    1. Social security number
    2. Driver’s license number or non-driver identification card number
    3. Account number, credit or debit card number, in combination with any required security code, access code or password which would permit access to an individual’s financial account

“Private Information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

Revision 12/13/2012

Third Party Consultants

Resolution 128-12