PERSONAL INFORMATION PROTECTION POLICY
Wednesday, November 3, 2021
SCORE Association (“SCORE”) has adopted this Personal Information Policy (the “Policy”) to govern the treatment of Personal Information of our employees, volunteers, clients, or the general public. The loss of Personal Information can result in substantial harm to individuals, including fraudulent use of the information. Protecting the confidentiality and integrity of Personal Information is a critical responsibility that must be taken seriously at all times. Compliance with this Policy is mandatory.
The purpose of the Policy is to:
- Define Personal Information and Sensitive Personal Information.
- Outline types of Personal Information that can and cannot be collected and stored
- Establish general principles for protection of Personal Information.
- Assign accountability for protection of Personal Information.
This Policy applies to all SCORE Headquarters staff (employees and contractors), volunteers, independent contractors, agents, and representatives, including any third-party provider of services to SCORE (“Third-Party Service Provider”) who have access to Personal Information SCORE has collected or otherwise has in its possession. This Policy applies to all Personal Information collected, maintained, transmitted, stored, retained, or otherwise used by SCORE regardless of the media on which that information is stored and whether relating to employees, volunteers, clients, or any other person.
“Personal Information” means information SCORE has collected or otherwise maintains or has in its possession that identifies or can be used to identify or authenticate an individual, including, but not limited to:
- Telephone numbers;
- Email addresses;
- Employee identification numbers;
- User passwords or PINs;
- User identification and account access credentials, passwords, PINs, and security question answers;
- Financial account numbers;
- Geolocation data; and
- Biometric, medical, health, or health insurance information.
“Data Owner” means the owner of any Personal Information.
“Data Subject” means the person about whom Personal Information is collected.
“Sensitive Personal Information” means Personal Information that due to its nature is subject to heightened protections. Examples include, but are not limited to:
- An individual’s government-issued identification number, including a Social Security Number, driver’s license number, or state-issued identification number;
- A financial account number, tax identification number, credit card number, or debit card number with or without any required security code, access code, PIN, or password, that would permit access;
- Biometric, medical, health or health insurance information;
- Religious or philosophical beliefs or political opinions;
- Trade union membership;
- Sexual orientation; and
- Criminal records.
“Security Incident” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards of SCORE or a Third-Party Service Provider has put in place to protect Personal Information. The loss of or unauthorized access to, disclosure, or acquisition of Personal Information is a security incident.
“Personal devices” include cell phones, laptops, tablets, or home computers.
I. Collection of Personal Information
You may only collect Personal Information in compliance with applicable SCORE policies and the Personal Information collected must be limited to that which is reasonably necessary to accomplish SCORE’s legitimate business purposes or as necessary to comply with law. SCORE will only collect certain Personal Information to further SCORE’s mission, track progress, and demonstrate successes of demographic groups.
Employees and Volunteers
SCORE may collect Personal Information and Sensitive Information. Such information will be kept in a safe and secure place with access limited to employees within the Human Resources department or Third-Party Service providers. Access is limited to those individuals with a business need to know.
Clients, and the General Public
The following types of Personal Information may be collected:
- Telephone number
- Email address
- Last four digits of social security number
The following types of Personal Information may only be collected on a voluntary basis:
- Payment information (only to be collected and stored by a Third-Party Service Provider and only for event registration).
SCORE or its employees and volunteers are prohibited from collecting the following:
- Full social security numbers
- Personal tax information
- Complete date of birth
II. Access, Use, and Sharing of Personal Information
You may only access Personal Information when the information relates to and is necessary to performing duties on behalf of SCORE. You may not access Personal Information for any reason unrelated to your role with SCORE. You may not use Personal Information in a way that is incompatible with the purposes stated to the Data Subject or Data Owner at the time the information was collected. This includes not using SCORE client or volunteer email lists for non-SCORE-related events, promotional activities, or any other events or activities that are not germane to the client or volunteers being contacted. You may only share Personal Information with another SCORE employee, volunteer, or contractor if the recipient has a SCORE-related need to know the information. Personal Information may only be shared with a Third-Party Service Provider if it has a need to know the information for the purpose of providing the contracted services and if sharing the Personal Information complies with the purposes stated to the Data Subject or Data Owner.
Internal Email Protocol
Chapters should limit the use of group emails to include members of their chapter and/or district, as needed.
Districts should limit the use of group emails to include members of their district and/or region, as needed.
Any group email that you would like to be distributed outside of this protocol should be directed to the Field Operations staff who will work with field leadership. This should include the reason for the email and the expected outcome for sending it.
You must collect, maintain, and use Personal Information that is accurate, complete, and relevant to the purposes for which it was collected.
You are responsible for protecting Personal Information that you receive or collect on behalf of SCORE. You must exercise care in protective Sensitive Personal Information from loss unauthorized access and unauthorized disclosure. Personal Information collected through the SCORE website, or SCORE supported technology systems including Engage is secured in accordance with the “Information Security” Section of SCORE’s website Policy. You should make every effort to use the secure SCORE tools whenever possible. Always avoid storing Personal Information locally on you own personal device.
Any Personal Information that is not collected and stored on a SCORE database or server must adhere to the following security standards:
- Personal Information collected and stored electronically (Forms, surveys, excel or word documents) must:
- Be stored on a password protected server.
- Be stored on lockable/password protected devices.
- Personal Information collected in print or printed (check copies, personal registrations etc.) must:
- Be stored in a locked cabinet or drawer.
- Be accessible only to a limited number of SCORE employees, volunteers, or field staff.
All Personal Information stored remotely (including at-home offices) must follow the same security standards as outlined above.
When an individual with access to Personal Information leaves or is dismissed from SCORE, the chapter leader or supervisor must recover any physical keys and SCORE owned IT equipment from the individual before individual’s SCORE duties have concluded. The chapter leader or supervisor must also change any passwords or access codes that the individual had access to.
V. Retention and Disposal
You should keep Personal Information only for the amount of time it is needed to fulfill the legitimate business purpose for which it was collected or to satisfy a legal requirement. You must follow the applicable records retention schedules and policies and destroy any media containing Personal Information when it is no longer needed. This includes ensuring that all paper files containing Personal Information that are outside of the record retention policy are shredded and properly disposed.
It is inevitable that some personal information, such as Names, Telephone numbers, Email addresses will be stored on personal devices. If personal devices are used for SCORE business (example updating a business plan) there should be no information linking the work product directly to the data subject.
If any sensitive personal information, does end up on a personal device the information should be deleted from the device.
All SCORE employees, volunteers, and contractors who have access to Personal Information must be educated on this Policy and the treatment of Personal Information. In addition, whenever Personal Information is entrusted to a Third-Party Service Provider, proper management, and supervision over the outside party’s handling of that Personal Information must be ensured through appropriate contracts.
VII. Reporting a Security Incident
If you know or suspect that a Security Incident has occurred, do not attempt to investigate the matter yourself. Immediately contact the SCORE Helpdesk at firstname.lastname@example.org. You should preserve all evidence relating to the potential Security Incident.
VIII. Monitoring Compliance and Enforcement
SCORE Headquarters is responsible for administering and overseeing implementation of this Policy and, as applicable, developing related operating procedures, processes, policies, notices, and guidelines. If you are concerned that any provision of this Policy, or any related policy, operating procedure, process, or guideline designed to protect Personal Information, has been or is being violated, please contact SCORE’s Helpdesk at email@example.com. SCORE will conduct periodic reviews and audits to assess compliance with this Policy. SCORE employees, volunteers, and contractors who violate this Policy and any related guidelines, operating procedures, or processes designed to protect Personal Information and implement this Policy may be subject to discipline.
Related Policies and Procedures:
SCORE Website Policy
SCORE Chapter Record Retention Policy
SCORE Headquarters Record Retention Policy