PA-RPM 6 - Security of Information*
Electronic and printed information is protected against intentional and unintentional destruction or modification and unauthorized disclosure or use.
The agency protects confidential and other sensitive information from theft, unauthorized use, damage, or destruction by:
Interpretation: The agency needs to consider both safety and security when deciding where and how to store its records. Other important considerations include information taken off-site by staff and online access to the agency's computer system. The agency should develop a system that best fits its needs and circumstances.
Secure storage of paper records may include: locked file cabinets; a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys. Agencies may also consider using fireproof cabinets; metal file cabinets; a sprinkler system; or not storing records in basements in areas that are prone to flooding.
Note: Please see Checklist: Facility Observation in the Tools Index for additional assistance with this standard.
Case records are maintained and disposed of in a manner that protects privacy and confidentiality, and the agency: a. maintains case records for at least seven years after case closing unless otherwise mandated by law; and b. properly disposes of records in the event of the agency’s dissolution.
Interpretation: Adoption records or a summary of all salient information included therein are maintained permanently, and records of children or youth are maintained until the age of majority or a few years beyond, depending on advice of counsel.
Confidential information, when electronically transmitted, is protected by safeguards in compliance with applicable legal requirements.
Update: Added Interpretation - 03/01/11
Interpretation: Staff who deliver services using electronic media, including telephone and computer, discuss associated risks with service recipients.
NA The agency does not maintain a website.
The agency has policies and procedures that address the risks, benefits, and ongoing processes required to manage web-based technologies and electronic communications.
Update: Added Standard - 03/01/11
Interpretation: “Web-based technologies and electronic communications” include, but are not limited to: the agency’s own website, email, external websites, blogs, social media and networking sites, wikis, discussion forums, and photo and video sharing sites where the agency’s staff may interact with each other or with service recipients.
Risks associated with the use of web-based technologies and electronic communications may include: