Data Custodianship And Access Policy

Purpose

The Yogananda Seva (the “Organization”) maintains confidential information essential to its purpose of supporting members of the Self-Realization Fellowship and Yogoda Satsanga Society of India. This policy is intended to establish responsibilities for and availability of data containing confidential information.

Policy

While confidential information is critical to the Organization’s operations, this information must also be used with care. The benefit of sharing data is greatly diminished through misuse, misinterpretation or unnecessary restrictions on access. Although some portion of the Organization’s records are public information, some data are restricted by Organization policies and state or federal legislation. To comply with legislation and protect its community, the Organization has the right and obligation to protect, manage, secure, and control data under its purview. A violation of this policy may result in disciplinary action, up to and including termination.

Definitions

Confidential Information is defined as information disclosed to the Organization through the use of the Organization’s website and/or mobile application and which is not generally known outside the Organization, or is protected by law. Examples of Confidential Information include, but are not limited to, full name, Social Security number, driver’s license number, e-mail address, telephone number, credit card or bank account number.

Data Custodian: David Stember.

Data Users: Any Organization staff member, board member or volunteer who can access Confidential Information but does not have access to modify or delete that data.

Legitimate Need: A need for access to Confidential Information that arises within the scope of employment and/or in the performance of authorized duties.

Responsibilities

A. General

Access to Organization data is provided to staff members, board members and volunteers to conduct Organization business. Confidential Information, as defined by this policy, will be made available only to those Data Users who have a Legitimate Need for this information as demonstrated to the Data Custodian. All individuals accessing such data must observe the requirements for privacy and confidentiality, comply with the protection and control procedures, and accurately present the data used in any type of reporting. Individuals who have custodianship responsibilities for data access must establish internal controls to ensure that Organization policies are enforced. All Data Users are responsible for the security and privacy of the Confidential Information they access as prescribed by this policy. Please refer to the Organization’s Confidential Information Policy and Record Retention and Destruction Policy for more information.

B. Compliance

The Organization forbids the disclosure of Confidential Information in any medium, including electronic information, information on paper, and information shared verbally or visually (e.g. telephone or video), except as approved by the Data Custodians. The use of any Confidential Information for one’s own personal gain or profit, for the personal gain or profit of others or to satisfy personal curiosity is strictly prohibited. Data Users are responsible for the consequences resulting from their misuse of Confidential Information to which they have been granted access.

Should a security breach occur or the misuse of Confidential Information be reported, the Data Custodian, or other properly appointed individual, will invoke an incident response process, assembling the appropriate team to investigate the facts related to the situation and determine whether or not the matter should be referred to law enforcement. Disciplinary action will be taken in accordance with applicable regulations or Organization policy, up to and including termination.

All individuals accessing the Organization’s records are required to comply with applicable federal and state laws and Organization policies and procedures regarding security of Confidential Information and to exercise discretion with regard to such data. Any staff member, board member or volunteer who engages in unauthorized use, disclosure, alteration, or destruction of Confidential Information in violation of this policy will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

C. Specific Responsibilities Delegated to Data Custodian and Data Users

  1. Data Custodian
    The Data Custodian is responsible for:

    • Granting access to Confidential Information for a Legitimate Need as defined in this policy.
    • Ensuring accuracy of all data within their area of responsibility.
    • Periodically reviewing access to all data within their area of responsibility and updating access of users if necessary.
    • Ensuring that Data Users understand their responsibilities with regard to their approved access to Confidential Information.
    • Promptly reporting any possible breach in computer security or misuse of Confidential Information to his or her supervisor.
    • To the extent applicable, reviewing appeals resulting from decisions to deny access.
    • Monitoring the retention and destruction of Confidential Information.
  2. Data Users
    Data Users are responsible for:

    • Using Confidential Information only as required to perform his or her job responsibilities and as authorized by the Data Custodian.
    • Respecting and protecting the confidentiality and privacy of individuals to whose records they have access.
    • Abiding by federal and state laws and Organization policies and procedures with respect to access, use, and disclosure of Confidential Information.
    • Promptly reporting any possible breach in computer security or misuse of Confidential Information to the Data Custodian and his or her supervisor.

Data Storage and Retention

We will retain your Confidential Information only as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, reporting requirements, or enforcing our agreements. Our Data Custodian will monitor and enable our process of identifying which records and information have met their required retention period and will supervise their destruction.

Electronic data containing Confidential Information must be stored in encrypted formats and on secure servers owned, maintained and operated by the Organization (the “Organization Data System”). Confidential Information cannot be stored on a system other than the Organization Data System without the advance permission of the Data Custodian and demonstrated Legitimate Need. Electronic data containing Confidential Information cannot be stored on any mobile computing device, which includes, but is not limited to, laptops, tablets, iPads, personal digital assistants (PDAs), cell phones, CD/DVD R/W disks, USB devices, flash drives or zip drives, without the advance permission of the Data Custodian and demonstrated Legitimate Need. Data stored on mobile computing devices must be protected by current security standard methods (such as controlled access, firewalls, antivirus, fully updated and patched operating systems, etc.). Communication of Confidential Information via end-user messaging technologies (i.e., e-mail, instant messaging, chat or other communication methods) is prohibited.

Data Destruction

Generally, destruction and disposal of a record implies that it is made unrecognizable and disposed of in compliance with applicable laws and regulations.

  • All paper records containing Confidential Information should be shredded before disposal. This may be accomplished by shredding them in the office or through a reputable records destruction service.
  • Recycling services should be used where possible, but they must be certified and bonded to handle sensitive business records, or the records must be destroyed before they are turned over to the recycling service.
  • Electronic data scheduled for destruction shall be deleted from all individual computers, databases, networks, and back-up storage or otherwise be disposed of in a manner that ensures protection of any sensitive, proprietary or Confidential Information.
  • No record, whether in paper or electronic format, shall be destroyed if it is part of, or may be part of, ongoing litigation.