Saturday, June 30, 2012

Trimet records management

(Nice easy read) MAKE SURE TO SCROLL DOWN


SCOPE

This policy applies to all eligible TriMet employees and to all records created, received and maintained by TriMet. This policy is administered by and subject to the oversight of the Legal Department, with the exception of the Sensitive Security Information (“SSI”) component of this policy, which is subject to the oversight of the Director, Operations Support and is detailed in Part 7 of this policy.

PURPOSE

The purpose of this policy is to establish agency-wide sound records management practices. To assist in the establishment of such practices, the policy outlines procedures and sets standards for the creation, maintenance, access, safeguarding and disposition of agency records.
The central goals of this policy include:
  • Ensuring compliance with state and federal requirements for the creation and retention of records;
  • Ensuring the ability to comply with (and verify the thoroughness of response to) requests for public disclosure and specific court orders requiring the production of TriMet records;
  • Ensuring that records are managed in an efficient and cost-effective manner;
  • Ensuring that records are managed as a resource and that records are created and preserved in a manner consistent with their role as TriMet’s institutional memory;
  • Ensuring that the confidentiality of private and sensitive security records is preserved, including private or confidential employee records and SSI;
  • Ensuring that records are retained for possible use in future legal and administrative proceedings;
  • Ensuring that TriMet records are sufficient to discharge TriMet’s duty to preserve a full and accurate history of its functions and operations;
  • Ensuring that TriMet does not expend resources on the retention of records beyond the statutorily defined retention period and beyond their useful business life;
  • Ensuring this policy and related records management procedures are well understood and adhered to by TriMet employees.

POLICY

The requirements of this policy are divided into 7 parts; a subject index is included for ease of reference:
Part 1: General
Part 2: Creation of Records
Part 3: Maintenance of and Access to Records
Part 4: Disposition of Records
Part 5: Public Access to Records
Part 6: Private or Confidential Records
Part 7: Sensitive Security Information (“SSI”)
Part 8: Legal Holds

Part 1: General

Policy

All records that are created or received by employees in the course of their work at TriMet, or transferred onto or stored on TriMet information technology are the property of TriMet and are subject to its control.
Implementation of Policy; Responsibilities:
  • Executive Directors are responsible for implementing and enforcing the provisions of this policy, and for appointing staff person(s) to serve as Records Coordinator(s) within their divisions. Executive Directors shall promptly notify TriMet’s Records Analyst of their appointments or of any changes in appointments of Records Coordinator(s) within their divisions.
  • Records Coordinators are responsible for the day-to-day management of their divisions’ records in accordance with this policy and shall serve as liaisons to TriMet’s Records Analyst. Records Coordinators are responsible for the following: (1) assisting in the development of divisional records management policies, procedures and systems; (2) advising and training divisional staff concerning this policy and records management procedures; (3) ensuring control over the transfer, storage, archiving and destruction of the division’s records; (4) assisting the Legal Department with responding to public records and litigation-related records requests; (5) assisting TriMet’s Records Analyst with coordinating records-related activities; and (6) assisting the Operations Division with implementing TriMet’s SSI policy.
  • TriMet’s Records Analyst is responsible for developing an agency-wide records management program, issuing records management guidance, providing records management assistance to Records Coordinators, and serving as the agency liaison to the State Archivist.
  • All TriMet employees have duties relative to the creation, maintenance, access, safeguarding and disposition of records as specified in this policy.

Guidelines:

1. What is a record?
A record is any form of recorded information. Generally, any work that you produce, receive or acquire in connection with your employment with TriMet is a record.
2. What level of privacy and interest do employees have in records?
None. Employees have no expectation of privacy in regard to records created or received in the course of their work at TriMet. In addition, HR-200 (TriMet’s Information Technology Basic Policy) provides: “(e)lectronically stored information, whether related to business purposes or personal use, is not personal or private and is potentially subject to public disclosure under Oregon’s public records law. This includes personal information transferred onto or stored in TriMet information technology, and potentially includes information stored in employees’ personally owned computers, cell phones and handheld devices if those computers, cell phones or handheld devices are used in conjunction with TriMet’s information technology. TriMet has the right to monitor use of computers, handheld devices, e-mail and Internet access without advance notice.”
Employees should also be aware that any records created or received in the course of their work for TriMet, and any records transferred onto or stored using TriMet’s information technology may be produced or be discoverable in a lawsuit. Further, even if a record is exempt from disclosure outside the agency, it is a part of TriMet’s institutional memory, and may be accessed and used by TriMet management.
3. Are all records treated the same?
In general, the treatment of TriMet records depends on the nature of the record. State and federal law recognizes general categories of records that include:
  • Public Records: “Public records” are defined by state and federal laws. These laws require TriMet to retain its public records for certain periods of time, and to make its non-exempt records available to the public for inspection. State law definitions of “Public Records”:
— For purposes of public inspection, a “public record” includes: any writing that contains information relating to the conduct of the public’s business, including but not limited to court records, mortgages, and deed records, prepared, owned, used or retained by TriMet regardless of physical form or characteristics.
— For purposes of TriMet records retention, a “public record” means any information that: (A) Is prepared, owned, used or retained by TriMet; (B) Relates to an activity, transaction or function of TriMet; and (C) Is necessary to satisfy the fiscal, legal, administrative or historical policies, requirements or needs of TriMet.
Requirements for retention of public records are covered in Part 4 of this policy. Requirements for access to public records are covered in Part 5 of this policy.
  • Private or Confidential Records: Confidential records include private information for which disclosure is prohibited, unless required or permitted such as in connection with a court proceeding or by a state and/or federal regulatory agency. Private or Confidential records include:
— Personal information that is confidential and private in nature, including information found in confidential and private employee and customer records such as protected medical information, Social Security numbers, driver’s license numbers, passport numbers, and financial account information.
— Proprietary information provided to TriMet under contract with another entity under condition that TriMet not further disclose the records.
— Other information made confidential or exempt from disclosure by law.
Private or confidential records may be “public records” that must be retained under state and/or federal law, even if subject to exemption from public disclosure. Requirements for Confidential Records are detailed in Part 6 of this policy.
  • Sensitive Security Information (“SSI”): SSI is defined by federal regulations. A record that meets the definition of SSI must be treated as SSI, even though it has been publicly disclosed, or widely distributed within TriMet in the past. Requirements for SSI are detailed in Part 7 of this policy.

4. Are there any records that do not need to be created or retained?
Yes. Generally, the following categories of records do not need to be created or retained:
5. What happens to employee work records when an employee separates from employment with TriMet?
All records within an employee’s possession pertaining to TriMet business are the property of TriMet and may not be removed or retained by an employee upon separation. An employee may remove or retain only records of a purely personal nature.
Prior to separation, employees shall assist their supervisors and divisional Records Coordinators in ensuring that their work records (including e-mail and other electronic records) are appropriately retained in their division’s record-keeping system.
See HR-430 and HR-432 for further information on employee separation from employment.
6. Who should employees contact if they have any questions about TriMet’s records policies and procedures?
Employees should contact the designated Records Coordinator in their divisions if they have questions about TriMet’s Records Management Policy or their divisions’ records management procedures. Employees may also contact TriMet’s Records Analyst if they have questions about TriMet’s Records Management Policy, legal holds, or public access to records.

Part 2: Creation of Records

Policy

Employees have a duty to create complete and accurate records that appropriately document the transaction of TriMet business.

Guidelines

1. Who is responsible for creating records?
Every employee is responsible for creating complete and accurate records that provide adequate and appropriate documentation of TriMet’s business functions, policies, decisions, transactions, and operations. The creation of records should generally be incorporated into each employee’s regular tasks to ensure that information is adequately captured.
2. What type of records should employees create?
Generally, employees should create records that are sufficient to reflect TriMet’s business functions, policies, decisions, transactions and operations. The records should be sufficient to fairly represent the entirety of the work performed, and should include materials received by TriMet in addition to materials generated by TriMet. Some general types of records that employees should create include, but are not limited to:
  • Records that document verbal communications such as meetings, telephone calls and in-person discussions that are related to significant TriMet business;
  • Records that document the negotiation and execution of, and performance under, legal and contractual agreements;
  • Records that document the development and implementation of TriMet policies, decisions, and actions;
  • Records that document communications related to significant TriMet business between TriMet employees and external organizations or individuals;
  • Records that document the development and implementation of business programs, functions, transactions and operations.

3. What is “appropriate” documentation of TriMet business?
“Appropriate” documentation means documentation that is appropriate for public disclosure. Employees should use adequate professionalism and formality when creating records. Records should never contain offensive or inappropriate content or language. Employees should keep in mind that any record they create could be published in a newspaper, so it is important to create records that are appropriate for public disclosure. This applies particularly to e-mails, which are often mistakenly viewed as an informal means of communication.
4. Do employees need to create records for events or activities that they will not forget or will not need to retrieve?
Yes. Employees must create records when the records are necessary to document TriMet business. Records are to be created for the benefit of TriMet without regard to their necessity to the creator. Records should be created by employees with direct knowledge of the event, activity, or facts represented in the record, and as close in time to the event or activity as possible.
5. Are there any limitations on the sources of records – are there some mechanisms for acquiring records that are not permissible?
Yes. Information that is confidential and personal in nature should only be obtained lawfully, and with the knowledge and consent of the subject. Only information that is necessary for the stated purpose can be collected. Confidential and personal information cannot be shared or discussed with any employee who does not have a critical and continuous work-related need for the confidential information, and should never be shared with anyone outside TriMet, except through the Legal Department. See Part 6 – Private or Confidential Records for further guidance.

Part 3: Maintenance of and Access to Records

Policy

Every TriMet employee has a duty to maintain and preserve TriMet records for the benefit of TriMet and the public in reliable, appropriately secure record-keeping systems. Each TriMet division shall establish reliable, appropriately secure record-keeping systems that adequately preserve the content and context of its records, and facilitate the timely retrieval of records, with or without the assistance of the creator, for the duration of the retention period. All TriMet division record-keeping systems shall conform to written policies, assigned responsibilities and formal methodologies that fully and accurately document the overall management of the system and maintain accurate controls.

Guidelines

1. What is a “reliable” record-keeping system?
A reliable record-keeping system is one that ensures adequacy of documentation, adequate system controls (such as audit trails), guidelines for classifying and filing records, and procedures for measuring the accuracy of data input and output. A reliable system also ensures that users are able to locate and retrieve records in a timely manner, with or without the assistance of the creator for the duration of the retention period.
Divisions should establish procedures to ensure that business records (including e-mails and other electronic records) that employees create or receive are incorporated into the divisions’ record-keeping systems, and not stored solely in locations or systems where records are inaccessible to other employees who have a legitimate business need for those records.
2. What is an “appropriately secure” record-keeping system?
An appropriately secure record-keeping system is one in which the storage and access controls sufficiently protect against wrongful disclosure, loss, damage or alteration of records. In general, the sufficiency of the system depends upon the type of information contained within a record.
Public records:
  • Should generally be maintained in fire-resistant structures and in areas where heat and humidity are controlled; and
  • Should generally be located in spaces that are kept free from obstruction and physically protected from water leakage or other destructive sources.
See Parts 6 and 7 of this policy for discussion of private or confidential records, and SSI records.
3. Under what circumstances might retrieval of records be necessary?
The retrieval of records may be required in the ordinary course of TriMet business (for review of a transaction/activity or other reference purposes), for audit purposes (financial, regulatory oversight, or internal), or for secondary purposes, including court proceedings, public records requests or historical research.

Part 4: Disposition of Records

Policy

TriMet divisions shall establish record-keeping systems and procedures to maintain and preserve records (in their original forms if possible) for the period of time prescribed by applicable state and federal laws. At the end of the prescribed retention period, the records shall be purged from TriMet’s records systems, regardless of the form or location of the record, unless it has been determined that TriMet’s business needs warrant a longer retention period or the Legal Department has placed a legal hold on the record (temporarily suspending destruction of the record).
Each division shall establish procedures governing the process of destruction and shall ensure that destruction occurs in conformance with TriMet’s records retention schedule, or the instructions of the Legal Department, and at no other time. Divisions should consult TriMet’s Records Analyst before destroying records.
Only authorized persons can destroy records that contain private, confidential or sensitive security information and must use appropriate mechanisms when destroying records to prevent the unauthorized reconstruction or recognition of the private, confidential or sensitive security information.
TriMet divisions shall take appropriate steps to ensure the long-term preservation and access of official records requiring permanent retention under applicable state and federal laws. Long-term preservation of permanent records shall conform to rules set by the State Archivist.

Guidelines

1. How long do public records have to be retained?
  • TriMet follows the State Archivist’s General Retention Schedule for Counties and Special Districts (“Retention Schedule”), which is located in the Oregon Administrative Rules, Chapter 166, Division 150. The Retention Schedule prescribes minimum periods of time that public records must be retained. In addition, the Retention Schedule authorizes TriMet to destroy or otherwise dispose of public records after expiration of the prescribed retention period. The Retention Schedule is available online¹; the State Archives Division provides additional guidance on how to use the Retention Schedule on its website.²
  • Additional retention requirements apply to records produced in conjunction with a federally funded project, which may be found in federal laws and regulations and FTA grant requirements.
  • If state and federal retention requirements conflict, the longer retention period applies. Employees should be aware that state and federal law might require certain records to be retained permanently.
  • Obsolete records should not be held within any TriMet records system beyond the date for destruction specified under the State Archivist’s Retention Schedule or the applicable federal destruction schedule (whichever is longer) unless it has been determined that TriMet’s business needs warrant a longer retention period, or records destruction has been temporarily suspended by the Legal Department because of an anticipated or pending governmental investigation, audit or legal proceeding (known as a “legal hold”).
2. What is a “legal hold” and what obligations do employees have if they receive notice that certain records in their possession are potentially subject to a legal hold?
A legal hold is a directive issued by the Legal Department to preserve records that may be relevant to a lawsuit, governmental investigation, or an audit involving the agency. Records (including e-mails and other electronic records) that are relevant to the lawsuit, governmental investigation or audit must not be deleted, destroyed, concealed or altered while the legal hold is in effect. See Part 8 – Legal Holds for specific requirements.
3. What is an “official” record?
An official record is the designated public record when multiple copies exist. Generally, each division should designate the copy of a material that will constitute the official record – all other copies that are used for convenience of reference only are “duplicates” and do not need to be retained.
4. If there is more than one copy of a public record, must all copies be retained?
No. The State Archivist’s Retention Schedule only requires that the “official” copy of a record be retained; all other copies used for convenience of reference do not need to be retained. However, a duplicate copy of a record that includes additional information such as substantive annotations or comments that relate to the agency’s functions and programs is a new record and must be retained in accordance with the Retention Schedule. If it cannot be conclusively determined whether a record is the “official” copy, the record should be retained.
5. What is the procedure for identifying the “official” copy of a record and who is responsible for retaining it?
Generally, the procedure for identifying the “official” copy of a record requires a “functional analysis” of the record’s content. A division is responsible for maintaining the “official” copy of a record in accordance with the Retention Schedule if the content of the record relates to the function the division serves within the agency.
Some examples of the “functional analysis” include:
  • An e-mail exchange between a Finance Department manager and the Human Resources Department regarding a revision to a Finance employee’s job description. Job descriptions are more closely a function of the HR Department, so HR is responsible for retaining the official copy.
  • The agenda and minutes for a Safety Committee meeting that is distributed to attendees. The Safety Committee is a function of the Operations Division so Operations (specifically the Safety Department) is responsible for retaining the official copy.
  • A work order sent to a contractor for a contract that a Capital Projects & Facilities Division engineer manages. This is a crossover function with the Procurement and Contracts Department. Procurement is responsible for retaining the official copy of the signed contract, and the engineer (as contract manager) is responsible for retaining the official copy of day-to-day correspondence with the contractor.
If a “functional analysis” of a record does not clearly indicate a single division that should be responsible for maintaining the record, the record should be retained by the holder(s) of the record in accordance with the Retention Schedule, even if this results in retention of duplicates within the agency.
6. Do I need to retain drafts of public records?
Drafts that an employee creates but does not send to another party for discussion, revision or correction do not need to be retained. However, drafts that are forwarded to or received from another party for discussion, revision or correction generally must be retained in accordance with TriMet’s Retention Schedule. If revisions or corrections are made to a draft and forwarded for discussion, the draft needs to be retained if the entire record represents a significant change in content. Minor typographical changes do not constitute a “significant change.”³
7. How long do I need to retain e-mails?
The retention requirement depends on the content of the e-mail. E-mail is a tool for communicating and not a type of record so there is no blanket retention period prescribed for “e-mail records.” E-mail messages that contain information relating to the transaction of TriMet business are public records that must be retained in accordance with TriMet’s Retention Schedule. Each division should determine the method by which it will preserve e-mail for retention purposes. Employees should not rely on electronic back-ups; agency back-ups are not for the purpose of long-term storage.
See HR-201: Information Technology – Electronic Mail Policy for detailed guidance related to the retention of e-mail messages, including retention methods and the use of TriMet’s E-Mail Archiving and Retention Software (“EARS”).
8. What measures should be taken to preserve records during the retention period?
Records should be stored in appropriately secure facilities that are fire-resistant, and provide protection from heat, humidity, water damage, mold, and other destructive sources for the duration of the applicable retention period.
Records that the State Archivist requires TriMet to keep long-term or permanently (100 years or longer) must be preserved either on paper or microfilm. Employees must follow the State Archivist’s mandatory rules for microfilming permanent and long-term public records (see OAR Chapter 166, Division 025).
Public records that are not long-term records may be stored digitally, but must comply with the State Archivist’s mandatory rules for digital imaging if the records have a retention period of 10 years or longer (see OAR Chapter 166, Division 17).
9. Is it permissible for an employee to destroy copies of records held in individual office files?
No. No records should be destroyed, deleted or permanently removed from the records system except in accordance with the retention schedule or a legal hold, unless the records are duplicates or are items that employees are not required to create or retain (as described in Part 1).
10. When can records be destroyed?
Records can only be destroyed if ALL of the following criteria have been met:
  • TriMet is no longer legally required to retain the record (i.e. the applicable retention period has expired).
  • TriMet does not have a continuous business need for the record.
  • TriMet does not need the record to serve as its institutional memory (i.e. the record does not have historic or research value).
  • The record is not subject to any legal holds.

11. What is the procedure for destroying records?
Employees should follow the procedure established by their division for destruction of records. Generally, divisions should establish systems and procedures to monitor state and federal records retention requirements, and identify records that are scheduled for destruction. This includes records in any form, including paper hard copies, electronic records stored on TriMet’s information systems, and records in other formats. The procedures should include review and approval by the divisional Records Coordinator and the Records Analyst prior to the destruction of agency records. Records that contain private, confidential or sensitive security information (“SSI”) must be destroyed in such a manner that the information cannot be read or reconstructed. See Parts 6 and 7 of this policy for further discussion of private, confidential and SSI records.

Part 5: Public Access to Records


Policy

TriMet is subject to state and federal laws affecting the disclosure of public records. Generally, employees must forward requests to inspect or copy public records to the Legal Department for review and processing, except for requests for certain records that TriMet has created for purposes of public dissemination.

Guidelines

1. What is Oregon’s Public Records Law?
Oregon’s Public Records Law establishes the right of “every person” to inspect any public record of a public body in Oregon, subject to certain exemptions. The exemptions to Oregon’s Public Records Law may be found in ORS 192.501 and 192.502.
2. What should employees do if they get a request for records from the public?
Employees should forward public records requests to the Legal Department for review and processing. Oregon law requires a public body to respond to written requests to inspect or receive a copy of a public record as soon as practicable and without unreasonable delay. It also requires a public body to acknowledge receipt of the request and include one of six legally prescribed statements in the response. The Legal Department will respond to the requestor and will determine whether the requested records fall under an exemption and should be denied or partially denied. It will also calculate and charge any fees associated with the request.
Employees are not required to forward records requests to the Legal Department if the requested records have already been officially released to the public or are documents that were created for purposes of public dissemination. Examples of officially released documents and documents created for public dissemination include: marketing brochures, public affairs announcements, individual bus line rider information, project fact-sheets, transit system schedules, and procurement solicitation documents.
3. What should employees do if they receive a request for records from another public body?
The Oregon Attorney General’s Office has determined that a public body (including its staff if they are acting in their official capacities) may not use Oregon’s Public Records Law to obtain public records from another public body. However, TriMet often collaborates with other public bodies in the ordinary course of business. Employees should contact the Legal Department for guidance to determine whether there are any applicable exemptions or restrictions that would warrant denying disclosure of the requested records to another public body.
4. Is there a public records request form, and if so, where can employees and the public obtain a copy?
Public records request forms are available for download on TriMet’s website at http://www.trimet.org/ and on the Legal Department’s intranet site. Public records request forms may also be obtained by calling the Legal Department at 503-962-6489. Employees may direct requestors to the public records request form on TriMet’s website or send the form to requestors and instruct them to submit the completed form to the Legal Department. Each request must include the requestor’s name and contact information, a brief description of the records to be inspected, and any other specific information about the request.
5. Does TriMet charge a fee for public records requests?
Oregon’s Public Records Law authorizes TriMet to recover the “actual cost” of making records available to the public. A requestor may be required to make full or partial pre-payment of costs of compilation/review of requested records. Unless otherwise authorized by the Legal Department, fees for a public records request shall be assessed only after review by the Legal Department.

Part 6: Private or Confidential Records

Policy

Each TriMet division shall identify private or confidential records in its custody or control. The division shall maintain procedures to ensure that only essential private or confidential information is acquired and stored. The procedures shall provide for appropriate measures to protect the private or confidential records from unauthorized disclosure for the duration of the retention period. Every employee must ensure that access to private or confidential records, regardless of the location or manner of retention, is strictly limited to persons who have a critical and continuous work-related need for the confidential information.
Specific requirements for private or confidential Employee Records are addressed in HR 380, TriMet’s Human Resources Manual.

Guidelines

1. What are private or confidential records?
Confidential records include private information for which disclosure is prohibited, unless required or permitted such as in connection with a court proceeding or by a state and/or federal regulatory agency. Private or confidential records include:
— Personal information that is confidential and private in nature, including information found in confidential and private employee and customer records such as protected medical information, Social Security numbers, driver’s license numbers, passport numbers, and financial account information.
— Proprietary information provided to TriMet under contract with another entity under condition that TriMet not further disclose the records.
— Other information made confidential or exempt from disclosure by law.
2. What private or confidential information should be acquired and stored?
Only essential private or confidential information should be acquired and stored. Divisions are responsible for maintaining procedures to ensure that the private or confidential information they collect and store is absolutely required to fulfill their business function within the agency.
3. How must private or confidential records be secured or maintained in order to protect against unauthorized disclosure?
The storage and maintenance requirements will vary depending upon the level of privacy or confidentiality, and the form of the record. Specific requirements will be governed by the procedures established by each division, but generally, all employees must ensure that:

  • Controls exist at every level of disclosure to prevent unauthorized disclosures: i.e., hard copy to computer; computer program to additional computer program; hard copy to photocopy, etc.;
  • All hard copies of confidential records, including original copies and any other copies held by individual employees, are secured in a locked file cabinet and/or locked room with access limited to authorized personnel only;
  • All confidential information maintained within computer programs is adequately protected from hacking or other unauthorized access;
  • Proper physical controls prevent accidental viewing of confidential records;
  • Records are properly labeled in accordance with their designation as private and confidential; and
  • Confidential information is not shared or discussed with any employee who has not been determined to have a critical and continuous work-related need for the confidential information.
4. What constitutes unauthorized disclosure within the meaning of this policy? 
  • Unauthorized disclosure includes any dissemination of a written record, verbal communication about the content of a record, posting of a record, or any other action that causes or allows any person that is not authorized to access a record to know of its contents.
  • Unauthorized disclosure can be internal (to an employee or contractor without a critical and continuous work-related need for the confidential information) or external (to a person or entity seeking information about TriMet informally or through a records request that has not been approved by the Legal Department).
  • Unauthorized disclosure also includes using private or confidential information in a manner or for a purpose that is not within the scope of what the person disclosing the information intended at the time the disclosure was made. For instance, if a customer discloses a home address in the context of lodging a complaint, this information cannot be exported for use outside of the processing of the complaint.
5. How can someone demonstrate that he or she is authorized to access confidential records?
A person seeking access to private or confidential records must follow the authorization procedures imposed by the division that originated the private or confidential records. Employees may be required to sign a confidentiality agreement in order to access the records. In all cases, disclosure must be conditioned on the employee’s agreement to avoid any further disclosures of the records.
6. What should an employee do if requested to produce a record that contains both confidential and non-confidential information, and the confidential elements of the record are not essential to the requestor?
Any confidential information should be screened, hidden or redacted from a document or database before disclosure to an individual that is entitled to view the record, but for whom access to the confidential portions is not justified. Requests for confidential information from outside persons should always be referred to the Legal Department.
7. Can an employee gain access to his or her own confidential employee records?
Yes. All requests to view one’s own personnel file must be made to the Human Resources Department. TriMet will provide the employee with a reasonable opportunity to inspect the employee’s file. At no time can the contents of any personnel file be removed during viewing. Copies of the contents of a personnel file, including a certified copy of the file, will be provided to the employee upon request. See HR-380 in TriMet’s Human Resources Manual for further information on Employee Records.
8. Is the obligation to protect information different if the confidential records were inadvertently or accidentally acquired?
No. Every employee must safeguard confidential records, without regard to whether the information was acquired during the normal course of duties, or inadvertently.
9. What is an employee’s duty to protect confidential records from unauthorized disclosure?
In general, an employee’s duty to prevent unauthorized discovery or disclosure of confidential records includes:
  • Physically securing confidential records to prevent unauthorized access (through locks, passkeys, etc.).
  • Ensuring that confidential records are not available for public viewing (i.e. confidential information must not be stored on the global drive except in accordance with I.T. policy; copies of confidential records must not be left unattended on a photocopier, printer, fax machine, or computer screen, etc.).
  • Ensuring that any form of disclosure, through verbal, electronic or written communication, does not occur unless the person seeking access to the information has the requisite authorization.
10. What safeguarding measures apply to the transport of private or confidential records?

Divisions are responsible for establishing reasonable safeguards for the transport of any private or confidential records in their possession or control. Transport requirements will vary depending upon the level of privacy or confidentiality and the form of the record. Transport of electronic records must comply with any policies established by TriMet’s IT Department.
Some general considerations for safeguarding private or confidential records during transport include:
  • Package private or confidential records securely – i.e. place them in an opaque, sealed, tamper-proof envelope or sealed box and mark it “confidential.”
  • Use reliable transport or carriers.
  • Take reasonable precautions during transport – i.e. do not leave private or confidential records unattended in public areas or other locations where they are susceptible to unauthorized disclosure or theft.
  • Restrict the transfer of private or confidential information onto laptops, removable drives or other portable storage devices.
  • Utilize encryption, password protection, redaction or similar methods that would render the confidential information inaccessible to unauthorized persons.
  • Store packages that contain confidential employee records in a secure location prior to pick-up/transport and immediately after receipt.
  • Private or confidential records transported in vehicles by authorized personnel should be kept locked and out of sight and should not be left unattended.
11. What type of information is protected under the “Oregon Identity Theft Protection Act”?
Under SB583 (Oregon Laws 2007, Chapter 759), also known as the Oregon Identity Theft Protection Act (“Act”), “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption4 (unless the encryption key has also been acquired), redaction5 or other methods:
  • Social Security Number;
  • Driver license or Oregon identification card number;
  • Passport or other United States issued identification number; or
  • Financial account number, credit or debit card number in combination with any required security code, access code or password that would permit access to the person’s financial account.
Employees must ensure that confidential personal information in their possession or control is safeguarded as detailed in this section. Confidential personal information stored electronically must be safeguarded in accordance with IT policy.
12. What specific safeguarding requirements apply to Social Security numbers under the Oregon Identity Theft Protection Act?
The Oregon Identity Theft Protection Act (“Act”) provides specific safeguarding requirements for Social Security numbers. In addition to the general safeguarding requirements for private or confidential records outlined in this section, employees must ensure that a person’s Social Security number is not:
  • Publicly posted or displayed unless it is redacted;
  • Printed on any card required for the individual to access products or services provided by the agency;
  • Printed on materials that are sent through the mail unless the individual requested information that requires a Social Security number or the Social Security number is redacted.
Under the Act, TriMet may collect, use, or release Social Security numbers as required by state or federal law, and use or print Social Security numbers for internal verification or administrative purposes.
13. How should an employee determine the correct process to use in obtaining and verifying authorization to disclose private or confidential records?
The employee should follow the authorization requirements imposed by the division that originated the private or confidential records when processing requests for access to those records.
14. If an employee is seeking access to confidential information within another employee’s control, what requirements apply to the disclosure?
Any disclosure must minimally ensure that the following criteria are satisfied:
  • The person to whom access is granted must have a critical and continuous work-related need for the confidential information (as confirmed through the originating division’s process for authorizing access); and
  • The scope of the access granted or information provided must be confined to the material that justified access; and
  • The person to whom access is granted must understand the restrictions on further disclosure of the records (through the signing of a confidentiality agreement, or other similar control, as designated by the originating division’s process for authorizing access).
15. Are there any special requirements for destroying private or confidential records?
Yes. Private or confidential records should be destroyed at the end of their retention periods in such a manner that the private or confidential information cannot be read or reconstructed. All hard copies of private or confidential records must be shredded, electronic files must be “wiped” in a manner that ensures that the records cannot be retrieved, and computer disks must be permanently destroyed. Additionally, only authorized persons may handle the private or confidential records in order to destroy them. Authority is established according to the authorization procedures imposed by the division that originated the confidential records. Employees or contractors may be required to sign a confidentiality agreement in order to access the records for destruction.

Part 7: Sensitive Security Information (“SSI”)

Scope

This policy applies to all TriMet employees and to SSI in every form in which it is stored, including paper, electronic, and other media. The Director, Operations Support is responsible for the implementation and administration of this policy, which includes the following: (1) monitoring compliance with the SSI policy and making SSI designations; (2) identifying, and clearly and conspicuously marking SSI records; (3) maintaining a current SSI Master List; (4) reviewing records that were previously designated as SSI and downgrading them if they no longer contain SSI; (5) providing employee training on the SSI policy and procedures; and (6) communicating with Records Coordinators to ensure that the SSI policy and procedures are implemented consistently within the agency. The Director, Operations Support may establish an SSI Oversight Committee under his/her direction to assist with administration of the policy. TriMet employees are responsible for handling SSI material in their possession or control in accordance with this policy. Violations of this policy are subject to disciplinary action, up to and including termination of employment.

Policy

Every employee must ensure the proper handling of all TriMet records that constitute sensitive security information (“SSI”). Each division must maintain procedures to ensure the proper identification, marking, maintenance, safeguarding, disclosure and destruction of SSI in its custody or control. A public records request for records that includes SSI must be referred to the Legal Department for response.
The requirements of this policy are divided into the following parts:
Part A: Identifying SSI
Part B: Marking SSI
Part C: Disclosing SSI
Part D: Safeguarding SSI
Part E: Transmitting SSI
Part F: Destroying SSI

Part A: Identifying SSI

Guidelines:

1. What is SSI?
SSI is defined by U.S. Department of Transportation (DOT) and Transportation Security Administration (TSA), Department of Homeland Security regulations.6 The regulations specify certain categories of information as SSI.7 The TSA had initially interpreted the regulations to include only two categories of SSI that applied to public transit systems.8
On November 26, 2008, the TSA issued a Final Rule amending the regulations to specifically extend the federal protection afforded to SSI to rail transportation, including rail transit systems and commuter passenger train services.9 Under the Final Rule, the following categories of SSI apply to transit agencies:
  • Security programs and contingency plans issued, established, required, received, or approved by the Department of Transportation (“DOT”) or Department of Homeland Security (“DHS”)10;
  • Vulnerability Assessments that are directed, created, held, funded, or approved by DOT or DHS, or that will be provided to either agency in support of a Federal security program11;
Vulnerability Assessment means “any review, audit, or other examination of the security of a transportation infrastructure asset; airport; maritime facility, port area, or vessel; aircraft; railroad; railroad carrier, rail facility; train; rail hazardous materials shipper or receiver facility; rail transit system; rail transit facility; commercial motor vehicle; or pipeline; or a transportation-related automated system or network to determine its vulnerability to unlawful interference, whether during the conception, planning, design, construction, operation, or decommissioning phase. A vulnerability assessment may include proposed, recommended, or directed actions or countermeasures to address security concerns.”12
  • Threat information held by the Federal government concerning transportation, transportation systems, and cyber infrastructure, including sources and methods used to gather or develop the information13.
  • Other categories applicable to rail transportation under 49 CFR 1520.5(b), including:
o Security inspection or investigative information: details of any security inspection or investigation of an alleged violation of rail transportation security requirements of Federal law that could reveal a security vulnerability, including the identity of the Federal special agent or other Federal employee who conducted the inspection or audit14;
o Security measures: specific details of rail transportation security measures, both operational and technical, whether applied directly by the Federal government or another person15;
o Security training materials: records created or obtained for the purpose of training persons employed by, contracted with, or acting for the Federal government or another person to carry out rail transportation security measures required or recommended by DHS or DOT16;
o Identifying information of certain transportation security personnel: lists of the names or other identifying information that identifies persons as having unescorted access to a secure area of a rail secure area17;
o Critical rail infrastructure asset information: any list identifying systems or assets, whether physical or virtual, so vital to the rail transportation system that the incapacity or destruction of such assets would have a debilitating impact on transportation security if the list is (1) prepared by DHS or DOT, or (2) prepared by a State or local government agency and submitted by the agency to DHS or DOT18;
o Research and development: information obtained or developed in the conduct of research related to rail transportation security activities, where such research is approved, accepted, funded, recommended, or directed by DHS or DOT, including research results19.
The Federal Transit Administration (FTA) has issued guidance identifying the following types of records that transit agencies should evaluate to determine if they are SSI or contain SSI:
  • Security program plans and procedures that include vulnerability records or specific tactics for security operations;
  • Security contingency plans and records;
  • Records that reveal system or facility vulnerabilities (i.e. maps, detailed facility drawings, detailed action items from drills and exercises);
  • Information about threats against the transit agency or other local transportation.
See “Sensitive Security Information (SSI): Designations, Markings, and Control – Resource Document for Transit Agencies” Federal Transit Administration (March 2009).
Employees should be aware that certain information that may impact security may not qualify as SSI, but may still be exempt from public disclosure under Oregon’s Public Records Law. Employees should refer any public requests for security-related information to the Legal Department for review. See Part 5 of this policy for further information on Public Records Requests.
2. Who is responsible for identifying SSI?
The Director, Operations Support is responsible for implementing TriMet’s SSI Policy, which includes reviewing and designating agency records as SSI. The Director, Operations Support may establish an SSI Oversight Committee and/or designate representative(s) to assist with SSI designations. The Director, Operations Support will maintain an up-to-date SSI Master List that identifies agency records that have been officially designated as SSI.
TriMet employees are responsible for identifying material that they create or receive in the course of their work for TriMet that may contain SSI. Employees should contact the Director, Operations Support for assistance and further instructions.

Part B: Marking SSI

Guidelines:

1. What markings are required for SSI documents?
All designated SSI records must be clearly and conspicuously marked with the following language:
Protective Marking –
“SENSITIVE SECURITY INFORMATION”
Distribution Limitation Statement –
“WARNING: this record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of this record may be disclosed to any person who has not been determined by TriMet to have a “need to know” the content of this document, as defined in 49 CFR part 1520.11. Unauthorized release or acquisition of any material information contained within this document may result in civil penalty or other action. Any public disclosure of this document, or any portion thereof is determined in accordance with federal and Oregon law. If this information is found, do not read or access the content of this document. Please return it as soon as possible to TriMet’s Safety and Security Department, Attn: Director, 4413 SE 17th Avenue, Portland, OR 97202.”
2. How should employees mark designated SSI paper records?
SSI paper records must be clearly and conspicuously marked with the Protective Marking and the Distribution Limitation Statement. As a general guideline, the marking should be in plain, bold type, in Times New Roman font size 16 or the equivalent. The Protective Marking must be marked on the top of every page, and the Distribution Limitation Statement must be marked on the bottom of every page (including any front and back cover, binder or folder cover, and title page).
Transmittal documents should be marked confidential, and contain the phrase “Sensitive Security Information Attachment – Disseminate on a “Need to Know” basis only” in the reference line.
3. How should designated SSI records in other formats (including electronic records) be marked?
SSI records in other formats, including e-mail and other machine-readable electronic records, audio and video recordings, and other non-paper SSI records, must be marked with the Protective Marking and the Distribution Limitation Statement so a viewer or listener is reasonably likely to see or hear them when accessing the record.

Part C: Disclosing SSI

Guidelines

1. To whom can SSI be disclosed?
A record that meets the definition of SSI must be treated as SSI, even though it has been publicly disclosed, or widely distributed within TriMet in the past.
SSI records can only be disclosed to persons who have a “need to know” the security-sensitive content of the record, as defined by federal law. Generally, a person has a “need to know” if access to the SSI material is necessary to:
  • Carry out transportation security activities;
  • Supervise or manage individuals carrying out transportation security activities;
  • Provide technical or legal advice regarding transportation security requirements;
  • Represent TriMet in connection with any judicial or administrative proceeding regarding SSI requirements; or
  • Performance of a contract or grant from the Department of Homeland Security or the Department of Transportation.
2. Who decides whether a person has a “need to know”?

The Legal Department, or the Director, Operations Support or his/her designated representative will decide whether a requestor has a “need to know.” TriMet may at its discretion make disclosure of SSI to persons with a “need to know” subject to the signing of a non-disclosure agreement, or the satisfactory completion of a security background check.
3. How do I handle a request for SSI records?
Internal requests: SSI requests made by TriMet employees should be forwarded to the Director, Operations Support or his/her designated representative, or to the Legal Department for review. Access will depend on whether the TriMet employee has a work-related “need to know” the sensitive information contained in the SSI record.
External requests: Requests made by contractors, vendors, other agencies, or by the public should be forwarded to the Legal Department and Director, Operations Support for review. The Director, Operations Support, in conjunction with the Legal Department will determine whether to grant access to the material, or whether to deny or partially deny a request because the party does not have a “need to know” or because the security-related material is exempt from disclosure under Oregon’s Public Records Law.
The Director, Operations Support should maintain an up-to-date log that documents the release of agency records that are SSI.

Part D: Protecting SSI

Guidelines

1. What disclosure requirements apply to SSI?
TriMet employees with custody or control of SSI must take reasonable steps to protect the information from unauthorized disclosure. The level of protection required for SSI records shall be commensurate with the level of risk and degree of harm that may result from the loss, misuse or unauthorized access to the information. Reasonable steps include, but are not limited to:
  • Avoiding inadvertent oral disclosure (i.e. discussing SSI in a public space);
  • Avoiding inadvertent visual access (i.e. leaving SSI materials unattended on a computer screen, photocopier, printer or fax machine);
  • Limiting access to, or removing SSI from shared drives;
  • Storing SSI records in a secure container (i.e. a locked desk or file cabinet, or in a locked room);
  • Securing electronic SSI records with passwords (passwords should be sent in a separate voicemail or email);
  • Employing technical safeguards for SSI records stored on TriMet computer systems to prevent hacking, or other unauthorized access.

Part E: Transmitting SSI

Guidelines

1. If SSI needs to be transmitted to another person, and that person has been determined to have a “need to know,” what is the proper mechanism for transmittal?
SSI may be transmitted through e-mail, fax, interoffice mail, personal delivery, U.S. Postal Service, or any authorized commercial shipping service. SSI shall not be posted on TriMet’s website or intranet site, or on any other public website.
When transmitted through interoffice mail, personal delivery, US Postal Service or any authorized commercial shipping service, the SSI record must be contained in an opaque sealed envelope, wrapping or carton to avoid inadvertent disclosure.
SSI attachments sent through e-mail should be password protected and include the following phrase in the subject line: “Sensitive Security Information attachment – disseminate on a ‘Need-to-Know’ basis only.” Passwords should be sent in a separate communication.
Employees should coordinate with recipients if they transmit SSI through a fax machine to ensure that the SSI will not be left unattended or at risk of unauthorized disclosure on the receiving end. Faxes should include a transmittal page that has the following phrase in the subject line: “Sensitive Security Information attachment – disseminate on a ‘Need-to-Know’ basis only.”

Part F: Destroying SSI

Guidelines

1. Who can destroy SSI?
Only persons with authorization to access SSI can destroy SSI.
2. When can SSI be destroyed?
Original copies of SSI records must be retained in compliance with state and federal laws. Appropriate safeguards must be utilized to prevent unauthorized disclosure of the SSI for the duration of the retention period.
Convenience copies of SSI that were distributed for informational purposes should be destroyed when they are no longer needed, and must be destroyed when the official copy is destroyed at the end of its legally prescribed retention period.
3. Are there any special requirements for destroying SSI?
Yes. Records containing SSI must be destroyed in a way that will prevent anyone from recognizing or reconstructing the SSI material. Hardcopies of SSI must be shredded. Electronic files must be erased and overwritten. Magnetic media, such as hard or floppy disks that contain SSI must be degaussed (i.e. de-magnetized) or permanently destroyed. Optical media, such as CD or DVD, must be overwritten or permanently destroyed.

Part 8: Legal Holds

Policy:

A legal hold is a directive to preserve records, which may include electronically stored records. The Legal Department is responsible for issuance of legal holds on TriMet records. Records subject to a legal hold issued by the Legal Department shall not be deleted, destroyed, concealed or altered while the legal hold is in effect.

Guidelines:

1. What is a legal hold?
A legal hold is a directive issued by the Legal Department to preserve records that may be relevant to a lawsuit, governmental investigation, audit or other matter involving the agency. A legal hold issued for a lawsuit (litigation hold) is a directive to preserve records and information, which may be relevant to the lawsuit, whether actually filed or reasonably anticipated to be filed. A legal hold may also be issued to preserve records requested pursuant to a public records request. Records that are subject to a legal hold must not be deleted, destroyed, concealed or altered while the legal hold is in effect. The Legal Department will determine when a duty to preserve has been triggered and a legal hold is required.
2. How will I know if my records are subject to a legal hold?
The Legal Department will provide notice to an employee if a legal hold has been placed on any records in his or her possession or control. The notice will specify which records are subject to the hold, the manner in which the records should be preserved, and if possible, the period of time in which ordinary destruction activity is suspended.
Records subject to a legal hold may take various forms, including but not limited to: a document, paper, photograph, file, video or audio recording, and machine-readable electronic information (including e-mail, databases, and other electronically created or stored information).
The Legal Department will develop forms to implement the legal hold process.
3. The legally prescribed retention period has expired for some records I have that are now subject to a legal hold. Can I destroy these records?
No. If the Legal Department has placed a legal hold on the records, the records must not be deleted, destroyed, concealed or altered while the legal hold is in effect. The legal hold temporarily suspends the routine destruction of records, so although the legally prescribed retention period has expired, the records cannot be destroyed until the legal hold is lifted.
4. How long do I need to retain records that are subject to a legal hold?
Employees must retain records that are subject to a legal hold until the Legal Department notifies them that the legal hold has been lifted. Employees should be aware that the records might still be subject to retention and disposition requirements under Oregon’s Public Records Laws and any other applicable state or federal laws and regulations. Employees should contact their Division’s designated Records Coordinator for assistance with determining the legally prescribed retention period for their records.

3    See June 20, 2007 advice from Matthew Brown, Records Management Analyst with the Oregon State Archives Division: “A draft is: (1) A preliminary writing of a public record for discussion, revision or correction, generally by another party, or (2) A subsequent writing for discussion, revision or correction, generally by another party, that represents a significant change in content from a previous draft. There may be one or more drafts for each public record created, but not every public record will have a draft. Disposition: File with the associated program or administrative records. Retentions for these program and administrative records are found in Records Retention Schedules issued by the Secretary of State, Archives Division.”
4   Encryption means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
5   Redacted means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, account number or credit or debit card number is accessible as part of the data.
6 See 49 CFR Part 15 and 49 CFR Part 1520. Both regulations apply to TriMet. The DOT regulations provide in part: “SSI is information obtained or developed in the conduct of security activities, including research and development, the disclosure of which the Secretary of DOT has determined would – (1) Constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) Reveal trade secrets or privileged or confidential information obtained from any person; or (3) be detrimental to transportation safety.” The TSA regulations contain a parallel definition, but refer to “transportation security” and to the TSA as having authority to make SSI determinations.
7 The regulations specify 16 categories of information that constitute SSI.
8 See April 27, 2007 advice from Deirdre O’Sullivan, TSA’s office of the Special Counselor, SSI Office: “According to the SSI federal regulations, there are 16 categories of SSI and only two of the 16 apply to transit systems. The two categories that apply to transit systems are vulnerability assessments and threat information.”
9 See Transportation Rail Security; Final Rule, 73 Fed. Reg. 72130 (Nov. 26, 2008).
10 See 49 CFR Pt. 1520.5(b)(1)
11 See 49 CFR Pt. 1520.5(b)(5)
12 See 49 CFR Pt. 1520.3
13 See 49 CFR Pt. 1520.5(b)(7)
14 See 49 CFR Pt. 1520.5(b)(6)
