The Information Practices Act (IPA) provides guidelines to assure fair treatment of individuals who are the subjects of state agency records. The IPA places specific requirements on state agencies in the collection, use, maintenance, and dissemination of personal information about individuals. With specific exceptions, individuals may review, obtain copies, request amendments and corrections, and dispute information pertaining to them in state records. Specific policy guidelines for the proper administration of the IPA’s provisions are as follows:
RULES OF CONDUCT
Commission employees responsible for the operation, disclosure, or maintenance of records containing personal information shall follow the rules of conduct for the proper administration of the IPA’s provisions. The rules of conduct are as follows (Section 1798.20, IPA):
- All Commission employees responsible for the collection, maintenance, use and dissemination of personal information about individuals shall comply with the provisions of the Information Practices Act, Civil Code Section 1798, et seq. Personal information is defined as information that identifies or describes an individual, including, but not limited to, his or her name, Social Security Number, physical description, home address, home phone number, education, financial matters and medical or employment history.
- Commission employees shall not require individuals to disclose personal information which is not necessary and relevant to the lawful State function for which the employee is responsible.
- Commission employees shall only disclose personal information, maintained by the Commission, to those individuals or government entities to whom the release of this information is authorized, as defined under the conditions of disclosure.
- Commission employees shall keep an accurate record of the disclosures of personal information authorized in #3 above, which shall include the names of the individual and institution, title, date, and the nature and purpose for which the information was disclosed.
- Commission employees shall assist individuals who seek information on accessing records pertaining to themselves in making their inquiry sufficiently specific and descriptive so as to facilitate locating the records requested.
- Commission employees shall make every reasonable effort to see that inquiries and access requests by individuals for their personal records are responded to within 30 days of receipt of a request for active records and 60 days of receipt of a request for inactive records that have been archived.
- Commission employees shall not disclose personal information relating to individuals for their own interest or advantage. The intentional violation of this policy shall be cause for disciplinary action, including dismissal, and possible civil action for invasion of privacy.
- Commission employees responsible for maintaining records which contain personal information shall take all necessary precautions to assure that proper administrative, technical and physical safeguards are established and followed, in order to protect the confidentiality of records containing personal information and to assure that such records are not disclosed to unauthorized individuals or entities.
RECORD OF SOURCES OF INFORMATION
Whenever the Commission collects personal information, the Commission must maintain the source or sources of the information. The Commission shall also maintain the source or sources of information in a readily accessible form, so as to be able to provide it to the data subject when they inspect any record pursuant to Section 1798.34 (Section 1798.16, IPA).
SAFEGUARDS FOR PERSONAL INFORMATION
Commission employees who have responsibilities for safeguarding personal information must take all precautionary measures to ensure that all records containing personal information are kept in a secure area or in locked storage equipment and that access is restricted to only those employees who must have access in order to perform their assigned duties (Section 1798.21, IPA).
CONDITIONS OF DISCLOSURE
Commission employees may not disclose any personal information in a manner which would link the information to the individual to whom it pertains (Section 1798.3, IPA). Examples of personal information are:
- Home address and/or home telephone number
- Social Security Number
- Medical or employment history
- Physical description
- Financial information
- Records marked (stamped, etc.) “confidential”
Commission employees may disclose personal information to the public under any of the following criteria (Section 1798.24, IPA):
- To the individual to whom the information pertains;
- With the prior written, voluntary consent of the individual to whom the information pertains, but only within the time limit agreed to by the individual in the written consent;
- To the duly appointed guardian or conservator of the individual, provided it can be proven with reasonable certainty such person is the authorized representative of the individual;
- To those officers, employees, attorneys, agents, or volunteers of the Commission or institution, if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties, and it is related to the purpose for which the information was acquired;
- To a governmental entity when required by state or federal law;
- Pursuant to the California Public Records Act, Chapter 3.5;
- To a person who has provided the institution with advance, adequate, written assurance that the information will be used solely for statistical research or reporting purposes, when the information to be disclosed is in a form that will not identify any individual;
- To any person pursuant to a subpoena, court order, or other compulsory legal process, if, before the disclosure, the institution reasonably attempts to notify the individual to whom the information pertains, and if the notification is not prohibited by law;
- To any person pursuant to a search warrant;
- To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law;
- To the Office of Information Practices when the information is necessary for that office to investigate a complaint it has received regarding an alleged violation or to perform its mediation functions.
MAINTAINING RECORDS OF DISCLOSURES
The Commission must maintain a record of each disclosure of personal information to an individual and institution outside of the Commission. The record must contain: 1) date of disclosure, 2) nature and purpose of disclosure, 3) name of person and institution to whom information is disclosed, and 4) business address of the person to whom information is disclosed (Section 1798.25, IPA) (see Attachment 1).
RETENTION PERIOD FOR RECORDS OF DISCLOSURES
The Commission must retain records of disclosures for three years or until the record containing the personal information is destroyed, whichever is shorter (Section 1798.27, IPA).
COPIES OF RECORDS
The Commission will charge an agency fee of ten cents per page to an authorized individual or institution for making copies of a record (Section 1798.33, IPA).
REQUESTS FOR INSPECTION, AMENDMENT OR CORRECTION OF RECORDS
The Commission has the responsibility to coordinate and respond, in writing, within 30 days from receipt, to all written inquiries for access to, and amendment of, or correction of, Commission records by the subject individual. The Commission is required to review all written requests for access, amendment or correction of Commission records and approve, or deny, such requests within 30 days from receipt of the request.
If the Commission denies the request for access, amendment or correction of Commission records, the Commission must provide the reason for the denial and the procedures for the individual to request a review (Sections 1798.34 – 1798.36, IPA).
INVASION OF PRIVACY
Commission employees who intentionally disclose information, not otherwise public, which they know or should reasonably know was obtained from personal information maintained by the Commission may be subject to a civil action for invasion of privacy by the individual to whom the information pertains (P.L. 93-579) (Section 1798.53, IPA).
The Commission is required to inform an individual whose social security number is requested by the Commission, whether disclosure is mandatory or voluntary, by what statutory authority the number is solicited, and what it will be used for. The Commission is prohibited from denying an individual any right, benefit or privilege, provided by law, based on that individual’s refusal to disclose his or her social security number (P.L. 93-579).
The Commission is required to identify all record systems which contain personal information and submit a report to the Office of Information Practices, which identifies all new record systems, and all changes to existing record systems, containing personal information (Sections 1798.9, 1798.10, IPA).
The primary source of information for this Policy Memo comes from the publication, “The Information Practices Act of 1977,” published by the California Office of Information Practices, 1986. If there are any inconsistencies between the above-noted publication and the official Information Practices Act of 1977, the Act shall be controlling. If you have any questions regarding this policy memo, please direct your questions to your manager or the Commission’s Information Security Officer.
For questions and approval process issues relating to www.csac.ca.gov
Interim Information Security Officer
California Student Aid Commission
For more information on security and information privacy, please see the California Department of Justice website at https://oag.ca.gov/privacy/facts/online-privacy/computer-secure