Personal Information protected by law or identified to be confidential by the County has the

classification of Confidential Personal Information and is to be protected from unauthorized

access, destruction, use, modification, or disclosure. At a minimum, Confidential Personal

Information includes all personally identifiable medical information covered by HIPAA, social

security numbers, and driver license numbers.

Information is an essential County asset and is a vital part of the County’s business operations. In

the course of performing County business, employees, contractors, consultants, vendors, and

temporaries that have access to Confidential Personal Information are responsible for protecting

the information from unauthorized access, destruction, use, modification, or disclosure.

Laws have been passed to protect specific personal information such as the Health Insurance

Portability and Accountability Act (HIPAA), which is designed to secure Protected Health

Information, and California State Law AB 1950, which was passed to protect Personal Information

defined as a person’s name in combination with either social security number, or driver license

number, or financial account access data. Fines and penalties can be levied against organizations

that fail to adequately safeguard information protected by law.

1. Confidential Personal Information is not to be publicly displayed or exposed during the

delivery process, such as mailing postcards, or leaving reports unattended in a distribution

location or cart.

2. When disposing of paper containing Confidential Personal Information such paper is to

be shredded or placed in locked containers designed for secure disposal.

3. Confidential Personal Information sent by email or other electronic means over the

Internet is to be encrypted, if required by law, or have strong password protection.

Automated mechanisms may be employed by the County to support this standard. (A

strong password uses characters from 3 of the 4 following character types: lower-case

letters, uppercase letters, numbers, or non-alphanumeric characters.)

4. Confidential Personal Information should be stored on secured servers or mainframe

computers. If Confidential Personal Information is stored on portable or desktop

computers, or on portable media (CD, DVD, USB drive, diskette, etc.), then the

Confidential Personal Information is to be protected by encryption, if required by law, or

have strong password protection.

5. When erasing Confidential Personal Information on computer disks, use wipe utilities to

ensure the data is removed from the disks. This process is required when re-assigning,

repairing or disposing of computer equipment that stored Confidential Personal Information.

6. Unless otherwise required, the Ventura County Human Resource Payroll (VCHRP)

employee ID is to be used in place of the social security number in all instances where a

unique individual identifier is necessary for County employees.