TCA Data Use Policy

Security Level Descriptions and Access

TCA’s data systems are described in the document below.  As an organization with stakeholders spread geographically, we manage approximately 30 different online-based software systems to enable the day-to-day business of our organization.  These systems are categorized as Level 1, 2, or 3 to reflect the sensitivity of the information stored in each location, where a Level 1 designation indicates the most sensitive data and, consequently, the most highly-protected data.

Level 1

Personally Identifiable Information (PII) that requires the highest level of security and limited access. This also includes any information deemed by the TCA board as private or classified. Examples include but are not limited to:

      1. Social Security Numbers
      2. Credit Card and payment information
      3. HR information:
        1. Payroll and personal financial information
        2. W9s and other tax information
      4. Un-approved meeting minutes
      5. Financial reports
      6. Organizational finance information
      7. Completed Contracts and Agreements

A list of systems that contain Level 1 information is available in the TCA Systems and Levels doc, updated by the Google Administrator. If you need access to this list, please contact Elise Fujimoto (elise@taikocommunityalliance.org).

Approval Policy for access to Level 1 Data

Individuals with Level 1 access must be approved by the TCA Executive Committee. The Executive Committee must notify the Google Administrator when an individual is approved for Level 1 access.

Individuals seeking Level 1 access may use the following form: TCA Confidentiality Agreement for Level 1 Data

Level 2

Personal contact information, TCA brand and messaging services.  Examples include but are not limited to:

      1. Phone numbers
      2. Email addresses
      3. Mailing addresses
      4. Administrative systems access:
        1. Website, social media, non-public program information (contracts & agreements, confidential program information)
        2. TCA meeting resources (Gotomeeting login, Zoom login)

Approval Policy for access to Level 2 Data

Committee chairs may approve Level 2 security access, and must notify the Google Administrator of these changes. 

Individuals seeking Level 2 access may use the following form: TCA Confidentiality Agreement for Level 2 Data

 

Level 3

Public Information: Information that is accessible to the general public. No approval is necessary to access Level 3 data. Examples include but are not limited to:

      1. Program publicity information
      2. Approved meeting notes
      3. Website information

Information Retention and Deletion Policy

Retention Policy

For the types of documents indicated below, TCA agrees to securely store records for the indicated amount of time. Hard copy documents are to be stored with the financial documents maintained by the TCA Treasurer.

| TYPE OF DOCUMENT | MINIMUM TERM |
| --- | --- |
| Program attendee registration info and agreements | 5 years |
| Board applications and agreements | 6 years |
| Personnel File Records (Medical records should be stored separately) | 4 years (after termination) |
| I-9 forms (stored separately from regular personnel files) | 3 years (after the date of hire or 1 year after termination) |
| W9 Forms | 1 year |
| W4 Forms | 4 years |
| Equal Pay | 2 years |
| Title VII Records | 1 year |
| Payroll and Tax Records (Name, Address, SSN, wage rates, Hours worked, weekly deductions, allowances, etc) | 4 years |
| Call Logs | 7 years |
| Meeting Minutes (soft copy) | 7 years |
| Financial Records (soft copy is ok) | 7 years |

Deletion Process

      1. Hard Copy Documentation:
        1. When ready for deletion, all hard copy documentation will be securely destroyed (suggested methods below):
          1. Shredded
          2. Burned
          3. PII redacted and thrown away
      2. Soft Copy Documents and attachments will be electronically destroyed
      3. Email:
        1. Non-essential email should be deleted annually
          1. Essential email is defined as any messages or attachments necessary for archival use or future planning.
          2. Non-essential email is defined as any messages not deemed necessary for archival record keeping or future planning purposes.

Onboarding and Offboarding Process

When new volunteers or staff enter or depart the organization, the following protocol should be followed.

Email Address Use and Granting

      1. TCA business must be conducted on an official TCA email address with the @taikocommunityalliance.org domain. Volunteers and board members are expected to regularly check their @taikocommunityalliance.org email addresses as the primary form of internal communication. @taikocommunityalliance.org email addresses may not be forwarded to personal emails.
      2. Requesting an Email
        1. Request should be submitted via email to the Google Administrator with:
          1. First and Last Name
          2. Contact Phone Number
          3. Completed TCA Data Use Agreement
          4. Any email lists to be updated
          5. Level of security access and approval (Level 2 and 1 only)
        2. Request Protocol
          1. Volunteer: Committee Chair submits the request
          2. Board Member: Board Secretary submits the request
          3. Staff: Supervising Board Member submits the request
        3. Google Administrator will
          1. Store the TCA Data Use Agreement and update information on Salesforce
          2. Create an @taikocommunityalliance.org email address for the individual
          3. Add the new user to the appropriate Google list(s)

Email Lists (Google Groups)

      1. Google Administrator will maintain a current list of Google Groups and members of each group. That list will be available to TCA Board Members and Committee Chairs.
      2. Google Administrator will send Committee Chairs a copy of their list annually. Committee Chairs are expected to respond to Google Administrator to verify accuracy of the list.
      3. Committee Chairs are responsible at all times for notifying the Google Administrator of:
        1. Change in membership
          1. If necessary, committee chair may approve Level 2 security access
          2. If necessary, committee chair must have Level 1 security access approved by the TCA Executive Committee
        2. Inaccuracies
      4. Committee Chairs will work with the Google Administrator to:
        1. Create group alias
        2. Forward and manage committee email
        3. Request new aliases
        4. Delete or remove distribution lists
      5. Sunset and Renewal Process: Google Administrator will evaluate and update lists every two years (during non-NATC year).

Document and Information Sharing Policy

      1. Security Level.  Documents and information will be shared only within the TCA environment. Sharing is only allowed within populations of similar security level access.  
        1. Level 1 information may only be shared with Level 1-approved individuals
        2. Level 2 information may only be shared with Level 2 or Level 1-approved individuals
        3. Level 3 information may be shared with anyone.
      2. Meeting Notes. Meeting notes and committee documents should be shared with the email distribution list instead of individuals whenever possible.

Personnel Change Process

      1. Committee chairs are responsible for notifying the Google Administrator of any changes in committee membership within 7 days of personnel change via email and should share the following information:
        1. Name of individual(s) involved.
        2. Reason for change.
        3. Email list(s) affected by the change.
        4. Google documents affected by the change.
        5. Change of ownership for documents.
      2. Within 48 hours, the Google Administrator will make the following adjustments and confirm the completed changes via email.
        1. If an individual will no longer be a TCA Committee Member
          1. Change passwords to the individual’s @taikocommunityalliance.org accounts and documents.
          2. Change password(s) to all Level 1 and Level 2 TCA assets the individual had access to.
        2. If the individual is changing Committees.
          1. Update email list(s) affected by the change.
          2. Make appropriate adjustments to Google document ownership.

Systems Access

    1. Requests for access to TCA systems should be directed to the appropriate Committee Chairs as indicated in TCA Systems and Levels. See Section 1 for Data Access Approval Policy.

Password Best Practices

    1. Passwords should be changed every 90 days [alternatively, implement two-step authentication and direct phone authentication to TCA-owned device]
    2. Passwords should contain more than 7 characters, one capital letter, one number, and one special character.

TCA Information Security Requirements

For TCA partner(s). For third-party external users, e.g., Discover Nikkei, or folks wanting access to Census information?

QUESTIONS? Please contact the Google Administrator for 2019, Elise Fujimoto (elise@taikocommunityalliance.org).