Privacy and Confidentiality Policy
PURPOSE
The purpose of this policy is to provide a comprehensive plan that enables SCERS to meet its commitment to protect the privacy of its members; to protect the security of SCERS, its employees, and its assets; and to comply with relevant legal requirements.
DEFINITIONS
Confidential Information – This is information obtained or created by SCERS which is restricted as to access, disclosure or use. It may be found in any medium, whether oral, written, or electronic. It includes the following:
a. PI: Personal Information (PI) is any non-public information that is identifiable to an individual. Examples include demographic information such as the individual’s age or address, or it may be health information, such as his or her medical history. It includes member records and sworn statements.
b. SI: Security Information (SI) is information that, if improperly disclosed, could adversely impact the security of SCERS or its members, employees, or assets. Examples include information about SCERS’ information technology systems and security, financial accounts, etc.
c. PRI: Privileged Information (PRI) is information that falls into a legally recognized category that is protected from compulsory disclosure. An example is attorney-client communications.
Employees – For purposes of this policy, all SCERS personnel who are directly or indirectly supervised by the SCERS Board and/or SCERS management.
Individual – Any person who is the subject of PI.
POLICY
SCERS shall maintain the confidentiality of information that could impact the security of its members, its employees, or its assets, as well as legally privileged information. Accordingly, SCERS does not sell or trade members’ personal information; nor does SCERS disclose it to anyone other than those who need it to provide member services or those who are legally entitled to it.
1. In accordance with applicable laws and SCERS’ mission, all SCERS employees are responsible for ensuring that PI, including member records and sworn statements, is not disclosed except to:
- Authorized SCERS employees for approved purposes,
- The member upon request, or
- Third parties who have appropriate authorizing documentation.
2. In addition, SCERS employees are responsible for ensuring that PI is obtained, used or shared only to the minimum necessary extent that is required to further SCERS’ mission, within the constraints of applicable laws. This means that access to PI is permitted on a need-to-know basis.
3. Reasonable safeguards are to be implemented to ensure the privacy of PI, including controls on who can access the information, how the information is used, how it is obtained, stored and shared, and how it is eventually discarded. Member sworn statements and member records are to be kept confidential.
4. SI and PRI are to be secured at all times from unauthorized disclosure or use.
5. The deliberate or negligent mishandling or misuse of PI, SI, or PRI is considered to be misconduct and is enforced through employee discipline.
APPLICATION
SCERS’ privacy policy will be implemented through the following activities:
1. SCERS will obtain a complete and signed Confidentiality Agreement (in a form substantially similar to the attached) from every Board of Retirement Member, SCERS employee, and all other persons associated with SCERS who in the course of that association will or may encounter Confidential Information to ensure the confidentiality of PI, SI, and PRI is maintained. Alternatively, SCERS will require its vendors and service providers to enter into service agreements that contain confidentiality provisions satisfactory to SCERS’ counsel.
2. SCERS will maintain policies and procedures that provide guidance for the handling of PI, SI, and PRI.
3. SCERS will implement physical and electronic controls to protect the privacy of PI, SI, and PRI.
4. SCERS will train all employees upon entry and periodically thereafter on privacy and confidentiality policies and procedures.
5. SCERS will maintain proper disclosures and disclaimers in all publications and communications with outside parties that may involve PI.
6. SCERS will obtain a written authorization from the individual before disclosing that individual’s PI to third parties other than third parties working on behalf of SCERS or those who require the information by law or pursuant to a court order (e.g., government agencies, litigants). Other exceptions may apply as well.
7. SCERS will obtain appropriate supporting documentation from third parties who require PI by law or pursuant to a court order before disclosing PI to such parties (e.g., government agencies, litigants).
8. SCERS will establish procedures for receiving and responding to disputes regarding PI, for providing individuals access to their own PI, and for notifying individuals about any unauthorized use of their PI.
9. SCERS will periodically review this privacy policy to ensure that it addresses all relevant laws and risks inherent in the handling of PI.
10. SCERS will monitor compliance with this policy and applicable laws. This may include periodic audits and other monitoring tools.
BACKGROUND
There are a number of laws that address privacy and security issues. The most significant law in this area is Government Code Section 31532 which precludes disclosure of SCERS’ member records and sworn statements unless proper authorization is provided. Beyond these legal requirements, SCERS continuously reviews legislation and privacy and security practices to ensure the privacy of its members and the security of its operations.
See also SCERS’ “Protection of Individual Records Policy” that identifies the retirement benefit information that is disclosable by SCERS pursuant to a Public Records Act request.
RESPONSIBILITIES
Executive Owner: Chief Operating Officer
POLICY HISTORY
| Date | Description |
|---|---|
| 09-15-2021 | Board reaffirmed policy with amendments |
| 08-01-2018 | Renumbered from 009 |
| 01-17-2018 | Board affirmed in revised policy format |
| 05-23-2009 | Board approved new policy |
Instructions: This form is to be completed and signed by all Retirement Board Members, all SCERS employees, and other persons associated with SCERS who in the course of that association will or may encounter information that is considered confidential. The signed form will be converted to electronic form and retained for a period of no less than six (6) years from the last day of the signer’s employment or association with SCERS.
SCERS Policy No. 022