Family Promise of Puget Sound

1. Purpose

The purpose of this policy is to establish clear guidelines and procedures for the secure and ethical use of Family Promise of Puget Sound (FPOPS) information technology (IT) resources and data. This policy is designed to protect sensitive, confidential, and proprietary information, ensure compliance with relevant laws and regulations, maintain professionalism, safeguard FPOPS’s reputation and integrity, and support mission-aligned operations.

2. Scope

This policy applies to all paid staff, active volunteers, and Board members of Family Promise of Puget Sound. It governs the use of all FPOPS systems, devices, and networks, as well as any personal devices or accounts used for FPOPS business or when FPOPS-related information is handled.

3. Guiding Principles

* Data Protection: Prioritize the security and privacy of all data, especially confidential and operational information.

* Security: Implement robust security measures to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of FPOPS data.

* Compliance: Adhere to all applicable laws, regulations, and ethical standards related to data privacy and security.

* Professionalism: Expect professional conduct in all digital interactions and data handling.

* Accountability: Hold all individuals accountable for their actions and adherence to this policy.

* Transparency of Monitoring: Clearly communicate that FPOPS systems may be monitored to ensure compliance and security.

* Human Oversight (for AI): Ensure human review and responsibility for all AI-generated output.

* Responsible Innovation (for AI): Utilize technology, including AI, in a manner that aligns with FPOPS values and enhances service delivery responsibly.

* Safety: Contribute to the physical, psychological, and emotional safety of individuals and personnel by securely managing information, aligning with trauma-informed practice.

* Trustworthiness: Maintain the trust of individuals, donors, and the community by demonstrating a strong commitment to data security and privacy.

4. Definitions

* Confidential Information: Any information that is not public knowledge and could, if disclosed, cause harm to FPOPS, its individuals, staff, volunteers, or reputation. This includes, but is not limited to, individual personal data (e.g., names, addresses, health information, financial status), internal operational details, financial records, personnel information, unreleased strategic plans, and proprietary methods.

* FPOPS Systems: All hardware, software, networks, data storage, and electronic communication platforms owned, leased, or managed by FPOPS, including FPOPS-provided devices and cloud services (e.g., Google Workspace).

* Electronic Communications: Any transmission of information by electronic means, including email, instant messaging, internal communication platforms, and video conferencing.

* Social Media: Online platforms that allow users to create and share content or participate in social networking (e.g., Facebook, Instagram, LinkedIn, X/Twitter).

* Generative AI: Artificial intelligence tools capable of generating new content, such as text, images, or code, often in response to user prompts.

* Approved AI Agent/Platform: A Generative AI tool or platform that has been explicitly vetted and approved by FPOPS for use in specific organizational functions, based on its security, privacy features, and alignment with FPOPS policies.

5. Policy Guidelines and Procedures

5.1. Acceptable Use of FPOPS Systems

* FPOPS systems are primarily intended for official FPOPS business.

* All use must adhere to standards of professionalism and avoid any illegal, harmful, harassing, or inappropriate content. This includes compliance with the Anti-Harassment Policy and Non-Discrimination Policy.

* Limited personal use is permissible if it does not interfere with job duties, consume excessive resources, or violate any FPOPS policies.

5.2. Data Management & Privacy

* Strict Protection: All confidential information must be strictly protected from unauthorized access, disclosure, or misuse.

* Generative AI Prohibition: Inputting confidential individual data or any sensitive FPOPS operational data into any Generative AI tool or platform not explicitly approved by FPOPS for secure handling of such data is strictly prohibited. This includes publicly available tools.

* Data Anonymization: When using aggregated data for analysis or reporting purposes, ensure it is properly anonymized or de-identified so that no specific individual can be identified.

* AI Data Retention Awareness: Users must be aware that unapproved AI providers may retain data input, which could compromise confidentiality.

* Secure Storage: All electronic records containing confidential information must be stored securely, utilizing appropriate access controls. Regular backups of essential data are required.

* Risk Management: Handling of sensitive data is subject to FPOPS’s risk management procedures to mitigate potential vulnerabilities.

5.3. System Security

* Password Protection: Users are responsible for protecting their passwords and ensuring they are strong and unique. Passwords should never be shared.

* Secure Networks: Always use secure, trusted networks when accessing or transmitting sensitive FPOPS data. Avoid using public Wi-Fi for sensitive work unless a secure Virtual Private Network (VPN) is utilized.

* Data Encryption: Consider using data encryption for sensitive information stored on portable devices or transmitted over potentially insecure networks where feasible and appropriate.

* Reporting Security Incidents: Any suspected security breach, loss, or theft of an FPOPS-owned or personal device used for FPOPS business must be reported immediately to a supervisor and/or the CEO.

* Prohibition of Unauthorized Access: Users are prohibited from attempting to gain unauthorized access to any FPOPS system or modifying system configurations without explicit permission.

5.4. Monitoring and No Expectation of Privacy

* FPOPS systems are FPOPS property.

* FPOPS reserves the right to monitor system usage, including electronic communications, Generative AI tool usage, and internet browsing history, to the extent permitted by law, to ensure compliance with this policy and for security purposes.

* Users should have no expectation of privacy when using FPOPS systems.

* Regular audits of Generative AI usage and data documentation compliance may be conducted.

5.5. Google Workspace Usage

* FPOPS utilizes Google Workspace as its primary data platform. All staff, volunteers, and Board members are expected to adhere to this policy when using Google Workspace services for FPOPS business, including email, document storage, and communication tools.

5.6. Generative AI-Specific Use

* Only FPOPS-approved Generative AI tools may be used for FPOPS business.

* All AI-generated output must undergo human review and verification for accuracy, appropriateness, and alignment with FPOPS values before use or dissemination.

* The user is fully responsible for any content generated by AI tools that they use for FPOPS business.

* Users must be aware of potential intellectual property issues related to AI-generated content and adhere to FPOPS guidelines for such use.

5.7. Social Media Overlap

* When using social media, particularly in relation to FPOPS activities, individuals must maintain confidentiality, especially regarding individual photos or personal details.

* Social media use must uphold FPOPS’s reputation. Specific guidelines are provided in the Social Media Policy.

6. Relationship to Other Policies

This IT/Data Security Policy operates in conjunction with, and supports, several other FPOPS policies, including but not limited to:

* Confidentiality Policy

* Electronic Communications Policy

* Social Media Policy

* Generative AI Policy

* Documentation Requirements Policy

* Risk Assessment & Management Policy

* Professional Support, Supervision, and Development Policy (e.g., discussions regarding technology use in supervision)

* Anti-Harassment Policy

* Non-Discrimination Policy

7. Cooperation with Investigative Authorities

FPOPS personnel are required to cooperate fully with investigative authorities (such as the Washington Department of Children, Youth, and Families or law enforcement) regarding lawful requests for relevant information or data. All such cooperation will adhere strictly to legal requirements and FPOPS confidentiality policies.

8. Responsibilities

* All Staff, Volunteers, and Board Members: Are responsible for understanding and strictly adhering to this policy, safeguarding FPOPS systems and data, and immediately reporting any actual or suspected security breaches or policy violations.

* Supervisors and Program Directors: Are responsible for communicating and modeling adherence to this policy, addressing initial concerns related to IT/data security, and escalating issues as necessary. They also help ensure that discussions about secure practices occur within supervision.

* CEO and Leadership Team: Are responsible for overall oversight, enforcement, and guidance related to IT and data security. They ensure this policy is clearly communicated, consistently applied across the organization, and that necessary resources are allocated for system security and compliance.

* Designated IT/Admin Staff (if applicable): Responsible for implementing and maintaining FPOPS’s IT infrastructure, security measures, and data management systems, as well as providing technical support and guidance.

9. Documentation Requirements

Comprehensive documentation is required for IT and data security compliance. This includes:

* Records of security incidents and their resolution.

* Documentation of data access controls and user permissions.

* Records of regular security audits and risk assessments.

* Documentation of policy acknowledgements and relevant training.

* Secure storage of all electronic records, which is subject to regular audits.

10. Consequences of Non-Compliance

Any violation of this IT/Data Security Policy is considered a serious breach and will result in disciplinary action, which may include:

* Verbal or written warning.

* Suspension of system access.

* Reassignment of duties or volunteer roles.

* Termination of employment or volunteer service.

* Depending on the severity of the violation, individuals may also face personal legal and financial penalties.

* Failure to protect confidential data or unauthorized system use can lead to significant harm to FPOPS, including loss of individual trust and safety, damage to reputation, and potential legal or financial liabilities for the organization.

11. Policy Review

This policy will be reviewed annually by the CEO and Board of Directors, or more frequently as needed (e.g., after significant security incidents, changes in technology, or new legal requirements). This review will ensure its continued effectiveness, alignment with applicable laws, best practices in data security, and the evolving needs of FPOPS. Any revisions will be communicated to all relevant personnel.