§ 2-186. Managing, maintaining, and storing sensitive and confidential information  

(a) Employees who have access to sensitive and confidential information are required to create, handle, maintain, and dispose of such information with prudent care in order to ensure proper security. Access to sensitive and confidential information will be limited and only provided in order for authorized employees to perform essential tasks for Town of Kure Beach business.

(b) The following procedures should be followed while creating, handling, maintaining, storing, and disposing of sensitive information:

(1) Enter information directly to a final destination (i.e., computer system) and refrain from documenting the information in other areas.

(2) If sensitive information is written on paper for reference, shred immediately upon recording the information in the final destination.

(3) Electronic payment data should be handled by authorized personnel and only the last four (4) digits of the customer's credit or debit account number should be visible on reports (pending future applications).

(4) Sensitive information should not be included on e-mails.

(5) Sensitive information should not be included on printed reports except as needed for the performance of essential tasks.

(6) Maintain documents that contain sensitive information in a secured location and limit access to the area.

(7) If possible, utilize encryption to secure information in the database or storage system.

(8) Do not leave a computer unattended if sensitive information could be accessed by unauthorized individuals. While away from the computer, log off or lock the workstation.

(9) Do not store files with sensitive information on laptops or on flash drives unless the information and the device can be secured and not accessible to unauthorized individuals.

(10) Take reasonable measures when destroying sensitive data that will prohibit the information from being read or reconstructed. Documents with sensitive data should be shredded by the individual who has authorized access to the data or by another employee while in the presence of the authorized employee. The Town of Kure Beach may enter into a written contract with a third party in the business of record destruction to destroy sensitive information in a manner consistent with this policy.

(11) Limit entry into Town Hall via locked door with authorized entry or official town key/key code.

(c) In order to protect sensitive and confidential information, the Town of Kure Beach will only release sensitive information to the account holder or individual(s) who own the information upon confirmation of personal identifying information or a valid picture ID. The confirmed account holder or individual may authorize the release of sensitive information to a third party. Confidential information will only be released in accordance with state statute. The only exception will be the release of specified information pursuant to a court order, warrant, subpoena or other requirement by law.