
(1) 

(a) General Standards. The following standards shall apply to all data, regardless of category:

(i) Data will be created, stored, or accessed for official use.

(ii) Data shall only be stored on town-owned electronic or portable storage devices and/or any I.T. established and/or approved server/cloud third party storage services.

(iii) Data containing information from multiple classification groups will be handled based on the most restrictive classification.

(iv) Agencies shall not be allowed nor authorized to directly access or obtain access to town systems, networks, applications, and/or devices, which includes any type of remote access software and/or the data center (server), firewall and other critical core infrastructure.

(v) Data will be retained in accordance with the appropriate retention schedule.

(vi) Data will be securely destroyed in accordance with any applicable laws and/or policies.

(vii) Personnel are responsible for data in their care and will:

(A) Protect data at all times to avoid unauthorized access, loss, theft, or improper disclosure;

(B) Request/access, use, and release data as necessary to satisfy the business need;

(C) Handle data in compliance with applicable laws and data sharing agreements;

(D) Ensure data is stored and transferred consistent with the classification category unless a more restrictive data sharing agreement is in place; and

(E) Immediately report to PIO any unauthorized access or release of Category 2 or higher data or lost or stolen computing/portable storage devices containing such data; and anyone affected by such release will be notified pursuant to federal and state laws. Failure or refusal to perform assigned responsibilities or willful violations of data classification policy or standards may result in disciplinary action.

(b) Exemptions. Data classification may not apply to the release of data for public records requests; therefore, all public records requests made pursuant to the Public Records Act, Chapter 42.56 RCW, regardless of assumed category or recipient of request, shall always be immediately forwarded to PIO upon receipt. Exceptions to this policy must be justified and authorized in writing by PIO.

(c) Encryption. Town utilizes Microsoft 365’s (M365) Government Community Cloud coupled with Azure Information Protection Premium P1 for Government for transmitting data via email in encrypted form in flight and at rest. Encryption must be done using Advanced Encryption Standard (AES) in the M365 system with at least 128 bits or more for the encryption key for documents and 256 bits for all other scenarios.

(d) Destruction. Data shall be destroyed in a secure manner consistent with its classifications and in accordance with any applicable laws, including WAC 434-640-030 and Chapters 19.215 and 40.14 RCW.

(2) Category 3 and 4 Data.

(a) Access. Access to Category 3 or 4 data shall not be granted outside of the town unless through a formal process, such as public disclosure or a DSA. The town shall only release restricted information in accordance with any applicable laws and shall only provide such unredacted information that would be required to adequately fulfill any such request.

(b) Transmission. Category 3 or 4 data shall only be transmitted via approved methods which only include secure encrypted email and approved secure file transfer sites.

Prior to the transmission of Category 3 and 4 data, the town shall:

(i) Review all data and redact any restricted information that is not required to adequately fulfill any such request; and

(ii) Apply data encryption if transmitted outside of the town.

(c) Internal Access. Category 3 and 4 data has restricted access within the town. Only staff authorized by the data owner and/or PIO are permitted to access, store, or release the data.

(d) Storage. Category 3 and 4 data must be encrypted when stored on portable devices, such as laptops or storage devices and portable storage devices must be hardware encrypted when transferring or storing data. If stored inside the town on nonmobile devices, data does not require encryption; however, encryption should be applied to stored data when deemed necessary by the data owner and/or PIO.

(e) Destruction. Category 3 or 4 data must be destroyed in accordance with subsection (1)(d) of this section. A completed records destruction request form must be provided to PIO.

(3) Category 1 and 2 Data.

(a) Release. Category 1 data does not require authorization to be released to the public for official town business. Category 2 data is for official use only but may not be specifically protected from disclosure; however, it is town policy not to release such data to the public unless specifically requested through a formal process, such as public disclosure or a DSA.

(b) Transmission. Category 1 or 2 data does not require encryption when transmitted.

(c) Internal Access. Category 1 data is not restricted within the town. Category 2 data may not be restricted within the town; however, it will also not be readily accessible to those employees that do not require such access to conduct official town business.

(d) Storage. Category 1 and 2 data does not require encryption when stored.

(e) Destruction. Category 1 or 2 data destruction does not have a required method for destruction. (Res. 413 § 1 (Exh. A), 2021)