FROM: Christina Cintron, Chief of Member Services
SUBJECT: Administration Policy No. 021 (Handling of Personally Identifiable Information (PII))
RECOMMENDATION:
title
Recommend that the Board approve and adopt updates to Administration Policy No. 021 (Handling of Personally Identifiable Information (PII)).
body
BACKGROUND:
General Policy No. 005 requires periodic review of SBCERA Board policies and indicates that such review shall be conducted every three years.
Accordingly, SBCERA staff has completed its review of Administrative Policy No. 021, which was last updated in March 2023.
This policy revision clarifies existing language and incorporates targeted enhancements related to the handling of Personally Identifiable Information (PII). Updates include refinement of the PII definition, including the addition of “Sensitive PII,” and reinforcement of limiting access and use of PII to the minimum necessary to perform job duties.
The revised language also provides additional clarity regarding permissible disclosures, strengthens vendor data protection requirements, and enhances breach reporting expectations. In addition, a new section has been added to address the use of technology tools, including automated and artificial intelligence-based systems, to prevent unauthorized exposure of PII.
These updates reflect current operational practices and strengthen existing safeguards without changing the overall intent of the policy.
BUDGET IMPACT:
None.
STRATEGIC PLANNING GOAL/OBJECTIVE:
Operational Excellence & Efficiency
STAFF CONTACT:
Christina Cintron
ATTACHMENTS:
Exhibit A: Administration Policy No. 021 (Handling of Personally Identifiable Information (PII)) - Redline Version
Exhibit B: Administration Policy No. 021 (Handling of Personally Identifiable Information (PII)) - Clean Version