Policy: Records and Information Security

PURPOSE

The purpose of this order is to establish the procedures, for security of all records, software, hardware, data, and related equipment and information.

POLICY

Department Policy

The Michigan State University Police Department (Department) has established this policy that all information, records, software, hardware, data, and related equipment used, maintained, owned, produced, licensed, or managed by the department, regardless of storage medium or origin, are the property of the Department; and may not be used, copied, reproduced, released, or viewed, except in accordance with established Department procedures.

Employees by virtue of their position will gain access to such information and records. What is learned as an employee cannot be used or disseminated for other than department purposes; and then only through approved channels of authority and authorization.

Dissemination of information, records, software, hardware, data, and related equipment must be approved by the Chief of Police (Chief) or designee, or other person specifically designated within this policy.

University Policy

Copyright/Patent Agreement

The University has purchased a multitude of software programs for its various operating units and are either copy-righted or patented by the owners.

Department software should never be loaned out.

Under federal law and the Agreements; the University, its employees, agents, and representatives may not duplicate those programs.

DEFINITIONS

Software: Programs that allow technology systems to operate.

The Department may develop or cause others to develop, various software programs.

Such programs shall be restricted from distribution or duplication by this department, MSU’s agents or third party vendors/assisting parties without the express consent of the Chief or designee.

Michigan Criminal Justice Information Network (MiCJIN) Application: The MiCJIN is a Web-based service that enables subscribing agencies to access multiple Michigan State Police (MSP) software systems for the records entry or searches.

Hardware: All computer, data processing, word processing, telephone, fax, communication, taping, transmissions, or other devices, hardware, or equipment used by or owned by the department.

Recording, Video, or Digital Image Capturing Equipment: All data, recordings, images, and information taken from any electronic or mechanical transfer of data, recordings, images, information, etc. stored within the individual device, or any other method of duplication or transfer of those data.

Data: Includes all data, text, reports, products, or similar items produced by Department owned or licensed programs and/or equipment.

Physical Media: Includes print-outs, copies, and other physical medium that include Department records, data, information, etc.

Electronic Media: Includes hard drives, flash drives, diskettes, or similar medium that store Department records, data or information, etc.

Authorized Personnel: As used in this policy, they include: The Chief, Command Staff, supervisors, Information Technology personnel, and the Records Office Manager.

PROCEDURES

Records Office Access

Business Hours: Entry is generally restricted to those persons who are housed within the facility and those persons on official Department business.

Non-Business Hours

During non-business hours, the office shall be secured by an access control devices.

Entry into the Records Office is restricted by card-access to Authorized Personnel only.

All other personnel are restricted from entry.

Records Security

All physical records maintained by the Records Office will not be available for direct access by Department employees. These include, but are not limited to, medical records obtained for official law enforcement purposes.

Access to the Records Office computerized data will be granted to employees for Department purposes only

Records that are authorized for use will be obtained from the State Records Management System (SRMS) in accordance with this procedure. Other records housed within the Records Office shall be addressed as follows:

If the person is authorized to obtain an electronic record, they may access the file within the SRMS system.

Only Records Office employees shall enter into the actual paper versions of record files separately stored to prepare copies.

The paper and similar files stored inside the Records Office shall be locked during non-business hours and may be accessed only by Authorized Personnel.

Files must follow release procedures outlined in ADM05 or they must be returned to the Records office without being copied or shown to any unauthorized parties.

Unless compelling circumstances require, all copies of reports shall be destroyed upon their return to the Records Office.

In all cases, documentation will be made recording the request for electronic records (via technology applications), physically stored files and documentation on the disposition of all copies provided shall be recorded in the record, no exception.

Non-SRMS Records Office computer data is restricted to viewing by Authorized Personnel only. Access to SRMS shall follow normal rules of access to technology.

All paper copies of any retrieved data shall be maintained securely and disposed of properly based on current destruction protocols.

File Maintenance

Any person from the media requesting information from the Records Office shall be referred to the Department’s Public Information Officer (PIO).

Any person requesting to retrieve information from the Records Office beyond those listed below, shall be referred to the University’s Freedom of Information Act (FOIA) Office.

Accident reports (provided the online link to obtain those reports).

Letters of loss for insurance or similar purposes are completed by Records Office personnel.

Background investigators that are properly credentialed and provide signed waivers shall be seen by Records Office personnel.

Incident reports that are pursuant to normal business practices are released with permission of the Records Office Manager or designee.

Incident Files

Incident reports within SRMS are managed by the Records Office and shall not be removed without appropriate permission. Viewing for a recognized law enforcement purpose is allowed.

Copies of any SRMS files that are printed out and not held by a court are to be destroyed or returned to the Records Office.

Master Name Files

Non-participating SRMS representatives of state, federal, and/or local law enforcement agencies do not have automatic access to the Department’s files.

All release of information beyond the normal scope of business must be cleared by the Chief or designee.

Traffic Control Orders

Traffic Control Orders are maintained in the Department’s Traffic Engineer office.

Copies will be provided for administrative needs.

Original copies will be provided for court or other legal functions.

Arrangements shall be made well in advance with the Department’s Traffic Engineer to obtain copies.

Work Schedules

Access shall be limited to Authorized Personnel.

Individual schedules shall not be taken from the Records Office, but copies will be provided for valid administrative needs.

Department Equipment, Hardware and Software

Software

Restrictions from distribution or duplication by this Department, agents or vendors shall apply to all storage methods, including but not limited to: hardware, software, disk, diskette, tape, electronic file, transfer, documentation, reports, hard copy, products, or any other method.

Non-Departmental authorized software shall not be installed on any department system.

State of Michigan applications accessed via the MiCJIN Portal shall be limited to Department authorized personnel only.

Hardware

All hardware shall be treated in accordance with established restrictions stated within these procedures or elsewhere in regard to use, confidentiality, ordinance, statutes, University policy, department policy and procedure or other rules.

These restrictions apply to any electronic or mechanical transfer of files of any information, programs, data, etc. stored within the individual device, or any other method of duplication or transfer, including Fax.

Non-Departmental authorized hardware shall not be installed on any department system.

Data

All data shall be treated in accordance with established restrictions stated within these procedures or elsewhere in regard to confidentiality, ordinance, statutes, University policy, Department policy and procedure or other rules.

These restrictions apply to any electronic or mechanical transfer of files of any information, programs, data, etc. stored within the individual device, or any other method of duplication or transfer, including Fax.

Recording, Video, or Digital Image Capturing Equipment

All data, recordings, images, and information shall be treated in accordance with established restrictions stated within these procedures or elsewhere in regard to confidentiality, ordinance, statutes, University policy, department policy and procedure or other rules.

The Chief or their designee’s authorization is required for duplication and/or release of data, recordings, images, information, etc. in accordance with the provisions of this order, statutes and University policy.

This includes, but is not limited to, Stadium security cameras, surveillance cameras, and/or Department security cameras.

University Rules and Guidelines

Copyright or Patent Agreements

The University is required to sign a License Agreement with a seller of software pursuant to which the University assumes certain legally binding obligations.

Those agreements are binding on the Department and must be followed.

Duplication Restrictions

License Agreement often restrict the use of software programs, such as limiting its use to a particular individual computer.

Many licenses require software to be returned if no longer in use or if the license is not renewed.

Sale Restrictions: When equipment is re-sold by the University, it must be first examined to see that licenses for any software with the equipment are being complied with.

Penalties

Violation of the law and the License Agreement carries with it severe civil and criminal penalties that can amount to a significant loss of University funds.

Additionally, appropriate disciplinary action will be pursued against responsible parties.

Inventory

The Deputy Director of the Management Services Bureau or designee shall maintain an inventory of all Department owned data, word processing, computer equipment, hardware and software; including those licensed, purchased or developed.

All similar equipment data, word processing, hardware and software used by the Digital Forensic and Cyber-Crime Unit (DFCCU) for confidential work performed pursuant to their duties and training is inventoried by the Assistant Chief of the Field Services Bureau.

Department Compliance

The Department and its employees are required to comply with all University and Department policy, procedures, and restrictions.

The Deputy Director of the Management Services Bureau or designee is identified by the Chief to authorize release or duplication of programs in accordance with the provisions of this procedure and with University policy.

Personnel Files

Access: Personnel files shall be maintained by the Personnel Officer and access will be through that position.

Current Employee Records

Employees wishing to review work records about current employees beyond what is accessible to those persons in Guardian are to be directed to contact the Personnel Officer.

Persons outside of the Department wishing to view personnel records and/or Guardian files shall be instructed to contact the Personnel Officer or University FOIA Office.

Supervisors are granted permission within Guardian to view a subordinate employee’s file or their own file.

Persons at the rank of Lieutenant or equivalent civilian rank or higher within the Department may be granted access to additional files and information by request and approval.

Employees may make copies of material, but are encouraged to maintain privacy and confidentiality of those copies until destroyed or otherwise disposed of during business practices.

Non-Current Employee Records

Former employees, persons conducting background investigations of former employees, or any other person requesting to view the personnel file of former employees are to be directed to contact the Personnel Officer.

All replies to such requests will be compiled by the Personnel Officer, with a synopsis of information released, date, and name/contact information for the requester will be placed in the individual’s file.

Destruction of Records

Steps to Ensure Proper Disposal, Sanitization, and Destruction of Media

These steps address all sensitive or classified data or media; and apply to all equipment that processes, stores, and/or transmits LEIN, NCIC, CJI, and classified or sensitive data owned or leased by the Police Department.

When hard drives, diskettes, tape cartridges, CDs, DVDs, ribbons, hard copies, print-outs, USB flash drives, and other similar items used to process, store, and/or transmit LEIN, NCIC, CJI, and classified or sensitive department data are no longer usable; those items must be destroyed.

Physical Media shall be disposed of by using Department supplied cross-cut shredders.

University incineration services may be used, if witnessed by Department personnel tasked with destruction of those items.

University secure shredding bins may not be used for LEIN, NCIC, CJI, and classified or sensitive data owned or leased by the Department.

Electronic Media shall be disposed of by using destruction services through Friedland Industries.

Destruction must be witnessed by Department personnel tasked with destruction of those items.

In special circumstances, hard drives may be “zeroed” out by overwriting the magnetic media seven times with 1’s or 0’s.

Computers may be disposed of by releasing equipment to University Surplus, only after the internal storage media have been destroyed pursuant to University procedures.