Page 14 - Privacy_Program
P. 14

All Employees with      DP101.18    Alleged Violations of the Organization’s Privacy and Data Security Policies
        Access to PRPI
                                            If any employee believes that another employee, supervisor, participant,
                                            volunteer, customer, or business associate has violated the organization’s
                                            Privacy and Data Security policies, he or she should immediately report the
                                            violation to his or her supervisor, unless the supervisor is the violator, and to
                                            the Director of Information Technology, Privacy and Data Security. If that is
                                            the case, it should be reported to the next level of management (the
                                            supervisor’s supervisor) or to Human Resources immediately. Any suspected
                                            privacy violation must also immediately be reported to the Director of
                                            Information Technology, Privacy and Data Security.

                                            Employees must immediately notify Asset Protection and the Director of
                                            Information Technology, Privacy and Data Security of any known attempts
                                            (successful or unsuccessful) to break into secure areas at Fairview and at other
                                            locations where GESMN employees work and store equipment or participant
                                            information. Employees must also immediately notify Asset Protection and the
                                            Director of Information Technology, Privacy and Data Security of lost or stolen
                                            laptops and desktops and other devices, even if encrypted, that may contain
                                            PHI. Also see DP281.A

                                            INFORMATION SECURITY INCIDENT RESPONSE PLAN – PROCEDURES.

                                            To facilitate an alleged privacy violations and/or incidents, employees must
                                            also complete the top portion of the Alleged Privacy Violations/Incidents
                                            Report and Determination Form and submit it to the Director of Information
                                            Technology, Privacy and Data Security within 48 hours of known violations
                                            and/or incidents. The form can be found at O:\Forms\General Forms\Alleged
                                            Privacy Violations_Incidents Report and Determination Form.docx.

                                            Staff must not discuss alleged violations or incidents with others not involved
                                            as part of the incident response team. GESMN prohibits any retaliation against
                                            any employee who reports possible violations in good faith or assists in an
                                            investigation of possible violations.



































         GES CONFIDENTIAL                                                                                    14
   9   10   11   12   13   14   15   16   17   18   19